<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1276" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>A user received an
email from someone that was just basically a personal letter. There really
wasn't anything to spammy about it.</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Well, the email got
tagged as spam as follows:</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004>
<DIV><FONT face=Arial><FONT size=2>Jun 3 09:00:56 manhattan
MailScanner[336]: Message i53E0UHu002354 from 66.163.170.83 (<SPAN
class=406081919-03062004>xxx.xxx</SPAN></FONT></FONT><A
title=mailto:clay_alexander@swbell.net href="mailto:c@swbell.net"><FONT
face=Arial size=2>@swbell.net</FONT></A><FONT face=Arial size=2>) to <SPAN
class=406081919-03062004>xxx</SPAN>.com is spam, SpamAssassin (score=10.66,
required 8, BAYES_99 5.40, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16, RCVD_IN_XBL
5.00) </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>1) I searched to
find where the XBL came from and finally realized I had created a custom rule
under /etc/mail/spamassasin. Maybe this score is too high. </FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>But when I went to
<A href="http://www.spamhaus.org">www.spamhaus.org</A> to check the IP listed
above in their XBL database, it said it was not listed? Now I tracked down that
the user has a DSL account and his IP changes. But is the XBL a realtime check
against someone's active IP? Or why would it report that the IP was on the list
if it wasn't?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Here is the rule I
used (I've now lowered the score):</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2># XBL is the
Spamhaus Exploits Block List: <A
href="http://www.spamhaus.org/xbl/">http://www.spamhaus.org/xbl/</A><BR>header
RCVD_IN_XBL
eval:check_rbl_txt('xbl','xbl.spamhaus.org.')<BR>describe
RCVD_IN_XBL
Received via a relay in Spamhaus XBL<BR>tflags
RCVD_IN_XBL
net<BR>score
RCVD_IN_XBL
2<BR></FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>Have I made a
mistake here?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial size=2>2) Obviously I have
problems with Bayes and need to train more ham?? When I resent the actual
message back through our system from myself to myself, the bayes score was very
low. Could the bayes score be largely based on the fact that it came from
the domain swbell.net? And bayes has learned from a lot of spam coming from
there?</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2>Thanks,</FONT></SPAN></DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2>Max</DIV></FONT></SPAN>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=406081919-03062004><FONT face=Arial
size=2></FONT></SPAN> </DIV></SPAN></DIV></BODY></HTML>
-------------------------- MailScanner list ----------------------<br>
To leave, send leave mailscanner to <a href="mailto:jiscmail@jiscmail.ac.uk">jiscmail@jiscmail.ac.uk</a><br>
Before posting, please see the Most Asked Questions at<br>
<a href="http://www.mailscanner.biz/maq/">http://www.mailscanner.biz/maq/</a> and the archives at<br>
<a href="http://www.jiscmail.ac.uk/lists/mailscanner.html">http://www.jiscmail.ac.uk/lists/mailscanner.html</a><br>