surbl clarification


Donald Baud

May 4, 2017, 11:09:41 AM
to rspamd
I am trying to understand the SURBL module. I've read the module documentation:
https://rspamd.com/doc/modules/surbl.html

As a test, I send myself an email with just a url: www.groupon.com
I get those scores:

MW_SURBL_MULTI(5.50){groupon.com;},
DBL_SPAM(3.50){groupon.com;},
SEM_URIBL(3.50){groupon.com;}
DBL_PHISH(0.00){groupon.com;}
PH_SURBL_MULTI(0.00){groupon.com;}
RAMBLER_URIBL(0.00){groupon.com;}
URIBL_BLACK(0.00){groupon.com;}
URIBL_GREY(0.00){groupon.com;}
URIBL_SBL(0.00){groupon.com;}

I would like to whitelist that domain so I added "groupon.com" in the surbl-whitelist.inc
reloaded rspamd and I still see the same scores.

I looked in the logs of rspamd.log and I see that it re-read the surbl-whitelist.inc
- read map data from /usr/local/etc/rspamd/surbl-whitelist.inc (11641 bytes)
- read map data from /usr/local/etc/rspamd/surbl-whitelist.inc (11654 bytes)





Donald Baud

May 5, 2017, 9:22:56 AM
to rspamd
I guess my question is:
How do I neutralize or whitelist SURBL for a particular domain?

Andrew Lewis

May 5, 2017, 10:52:09 AM
to rsp...@googlegroups.com
Hi Donald,

> As a test, I send myself an email with just a url: www.groupon.com
> I get those scores:

That is very suspicious - it seems your resolver returns bogus results.

> I would like to whitelist that domain so I added "groupon.com" in the
> surbl-whitelist.inc
> reloaded rspamd and I still see the same scores.

Seems there is some likely issue here, it should work.

Best,
-AL.

Donald Baud

May 5, 2017, 7:17:54 PM
to rspamd
Hi Andrew,



> That is very suspicious - it seems your resolver returns bogus results.


I checked the local resolver, but then I realised from tcpdump/ngrep that it wasn't even being queried for groupon.com on that request.
Also, in the logs I saw multiple lines:
task; rspamd_check_group_score: maximum group score 12.50 for group ...(All SURBL symbols):
URIBL_BLACK, RAMBLER_URIBL, PH_SURBL_MULTI, ABUSE_SURBL ...

Then I saw:
task; rspamd_symbols_cache_check_symbol: slow rule: URL_TAGS_SAVE: 149 ms

I guess the URL_TAGS cache was somehow poisoned. So I disabled the url_tags module and reloaded,
problem solved.

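An added example, not part of the thread and not rspamd's code: it parses the symbol list from the first post and checks it against the 12.50 group limit from the log line in the last post. It assumes the 0.00 entries are hits that the group limit zeroed out; `apply_group_cap` is a simplified model of that behaviour, and the 1.0 weights in the replay are placeholders.

```python
import re

# Symbol list copied from the first post, in the order it was reported.
REPORTED = """\
MW_SURBL_MULTI(5.50){groupon.com;},
DBL_SPAM(3.50){groupon.com;},
SEM_URIBL(3.50){groupon.com;}
DBL_PHISH(0.00){groupon.com;}
PH_SURBL_MULTI(0.00){groupon.com;}
RAMBLER_URIBL(0.00){groupon.com;}
URIBL_BLACK(0.00){groupon.com;}
URIBL_GREY(0.00){groupon.com;}
URIBL_SBL(0.00){groupon.com;}
"""
GROUP_MAX = 12.50  # from the "maximum group score 12.50" log line in the last post
SYMBOL_RE = re.compile(r"(\w+)\((-?\d+\.\d+)\)\{([^}]*)\}")

def parse_symbols(text):
    """Return [(symbol, score, [options])] from a symbol list in the format above."""
    return [(name, float(score), [o for o in opts.split(";") if o])
            for name, score, opts in SYMBOL_RE.findall(text)]

def apply_group_cap(weights, group_max):
    """Simplified model (assumption, not rspamd's code): positive weights are granted
    until the group total reaches group_max; the crossing hit is clipped, later ones get 0."""
    total, scored = 0.0, []
    for name, weight in weights:
        granted = max(0.0, min(weight, group_max - total))
        total += granted
        scored.append((name, granted))
    return scored, total

def summarize(text, group_max):
    """Count the lists that hit and check whether the scores add up to the cap."""
    hits = parse_symbols(text)
    total = sum(score for _, score, _ in hits)
    return {
        "lists_hit": len(hits),
        "total": total,
        "cap_reached": total >= group_max,
        "zeroed": [name for name, score, _ in hits if score == 0.0],
        "domains": sorted({d for _, _, opts in hits for d in opts}),
    }

if __name__ == "__main__":
    print(summarize(REPORTED, GROUP_MAX))
    # Placeholder weight 1.0 (hypothetical) for the hits reported at 0.00.
    replay = [(n, s if s else 1.0) for n, s, _ in parse_symbols(REPORTED)]
    print(apply_group_cap(replay, GROUP_MAX))
```

Under that assumption the report shows nine list hits for one domain, not three, which is the pattern to look for when a resolver or cache is suspected of returning bogus results.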