<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1276" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=437421020-03062004><FONT face=Arial
color=#0000ff size=2>Ok, after checking more, I found out that I was checking
Yahoo/SWBell's SMTP server IP. What is actually listed on CBL is the guy's DSL
IP. I couldn't see this IP in the Sendmail logs, but when he sent me a message
directly I could see it in OPTIONS in Outlook.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=437421020-03062004><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=437421020-03062004><FONT face=Arial
color=#0000ff size=2>Thanks,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=437421020-03062004><FONT face=Arial
color=#0000ff size=2>Max</FONT></SPAN></DIV><BR>
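<DIV>Added example, not part of the original thread: a Python sketch of why a Received-header DNSBL rule can fire on an IP other than the one in the MailScanner log line, since every hop recorded in the headers is queried. The sample message, the DSL address 203.0.113.45, the hostnames and the helper names are constructed for illustration; the DNS lookup is injectable so the check also runs offline.</DIV>

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample message. 66.163.170.83 is the relay IP from the log line
# in the thread; 203.0.113.45 is a made-up stand-in for the sender's DSL IP.
SAMPLE = (
    "Received: from smtp.relay.example (smtp.relay.example [66.163.170.83])\n"
    "\tby mx.recipient.example with ESMTP; Thu, 3 Jun 2004 09:00:30 -0500\n"
    "Received: from desktop (dsl.customer.example [203.0.113.45])\n"
    "\tby smtp.relay.example with SMTP; Thu, 3 Jun 2004 07:00:25 -0700\n"
    "From: sender@example.net\n"
    "To: user@example.com\n"
    "Subject: hello\n"
    "\n"
    "Personal letter.\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Distinct IPv4 addresses from all Received headers, newest hop first."""
    ips = []
    for header in message_from_string(raw).get_all("Received", []):
        for candidate in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a valid dotted quad
            if not ip.is_loopback and str(ip) not in ips:
                ips.append(str(ip))
    return ips

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone.strip(".")

def dns_listed(name):
    """A listed address resolves; an unlisted one returns NXDOMAIN."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def listed_hops(raw, zone, lookup=dns_listed):
    """Return the hop IPs that the given DNSBL zone lists."""
    return [ip for ip in received_ips(raw) if lookup(dnsbl_query_name(ip, zone))]
```

<DIV>Checking only the first address that <code>received_ips</code> returns reproduces the "not listed" result from the web lookup; the listing only shows up when the earlier hop is queried as well.</DIV>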
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> MailScanner mailing list
[mailto:MAILSCANNER@JISCMAIL.AC.UK] <B>On Behalf Of </B>Alex
Neuman<BR><B>Sent:</B> Thursday, June 03, 2004 2:40 PM<BR><B>To:</B>
MAILSCANNER@JISCMAIL.AC.UK<BR><B>Subject:</B> Re: Question about SA, RBLs and
Bayes<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><SPAN class=984193919-03062004><FONT face=Arial color=#0000ff
size=2>Could be one of the IPs where the message went through was in fact in
the XBL.</FONT></SPAN></DIV>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> MailScanner
mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] <B>On Behalf Of </B>Max
Kipness<BR><B>Sent:</B> Thursday, June 03, 2004 2:29 PM<BR><B>To:</B>
MAILSCANNER@JISCMAIL.AC.UK<BR><B>Subject:</B> Question about SA, RBLs and
Bayes<BR><BR></FONT></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>A user received
an email from someone that was just basically a personal letter. There
really wasn't anything too spammy about it.</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Well, the email
got tagged as spam as follows:</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004>
<DIV><FONT face=Arial><FONT size=2>Jun 3 09:00:56 manhattan
MailScanner[336]: Message i53E0UHu002354 from 66.163.170.83 (<SPAN
class=406081919-03062004>xxx.xxx</SPAN></FONT></FONT><A
title=mailto:clay_alexander@swbell.net href="mailto:c@swbell.net"><FONT
face=Arial size=2>@swbell.net</FONT></A><FONT face=Arial size=2>)
to <SPAN class=406081919-03062004>xxx</SPAN>.com is spam, SpamAssassin
(score=10.66, required 8, BAYES_99 5.40, HTML_MESSAGE 0.10, NO_REAL_NAME
0.16, RCVD_IN_XBL 5.00) </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>1) I searched to
find where the XBL came from and finally realized I had created a custom
rule under /etc/mail/spamassasin. Maybe this score is too high.
</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>But when I went
to <A href="http://www.spamhaus.org">www.spamhaus.org</A> to check the IP
listed above in their XBL database, it said it was not listed? Now I tracked
down that the user has a DSL account and his IP changes. But is the XBL a
realtime check against someone's active IP? Or why would it report that the
IP was on the list if it wasn't?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Here is the rule
I used (I've now lowered the score):</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2># XBL is the
Spamhaus Exploits Block List: <A
href="http://www.spamhaus.org/xbl/">http://www.spamhaus.org/xbl/</A><BR>header
RCVD_IN_XBL
eval:check_rbl_txt('xbl','xbl.spamhaus.org.')<BR>describe
RCVD_IN_XBL
Received via a relay in Spamhaus XBL<BR>tflags
RCVD_IN_XBL
net<BR>score
RCVD_IN_XBL
2<BR></FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Have I made a
mistake here?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>2) Obviously I
have problems with Bayes and need to train more ham?? When I resent the
actual message back through our system from myself to myself, the bayes
score was very low. Could the bayes score be largely based on the fact
that it came from the domain swbell.net? And bayes has learned from a
lot of spam coming from there?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2>Thanks,</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2>Max</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV></SPAN></DIV>--------------------------
MailScanner list ----------------------<BR>To leave, send leave mailscanner
to <A
href="mailto:jiscmail@jiscmail.ac.uk">jiscmail@jiscmail.ac.uk</A><BR>Before
posting, please see the Most Asked Questions at<BR><A
href="http://www.mailscanner.biz/maq/">http://www.mailscanner.biz/maq/</A>
and the archives at<BR><A
href="http://www.jiscmail.ac.uk/lists/mailscanner.html">http://www.jiscmail.ac.uk/lists/mailscanner.html</A><BR></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>