One spammer is persistently slipping through....

Raymond Dijkxhoorn raymond at PROLOCATION.NET
Mon Apr 26 13:08:49 IST 2004 

Hi!

> I got this in the header of another e-mail:
> X-gw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus-XBL,
>         SpamAssassin (score=32.458, required 6, CHARSET_FARAWAY 6.00,
>         CHARSET_FARAWAY_HEADER 4.00, FORGED_HOTMAIL_RCVD 0.00,
>         FORGED_MUA_OUTLOOK 1.58, MIME_CHARSET_FARAWAY 6.00,
>         MSGID_FROM_MTA_SHORT 3.31, NORMAL_HTTP_TO_IP 0.21,
>         NO_RDNS_DOTCOM_HELO 2.95, RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10,
>         RCVD_IN_NJABL_PROXY 1.10, RCVD_IN_RFCI 0.10,
>         UNWANTED_LANGUAGE_BODY 6.00)
>
> spamhaus us mention at the top (twice) but there is no score shown
> for it. Is this correct?

You use XBL in your RBL checks in SA _only_ so that wont add to SA scores.

I have this in my /etc/mail/spamassassin dir:

[root at vmx01 spamassassin]# more dnsbl_tests.cf
#
# Extra DNSBL checks:
#
# AHBL RBL checks
header RCVD_IN_AHBL             eval:check_rbl_txt('ahbl',
'dnsbl.ahbl.org.')
describe RCVD_IN_AHBL           Received via a relay in dnsbl.ahbl.org
tflags RCVD_IN_AHBL             net
score RCVD_IN_AHBL              0 1.271 0 2.0
# RSL RBL checks
header RCVD_IN_RSL              eval:check_rbl_txt('rsl',
'relays.visi.com.')
describe RCVD_IN_RSL            Received via a relay in relays.visi.com.
tflags RCVD_IN_RSL              net
score RCVD_IN_RSL               0 1.271 0 1.6
# SBL+XBL checks
header RCVD_IN_SBL+XBL
eval:check_rbl_txt('sbl-xbl','sbl-xbl.spamhaus.org.')
describe RCVD_IN_SBL+XBL        Received via a relay in
sbl-xbl.spamhaus.org
tflags RCVD_IN_SBL+XBL          net
score RCVD_IN_SBL+XBL           0 1.5 0 2.0
#
# Customize RBL scores and disable unwanted lists
#
# Higher the score of DSBL
score RCVD_IN_DSBL              0 1.271 0 1.6
score RCVD_IN_SORBS             0 1.0 0 1.0
# Disable SBL since we check with the combined SBL+XBL
score   RCVD_IN_SBL             0

You might want to consider to move the checks of XBL to SA.

Bye,
Raymond.

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
For further info about MailScanner, please see the Most Asked
Questions at    http://www.mailscanner.biz/maq/     and the archives
at    http://www.jiscmail.ac.uk/lists/mailscanner.html

More information about the MailScanner mailing list