[Rspamd-Users] Spamhaus Technology contributions to Rspamd ruleset
Riccardo Alfieri
riccardo.alfieri at spamteq.com
Thu Aug 1 14:20:18 UTC 2019
On 01/08/19 13:39, Philip Paeps wrote:
> On 2019-07-23 14:19:47 (+0530), Riccardo Alfieri wrote:
>> You can find all the needed files and install instructions here:
>> https://github.com/spamhaus/rspamd-dqs
>
> Remko configured this on FreeBSD.org this week. Thank you for letting
> us use this feed!
>
We're honored :)
> I'm keeping an eye on the logs and I'm noticing a couple of odd hits
> on SH_EMAIL_DBL. E.g.:
>
> SH_EMAIL_DBL(21.00){0.1.134.160;1.177.11.96;0.152.0.0;}
>
> If I understand this correctly, this message picked up 3*7=21 points
> for looking up three addresses in the DBL. But why are what looks
> like email addresses being looked up in the DBL?
>
> Or more egregious:
>
> SH_EMAIL_DBL(63.00){0.0.0.60;0.0.0.0;0.0.0.48;0.0.0.51;0.0.0.24;0.0.0.49;}
>
> SH_EMAIL_DBL(14.00){0.0.0.1;}
>
That should -never- happen as the option "domain_only = true;" should
mean that the check is only done on the domain. Besides, asking DBL or
ZRD for an IP address will return 127.0.1.255 and that is a return code
not defined in the emails.conf section, meaning that it had not been
used in scoring (I think?)
Probably (just guessing here), the line
SH_EMAIL_ZRD(0.00){0.152.0.0;0.1.134.160;1.177.11.96;}
means that the rule was tested with those IP addresses, but since there
were no results, it weights "0.00" on the global score. But then I
don't understand why SH_EMAIL_DBL has been scored so high with IP
addresses...
I think that, while we wait for clarifications on what effectively
"domain_only" does, I'll also add error return codes in emails.conf like
I already did in rbl.conf.
--
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
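
Added example (not part of the original message and not code from the rspamd-dqs repository): a small log audit that flags the anomaly discussed above, i.e. domain-list symbols whose options are IPv4 literals, and reports whether they contributed to the score. It assumes symbol entries look like the excerpts quoted in this thread, NAME(score){opt;opt;}; the function names and the last sample line are constructed for illustration.

```python
import ipaddress
import re

# Symbol entry in the form shown in the thread: NAME(score){opt;opt;}
SYMBOL_RE = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)\{([^}]*)\}")

# Symbols from the thread that should only ever be queried with domain names.
DOMAIN_ONLY_SYMBOLS = {"SH_EMAIL_DBL", "SH_EMAIL_ZRD"}

# First four lines are the excerpts quoted in the thread; the last is constructed.
SAMPLE_LINES = [
    "SH_EMAIL_DBL(21.00){0.1.134.160;1.177.11.96;0.152.0.0;}",
    "SH_EMAIL_DBL(63.00){0.0.0.60;0.0.0.0;0.0.0.48;0.0.0.51;0.0.0.24;0.0.0.49;}",
    "SH_EMAIL_DBL(14.00){0.0.0.1;}",
    "SH_EMAIL_ZRD(0.00){0.152.0.0;0.1.134.160;1.177.11.96;}",
    "SH_EMAIL_DBL(7.00){example.com;}",  # constructed: an expected, domain-only hit
]


def is_ipv4_literal(value):
    """True if the option is a dotted-quad IPv4 address rather than a domain."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False


def parse_symbols(line):
    """Yield (name, score, options) for each symbol entry found in a line."""
    for name, score, opts in SYMBOL_RE.findall(line):
        yield name, float(score), [o.strip() for o in opts.split(";") if o.strip()]


def audit(lines):
    """Return one finding per domain-only symbol that carries IPv4 options."""
    findings = []
    for line in lines:
        for name, score, options in parse_symbols(line):
            ip_opts = [o for o in options if is_ipv4_literal(o)]
            if name in DOMAIN_ONLY_SYMBOLS and ip_opts:
                findings.append({"symbol": name, "score": score,
                                 "ip_options": ip_opts, "scored": score != 0.0})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f["symbol"], f["score"], "scored" if f["scored"] else "unscored", f["ip_options"])
```

Findings with a non-zero score are the ones that matter for false positives; the unscored SH_EMAIL_ZRD entry still shows that an IP address reached the lookup.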