Mailing List Archive

On Mon, Mar 15, 2004 at 10:53:01PM -0500, Bill McGonigle wrote:
> With the recent run of Habeas impersonators, I wanted to use Habeas as
> a whitelist rather than a blacklist. I think the following ruleset
> basically accomplishes that:

Uhhh... The standard Habeas rules are a whilelist.

> The problem with this ruleset, and theirs, I believe, is that the rbl
> check is done whether or not HABEAS_SWE matches. That's alot of
> unnecessary work for their system and mine.
>
> I'd like to only do the rbl if HABEAS_SWE gets a hit. Is there a
> syntax to do this?

Yep, the standard version does that.

Is there some reason the standard rules don't work for you?

--
Randomly Generated Tagline:
"It's the same plot as the first one, only they have little teddy
bears in it." - Prof. Wittels talking about Return of the Jedi

[.note: in the process of writing this I realized my rule is useless.
I'll continue in hopes there's another solution.]

On Mar 15, 2004, at 11:05 PM, Theo Van Dinter wrote:
> Is there some reason the standard rules don't work for you?

Yeah, at least if I'm understanding it right. Perhaps I should
annotate how I think it's working:

header HABEAS_SWE X-Habeas-SWE-3 =~ /like Habeas SWE \(tm\)/
describe HABEAS_SWE Sender Warranted Email, see www.habeas.com
score HABEAS_SWE -100

at this point a message claiming to be Habeas is scored -100
it it's legit, great. If it's a spam....

header HABEAS_HIL rbleval:check_rbl('hil', 'hil.habeas.com.')
describe HABEAS_HIL Sender is on www.habeas.com Habeas Infringer List
score HABEAS_HIL 105.0

so now if the spammer is on their Infringer List (rbl) the spam is
scored +5, great
if it's legit, the message is still scored -100, great
if it's a spammer using zombies and random senders, it's not on the
infringer list, so it's still -100

I was trying to avoid the last situation, but I see now that my rule
really doesn't do that, it's just the same thing as the stock rule done
in a more obtuse way. :P

I think what I would really need is Habeas to setup a different rbl
server with _legit_ senders, and then my rule would be OK. As an
aside, what stops spammers from forging legit Habeas senders?

>> I'd like to only do the rbl if HABEAS_SWE gets a hit. Is there a
>> syntax to do this?
>
> Yep, the standard version does that.

So I'm guessing there's some code behind
rbleval:check_rbl('hil', 'hil.habeas.com.')
that does that? The rules themselves don't express this behavior,
right?

Thanks again,
-Bill

From: "Bill McGonigle" <bill@zettabyte.net>

> [.note: in the process of writing this I realized my rule is useless.
> I'll continue in hopes there's another solution.]
>
> On Mar 15, 2004, at 11:05 PM, Theo Van Dinter wrote:
> > Is there some reason the standard rules don't work for you?
>
> Yeah, at least if I'm understanding it right. Perhaps I should
> annotate how I think it's working:
>
> header HABEAS_SWE X-Habeas-SWE-3 =~ /like Habeas SWE \(tm\)/
> describe HABEAS_SWE Sender Warranted Email, see www.habeas.com
> score HABEAS_SWE -100
>
> at this point a message claiming to be Habeas is scored -100
> it it's legit, great. If it's a spam....
>
> header HABEAS_HIL rbleval:check_rbl('hil', 'hil.habeas.com.')
> describe HABEAS_HIL Sender is on www.habeas.com Habeas Infringer List
> score HABEAS_HIL 105.0
>
> so now if the spammer is on their Infringer List (rbl) the spam is
> scored +5, great
> if it's legit, the message is still scored -100, great
> if it's a spammer using zombies and random senders, it's not on the
> infringer list, so it's still -100
>
> I was trying to avoid the last situation, but I see now that my rule
> really doesn't do that, it's just the same thing as the stock rule done
> in a more obtuse way. :P
>
> I think what I would really need is Habeas to setup a different rbl
> server with _legit_ senders, and then my rule would be OK. As an
> aside, what stops spammers from forging legit Habeas senders?
>
> >> I'd like to only do the rbl if HABEAS_SWE gets a hit. Is there a
> >> syntax to do this?
> >
> > Yep, the standard version does that.
>
> So I'm guessing there's some code behind
> rbleval:check_rbl('hil', 'hil.habeas.com.')
> that does that? The rules themselves don't express this behavior,
> right?

Check out "meta" rules in the WIKI. They may be your best friends.
{^_^}

On Mar 15, 2004, at 11:29 PM, Bill McGonigle wrote:

> I think what I would really need is Habeas to setup a different rbl
> server with _legit_ senders, and then my rule would be OK. As an
> aside, what stops spammers from forging legit Habeas senders?

I'm really sorry, please excuse the dumb newbie. I found the section
on Habeas's site about their whitelist being available under agreement,
and their IP-based rbl.

Now I'm not going to bother with it; philosophically it's too much work
to have everybody enter into agreements with them to make their service
work, but it's there if you want it. If it were generally available
I'd put it in, but I can also understand the opportunity for abuse.
I'm can't see how they can work around trojan zombies bruteforcing
their whitelist and spammers spoofing their IP addresses, but that
probably belongs on their lists.

Thanks/Sorry,
-Bill

On Mon, Mar 15, 2004 at 11:29:49PM -0500, Bill McGonigle wrote:
> I think what I would really need is Habeas to setup a different rbl
> server with _legit_ senders, and then my rule would be OK. As an

Yeah, that's the HUL (not the same as HIL). :)

> aside, what stops spammers from forging legit Habeas senders?

Nothing. If it's forged, Habeas is supposed to go suing. It's all part
of the business model.

> So I'm guessing there's some code behind
> rbleval:check_rbl('hil', 'hil.habeas.com.')
> that does that? The rules themselves don't express this behavior,
> right?

Hrm. You're running 2.5x? The "correct" behavior was added for 2.60:

header HABEAS_VIOLATOR eval:check_rbl_swe('hil', 'sa-hil.habeas.com.')

then check_rbl_swe does the right thing. Hence why you don't see anything
in the code or rules about it. :)

--
Randomly Generated Tagline:
#else /* !STDSTDIO */ /* The big, slow, and stupid way */
-- Larry Wall in str.c from the perl source code