[Rspamd-Users] Spamhaus Technology contributions to Rspamd ruleset

[Philip Paeps]

On 2019-08-01 19:50:18 (+0530), Riccardo Alfieri wrote:
> On 01/08/19 13:39, Philip Paeps wrote:
>> I'm keeping an eye on the logs and I'm noticing a couple of odd hits 
>> on SH_EMAIL_DBL.  E.g.:
>>
>> SH_EMAIL_DBL(21.00){0.1.134.160;1.177.11.96;0.152.0.0;}
>>
>> If I understand this correctly, this message picked up 3*7=21 points 
>> for looking up three addresses in the DBL.  But why are what looks 
>> like email addresses being looked up in the DBL?
>>
>> Or more egregious:
>>
>> SH_EMAIL_DBL(63.00){0.0.0.60;0.0.0.0;0.0.0.48;0.0.0.51;0.0.0.24;0.0.0.49;}
>> SH_EMAIL_DBL(14.00){0.0.0.1;}
>
> That should -never- happen as the option "domain_only = true;" should 
> mean that the check is only done on the domain. Besides, asking DBL or 
> ZRD for an IP address will return 127.0.1.255 and that is a return 
> code not defined in the emails.conf section, meaning that it had not 
> been used in scoring (I think?)
>
> Probably (just guessing here), the line
>
> SH_EMAIL_ZRD(0.00){0.152.0.0;0.1.134.160;1.177.11.96;}
>
> means that the rule was tested with those IP address, but since there 
> where no results, it weights "0.00" on the global score. But then I 
> don't understand why SH_EMAIL_DBL has been scored so high with IP 
> addresses...
>
> I think that, while we wait for clarifications on what effectively 
> "domain_only" does, I'll add also error return codes in emails.conf 
> like I already did in rbl.conf

That sounds like a good idea.

While SH_EMAIL_ZRD returning 0.0 is not a huge problem, SH_EMAIL_DBL 
returning extremely high scores for IP addresses (that shouldn't be 
listed) is unfortunately causing a fair amount of email to be rejected.

I'm also not sure where the IP addresses come from in those results.  
Though since the messages were rejected, I can't go look at the headers. 
:-/

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises