[Rspamd-Users] Spamhaus Technology contributions to Rspamd ruleset
Philip Paeps
philip at trouble.is
Thu Aug 1 14:36:50 UTC 2019
On 2019-08-01 19:50:18 (+0530), Riccardo Alfieri wrote:
> On 01/08/19 13:39, Philip Paeps wrote:
>> I'm keeping an eye on the logs and I'm noticing a couple of odd hits
>> on SH_EMAIL_DBL. E.g.:
>>
>> SH_EMAIL_DBL(21.00){0.1.134.160;1.177.11.96;0.152.0.0;}
>>
>> If I understand this correctly, this message picked up 3*7=21 points
>> for looking up three addresses in the DBL. But why are what looks
>> like email addresses being looked up in the DBL?
>>
>> Or more egregious:
>>
>> SH_EMAIL_DBL(63.00){0.0.0.60;0.0.0.0;0.0.0.48;0.0.0.51;0.0.0.24;0.0.0.49;}
>> SH_EMAIL_DBL(14.00){0.0.0.1;}
>
> That should -never- happen as the option "domain_only = true;" should
> mean that the check is only done on the domain. Besides, asking DBL or
> ZRD for an IP address will return 127.0.1.255 and that is a return
> code not defined in the emails.conf section, meaning that it had not
> been used in scoring (I think?)
>
> Probably (just guessing here), the line
>
> SH_EMAIL_ZRD(0.00){0.152.0.0;0.1.134.160;1.177.11.96;}
>
> means that the rule was tested with those IP addresses, but since there
> were no results, it weights "0.00" on the global score. But then I
> don't understand why SH_EMAIL_DBL has been scored so high with IP
> addresses...
>
> I think that, while we wait for clarifications on what effectively
> "domain_only" does, I'll add also error return codes in emails.conf
> like I already did in rbl.conf

That sounds like a good idea.

While SH_EMAIL_ZRD returning 0.0 is not a huge problem, SH_EMAIL_DBL
returning extremely high scores for IP addresses (that shouldn't be
listed) is unfortunately causing a fair amount of email to be rejected.

I'm also not sure where the IP addresses come from in those results.
Though since the messages were rejected, I can't go look at the headers. :-/

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
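
An added example (not part of the original message, nor Rspamd or Spamhaus code): a small Python audit that parses symbol strings in the `NAME(score){options}` form quoted in the thread and reports domain-list symbols that scored on options that look like IPv4 addresses. The function names and the `example.com` entry are constructed for illustration; the other sample entries are the ones quoted above.

```python
import ipaddress
import re

# Sample input: three symbol strings quoted in the thread plus one
# constructed "normal" hit (example.com) for contrast.
SAMPLE_SYMBOLS = (
    "SH_EMAIL_DBL(21.00){0.1.134.160;1.177.11.96;0.152.0.0;} "
    "SH_EMAIL_ZRD(0.00){0.152.0.0;0.1.134.160;1.177.11.96;} "
    "SH_EMAIL_DBL(14.00){0.0.0.1;} "
    "SH_EMAIL_DBL(7.00){example.com;}"
)

# NAME(score){opt;opt;} as it appears in the logged symbol list.
SYMBOL_RE = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)\{([^}]*)\}")


def parse_symbols(text):
    """Yield (name, score, options) for every symbol entry found in text."""
    for name, score, opts in SYMBOL_RE.findall(text):
        yield name, float(score), [o for o in opts.split(";") if o]


def is_ipv4_literal(value):
    """True if the option is a dotted-quad IPv4 address rather than a domain."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def suspicious_hits(text, domain_symbols=("SH_EMAIL_DBL", "SH_EMAIL_ZRD")):
    """Return domain-list symbols that added score on IPv4-looking options."""
    findings = []
    for name, score, opts in parse_symbols(text):
        ip_opts = [o for o in opts if is_ipv4_literal(o)]
        if name in domain_symbols and score > 0 and ip_opts:
            findings.append((name, score, ip_opts))
    return findings


if __name__ == "__main__":
    for name, score, ip_opts in suspicious_hits(SAMPLE_SYMBOLS):
        print(f"{name} scored {score:.2f} on IP-like options: {', '.join(ip_opts)}")
```

Entries that score 0.00, such as the SH_EMAIL_ZRD line, are skipped because they do not affect the message's total.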