Stops after RCVD_IN_BL_SPAMCOP_NET

Steve Freegard steve.freegard at fsl.com
Fri Jan 9 23:28:43 GMT 2009 

Joe Garvey wrote:
> Here are the top 15 results from the spamassassin hits.
> 
> RCVD_IN_BL_SPAMCOP_NET is sitting at 74,756. There are a few other rules that hit over 45,000 but it drops dramatically after that with most rules only being hit with an average of 5,000. With RCVD_IN_BL_SPAMCOP_NET having such as high hit count compared to everything else it really makes me wonder why no other rules are getting hit as much as it is.

Maybe it's just the style of the traffic your system gets and there's 
nothing wrong with your configuration?

Why not analyse where the hits are coming from and see if you're just 
getting a lot of connections from the same hosts; as you're running 
MailWatch - you could try running the following SQL:

SELECT clientip, COUNT(*) as count FROM maillog WHERE date >= 
CURRENT_DATE() - INTERVAL 7 DAY AND spamreport LIKE 
'%RCVD_IN_BL_SPAMCOP_NET%' ORDER BY count DESC;

All I know is that if I got that many hits on Spamcop - I'd be blocking 
it all in my MTA instead....

> DCC_CHECK 	Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 	86,708 	1,066 	1.2 	85,642 	98.8
> RCVD_IN_BL_SPAMCOP_NET 	Received via a relay in bl.spamcop.net 	74,756 	256 	0.3 	74,500 	99.7
> BAYES_99 	Bayesian spam probability is 99 to 100% 	73,555 	87 	0.1 	73,468 	99.9
> URIBL_JP_SURBL 	Contains an URL listed in the JP SURBL blocklist 	66,847 	40 	0.1 	66,807 	99.9
> URIBL_SBL 	Contains an URL listed in the SBL blocklist 	64,011 	15 	0 	63,996 	100
> URIBL_SBLXBL 	Contains a URL listed in the SBL/XBL blocklist 	59,950 	13 	0 	59,937 	100
> URIBL_AB_SURBL 	Contains an URL listed in the AB SURBL blocklist 	57,969 	72 	0.1 	57,897 	99.9
> HTML_MESSAGE 	HTML included in message 	57,796 	5,932 	10.3 	51,864 	89.7
> URIBL_OB_SURBL 	Contains an URL listed in the OB SURBL blocklist 	54,305 	28 	0.1 	54,277 	99.9
> URIBL_WS_SURBL 	Contains an URL listed in the WS SURBL blocklist 	46,946 	18 	0 	46,928 	100
> RAZOR2_CHECK 	Listed in Razor2 (http://razor.sf.net/) 	46,385 	227 	0.5 	46,158 	99.5
> RAZOR2_CF_RANGE_51_100 	Razor2 gives confidence level above 50% 	45,793 	188 	0.4 	45,605 	99.6
> RCVD_IN_XBL 	Received via a relay in Spamhaus XBL 	44,779 	2 	0 	44,777 	100
> DIGEST_MULTIPLE 	Message hits more than one network digest check 	40,121 	50 	0.1 	40,071 	99.9

Based in the above - this doesn't look to bad to me....

Cheers,
Steve.

More information about the MailScanner mailing list