RE: [SURBL-Announce] ANNOUNCE: BigEvil.cf and MidEvil.cf are now
available in SURBL formas be.surbl.org
Scott at ncs.co.nz
Thu Apr 22 21:32:48 CEST 2004
> BigEvil.cf and MidEvil.cf are now available in SURBL form as
> be.surbl.org, for use with SpamCopURI SpamAssassin 2.63 and
> URIDNSBL SpamAssassin 3.0 plugins. Thanks Chris, Paul and
> Gary Funck!
> Here's an excerpt about the new list from the Quick Start
> Chris Santerre and Paul Barbeau's BigEvil and MidEvil
> SpamAssassin rules are now available as an SURBL for use with
> plugins and programs such as those mentioned above which can
> extract message body URI domains and compare them against
> name-based RBLs. The name of the list is be.surbl.org, and some
> sample rules and scores to use it appears below. The well-known
> and popular BigEvil and MidEvil SA rulesets are used to block
> messages based on domains that have occurred in spam message body
> URIs. Using this as an SURBL instead allows you to remove this
> relatively large ruleset from SA memory and lets DNS cache the
> data in a zone file instead, querying SURBL hits from DNS as
> An SA 2.63 rule and score using SpamCopURI (but not the SpamCop
> data!) looks like this:
> uri BE_URI_RBL
> describe BE_URI_RBL URI's domain appears in BigEvil
> tflags BE_URI_RBL net
> score BE_URI_RBL 3.0
> An SA 3.0 rule and score using URIBL's urirhsbl looks like this:
> urirhsbl URIBL_BE_SURBL be.surbl.org. A
> header URIBL_BE_SURBL eval:check_uridnsbl('URIBL_BE_SURBL')
> describe URIBL_BE_SURBL Contains a URL listed BigEvil
> tflags URIBL_BE_SURBL net
> score URIBL_BE_SURBL 3.0
> be.surbl.org can be used alone or with other SURBL lists; all
> that's needed are different rule and score names, as we've shown
> in the samples. More information about be.surbl.org can be found
> in the Additional SURBLs section.
> be.surbl.org joins Bill Stearns' sa-blacklist-based ws.surbl.org
> and my own SpamCop URI-based sc.surbl.org SURBLs. All are
> described more at the site.
> Please send me any questions, comments, corrections, updates,
> Jeff C.
> P.S. We will probably offer a combined list at some point.
> We're still working out the details of that. Until then it's
> quite possible to use one or more of the lists simply by using
> separate SA rules for each one that you want to use, as shown
> in the Quick Start samples.
> P.P.S. The sample rules have been updated to mention "SpamCop"
> only in the descriptions of rules that actually use SpamCop data.
> Jeff Chan
You seem to put a lot of emphasis on the memory taken up by these two lists in memory. When I removed them, spamd's memory utilisation went down only 1.9MB (down from 33.5MB to 31.6MB). Now unless you are really strapped for memory, I don't see this as a great advantage. What's quicker execution-wise...a regex of the list in memory, or a DNS lookup/eval...I would imagine the later, but does anybody know?
The obvious advantage is that one doesn't have to update the cf files manually.
What's the TTL for entries in this database?
More information about the Discuss