I just got a complaint from a user because of a false positive that was filtered into their spam folder. A very small part of the score came from the rule
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS * [81.136.151.191 listed in dnsbl.sorbs.net]
Looking at the headers (see below) I do not understand why this rule comes into effect. The sender sent the email validly through her ISP (yahoo.com). I thought if you did that then that rule did not kick in. Am I missing something here?
This is actually a byproduct of how SORBS works, and how SA handles RBLS.
However, it's very much intentional that the rule only scores 0.1 points. It's because of the exact case you ran into here, and it's to prevent it from causing a false positive for this specific case.
In short, it's a non-issue that SA's already designed to handle. In detail.. read on.
The deal is that SORBS is an aggregate list of many RBLs. Some of those RBLs are "standard" RBLs that get checked against every IP address in the headers. One of those RBLs is a "dialup" listing, which only gets checked against the relays.
In order to be more efficient, all of these RBLs are checked as a single query per IP, and SA interprets the answers it gets to decide if a particular RBL within SORBS hit.
However, that means there has to be a "root" rule that generates the DNS query that all of the sub-tests use. Since some of the RBLS in sorbs are non-dailup, the root rule has to be checked against every IP in the message, and the difference gets split-up in the sub-tests. Since the root rule fires off when *any* of the SORBS RBLS match, it will always fire off on dialup email, regardless of wether or not it was properly relayed, because the root rule is always checked on all IPs. The SA-devs *know* about the issue here, which is why the score of the root rule is forced low. If it was set to 3.0 or something, we'd have a real problem.
Now, if that email had NOT been relayed properly, it would have also matched the RCVD_IN_DYNABLOCK test (renamed into SORBS_DUL in 3.0), which is where the real score would be applied. That rule would have scored 2.5 points, but that rule is configured for "notfirsthop" to not trigger on legitamate dialup email.
Basicaly, all of the following are sub-tests of the RCVD_IN_SORBS test, and the original rule itself is more-or-less a placeholder:
score RCVD_IN_SORBS_BLOCK 0 score RCVD_IN_SORBS_HTTP 0 1.101 0 1.101 score RCVD_IN_SORBS_MISC 0 1.101 0 0.687 score RCVD_IN_SORBS_SMTP 0 1.522 0 2.700 score RCVD_IN_SORBS_SOCKS 0 1.101 0 1.204 score RCVD_IN_SORBS_WEB 0 2.800 0 0 score RCVD_IN_SORBS_ZOMBIE 0 2.596 0 2.599 score RCVD_IN_DYNABLOCK 0 2.546 0 2.599
