Question about SA, RBLs and Bayes

Max Kipness mkipness at GENIANT.COM
Thu Jun 3 20:28:30 IST 2004


A user received an email from someone that was just basically a personal
letter. There really wasn't anything too spammy about it.
 
Well, the email got tagged as spam as follows:
 
Jun  3 09:00:56 manhattan MailScanner[336]: Message i53E0UHu002354 from
66.163.170.83 (xxx.xxx at swbell.net) to xxx.com is
spam, SpamAssassin (score=10.66, required 8, BAYES_99 5.40, HTML_MESSAGE
0.10, NO_REAL_NAME 0.16, RCVD_IN_XBL 5.00)
 
1) I searched to find where the XBL came from and finally realized I had
created a custom rule under /etc/mail/spamassasin. Maybe this score is
too high. 
 
But when I went to www.spamhaus.org to check the IP listed above in
their XBL database, it said it was not listed? Now I tracked down that
the user has a DSL account and his IP changes. But is the XBL a realtime
check against someone's active IP? Or why would it report that the IP
was on the list if it wasn't?
 
Here is the rule I used (I've now lowered the score):
 
# XBL is the Spamhaus Exploits Block List: http://www.spamhaus.org/xbl/
header RCVD_IN_XBL              eval:check_rbl_txt('xbl','xbl.spamhaus.org.')
describe RCVD_IN_XBL            Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL              net
score RCVD_IN_XBL               2

Have I made a mistake here?
 
2) Obviously I have problems with Bayes and need to train more ham??
When I resent the actual message back through our system from myself to
myself, the bayes score was very low. Could the bayes score be largely
based on the fact that it came from the domain swbell.net? And bayes
has learned from a lot of spam coming from there?
 
Thanks,
Max
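
An added example, not part of the original post: it parses the MailScanner log line quoted above, shows how the verdict changes when RCVD_IN_XBL is rescored from 5.00 to the 2 used in the rule, and builds the DNS name that a DNSBL lookup for that relay IP in the rule's zone would query. The function names are hypothetical and the log line is re-typed from the post as sample input.

```python
import re

# Sample input: the log line from the post, joined onto one line (constructed).
LOG_LINE = (
    "Jun  3 09:00:56 manhattan MailScanner[336]: Message i53E0UHu002354 from "
    "66.163.170.83 (xxx.xxx at swbell.net) to xxx.com is spam, SpamAssassin "
    "(score=10.66, required 8, BAYES_99 5.40, HTML_MESSAGE 0.10, "
    "NO_REAL_NAME 0.16, RCVD_IN_XBL 5.00)"
)

LOG_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) .*?"
    r"SpamAssassin \(score=(?P<score>-?[\d.]+), "
    r"required (?P<required>-?[\d.]+), (?P<rules>[^)]*)\)"
)

def parse_report(line):
    """Split a MailScanner SpamAssassin report line into its fields."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a MailScanner SpamAssassin report line")
    rules = {}
    for item in m.group("rules").split(","):
        name, value = item.split()          # e.g. "BAYES_99", "5.40"
        rules[name] = float(value)
    return {"id": m.group("id"), "ip": m.group("ip"),
            "score": float(m.group("score")),
            "required": float(m.group("required")), "rules": rules}

def rescore(report, overrides=None):
    """Total score after replacing some rule scores (None drops the rule)."""
    rules = dict(report["rules"])
    rules.update(overrides or {})
    return round(sum(v for v in rules.values() if v is not None), 2)

def is_spam(report, overrides=None):
    return rescore(report, overrides) >= report["required"]

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")

if __name__ == "__main__":
    r = parse_report(LOG_LINE)
    print("logged total:", rescore(r), "spam:", is_spam(r))
    print("XBL at 2:", rescore(r, {"RCVD_IN_XBL": 2.0}),
          "spam:", is_spam(r, {"RCVD_IN_XBL": 2.0}))
    print("lookup name:", dnsbl_query_name(r["ip"], "xbl.spamhaus.org."))
```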
 
 
