Question about SA, RBLs and Bayes

Matt Kettler mkettler at EVI-INC.COM
Thu Jun 3 20:57:19 IST 2004


At 03:28 PM 6/3/2004, Max Kipness wrote:
>1) I searched to find where the XBL came from and finally realized I had
>created a custom rule under /etc/mail/spamassassin. Maybe this score is too
>high.
>
>But when I went to www.spamhaus.org to check the
>IP listed above in their XBL database, it said it was not listed? Now I
>tracked down that the user has a DSL account and his IP changes. But is
>the XBL a realtime check against someone's active IP? Or why would it
>report that the IP was on the list if it wasn't?

The XBL doesn't do a realtime test of an active IP. However, being an RBL
type system, XBL's contents change constantly.

XBL gets its contents from OPM and CBL.  One can read on the website that
OPM expires entries for dynamic IPs more quickly than for static.

I don't know how fast they expire them, but 12 or 24 hours wouldn't be
surprising to me.

>  Here is the rule I used (I've now lowered the score):
>
># XBL is the Spamhaus Exploits Block List:
>http://www.spamhaus.org/xbl/
>header RCVD_IN_XBL              eval:check_rbl_txt('xbl','xbl.spamhaus.org.')
>describe RCVD_IN_XBL            Received via a relay in Spamhaus XBL
>tflags RCVD_IN_XBL              net
>score RCVD_IN_XBL               2
>Have I made a mistake here?

Nope, looks good.

>
>2) Obviously I have problems with Bayes and need to train more ham?? When
>I resent the actual message back through our system from myself to myself,
>the bayes score was very low. Could the bayes score be largely based on
>the fact that  it came from the domain swbell.net? And bayes has learned
>from a lot of spam coming from there?

Unlikely to be something as simple as just the sending domain, or any other
single token. The typical short message is going to have about 2 dozen
tokens in it. It would be VERY uncommon for a single token to be the
breaking point between BAYES_99 and BAYES_00.

Try running the message through spamassassin -D and look at all the tokens
listed and their scores. (note: don't freak out if one or two tokens have a
score on the "wrong side". It's the aggregate that matters)
