Question about SA, RBLs and Bayes
Max Kipness
mkipness at GENIANT.COM
Thu Jun 3 21:13:13 IST 2004
Ok, after checking more, I found out that I was checking Yahoo/SWBell's
SMTP server IP. What is actually listed on CBL is the guy's DSL IP. I
couldn't see this IP in the Sendmail logs, but when he sent me a message
directly I could see it in OPTIONS in Outlook.
Thanks,
Max
________________________________
From: MailScanner mailing list
[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Alex Neuman
Sent: Thursday, June 03, 2004 2:40 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Question about SA, RBLs and Bayes
Could be one of the IPs where the message went through was in
fact in the XBL.
-----Original Message-----
From: MailScanner mailing list
[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Max Kipness
Sent: Thursday, June 03, 2004 2:29 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Question about SA, RBLs and Bayes
A user received an email from someone that was just
basically a personal letter. There really wasn't anything too spammy
about it.
Well, the email got tagged as spam as follows:
Jun 3 09:00:56 manhattan MailScanner[336]: Message i53E0UHu002354 from 66.163.170.83 (xxx.xxx at swbell.net) to xxx.com is spam, SpamAssassin (score=10.66, required 8, BAYES_99 5.40, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16, RCVD_IN_XBL 5.00)
1) I searched to find where the XBL came from and
finally realized I had created a custom rule under
/etc/mail/spamassasin. Maybe this score is too high.
But when I went to www.spamhaus.org to check the IP
listed above in their XBL database, it said it was not listed? Now I
tracked down that the user has a DSL account and his IP changes. But is
the XBL a realtime check against someone's active IP? Or why would it
report that the IP was on the list if it wasn't?
Here is the rule I used (I've now lowered the score):
# XBL is the Spamhaus Exploits Block List: http://www.spamhaus.org/xbl/
header RCVD_IN_XBL eval:check_rbl_txt('xbl','xbl.spamhaus.org.')
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL net
score RCVD_IN_XBL 2
Have I made a mistake here?
2) Obviously I have problems with Bayes and need to
train more ham?? When I resent the actual message back through our
system from myself to myself, the bayes score was very low. Could the
bayes score be largely based on the fact that it came from the domain
swbell.net? And bayes has learned from a lot of spam coming from there?
Thanks,
Max
-------------------------- MailScanner list
----------------------
To leave, send leave mailscanner to
jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
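
Added example, not part of the original thread and not SpamAssassin's own code: the thread concludes that the listed address was the sender's DSL IP rather than the connecting relay 66.163.170.83 shown in the log. The Python below walks every Received hop and builds the reversed-octet DNSBL query name for each, so a hit on an earlier hop shows up even when the connecting IP is clean. The header text, hostnames, the 203.0.113.45 placeholder and the fake_lookup stand-in for DNS are assumptions.

```python
import ipaddress
import re

# Constructed sample headers. 66.163.170.83 is the connecting relay from the
# log line in the thread; 203.0.113.45 is a placeholder for the sender's DSL
# address, which the thread does not give. Hostnames are hypothetical.
SAMPLE_HEADERS = """\
Received: from smtp.example.net (smtp.example.net [66.163.170.83])
\tby manhattan.example.com with ESMTP id i53E0UHu002354;
\tThu, 3 Jun 2004 09:00:30 -0500
Received: from home-pc (dsl.example.net [203.0.113.45])
\tby smtp.example.net with ESMTP; Thu, 3 Jun 2004 09:00:21 -0500
From: sender@example.net
Subject: hello
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_headers):
    """Return bracketed IPv4 addresses from Received headers, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    ips = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for candidate in BRACKETED_IP.findall(line):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. [999.1.1.1]
            if not ip.is_loopback:
                ips.append(str(ip))
    return ips

def dnsbl_query_name(ip, zone="xbl.spamhaus.org"):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")

def listed_hops(raw_headers, is_listed, zone="xbl.spamhaus.org"):
    """Return every hop IP whose DNSBL name the is_listed callback reports."""
    return [ip for ip in received_ips(raw_headers)
            if is_listed(dnsbl_query_name(ip, zone))]

# Offline stand-in for the DNS lookup: only the placeholder DSL address is
# "listed". A live check would resolve the name and treat NXDOMAIN as clean.
CONSTRUCTED_LISTED = {"45.113.0.203.xbl.spamhaus.org"}

def fake_lookup(name):
    return name in CONSTRUCTED_LISTED
```

Calling listed_hops(SAMPLE_HEADERS, fake_lookup) returns only the earlier hop, while the connecting relay's query name is not in the constructed listing.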