Question about SA, RBLs and Bayes
Alex Neuman
alex at nkpanama.com
Thu Jun 3 20:39:57 IST 2004
Could be one of the IP's where the message went through was in fact in the
XBL.
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Max Kipness
Sent: Thursday, June 03, 2004 2:29 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Question about SA, RBLs and Bayes
A user received an email from someone that was just basically a personal
letter. There really wasn't anything to spammy about it.
Well, the email got tagged as spam as follows:
Jun 3 09:00:56 manhattan MailScanner[336]: Message i53E0UHu002354 from
66.163.170.83 (xxx.xxx <mailto:c at swbell.net> @swbell.net) to xxx.com is
spam, SpamAssassin (score=10.66, required 8, BAYES_99 5.40, HTML_MESSAGE
0.10, NO_REAL_NAME 0.16, RCVD_IN_XBL 5.00)
1) I searched to find where the XBL came from and finally realized I had
created a custom rule under /etc/mail/spamassasin. Maybe this score is too
high.
But when I went to www.spamhaus.org to check the IP listed above in their
XBL database, it said it was not listed? Now I tracked down that the user
has a DSL account and his IP changes. But is the XBL a realtime check
against someone's active IP? Or why would it report that the IP was on the
list if it wasn't?
Here is the rule I used (I've now lowered the score):
# XBL is the Spamhaus Exploits Block List: http://www.spamhaus.org/xbl/
header RCVD_IN_XBL
eval:check_rbl_txt('xbl','xbl.spamhaus.org.')
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL net
score RCVD_IN_XBL 2
Have I made a mistake here?
2) Obviously I have problems with Bayes and need to train more ham?? When I
resent the actual message back through our system from myself to myself, the
bayes score was very low. Could the bayes score be largely based on the fact
that it came from the domain swbell.net? And bayes has learned from a lot
of spam coming from there?
Thanks,
Max
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040603/0018ee24/attachment.html
More information about the MailScanner
mailing list