Two Questions

[Matt Kettler]

Julian answered your question 2, so I'll answer question 1.

1) turn off the auto-report feature of SpamAssassin. The razor dev's
pointed out that auto reporting after reaching a given score in SA is
probably a bad idea, and results in lots of bugtraq postings, etc being
reported to razor. The newest versions of SA have had this feature disabled
for that reason. The only emails which should be auto-reported to razor are
emails sent to troll addresses. All others should be hand confirmed.

Also, for what it's worth, razor isn't an RBL. It does not block domains,
but instead generates hashes of the body of a given message, if it matches
the hash of a message previously reported, it's spam.

So razor will never block your domain, since it never even looks at
headers, but if you send a message which has a body which is identical to a
previous email reported as spam, razor will hit it.

As for the rest of the RBLs, such as ORDB, MAPS, etc. They are mostly relay
check based, or confirmed spam source based. These systems generally work
on an IP address basis, and nobody is likely to be fooled by that spoofed
HELO. There are some that are domain based, but they aren't likely to be
fooled by this either.. spoofed HELO's claiming to be hotmail.com, etc are
super common.

I generally treat that part of the header with the same grain of salt I
treat the FROM: line with. It's most likely falsified in the case of spam.
Look at the IP in the received from and ignore the alleged name that comes
from the HELO entirely.


At 02:28 PM 7/25/2002 -0400, Gerry Doris wrote:
>1. I turned on spam logging and see the kind of message below.
>Notice that it says that the IP address the message came from is
>66.187.233.211 and the domain is dorfam.ca.
>
>Well, dorfam.ca is my domain and it definitely isn't that IP address.  My
>concern is that my domain is going to be automatically sent off to some of
>the RBL sites (ie razor) when I receive a spam message with a count over
>30 (I believe that's a default).