Quoting Jason Haar:

> ..that seems new. I see it's an RBL that "contains domains registered
> within the last five days".
>
> Can someone explain what that means? I guess it means "seen by DOB
> within the last five days" more than a domain that was registered within
> the last five days?


It means the domain was registered within the past 5 days.

> I say that because email from my home domain (registered 4 years ago) is
> currently on the list...


samba.org seems to be on the list, which is an error:

;; ANSWER SECTION:
samba.org.dob.sibl.support-intelligence.net. 2100 IN A 127.0.0.2


Domain ID2485610-LROR
Domain Name:SAMBA.ORG
Created On:10-Jan-1998 05:00:00 UTC
Last Updated On:28-Nov-2005 03:51:37 UTC
Expiration Date:09-Jan-2009 05:00:00 UTC
Sponsoring Registrar:Network Solutions LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:20553835-NSI
Registrant Name:Samba Team
Registrant Organization:Samba Team
Registrant Street1:26 Carstensz St
Registrant Street2:
[...]

> Anyway, emails that are on the list seem to trigger 3 different rules -
> which adds up to +2 points - is that expected behaviour?
>
> Thanks
>
> Jason


It looks like SpamAssassin is using DOB to check envelope From, received headers
and message body domains. The three different uses of DOB all give different
scores.

Jeff C.

> e.g. (actual spam to the Samba mailing-list)
>
>  0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust
>      [66.70.73.150 listed in list.dnswl.org]
>  0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
>  0.8 RCVD_IN_DOB RBL: Received via relay in new domain (Day Old Bread)
>  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>      [Blocked - see ]
>  1.1 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
>      [88.232.135.123 listed in dnsbl.sorbs.net]
> -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
> -0.0 SPF_PASS SPF: sender matches SPF record
>  0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
>      [cf: 100]
>  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>      [cf: 100]
>  0.9 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
>      [URIs: samba.org]
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
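
An added example, not part of the original thread or of SpamAssassin: a Python sketch that builds the DOB lookup name, totals the three DOB rule scores from the quoted report, and flags a listing that contradicts the WHOIS creation date. The function names and the `NOW` date are assumptions made for illustration; the report and WHOIS lines are copied from the message above.

```python
import re
from datetime import datetime, timedelta, timezone

DOB_ZONE = "dob.sibl.support-intelligence.net"  # zone seen in the dig answer
DOB_WINDOW = timedelta(days=5)  # "registered within the last five days"

# DOB-related and neighbouring lines from the quoted report, wrapped lines joined.
REPORT = """\
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust
 0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
 0.8 RCVD_IN_DOB RBL: Received via relay in new domain (Day Old Bread)
 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 0.9 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
"""
WHOIS = "Domain Name:SAMBA.ORG\nCreated On:10-Jan-1998 05:00:00 UTC\n"
NOW = datetime(2007, 6, 1, tzinfo=timezone.utc)  # constructed "today", not from the thread


def dob_query_name(domain):
    """Name to look up: the domain prepended to the DOB zone."""
    return f"{domain.lower().rstrip('.')}.{DOB_ZONE}."


def dob_hits(report):
    """Map each rule whose name contains DOB to its score."""
    hits = {}
    for line in report.splitlines():
        m = re.match(r"\s*(-?\d+\.\d+)\s+(\w*DOB\w*)\s", line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def whois_created(text):
    """Parse the 'Created On:' field as it appears in the WHOIS output above."""
    m = re.search(r"^Created On:(\S+ \S+) UTC", text, re.M)
    if not m:
        raise ValueError("no 'Created On:' field")
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc)


def listing_is_stale(listed, created, now=NOW):
    """True when DOB lists a domain that is older than the five-day window."""
    return listed and (now - created) > DOB_WINDOW


if __name__ == "__main__":
    print(dob_query_name("samba.org"), dob_hits(REPORT))
    print(listing_is_stale(True, whois_created(WHOIS)))
```

Because the envelope, relay and URI checks all query the same zone, a single wrong DOB entry is counted three times in the message score.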