[antispam-f] Re: Block list processing

  • From: Frank de Bruijn <antispam@xxxxxxxxxx>
  • To: antispam@xxxxxxxxxxxxx
  • Date: Sat, 17 Mar 2007 10:35:14 +0100

In article <4ec2e7e98cfreelists@xxxxxxxxxxxxxxxx>,
   Martin <freelists@xxxxxxxxxxxxxxxx> wrote:
> I have been using AS 1.60.a5 for about 10 days now in order to experiment
> with the BlockList processing - which seems to work well, incidentally. I
> have not detected any false spams, as yet - although I do have the Weight
> test near the bottom of my rules at the moment. It is a really nice
> addition to AS.

> However, I do have some questions, which Fred

Who?

> may be able to answer now, or when the documentation is updated in due
> course.

> 1.  What is the significance of the number in the Weight rule?

It indicates 'how heavy' a message must be for the Weight rule to take
effect, i.e. how many positive results the queries have returned, both
for one IP address and all the addresses in all trace fields taken
together.

> Are numbers over 10 only found when the IP address is on more than one
> blocklist?
> Or more than one IP address in a blocklist?

Both. Every time a DNSBL query returns a result, the 'weight' related to
that result (see NSQ's Settings file in !AntiSpam.Resources.!NSQ) is
added to the running total. As soon as the value set in the rule is
exceeded, the rule matches.

> How many blocklists are consulted for each IP address?

The current default is three: zen.spamhaus.org, bl.spamcom.net and
db.wpbl.info. You can always add more (or remove any of the defaults) if
you feel like it. Just make very sure you understand the format of the
Settings file before you do.

> Are only numeric IP addresses looked up, or named ones as well?

Currently just the IP addresses found in the trace fields. Future
versions may have more options here.

> 2.  Because my Weight keyword is low down (i.e. low priority) in my
> rules, I was expecting that the DNS lookups would only happen if the
> message had not matched any higher-priority rules. This does not seem
> to be true, as the check is done for ALL emails - and presumably for
> all IP addresses found in Received headers?

That's how AntiSpam has always worked. For every header it checks all
rules with a lower line number (i.e. a higher priority) than the current
highest priority rule. The trace fields are at the start of a message,
so the program is likely to 'see' most of them before it gets to the
headers that trigger rules with a higher priority.

> Thus it appears that AS is actually spending quite a lot of time doing
> (or waiting for) the lookups, when (in my case) 80% of the messages
> are deleted by a much higher priority rule. Thus AS seems much slower
> than without the Weight keyword,

That will depend on the speed of your connection to the Internet. I have
a relatively fast connection, so the delay doesn't bother me.

> although I am not sure it is sufficient to be concerned about. I have
> toyed with the idea of setting up a second set of rules for the same
> mailbox, which just contained the one Delete rule which hits 80% of my
> Spam, and leaving the others alone, and then running the normal rule
> set to do further checks and download the ones I really want - but
> this does not seem the right way to do it at all! I suspect that
> queuing the IPs found, and only doing the checks later if really
> required, would be a major change to the program logic.

Short answer: yes.

Slightly longer answer: I thought about queuing and decided against it
for various reasons.

Regards,
Frank
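The scoring Frank describes (each positive DNSBL answer adds that list's weight to a running total over every IP found in the trace fields; the rule matches as soon as the total exceeds the number in the Weight rule) can be sketched in a few lines. The code below is an added illustration, not AntiSpam's or NSQ's own code. The per-zone weights, the private-hop filtering, the early stop once the threshold is passed, and the "any A record means listed" convention are assumptions for the example; the real weights and their format live in the NSQ Settings file that the message refers to, which is not reproduced here. The Received: headers and the stub listings are constructed so the example runs offline.

```python
"""Weight-style DNSBL scoring over the IPs in a message's trace fields (added example)."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# The three default zones named in the message. The weights are assumed for
# illustration only; the real ones come from NSQ's Settings file.
ZONE_WEIGHTS: Dict[str, int] = {
    "zen.spamhaus.org": 5,
    "bl.spamcom.net": 4,
    "db.wpbl.info": 3,
}

# Hops inside these ranges are never listed, so querying them only costs time.
_SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def trace_ips(headers: List[str]) -> List[str]:
    """Return the routable IPv4 addresses in Received: headers, first seen first."""
    found: List[str] = []
    for h in headers:
        if not h.lower().startswith("received:"):
            continue
        for cand in _IPV4_RE.findall(h):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue  # looks like an address (e.g. 999.1.1.1) but is not one
            if any(ip in net for net in _SKIP_NETS) or cand in found:
                continue
            found.append(cand)
    return found


def dnsbl_name(ip: str, zone: str) -> str:
    """Standard DNSBL query name: octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


Resolver = Callable[[str], Optional[str]]


def live_resolve(qname: str) -> Optional[str]:
    """System-resolver lookup; NXDOMAIN (gaierror) means 'not listed'. Not used offline."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def weigh(headers: List[str], threshold: int, resolve: Resolver,
          zone_weights: Dict[str, int] = ZONE_WEIGHTS) -> Tuple[int, bool, List[str]]:
    """Sum the weight of every positive answer across all trace IPs and all zones.

    Returns (total, matched, hits). matched becomes True the moment the running
    total exceeds threshold; querying stops there because later answers cannot
    change the verdict (an assumed optimisation, not something the message states).
    """
    total, hits = 0, []
    for ip in trace_ips(headers):
        for zone, weight in zone_weights.items():
            if resolve(dnsbl_name(ip, zone)) is not None:  # any A record = listed
                total += weight
                hits.append(f"{ip} listed in {zone} (+{weight})")
                if total > threshold:
                    return total, True, hits
    return total, False, hits


# Constructed sample message headers: two routable hops plus one internal hop.
SAMPLE_HEADERS = [
    "Received: from mail.example.net (mail.example.net [198.51.100.7]) by mx.example.org;"
    " Sat, 17 Mar 2007 10:00:00 +0100",
    "Received: from [192.168.1.5] (unknown [192.0.2.10]) by mail.example.net;"
    " Sat, 17 Mar 2007 09:59:00 +0100",
    "From: someone@example.net",
    "Subject: hello",
]

# Constructed stub listings standing in for real DNS answers (keys are query names).
STUB_LISTINGS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "10.2.0.192.db.wpbl.info": "127.0.0.2",
    "7.100.51.198.bl.spamcom.net": "127.0.0.2",
}


def stub_resolve(qname: str) -> Optional[str]:
    return STUB_LISTINGS.get(qname)


if __name__ == "__main__":
    for rule_value in (5, 10, 12):
        total, matched, hits = weigh(SAMPLE_HEADERS, rule_value, stub_resolve)
        print(f"Weight {rule_value}: total={total} matched={matched} hits={hits}")
```

Running it shows why the same message can match a Weight rule at one value and not at another: with the assumed weights the two listed hops add up to 12, so a rule value of 10 matches while a value of 12 does not, and a value of 5 is exceeded after only two answers. It also makes Martin's timing observation concrete: every routable hop costs one query per zone, which is where the wall-clock time goes when a message would have been deleted by an earlier rule anyway.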