Mailing List Archive

Reindl Harald <h.reindl@thelounge.net> writes:

> Am 28.03.20 um 08:09 schrieb Cecil Westerhof:
>> When looking at email that was marked as spam, I saw the following:
>> 1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
>> blocklist
>> [URIs: techwrestle.com]
>> 2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
>> blocklist
>> [URIs: techwrestle.com]
>>
>> Should not one of those two be removed, because it is now penalised
>> two times.
>> It was spam, so that is not the problem, it only looks wrong to me.
>
> there is nothing wrong
> that's the whole point of scoring
> different sources
>
> or would you remove every RBL when stuff hits more then one instead say
> "hey, when it's listed on 10 of it it's for *sure* spam"

Personally I would say: keep the highest one. In the above case 2.5.
But that is only my 2 cents.

--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof

Hai!

>>> 1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
>>> blocklist
>>> [URIs: techwrestle.com]
>>> 2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
>>> blocklist
>>> [URIs: techwrestle.com]
>>>
>>> Should not one of those two be removed, because it is now penalised
>>> two times.
>>> It was spam, so that is not the problem, it only looks wrong to me.

>> there is nothing wrong
>> that's the whole point of scoring
>> different sources
>>
>> or would you remove every RBL when stuff hits more then one instead say
>> "hey, when it's listed on 10 of it it's for *sure* spam"

> Personally I would say: keep the highest one. In the above case 2.5.
> But that is only my 2 cents.

Thats not making any sense. Its a extra sign and not a matter of 'keep the
highest one'. If its in 5 RBL's thats telling a lot more then if its
inside 1 RBL. (The SA scorig engine takes care of this).

Thanks! Raymond

On Sat, 28 Mar 2020, Cecil Westerhof wrote:

> Reindl Harald <h.reindl@thelounge.net> writes:
>
>> Am 28.03.20 um 08:09 schrieb Cecil Westerhof:
>>> When looking at email that was marked as spam, I saw the following:
>>> 1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
>>> blocklist
>>> [URIs: techwrestle.com]
>>> 2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
>>> blocklist
>>> [URIs: techwrestle.com]
>>>
>>> Should not one of those two be removed, because it is now penalised
>>> two times.
>>> It was spam, so that is not the problem, it only looks wrong to me.
>>
>> there is nothing wrong
>> that's the whole point of scoring
>> different sources
>>
>> or would you remove every RBL when stuff hits more then one instead say
>> "hey, when it's listed on 10 of it it's for *sure* spam"
>
> Personally I would say: keep the highest one. In the above case 2.5.
> But that is only my 2 cents.

The only reason to discard one or the other would be if they were two
different rules checking the *same* blacklist.

If they are different blacklists, and that domain appears on both, then
hitting both rules and getting scores for both hits is totally legitimate.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
4 days until April Fools' day

On 28 Mar 2020, at 01:09, Cecil Westerhof <Cecil@decebal.nl> wrote:
> Should not one of those two be removed, because it is now penalised
> two times.

It is penalized for being in SURBL and then penalized for being in the DBL; seems perfectly reasonable to me.



--
"You're just impressed by any pretty girl who can walk and talk."
"She doesn't have to talk.”