[Please send follow up discussions to: discuss at lists . surbl. org]
An experimental source of some snowshoe and pill domains is now being published in xs.surbl.org. SURBL considers this feed to be experimental and would very much welcome feedback about it, particularly about any false positives. Does anyone know anyone who actually wants to receive snowshoe messages? Here's Spamhaus' description of snowshoe:
http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233
XS is not included in multi currently, so for testing purposes it must be specified as a standalone list. For SpamAssassin, a rule would be:
urirhssub URIBL_XS_SURBL xs.surbl.org. A 2 body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL') describe URIBL_XS_SURBL Contains an URL listed in the XS SURBL blocklist tflags URIBL_XS_SURBL net #reuse URIBL_XS_SURBL
and a score would be:
score URIBL_XS_SURBL 0 0.001 0 0.001
or whatever values you like. 0 would disable the test. 0.001 would be visible in headers and reporting, but likely not push a score over a threshold. 6.0 would block outright in most systems, etc. Remember to add the rule and score to a local.cf if you want it to persist across version upgrades.
(As an aside, the SpamAssassin command urirhsbl should still work for an individual list, but arguably is obsoleted by urirhssub since the latter is just about universally used now and will handle the case of a standalone list too. More info at: http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDN... )
For use in other systems, treat xs.surbl.org as it's own list and look for a 127.0.0.2 DNS A record result to indicate inclusion. IOW, you won't find it in multi yet. :)
Here's a manual test:
% dig difficultflamingos.com.xs.surbl.org [...]
;; QUESTION SECTION: ;difficultflamingos.com.xs.surbl.org. IN A
;; ANSWER SECTION: difficultflamingos.com.xs.surbl.org. 180 IN A 127.0.0.2
which of course may roll off the list when that particular record expires.
Once it goes into production, XS would be included in multi, and this temporary, standalone test list would go away. ***The configs would need to be adjusted to use multi at that time, or the filtering for that source would go away.*** In other words, please don't put the standalone test list into production and leave it there. It will very likely go away later in favor of inclusion in multi.
Note that testing XS after sender blacklists and other filtering techniques may result in XS not getting many hits.
Note also that other types of data probably will be added to XS in future.
Please test XS and send results to discuss at lists. surbl dot org
-
SURBL Announcement list [READONLY]