Question about SA, RBLs and Bayes

Max Kipness mkipness at GENIANT.COM
Thu Jun 3 21:13:13 IST 2004


Ok, after checking more, I found out that I was checking Yahoo/SWBell's
SMTP server IP. What is actually listed on CBL is the guy's DSL IP. I
couldn't see this IP in the Sendmail logs, but when he sent me a message
directly I could see it in OPTIONS in Outlook.
 
Thanks,
Max


________________________________

        From: MailScanner mailing list
[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Alex Neuman
        Sent: Thursday, June 03, 2004 2:40 PM
        To: MAILSCANNER at JISCMAIL.AC.UK
        Subject: Re: Question about SA, RBLs and Bayes
	
	
        Could be one of the IPs where the message went through was in
fact in the XBL.

                -----Original Message-----
                From: MailScanner mailing list
[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Max Kipness
                Sent: Thursday, June 03, 2004 2:29 PM
                To: MAILSCANNER at JISCMAIL.AC.UK
                Subject: Question about SA, RBLs and Bayes
        	
        	
                A user received an email from someone that was just
basically a personal letter. There really wasn't anything too spammy
about it.
                 
                Well, the email got tagged as spam as follows:
                 
        	
                Jun  3 09:00:56 manhattan MailScanner[336]: Message i53E0UHu002354 from 66.163.170.83 (xxx.xxx at swbell.net) to xxx.com is spam, SpamAssassin (score=10.66, required 8, BAYES_99 5.40, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16, RCVD_IN_XBL 5.00)
                 
                1) I searched to find where the XBL came from and
finally realized I had created a custom rule under
/etc/mail/spamassasin. Maybe this score is too high. 
                 
                But when I went to www.spamhaus.org to check the IP
listed above in their XBL database, it said it was not listed? Now I
tracked down that the user has a DSL account and his IP changes. But is
the XBL a realtime check against someone's active IP? Or why would it
report that the IP was on the list if it wasn't?
                 
                Here is the rule I used (I've now lowered the score):
                 
                # XBL is the Spamhaus Exploits Block List: http://www.spamhaus.org/xbl/
                header RCVD_IN_XBL              eval:check_rbl_txt('xbl','xbl.spamhaus.org.')
                describe RCVD_IN_XBL            Received via a relay in Spamhaus XBL
                tflags RCVD_IN_XBL              net
                score RCVD_IN_XBL               2
        	
                Have I made a mistake here?
                 
                2) Obviously I have problems with Bayes and need to
train more ham?? When I resent the actual message back through our
system from myself to myself, the bayes score was very low. Could the
bayes score be largely based on the fact that  it came from the domain
swbell.net? And bayes has learned from a lot of spam coming from there?
                 
                Thanks,
                Max
                 
                 
                -------------------------- MailScanner list
----------------------
                To leave, send leave mailscanner to
jiscmail at jiscmail.ac.uk
                Before posting, please see the Most Asked Questions at
                http://www.mailscanner.biz/maq/ and the archives at
                http://www.jiscmail.ac.uk/lists/mailscanner.html
        	

	


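The point the thread arrives at, that the blocklist hit can come from any relay in the Received chain rather than from the connecting IP shown in the MailScanner log line, shown as an added example (not part of the original posts and not SpamAssassin's own code). The message, hostnames and the 203.0.113.45 client address are constructed placeholders; only 66.163.170.83 and the zone xbl.spamhaus.org come from the thread, and the sketch assumes every public hop is looked up.

```python
import email
import ipaddress
import re
import socket

# Constructed message: only 66.163.170.83 is from the thread; 203.0.113.45 is a placeholder DSL IP.
SAMPLE = """\
Received: from smtp.example.net (smtp.example.net [66.163.170.83])
\tby manhattan.example.com with ESMTP id i53E0UHu002354
Received: from sender-pc (dsl.example.net [203.0.113.45])
\tby smtp.example.net with SMTP
From: sender@example.net

A personal letter.
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SKIP = [ipaddress.ip_network(n) for n in  # RFC 1918 space and loopback
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_ips(raw_message):
    """Public IPv4 addresses from all Received headers, newest hop first."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for text in BRACKETED_IP.findall(header):
            try:
                addr = ipaddress.IPv4Address(text)
            except ValueError:  # not a valid address, e.g. [999.1.1.1]
                continue
            if text not in found and not any(addr in net for net in SKIP):
                found.append(text)
    return found

def dnsbl_query_name(ip, zone="xbl.spamhaus.org"):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def lookup(ip, zone="xbl.spamhaus.org"):
    """Live query (needs DNS). Returns the answer address, or None if not listed.
    Spamhaus answers in 127.255.255.0/24 signal a query error, not a listing."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    return None if answer.startswith("127.255.255.") else answer

if __name__ == "__main__":
    for ip in received_ips(SAMPLE):
        print(ip, "->", dnsbl_query_name(ip))
```

Checking only the first address on the Spamhaus site reproduces the "not listed" result from the thread; the second query name is the one that corresponds to the sender's own connection.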