<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=984193919-03062004><FONT face=Arial color=#0000ff size=2>Could
be that one of the IPs the message went through was in fact in the
XBL.</FONT></SPAN></DIV>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> MailScanner
mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] <B>On Behalf Of </B>Max
Kipness<BR><B>Sent:</B> Thursday, June 03, 2004 2:29 PM<BR><B>To:</B>
MAILSCANNER@JISCMAIL.AC.UK<BR><B>Subject:</B> Question about SA, RBLs and
Bayes<BR><BR></FONT></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>A user received an
email from someone that was just basically a personal letter. There really
wasn't anything too spammy about it.</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Well, the email
got tagged as spam as follows:</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004>
<DIV><FONT face=Arial><FONT size=2>Jun 3 09:00:56 manhattan
MailScanner[336]: Message i53E0UHu002354 from 66.163.170.83 (<SPAN
class=406081919-03062004>xxx.xxx</SPAN></FONT></FONT><A
title=mailto:clay_alexander@swbell.net href="mailto:c@swbell.net"><FONT
face=Arial size=2>@swbell.net</FONT></A><FONT face=Arial size=2>)
to <SPAN class=406081919-03062004>xxx</SPAN>.com is spam, SpamAssassin
(score=10.66, required 8, BAYES_99 5.40, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16,
RCVD_IN_XBL 5.00) </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>1) I searched to
find where the XBL came from and finally realized I had created a custom rule
under /etc/mail/spamassasin. Maybe this score is too high.
</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>But when I went to
<A href="http://www.spamhaus.org">www.spamhaus.org</A> to check the IP listed
above in their XBL database, it said it was not listed? Now I tracked down
that the user has a DSL account and his IP changes. But is the XBL a realtime
check against someone's active IP? Or why would it report that the IP was on
the list if it wasn't?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Here is the rule I
used (I've now lowered the score):</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2># XBL is the
Spamhaus Exploits Block List: <A
href="http://www.spamhaus.org/xbl/">http://www.spamhaus.org/xbl/</A><BR>
header RCVD_IN_XBL eval:check_rbl_txt('xbl','xbl.spamhaus.org.')<BR>
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL<BR>
tflags RCVD_IN_XBL net<BR>
score RCVD_IN_XBL 2<BR></FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Have I made a
mistake here?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>2) Obviously I
have problems with Bayes and need to train more ham?? When I resent the actual
message back through our system from myself to myself, the bayes score was
very low. Could the bayes score be largely based on the fact that it
came from the domain swbell.net? And bayes has learned from a lot of spam
coming from there?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2>Thanks,</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2>Max</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV></SPAN></DIV>--------------------------
MailScanner list ----------------------<BR>To leave, send leave mailscanner to
<A href="mailto:jiscmail@jiscmail.ac.uk">jiscmail@jiscmail.ac.uk</A><BR>Before
posting, please see the Most Asked Questions at<BR><A
href="http://www.mailscanner.biz/maq/">http://www.mailscanner.biz/maq/</A> and
the archives at<BR><A
href="http://www.jiscmail.ac.uk/lists/mailscanner.html">http://www.jiscmail.ac.uk/lists/mailscanner.html</A><BR></BLOCKQUOTE></BODY></HTML>
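<br>
Added example, not part of the original thread and not MailScanner or SpamAssassin code: a sketch of why a relay-based DNSBL rule can fire when the connecting IP in the log is not listed, as the reply suggests. The Received headers, the 192.0.2.45 address, the 127.0.0.4 answer and the resolver stand-in are constructed; only 66.163.170.83, the message id and the zone name come from the thread.<br>

```python
import ipaddress
import re

# Constructed Received chain, newest hop first. 66.163.170.83 is the
# connecting relay from the log line; 192.0.2.45 stands in for the
# sender's dynamic DSL address (documentation range).
SAMPLE_HEADERS = [
    "Received: from smtp.example.net (smtp.example.net [66.163.170.83]) "
    "by manhattan.example.com with ESMTP id i53E0UHu002354",
    "Received: from home-pc (adsl.example.net [192.0.2.45]) "
    "by smtp.example.net with SMTP",
    "Received: from localhost ([127.0.0.1]) by home-pc with SMTP",
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Loopback and RFC 1918 ranges are never worth a DNSBL query.
SKIP = [ipaddress.ip_network(n) for n in
        ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def relay_ips(received_headers):
    """Return every routable IPv4 address named in the Received chain."""
    ips = []
    for header in received_headers:
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:
                continue  # malformed octets such as [999.1.1.1]
            if not any(ip in net for net in SKIP):
                ips.append(ip)
    return ips


def dnsbl_name(ip, zone="xbl.spamhaus.org"):
    """Build the DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def listed_relays(received_headers, resolve):
    """Query every hop; resolve(name) returns an A record string or None."""
    hits = []
    for ip in relay_ips(received_headers):
        answer = resolve(dnsbl_name(ip))
        if answer is not None:
            hits.append((str(ip), answer))
    return hits


# Offline stand-in for DNS: only the constructed DSL address is "listed".
FAKE_ZONE = {"45.2.0.192.xbl.spamhaus.org": "127.0.0.4"}
fake_resolve = FAKE_ZONE.get
```

Looking up only the connecting IP on the web form misses the earlier hop, which is the address a relay-based rule would also query.<br>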