>From updates_spamassassin_org/20_dnsbl_tests.cf, using this as a model for a multi-valued DNS blacklist query:


header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS net

header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net

"sysadmin see, sysadmin do", we tried this:

header __RCVD_IN_RBLX eval:check_rbl('domain', 'rblx.domain.tld.')
describe __RCVD_IN_RBLX DOMAIN: sender IP is listed in DOMAIN
tflags __RCVD_IN_RBLX net

header RCVD_IN_RBLX_BADREP eval:check_rbl_sub('domain', '127.0.0.2')
describe RCVD_IN_RBLX_BADREP DOMAIN: sender IP has bad reputation
tflags RCVD_IN_RBLX_BADREP net
score 3.5 3.5 3.5 3.5

We don't get any 127.0.0.2 hits on 2 SA machines, while we get plenty of hits with SA queries to single-valued DNSBLs.

Attempts at other syntaxes have failed.

suggestions?

Len




______________________________________________
IMGate OpenSource Mail Firewall www.IMGate.net