Bug 6212 - Evaluate Hostkarma JMF DNSBL's
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: SVN Trunk (Latest Devel Version)
Hardware: Other All
Importance: P5 enhancement
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2009-09-28 11:18 UTC by Warren Togami
Modified: 2023-01-23 17:59 UTC
Description Warren Togami 2009-09-28 11:18:42 UTC
Please add the following rules to the sandbox for testing so we can get some statistics from the weekly masschecks.

http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#How_to_use_the_Lists
hostkarma.junkemailfilter.com responds to DNS queries with a few types of responses.  These three rules probably interest us the most.

header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter, http://hostkarma.junkemailfilter.com
tflags __RCVD_IN_JMF net
 
header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE, http://hostkarma.junkemailfilter.com
tflags RCVD_IN_JMF_W net nice
 
header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK, http://hostkarma.junkemailfilter.com
tflags RCVD_IN_JMF_BL net
 
header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN, http://hostkarma.junkemailfilter.com
tflags RCVD_IN_JMF_BR net

The "yellow" list claims to list IPs of Yahoo, GMail, Hotmail, etc.  It costs us nothing to trigger a sub-rule on it.  It might be interesting to see its results in masschecks.

header RCVD_IN_JMF_YL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.3')
describe RCVD_IN_JMF_YL Sender listed in JMF-YELLOW, http://hostkarma.junkemailfilter.com
tflags RCVD_IN_JMF_YL net
Comment 1 Warren Togami 2009-09-29 19:25:37 UTC
Sigh, line wrapping mangled those rules.

There is some discussion on users@ list about the names of these rules.  For a while Marc had RCVD_IN_JMF_* on his wiki page and a few people use it copied from that.  But Marc prefers to have HOSTKARMA in the name.

RCVD_IN_HOSTKARMA_BL
RCVD_IN_HOSTKARMA_WL
RCVD_IN_HOSTKARMA_YL
RCVD_IN_HOSTKARMA_BR

I personally prefer these rule names because they are easier to read.  The only possible difficulty is people who might have manually configured their spamassassin using the old JMF rule names need to know to remove the JMF rules.

Do the developers have any strong opinions either way?
Comment 2 Henrik Krohns 2009-10-20 23:07:49 UTC
Might as well test these rules then..

urirhssub URIBL_HOSTKARMA_BL hostkarma.junkemailfilter.com. A 127.0.0.2
body      URIBL_HOSTKARMA_BL eval:check_uridnsbl('URIBL_HOSTKARMA_BL')
tflags    URIBL_HOSTKARMA_BL net nopublish

urirhssub URIBL_HOSTKARMA_BR hostkarma.junkemailfilter.com. A 127.0.0.4
body      URIBL_HOSTKARMA_BR eval:check_uridnsbl('URIBL_HOSTKARMA_BR')
tflags    URIBL_HOSTKARMA_BR net nopublish

urirhssub URIBL_HOSTKARMA_FRESH_2D hostkarma.junkemailfilter.com. A 127.0.2.1
body      URIBL_HOSTKARMA_FRESH_2D eval:check_uridnsbl('URIBL_HOSTKARMA_FRESH_2D')
tflags    URIBL_HOSTKARMA_FRESH_2D net nopublish

urirhssub URIBL_HOSTKARMA_FRESH_10D hostkarma.junkemailfilter.com. A 127.0.2.2
body      URIBL_HOSTKARMA_FRESH_10D eval:check_uridnsbl('URIBL_HOSTKARMA_FRESH_10D')
tflags    URIBL_HOSTKARMA_FRESH_10D net nopublish

BL and FRESH_2D actually work decent here, with 0.95+ S/O.
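
The lookup behind the rules in the description and in comment 2, as an added example that is not part of the bug thread or SpamAssassin's own code: one DNS query per IP or domain, with each sub-rule matching one returned A record. The function names and the sample inputs are constructed; the return codes and rule names are the ones quoted above.

```python
import ipaddress
import socket

ZONE = "hostkarma.junkemailfilter.com"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# A-record values -> rule names, copied from the rules quoted in this bug.
IP_RULES = {
    "127.0.0.1": "RCVD_IN_JMF_W",
    "127.0.0.2": "RCVD_IN_JMF_BL",
    "127.0.0.3": "RCVD_IN_JMF_YL",
    "127.0.0.4": "RCVD_IN_JMF_BR",
}
URI_RULES = {
    "127.0.0.2": "URIBL_HOSTKARMA_BL",
    "127.0.0.4": "URIBL_HOSTKARMA_BR",
    "127.0.2.1": "URIBL_HOSTKARMA_FRESH_2D",
    "127.0.2.2": "URIBL_HOSTKARMA_FRESH_10D",
}

def ip_query_name(ip, zone=ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def domain_query_name(domain, zone=ZONE):
    """URI lookups prepend the lower-cased domain to the zone."""
    return domain.rstrip(".").lower() + "." + zone

def resolve(name):
    """Live lookup; NXDOMAIN or a resolver error is treated as 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def rules_hit(answers, rules):
    """Map returned A records to rule names, ignoring anything unexpected."""
    hits = []
    for answer in answers:
        # Listings are conventionally in 127.0.0.0/8; skip rewritten answers.
        if ipaddress.ip_address(answer) not in LOOPBACK:
            continue
        rule = rules.get(answer)
        if rule and rule not in hits:
            hits.append(rule)
    return hits
```

For a live check, pass `resolve(ip_query_name(...))` to `rules_hit`; an address outside 127.0.0.0/8 in the answer is ignored rather than counted as a listing.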
Comment 3 Warren Togami 2009-10-21 08:40:27 UTC
Where are these documented?  I don't see these on his wiki.
Comment 4 Henrik Krohns 2009-10-21 09:27:31 UTC
I suggest you read the wiki more closely then. All the information is there.
Comment 5 Warren Togami 2009-10-21 19:03:29 UTC
The wiki makes no mention of it being meant to be used as URIBL.  I asked Marc about this and he said it might give some interesting statistics though.  I'll add it to the sandbox.
Comment 6 AXB 2012-08-12 10:32:27 UTC
I'd like to propose removal of these tests from sandboxes

( /trunk/rulesrc/sandbox/wtogami/20_bug_6212_hostkarma.cf )
 
They're set to nopublish (since 2009) and while it's nice to test new BLs, it puts an unnecessary load on weekly masschecks to keep them there for such a long time.

comments, votes please!
Comment 7 Kevin A. McGrail 2012-08-12 15:33:06 UTC
(In reply to comment #6)
> I'd like to propose removal of these tests from sandboxes
> 
> ( /trunk/rulesrc/sandbox/wtogami/20_bug_6212_hostkarma.cf )
>  
> They're set to nopublish (since 2009) and while it's nice to test new BLs,
> it puts an unnecessary load on weekly masschecks to keep them there for
> such a long time.
> 
> comments, votes please!

+1 to comment them (not removal just to be clear).

However, should someone want to actively test and analyze them, I would immediately support that.  But we need masscheck to be quicker and this analysis isn't currently useful to the project.
Comment 8 AXB 2012-08-13 08:05:32 UTC
FTR: Rules commented out on Aug 12 2012
Comment 9 Christer Mjellem Strand 2023-01-23 17:59:21 UTC
In my largely anecdotal experience, the URIBL lists for FRESHness are useful and mostly accurate, while the BROWN and BLACK lists contain far too many FPs to be particularly useful.

I use the FRESH lists both as regular URIBLs, but also testing against HELO and ALLFROM/Reply-To. This roughly matches the approach Spamhaus uses against ZRD in spamassassin-dqs.