Re: spam that only hits the BAYES_99 rule
Matt Kettler wrote:
> Tom H wrote:
>> Hi, I was getting hit by a great deal of spam that only hits the BAYES_99
>> I would be grateful for any ideas on this...
>
> Sounds like the message contains a URI that is now listed in many of the SURBL and URIBL lists. It may be that this got listed after you got the spam, but do you have network tests enabled?

There is a url in the domain that definitely hits some of the URIBLs (results from the SURBL+ Checker on rulesemporium)

* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: *listed* [Blocked, madesucxxxntiondetunhadesu.com on lists [ab][jp][ob][sc][ws], See: http://www.surbl.org/lists.html]
* URIBL: multi.uribl.com: *listed* [Blacklisted, see http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com]

However I don't seem to get any score for those, even though spamassassin is clearly running the network tests, as I can see from the debug output;

[EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf /usr/share/doc/spamassassin-3.1.4/sample-spam.txt

snip
[27826] dbg: uridnsbl: domains to query:
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
[27826] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl
[27826] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal
[27826] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
[27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois
[27826] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[27826] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
[27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal
[27826] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
snip

Content analysis details: (999.9 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2288]
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.1 AWL                    AWL: From: address is in the auto white-list

my sa-defang.cf is ;

required_hits 4.5
ok_locales en
rewrite_subject 1
# report_header 1
# use_terse_report 0
# defang_mime 0
# skip_rbl_checks 0
#Enable bayes
auto_learn 1
use_bayes 1
bayes_path /var/spool/MIMEDefang/.spamassassin/bayes
bayes_file_mode 0666
Re: spam that only hits the BAYES_99 rule
Tom H wrote:
> Matt Kettler wrote:
>> Tom H wrote:
>>> Hi, I was getting hit by a great deal of spam that only hits the BAYES_99
>>> I would be grateful for any ideas on this...
>>
>> Sounds like the message contains a URI that is now listed in many of the SURBL and URIBL lists. It may be that this got listed after you got the spam, but do you have network tests enabled?
>
> There is a url in the domain that definitely hits some of the URIBLs (results from the SURBL+ Checker on rulesemporium)
>
> * RBL: skipping uri lookups on ip-based RBLs
> * URIBL: multi.surbl.org: *listed* [Blocked, madesucxxxntiondetunhadesu.com on lists [ab][jp][ob][sc][ws], See: http://www.surbl.org/lists.html]
> * URIBL: multi.uribl.com: *listed* [Blacklisted, see http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com]
>
> However I don't seem to get any score for those, even though spamassassin is clearly running the network tests, as I can see from the debug output;
>
> [EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf /usr/share/doc/spamassassin-3.1.4/sample-spam.txt

Is there any chance your init.pre is missing from /etc/mail/spamassassin? Or does it have the URIBL plugin commented out?

It looks like you have working network tests, but not working URIBLs. The most common cause would be the plugin isn't being loaded by init.pre.

The other possibility is your Net::DNS is too old to support URIBLs, but new enough to handle normal RBLs, however, the -D output would complain if this was the case.
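One way to run the init.pre check suggested in this reply, and to read the `uridnsbl` line from saved `-D` output, as an added example that is not part of the original post or of SpamAssassin. The function names, the sample files and the second debug line are constructed for illustration; the plugin module name is the one SpamAssassin 3.x ships in init.pre.

```shell
#!/bin/sh
# Added example, not from the thread: two local checks for
# "network tests work but URIBL rules never fire".
# Module name as shipped in SpamAssassin 3.x init.pre.
PLUGIN='Mail::SpamAssassin::Plugin::URIDNSBL'

# uribl_plugin_state FILE -> missing | active | commented | absent
uribl_plugin_state() {
    if [ ! -r "$1" ]; then
        echo missing
    elif grep -Eq "^[[:space:]]*loadplugin[[:space:]]+${PLUGIN}([[:space:]]|\$)" "$1"; then
        echo active
    elif grep -Eq "^[[:space:]]*#.*loadplugin[[:space:]]+${PLUGIN}" "$1"; then
        echo commented
    else
        echo absent
    fi
}

# uribl_domains_queued FILE -> the domains listed on the
# "uridnsbl: domains to query:" line of saved -D output (may be empty).
uribl_domains_queued() {
    sed -n 's/^.*dbg: uridnsbl: domains to query:[[:space:]]*//p' "$1"
}

# Constructed samples (assumptions, not files from the thread).
make_samples() {
    printf 'loadplugin %s\n' "$PLUGIN" > "$1/ok.pre"
    printf '# loadplugin %s\n' "$PLUGIN" > "$1/off.pre"
    printf 'loadplugin Mail::SpamAssassin::Plugin::SPF\n' > "$1/other.pre"
    # Same shape as the debug line quoted in the thread, which lists no domains.
    printf '[27826] dbg: uridnsbl: domains to query:\n' > "$1/empty.log"
    printf '[1] dbg: uridnsbl: domains to query: example.com example.net\n' > "$1/two.log"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in ok.pre off.pre other.pre gone.pre; do
    printf '%-10s %s\n' "$f" "$(uribl_plugin_state "$tmp/$f")"
done
printf 'empty.log  [%s]\n' "$(uribl_domains_queued "$tmp/empty.log")"
printf 'two.log    [%s]\n' "$(uribl_domains_queued "$tmp/two.log")"
rm -rf "$tmp"
```

On a live system the first function would be pointed at the init.pre under /etc/mail/spamassassin, and the second at the captured output of the `spamassassin -t -D` run shown in the thread.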
Re: spam that only hits the BAYES_99 rule
Tom H wrote:
> Hi, I was getting hit by a great deal of spam that only hits the BAYES_99 rule, and maybe gets less than a point or so from elsewhere. But now I'm getting ones through that are basically only hitting the BAYES_99 and nothing else;
>
> X-Spam-Score: 3.5 (***) BAYES_99
>
> I tried to send the mail to this list to demonstrate the content but got bounced with 12.9 spam score.
>
> I'm running sa-update weekly, and rules_du_jour daily with a big set of rules, and I'm still not hitting loads of obvious spam. Particularly those with the title Re: + good and then a number appended to the end.
>
> The only thing I can think of at the moment is to reduce my required_hits to 3.5 or increase the score for BAYES_99 to 5, but I would prefer not to do the latter as I like a default and automatically updated installation.
>
> I would be grateful for any ideas on this...

Sounds like the message contains a URI that is now listed in many of the SURBL and URIBL lists. It may be that this got listed after you got the spam, but do you have network tests enabled?
Re: spam that only hits the BAYES_99 rule
From: Tom H [EMAIL PROTECTED]
> Hi, I was getting hit by a great deal of spam that only hits the BAYES_99 rule, and maybe gets less than a point or so from elsewhere. But now I'm getting ones through that are basically only hitting the BAYES_99 and nothing else;
>
> X-Spam-Score: 3.5 (***) BAYES_99
>
> I tried to send the mail to this list to demonstrate the content but got bounced with 12.9 spam score.
>
> I'm running sa-update weekly, and rules_du_jour daily with a big set of rules, and I'm still not hitting loads of obvious spam. Particularly those with the title Re: + good and then a number appended to the end.
>
> The only thing I can think of at the moment is to reduce my required_hits to 3.5 or increase the score for BAYES_99 to 5, but I would prefer not to do the latter as I like a default and automatically updated installation.
>
> I would be grateful for any ideas on this...

Tom, my answer is a cheat. Simply raise Bayes 99 score until you start seeing false positives from it. Then reduce the score a little. It appears that either Bayes 99 is pessimistic of its likelihood of being spam or else one of my few negative scores has saved me from the expected potload of mismarked ham.

I run at 5.0001. (The .0001 is just to be obnoxious about it.)

{^_^}