Re: Spam messages autolearned as ham
26.09.2014, 02:53, Amir Caspi wrote:
> As a result, I've got plenty of great fresh spam to feed the filter. I've also got plenty of great ham.

Could you take a share in MassChecks? Currently SpamAssassin masschecks seem to need more fresh spam and ham. Would be great to have you within the team.

-- jarif.bit
Re: Spamassasin not as effective anymore
I’ve been using SpamAssassin for a number of years with excellent results.

I recently updated my SA version to 3.4.0_13 and found that it caught much more than it had been. It’s not enough to run sa-update, you need to keep the install version up to date as well.

Just updated SA to 3.4.0 on CentOS 6 using: http://copr.fedoraproject.org/coprs/kevin/spamassassin-el/ which seems to be a neat re-package of FC21's spamassassin for EL5 and EL6. Kevin is a Fedora project person responsible for spamassassin, so he should know what he's doing :)

Anthony
--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex, BN11 1QR
Re: Spamassasin not as effective anymore
On 09/29/2014 05:27 PM, Lorenzo Thurman wrote:
> I’ve created a paste bin with a couple of sample emails here: http://pastebin.com/KfYrGMm8

> reject_rbl_client sbl-xbl.spamhaus.org,

replace this with zen.spamhaus.org

> reject_rbl_client cbl.abuseat.org,

This is included in Zen - remove.

> reject_rbl_client multi.uribl.com,

URIBL doesn't list sender IPs - remove this.

> reject_rbl_client dsn.rfc-ignorant.org,

OBSOLETE - DEAD - REMOVE

> reject_rbl_client list.dsbl.org,

OBSOLETE - DEAD - REMOVE

> My DNS forwards queries. I hope this is enough.

You should let your DNS do the resolving without forwarding to a third party outside your control.

SA reports show no SURBL/DBL/URIBL hits - do you see any hits in your maillogs?

> On Sep 27, 2014, at 7:02 AM, Axb axb.li...@gmail.com wrote:
>> On 09/27/2014 04:59 AM, Lorenzo Thurman wrote:
>>> I’ve been using SpamAssassin for a number of years with excellent results. But, now over the last month or so, it has been scoring spam very low. It still catches most spam, but whereas only about a dozen or so might get through to my inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via cron every day and I have a special mail folder where I place missed spam and run sa-learn against it weekly. I know it's an arms race out there fighting spam, but here are some sample subject lines with SA's scores that I think should be caught. I know SpamAssassin looks at a lot more than subject lines, but Does anyone know what I can do to increase SpamAssassin’s ability to detect spam? My threshold is set to 4.6.
>>>
>>> Complete Our Survey, qualify for free-samples 4.1
>>> Re: Your Score-Changes on: 09/26/2014* 2.9
>>> Weird 30 second trick cURES Diabetes..” 4.1
>>> Quality Window Replacement Deals” 4.4
>>> Find a PhD degree online in the specialty field” 2.8
>>> Your background check is Available online” 2.4
>>> Perfect vision with one weird trick” 0.0
>>
>> Please try to reply to the questions below so others get a better picture of your setup/issue.
>> - Please post missed spam samples in pastebin.com - do not post samples to mailing list
>> - What SA version are you using
>> - How are you using SA? (amavis, milter, Mailscanner, procmail, Fuglu, etc, etc)
>> - Are you using SA in a PC/notebook? or on a server?
>> - What plugins are you using? (Razor, Pyzor, DCC, etc)
>> - Are you using a local, non forwarding, DNS resolver/caching server ?
>>
>> Axb
Re: Spamassasin not as effective anymore
I’ve created a paste bin with a couple of sample emails here: http://pastebin.com/KfYrGMm8

I’m running SpamAssassin on my mail server, Ubuntu 14.04. I use postfix as my MTA. SpamAssassin is at 3.4.0, with razor, and I have these recipient restrictions set in postfix:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rbl_client rabl.nuclearelephant.com,
    permit

My DNS forwards queries. I hope this is enough.

Thanks

On Sep 27, 2014, at 7:02 AM, Axb axb.li...@gmail.com wrote:
> On 09/27/2014 04:59 AM, Lorenzo Thurman wrote:
>> I’ve been using SpamAssassin for a number of years with excellent results. But, now over the last month or so, it has been scoring spam very low. It still catches most spam, but whereas only about a dozen or so might get through to my inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via cron every day and I have a special mail folder where I place missed spam and run sa-learn against it weekly. I know it's an arms race out there fighting spam, but here are some sample subject lines with SA's scores that I think should be caught. I know SpamAssassin looks at a lot more than subject lines, but Does anyone know what I can do to increase SpamAssassin’s ability to detect spam? My threshold is set to 4.6.
>>
>> Complete Our Survey, qualify for free-samples 4.1
>> Re: Your Score-Changes on: 09/26/2014* 2.9
>> Weird 30 second trick cURES Diabetes..” 4.1
>> Quality Window Replacement Deals” 4.4
>> Find a PhD degree online in the specialty field” 2.8
>> Your background check is Available online” 2.4
>> Perfect vision with one weird trick” 0.0
>
> Please try to reply to the questions below so others get a better picture of your setup/issue.
> - Please post missed spam samples in pastebin.com - do not post samples to mailing list
> - What SA version are you using
> - How are you using SA? (amavis, milter, Mailscanner, procmail, Fuglu, etc, etc)
> - Are you using SA in a PC/notebook? or on a server?
> - What plugins are you using? (Razor, Pyzor, DCC, etc)
> - Are you using a local, non forwarding, DNS resolver/caching server ?
>
> Axb
Re: [SPAM] Re: False positive in rule: FUZZY_XPILL
On 10.09.2014 at 06:57, John Hardin wrote:
> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>> On 09.09.2014 at 15:19, John Hardin wrote:
>>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>>> Hi again, I noticed FP on mentioned rule when checking ham email. Due to confidential content I don't want to share it on ML. Is somebody willing to improve mentioned rule or one case is not enough to look at it? If somebody would like to look into it I can send such email offlist.
>>> I'll take a look.
>> Hi! Thank you. FUZZY_PILL has high score so it would be great to lower chance of FP. Attached email has partially, manually removed pdf attachment. I hope I didn't break mime parts too much. Attached email still triggers FUZZY_XPILL.
>> Regards, Marcin

Hi! I'm sorry for huge delay in answer.

> Is that email supposed to have an image attached to it? I note one of the MIME parts has this:
>
> Content-Type: text/plain; name=mpanic.png
>
> The content-type is wrong for a binary data attachment. That attachment also doesn't appear to be a valid .PNG image file. Are you actually able to view that as an image?

$ file mpanic.png
mpanic.png: PNG image data, 684 x 750, 8-bit/color RGBA, non-interlaced

Okular doesn't have problem with this image, thunderbird also displays it in message.

> The FUZZY_XPILL hit is on what appears to be binary data in the message body, likely due to that attachment being interpreted as body text due to the MIME type. I can find what appears to be the matched string within the mpanic.png file, but not anywhere in the actual text part of the message. I think that you should contact whoever sent that message and have them review how they are generating it. I'm reluctant to call this SA's fault for trusting the MIME content type.

I'll try to contact but this is automated generated email with invoice. I'm expecting that they can't modify bought soft.

Thanks,
Marcin
Re: [SPAM] Re: False positive in rule: FUZZY_XPILL
On Mon, 29 Sep 2014, Marcin Mirosław wrote:
> On 10.09.2014 at 06:57, John Hardin wrote:
>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>> On 09.09.2014 at 15:19, John Hardin wrote:
>>>> On Tue, 9 Sep 2014, Marcin Mirosław wrote:
>>>>> Hi again, I noticed FP on mentioned rule when checking ham email. Due to confidential content I don't want to share it on ML. Is somebody willing to improve mentioned rule or one case is not enough to look at it? If somebody would like to look into it I can send such email offlist.
>>>> I'll take a look.
>>> Hi! Thank you. FUZZY_PILL has high score so it would be great to lower chance of FP. Attached email has partially, manually removed pdf attachment. I hope I didn't break mime parts too much. Attached email still triggers FUZZY_XPILL.
>>> Regards, Marcin
> Hi! I'm sorry for huge delay in answer.

No problem.

>> Is that email supposed to have an image attached to it? I note one of the MIME parts has this:
>>
>> Content-Type: text/plain; name=mpanic.png
>>
>> The content-type is wrong for a binary data attachment. That attachment also doesn't appear to be a valid .PNG image file. Are you actually able to view that as an image?
> $ file mpanic.png
> mpanic.png: PNG image data, 684 x 750, 8-bit/color RGBA, non-interlaced
>
> Okular doesn't have problem with this image, thunderbird also displays it in message.

That's interesting. The tools on my linux dev box (including GIMP) claim that it's corrupted. That's why I asked.

$ file mpanic.png
mpanic.png: data
$ od -c -t x1 mpanic.png | head -2
000   ?   P   N   G  \n 032  \n  \0  \0  \0  \r   I   H   D   R  \0
     3f  50  4e  47  0a  1a  0a  00  00  00  0d  49  48  44  52  00

Does that match what you have?

As for TB displaying it in the message: I guess they are looking at the attachment filename rather than the attachment MIME type.

>> The FUZZY_XPILL hit is on what appears to be binary data in the message body, likely due to that attachment being interpreted as body text due to the MIME type. I can find what appears to be the matched string within the mpanic.png file, but not anywhere in the actual text part of the message. I think that you should contact whoever sent that message and have them review how they are generating it. I'm reluctant to call this SA's fault for trusting the MIME content type.
> I'll try to contact but this is automated generated email with invoice. I'm expecting that they can't modify bought soft.

Then the vendor needs a bug report filed.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
When people get used to preferential treatment, equal treatment seems like discrimination. -- Thomas Sowell
---
5 days until the 10th anniversary of SpaceshipOne winning the X-prize
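The mismatch diagnosed in the message above (a part declared as text/plain whose bytes are image data) can be checked for mechanically. The following is an added example, not code from the thread or from SpamAssassin: it lists MIME parts declared text/* whose decoded content starts with the PNG signature, either intact or in the altered form shown in the od output. The function names, the sample message and its addresses are constructed for illustration.

```python
import base64
from email import message_from_bytes, policy

# Standard 8-byte PNG signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Leading bytes from the od output quoted in the thread: 0x89 appears as
# 0x3f ('?') and the 0x0d before the first 0x0a is absent.
ALTERED_PNG_PREFIX = bytes.fromhex("3f504e470a1a0a")

# Constructed sample: signature plus the start of an IHDR chunk describing a
# 684 x 750, 8-bit RGBA, non-interlaced image (the values `file` reports).
SAMPLE_PNG_HEAD = PNG_SIGNATURE + bytes.fromhex(
    "0000000d49484452" "000002ac" "000002ee" "0806000000"
)


def classify_prefix(data: bytes):
    """Return 'png', 'png-altered' or None based on the leading bytes."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(ALTERED_PNG_PREFIX):
        return "png-altered"
    return None


def build_sample_message(image_bytes: bytes, declared_type: str = "text/plain") -> bytes:
    """Constructed two-part message; the second part carries image_bytes."""
    b64 = base64.b64encode(image_bytes).decode("ascii")
    lines = [
        "From: billing@example.com",
        "To: user@example.org",
        "Subject: Invoice",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Invoice attached.",
        "--b1",
        f"Content-Type: {declared_type}; name=mpanic.png",
        "Content-Transfer-Encoding: base64",
        "",
        b64,
        "--b1--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def audit_text_parts(raw_message: bytes):
    """List leaf parts declared text/* whose decoded bytes start like a PNG."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        kind = classify_prefix(payload)
        # A text/* label on image bytes means a scanner that trusts the
        # label will run body rules over binary data.
        if declared.startswith("text/") and kind:
            findings.append((part.get_filename(), declared, kind))
    return findings


if __name__ == "__main__":
    sample = build_sample_message(SAMPLE_PNG_HEAD)
    for name, declared, kind in audit_text_parts(sample):
        print(f"{name}: declared {declared}, content looks like {kind}")
```

Run against a saved copy of a message that triggers a body rule unexpectedly, a non-empty result points at the sender's MIME generation rather than at the rule.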
half-OT: please remove spam-markers from subjects
please remove markers like [SPAM] if a message was flagged before reply - they lead often that a message goes to junk- instead the list-folder :-)
Re: Spamassasin not as effective anymore
On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
> From: Lorenzo Thurman lore...@thethurmans.com
> Date: 9/26/2014 10:59 PM
>
> I’ve been using SpamAssassin for a number of years with excellent results. But, now over the last month or so, it has been scoring spam very low. It still catches most spam, but whereas only about a dozen or so might get through to my inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via cron every day and I have a special mail folder where I place missed spam and run sa-learn against it weekly. I know it's an arms race out there fighting spam, but here are some sample subject lines with SA's scores that I think should be caught. I know SpamAssassin looks at a lot more than subject lines, but Does anyone know what I can do to increase SpamAssassin’s ability to detect spam? My threshold is set to 4.6.
>
> Complete Our Survey, qualify for free-samples 4.1
> Re: Your Score-Changes on: 09/26/2014* 2.9
> Weird 30 second trick cURES Diabetes..” 4.1
> Quality Window Replacement Deals” 4.4
> Find a PhD degree online in the specialty field” 2.8
> Your background check is Available online” 2.4
> Perfect vision with one weird trick” 0.0

What are the From: addresses in those spam emails? We have been recently inundated from spam using domains such as .eu and .co. The IP names that the spammers are using, are constantly changing, so that the URIBLs are not able to keep up with them. you've had to add customized rules that increases the spam scores, for emails from these and other domains, that are now popular with spammers.

Mark London
Re: half-OT: please remove spam-markers from subjects
On 9/29/2014 10:54 AM, Reindl Harald wrote:
> please remove markers like [SPAM] if a message was flagged before reply - they lead often that a message goes to junk- instead the list-folder :-)

Please teach your users to filter on the List-ID: header rather than Subject: for this list. The issue can be entirely avoided without requiring everyone else in the world to alter their behaviour.

--
Nels Lindquist nli...@maei.ca
Re: half-OT: please remove spam-markers from subjects
On 29.09.2014 at 19:14, Nels Lindquist wrote:
> On 9/29/2014 10:54 AM, Reindl Harald wrote:
>> please remove markers like [SPAM] if a message was flagged before reply - they lead often that a message goes to junk- instead the list-folder :-)
> Please teach your users to filter on the List-ID: header rather than Subject: for this list. The issue can be entirely avoided without requiring everyone else in the world to alter their behaviour

the [SPAM] marker comes *before* all other sieve-filters otherwise it would not catch faked From-Headers

it's not a big deal but i see that mistake sometimes also in business communication - not real good
Re: half-OT: please remove spam-markers from subjects
On 9/29/2014 11:19 AM, Reindl Harald wrote:
> On 29.09.2014 at 19:14, Nels Lindquist wrote:
>> On 9/29/2014 10:54 AM, Reindl Harald wrote:
>>> please remove markers like [SPAM] if a message was flagged before reply - they lead often that a message goes to junk- instead the list-folder :-)
>> Please teach your users to filter on the List-ID: header rather than Subject: for this list. The issue can be entirely avoided without requiring everyone else in the world to alter their behaviour
> the [SPAM] marker comes *before* all other sieve-filters otherwise it would not catch faked From-Headers

I would suggest that you either add an additional condition to your sieve filter to exclude messages with the SA List-ID from subject line detection*, or alter your spam detection rule to use a header which you actually control. X-Spam-Status or X-Spam-Level are often good choices.

[*] Something like:

    require ["fileinto"];  # must appear at the top of the script

    # File [SPAM]-tagged subjects into the spam folder, except for this list's traffic
    if allof (
        header :comparator "i;ascii-casemap" :contains "Subject" "[SPAM]",
        not header :comparator "i;ascii-casemap" :contains "List-Id" "users.spamassassin.apache.org"
    ) {
        fileinto "INBOX.Spam";
        stop;
    }

--
Nels Lindquist nli...@maei.ca
what's wrong
Hello,

today I was pointed to a message with these headers:

X-Spam-Score: 6.789
X-Spam-Status: Yes, score=6.789 tag=-999 tag2=5 kill=6
    tests=[HTML_MESSAGE=0.001, MISSING_MIMEOLE=1.843,
    RCVD_IN_SORBS_HTTP=2.499, RCVD_IN_SORBS_SOCKS=2.443]
Received: from smtp.cesky-hosting.cz (smtp.cesky-hosting.cz [IPv6:2a00:1ed0:2:0:1:5bef:c8ee:1])
    by mailin.example.org (amavisd-milter);
    Wed, 24 Sep 2014 10:09:52 +0200 (CEST)
    (envelope-from ***@wellpack.cz)
Received: from Janinka (138.154.broadband15.iol.cz [90.182.154.138])
    (Authenticated sender: ***@wellpack.cz)
    by smtp.cesky-hosting.cz (Postfix) with ESMTPSA;
    Wed, 24 Sep 2014 10:01:06 +0200 (CEST)

I operate mailin.example.org that may receive via IPv4 and IPv6. I wonder why RCVD_IN_SORBS_HTTP and RCVD_IN_SORBS_SOCKS fire up.

https://wiki.apache.org/spamassassin/Rules/RCVD_IN_SORBS_SOCKS tell me
    This check tests the IP address of the *last untrusted relay*

for me the last untrusted relay *should be* smtp.cesky-hosting.cz but it looks like sa think it's 90.182.154.138

what settings I should check?

Andreas
Re: UTF-8 rule generator script Re: UTF-8 rules, what am I missing?
On 09/27/2014 01:16 PM, John Hardin wrote:
> On Fri, 26 Sep 2014, Adi wrote:
>> I don't know if SA converts the text on the fly.
> In my experience it does not. There's been some discussion of charset normalization, but I don't think that's been implemented yet, so SA is still seeing whatever bytes are in the raw message.

normalize_charset is documented at least since 3.3.2. I found some list traffic expressing concerns about performance problems, but I've turned it on on (low-to-medium-volume) mail servers I'm responsible for and haven't seen problems. (We get about 25K incoming messages a day at work.) Haven't made extensive use of it, though, and I just recently figured out that my failed attempts to do so were because the rule files themselves weren't being interpreted as UTF-8 (so I need to use Darxus' preprocessing scripts or something similar).

Seems like it would be a huge convenience if either (1) turning on normalize_charset forced interpretation of rule files as UTF-8, (2) there were a similar setting to specify the encoding of rule files, or (3) there were a way on a file-by-file basis to say what charset the rules in the file were in (which is probably best since it would facilitate custom rule sharing across sites). That's off the top of my head with no thought so it may be dumb. :-)

Jay
Re: what's wrong
On September 29, 2014 8:16:28 PM A. Schulze s...@andreasschulze.de wrote:
> for me the last untrusted relay *should be* smtp.cesky-hosting.cz but it looks like sa think it's 90.182.154.138
> what settings I should check?

Trusted network and internal network in local.cf for all your own ipv6, ipv4 :)

In case of fine show spamassassin 2>&1 -D -t msgfile on pastebin

Maybe a bug, also make a bug with --lint info so devs can see all installed versions of perl modules

Perl 5.18 is in gentoo portage, but there is a number of problems with spampd, don't know if amavisd also have troubles, is amavisd-milter passing origin ipv6 over to spamassassin ?

Do you see all-trusted ever hits ?
Re: what's wrong
Benny Pedersen:
> Trusted network and internal network in local.cf for all your own ipv6, ipv4 :)

ups, I had no settings at all for trusted/internal/msa networks :-/

Thanks for the pointer
Andreas
Re: what's wrong
On September 29, 2014 10:02:06 PM A. Schulze s...@andreasschulze.de wrote:
>> Trusted network and internal network in local.cf for all your own ipv6, ipv4 :)
> ups, I had no settings at all for trusted/internal/msa networks :-/

Remember to add non-routable ips as well, this will speed up rbl checking

127.0.0.1 is hardcoded, don't know if the ipv6 variant is, but see --lint -D

Settings in local.cf should match mynetworks in amavisd and postconf -d

> Thanks for the pointer

Good, it's just a config problem
Re: Spamassasin not as effective anymore
On 9/29/2014 12:58 PM, Mark London wrote:
> On 9/29/2014 4:21 AM, users-digest-help@spamassassin.apache.org wrote:
>> From: Lorenzo Thurman lore...@thethurmans.com
>> Date: 9/26/2014 10:59 PM
>>
>> I’ve been using SpamAssassin for a number of years with excellent results. But, now over the last month or so, it has been scoring spam very low. It still catches most spam, but whereas only about a dozen or so might get through to my inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via cron every day and I have a special mail folder where I place missed spam and run sa-learn against it weekly. I know it's an arms race out there fighting spam, but here are some sample subject lines with SA's scores that I think should be caught. I know SpamAssassin looks at a lot more than subject lines, but Does anyone know what I can do to increase SpamAssassin’s ability to detect spam? My threshold is set to 4.6.
>>
>> Complete Our Survey, qualify for free-samples 4.1
>> Re: Your Score-Changes on: 09/26/2014* 2.9
>> Weird 30 second trick cURES Diabetes..” 4.1
>> Quality Window Replacement Deals” 4.4
>> Find a PhD degree online in the specialty field” 2.8
>> Your background check is Available online” 2.4
>> Perfect vision with one weird trick” 0.0
>
> What are the From: addresses in those spam emails? We have been recently inundated from spam using domains such as .eu and .co. The IP names that the spammers are using, are constantly changing, so that the URIBLs are not able to keep up with them. you've had to add customized rules that increases the spam scores, for emails from these and other domains, that are now popular with spammers.

I meant to say I've had to add..., not you've had to add... - Mark
RE: Spamassasin not as effective anymore
> From: Mark London [mailto:m...@psfc.mit.edu]
> Sent: Monday, September 29, 2014 2:59 PM
> To: users@spamassassin.apache.org
> Subject: Re: Spamassasin not as effective anymore
>
> On 9/29/2014 12:58 PM, Mark London wrote:
>> On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
>>> From: Lorenzo Thurman lore...@thethurmans.com
>>> Date: 9/26/2014 10:59 PM
>>>
>>> I've been using SpamAssassin for a number of years with excellent results. But, now over the last month or so, it has been scoring spam very low. It still catches most spam, but whereas only about a dozen or so might get through to my inbox in a week, I'm suddenly getting a dozen or so a day. I run sa-update via cron every day and I have a special mail folder where I place missed spam and run sa-learn against it weekly. I know it's an arms race out there fighting spam, but here are some sample subject lines with SA's scores that I think should be caught. I know SpamAssassin looks at a lot more than subject lines, but Does anyone know what I can do to increase SpamAssassin's ability to detect spam? My threshold is set to 4.6.
>>>
>>> Complete Our Survey, qualify for free-samples 4.1
>>> Re: Your Score-Changes on: 09/26/2014* 2.9
>>> Weird 30 second trick cURES Diabetes.. 4.1
>>> Quality Window Replacement Deals 4.4
>>> Find a PhD degree online in the specialty field 2.8
>>> Your background check is Available online 2.4
>>> Perfect vision with one weird trick 0.0
>>
>> What are the From: addresses in those spam emails? We have been recently inundated from spam using domains such as .eu and .co. The IP names that the spammers are using, are constantly changing, so that the URIBLs are not able to keep up with them. you've had to add customized rules that increases the spam scores, for emails from these and other domains, that are now popular with spammers.
>
> I meant to say I've had to add..., not you've had to add... - Mark

We have also seen an increase in unmarked spam (from 95% to maybe 20%). Last night I did a dump of my bayes DB, which was 10 months since we reset it and started the training process again with 3k known spams and 1k known hams and we're hitting 95% again. It seems that enough hammy looking ones got trained automagically and the snowball effect happened.

YMMV
Gary
Re: Spamassasin not as effective anymore
On Sep 29, 2014, at 4:58 PM, Mark London m...@psfc.mit.edu wrote:
> On 9/29/2014 12:58 PM, Mark London wrote:
>> On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
>>> From: Lorenzo Thurman lore...@thethurmans.com
>>> Date: 9/26/2014 10:59 PM
>>>
>>> I’ve been using SpamAssassin for a number of years with excellent results. But, now over the last month or so, it has been scoring spam very low. It still catches most spam, but whereas only about a dozen or so might get through to my inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via cron every day and I have a special mail folder where I place missed spam and run sa-learn against it weekly. I know it's an arms race out there fighting spam, but here are some sample subject lines with SA's scores that I think should be caught. I know SpamAssassin looks at a lot more than subject lines, but Does anyone know what I can do to increase SpamAssassin’s ability to detect spam? My threshold is set to 4.6.
>>>
>>> Complete Our Survey, qualify for free-samples 4.1
>>> Re: Your Score-Changes on: 09/26/2014* 2.9
>>> Weird 30 second trick cURES Diabetes..” 4.1
>>> Quality Window Replacement Deals” 4.4
>>> Find a PhD degree online in the specialty field” 2.8
>>> Your background check is Available online” 2.4
>>> Perfect vision with one weird trick” 0.0
>>
>> What are the From: addresses in those spam emails? We have been recently inundated from spam using domains such as .eu and .co. The IP names that the spammers are using, are constantly changing, so that the URIBLs are not able to keep up with them. you've had to add customized rules that increases the spam scores, for emails from these and other domains, that are now popular with spammers.
>
> I meant to say I've had to add..., not you've had to add... - Mark

I looked at those emails again and tried to resolve the sender’s addresses (dig -x z.z.z.z). They don’t resolve to valid hostnames, which means they should even reach SA. Postfix should reject them outright. I’ve changed a couple of postfix’s reject_rbl_client settings, put a tail on its log and now I see many emails being rejected outright. So I’ll take this to the postfix lists. These are the changes I made:

old
sbl.spamhaus.org
sbl-xbl.spamhaus.org

new
reject_rbl_client zen.spamhaus.ord
reject_rbl_client dns.sorbd.net

Thanks all.