An odd blip happened today while evaluating my antispam acls:
...
warn dnslists = dynablock.easynet.nl
     set acl_c5 = 6
     set acl_m2 = $acl_m2 YOUR SERVER ADDRESS $sender_host_address IS BLACKLISTED AT $dnslist_domain\n$dnslist_text\n
     set acl_m4 = ${eval: $acl_m4+1}
     set acl_c4 = 0
warn dnslists = opm.blitzed.org
     set acl_c5 = 4
     set acl_m2 = $acl_m2 YOUR SERVER ADDRESS $sender_host_address IS BLACKLISTED AT $dnslist_domain\n$dnslist_text\n
     set acl_m4 = ${eval: $acl_m4+1}
...
[ignore the fact that I stupidly put the lower score after the
higher, as acl_c5 should store the highest positive RBL].
I received a message from a server on a dynamic IP; the IP was listed
at dynablock.easynet.nl, and indeed in named logs I have:
Oct 19 13:26:19.042 queries: info: client 127.0.0.1#53295: query: 238.125.165.165.in-addr.arpa IN PTR
Oct 19 13:26:23.424 queries: info: client 127.0.0.1#63518: query: 238.125.165.165.bl.spamcop.net IN A
Oct 19 13:26:23.561 queries: info: client 127.0.0.1#63519: query: 238.125.165.165.dnsbl.njabl.org IN A
Oct 19 13:26:23.692 queries: info: client 127.0.0.1#63520: query: 238.125.165.165.cbl.abuseat.org IN A
Oct 19 13:26:25.853 queries: info: client 127.0.0.1#63521: query: 238.125.165.165.dynablock.easynet.nl IN A
Oct 19 13:26:25.894 queries: info: client 127.0.0.1#63522: query: 238.125.165.165.dynablock.easynet.nl IN TXT
Oct 19 13:26:25.939 queries: info: client 127.0.0.1#63523: query: 238.125.165.165.opm.blitzed.org IN A
Oct 19 13:26:26.058 queries: info: client 127.0.0.1#63524: query: 238.125.165.165.relays.ordb.org IN A
Oct 19 13:26:26.124 queries: info: client 127.0.0.1#63525: query: 238.125.165.165.sbl.spamhaus.org IN A
The TXT record indicates the only RBL that resulted positive.
But in exim logs I got the wrong value for acl_c5:
2003-10-19 13:26:33 HN07W8-000FZJ-74 H=tbnb-125-238.telkomadsl.co.za
(messianic.dyndns.org) [165.165.125.238] Warning: DATA SPAM
FLAGS:0;0;0;0;0;4;0;0;0;0; SCORE: 7 RBLS: 1
                ^ this is acl_c5
It looks as if the subsequent warn, which should have failed, set the
acl_c5, overwriting the previous value.
I immediately ran exim -bh 165.165.125.238 and got:
...
>>> processing "warn"
>>> check dnslists = dynablock.easynet.nl
>>> DNS list check: dynablock.easynet.nl
>>> new DNS lookup for 238.125.165.165.dynablock.easynet.nl
>>> DNS lookup for 238.125.165.165.dynablock.easynet.nl succeeded
>>> => that means 165.165.125.238 is listed at dynablock.easynet.nl
>>> check set = 6
>>> check set = $acl_m2 YOUR SERVER ADDRESS $sender_host_address IS BLACKLISTED AT $dnslist_domain\n$dnslist_text\n
>>> = YOUR SERVER ADDRESS 165.165.125.238 IS BLACKLISTED AT dynablock.easynet.nl
>>> Dynamic/Residential IP range listed by easynet.nl DynaBlock - http://dynablock.easynet.nl/errors.html
>>>
>>> check set = ${eval: $acl_m4+1}
>>> = 1
>>> check set = 0
>>> warn: condition test succeeded
>>> processing "warn"
>>> check dnslists = opm.blitzed.org
>>> DNS list check: opm.blitzed.org
>>> new DNS lookup for 238.125.165.165.opm.blitzed.org
>>> DNS lookup for 238.125.165.165.opm.blitzed.org failed
>>> => that means 165.165.125.238 is not listed at opm.blitzed.org
>>> warn: condition test failed
...
LOG: HN0BRM-000G3N-EZ H=tbnb-125-238.telkomadsl.co.za
(messianic.dyndns.org) [165.165.125.238] Warning: DATA SPAM
FLAGS:0;0;0;0;0;6;0;0;0;0; SCORE: 9 RBLS: 1
that indeed gives the correct value.
What could have happened? This just does not make sense. Perhaps time
to reboot...
Giuliano
--
H U M P H
|| |||
software
Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
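
Added example, not part of the original post: a small Python cross-check that derives the acl_c5 value the two posted warn statements should produce from the named query log, and compares it with the sixth FLAGS field of an Exim log line. It assumes, as the post observes, that a TXT query for a list means its A lookup was positive, that acl_c5 starts at 0, and that the later matching warn overwrites the earlier one; the function names are illustrative.

```python
import re

# Scores from the two warn statements in the post, in ACL order.
ACL_SCORES = [("dynablock.easynet.nl", 6), ("opm.blitzed.org", 4)]

# Log lines copied from the post, with wrapped lines rejoined.
NAMED_LOG = """\
Oct 19 13:26:25.853 queries: info: client 127.0.0.1#63521: query: 238.125.165.165.dynablock.easynet.nl IN A
Oct 19 13:26:25.894 queries: info: client 127.0.0.1#63522: query: 238.125.165.165.dynablock.easynet.nl IN TXT
Oct 19 13:26:25.939 queries: info: client 127.0.0.1#63523: query: 238.125.165.165.opm.blitzed.org IN A
"""
LIVE_LINE = "Warning: DATA SPAM FLAGS:0;0;0;0;0;4;0;0;0;0; SCORE: 7 RBLS: 1"
BH_LINE = "Warning: DATA SPAM FLAGS:0;0;0;0;0;6;0;0;0;0; SCORE: 9 RBLS: 1"

QUERY_RE = re.compile(r"query: (\d+)\.(\d+)\.(\d+)\.(\d+)\.(\S+) IN (A|TXT)$")
FLAGS_RE = re.compile(r"FLAGS:([\d;]+)")

def positive_zones(named_log, ip):
    """Return the DNS list zones that got a TXT query for this IP."""
    hits = set()
    for line in named_log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        d, c, b, a, zone, rtype = m.groups()
        # DNSBL query names carry the octets in reverse order.
        if f"{a}.{b}.{c}.{d}" == ip and rtype == "TXT":
            hits.add(zone)
    return hits

def expected_c5(hits):
    """Replay the posted ACL: each matching warn overwrites acl_c5."""
    value = 0  # assumption: acl_c5 is 0 before these statements
    for zone, score in ACL_SCORES:
        if zone in hits:
            value = score
    return value

def logged_c5(exim_line):
    """Extract the sixth FLAGS field, which the post says is acl_c5."""
    fields = FLAGS_RE.search(exim_line).group(1).strip(";").split(";")
    return int(fields[5])

def check(named_log, exim_line, ip):
    want = expected_c5(positive_zones(named_log, ip))
    got = logged_c5(exim_line)
    return {"expected": want, "logged": got, "consistent": want == got}
```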