[SURBL-Announce] Experimental list: XS now contains snowshoe and pill domains, feedback wanted

SURBL Announcement list [READONLY] announce at lists.surbl.org
Thu Dec 10 11:59:13 CET 2009


[Please send follow up discussions to:  discuss at lists . surbl. org]


An experimental source of some snowshoe and pill domains is now being
published in xs.surbl.org.  SURBL considers this feed to be
experimental and would very much welcome feedback about it,
particularly about any false positives.  Does anyone know anyone who
actually wants to receive snowshoe messages?  Here's Spamhaus'
description of snowshoe:

  http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233

XS is not included in multi currently, so for testing purposes it must
be specified as a standalone list.  For SpamAssassin, a rule would be:

 urirhssub       URIBL_XS_SURBL  xs.surbl.org.        A   2
 body            URIBL_XS_SURBL  eval:check_uridnsbl('URIBL_XS_SURBL')
 describe        URIBL_XS_SURBL  Contains an URL listed in the XS
SURBL blocklist
 tflags          URIBL_XS_SURBL  net
 #reuse          URIBL_XS_SURBL

and a score would be:

 score           URIBL_XS_SURBL  0 0.001 0 0.001

or whatever values you like.  0 would disable the test.  0.001 would
be visible in headers and reporting, but likely not push a score over
a threshold.  6.0 would block outright in most
systems, etc.  Remember to add the rule and score to a local.cf if you
want it to persist across version upgrades.

(As an aside, the SpamAssassin command urirhsbl should still work for
an individual list, but arguably is obsoleted by urirhssub since the
latter is just about universally used now and will handle the case of
a standalone list too.  More info at:
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html
)

For use in other systems, treat xs.surbl.org as it's own list and look
for a 127.0.0.2 DNS A record result to indicate inclusion.  IOW, you
won't find it in multi yet.  :)

Here's a manual test:

% dig difficultflamingos.com.xs.surbl.org
[...]

;; QUESTION SECTION:
;difficultflamingos.com.xs.surbl.org. IN    A

;; ANSWER SECTION:
difficultflamingos.com.xs.surbl.org. 180 IN A       127.0.0.2

which of course may roll off the list when that particular record
expires.

Once it goes into production, XS would be included in multi, and this
temporary, standalone test list would go away.  ***The configs would
need to be adjusted to use multi at that time, or the filtering for
that source would go away.***  In other words, please don't put the
standalone test list into production and leave it there.  It will very
likely go away later in favor of inclusion in multi.

Note that testing XS after sender blacklists and other filtering
techniques may result in XS not getting many hits.

Note also that other types of data probably will be added to XS in future.

Please test XS and send results to discuss at lists. surbl dot org


More information about the Announce mailing list