Chris Santerre wrote: >>None of the URIBLs is psychic. None can list a domain faster >>than it can be >>reported to them. This means that some spam will arrive and >>not match the test. >>Time of check is a factor when you talk about URIBLs. It's a >>MAJOR factor. > > > Actually thats not quite true :) > > You report one domain, we research it. We find others connected to that > domain. How we do that is our business ;) But you might report one, and we > add 30-50 from it. Those haven't been used in the spam run yet.
True, you might list associated domains. However, URIBLs still aren't psychic, they're just smart enough to do research :) However, the important point still remains: Time of check IS a major factor when talking about URIBLs. You cannot assume that two URIBL checks are comparable if they are made at different times. In particular, you can't assume a URIBL is being bypassed because you got a negative result when a message came in, but you get a positive result when hand checking the domain 1 hour later. You've changed two variables, time of scan and method of scan. It *might* be a strangely encoded message that's fooling SA, but more likely that 1hour was enough time for it to get listed. If strange encodings are a concern, you should be running SA 3.0.4 not 2.63. If that's not an option, make sure your Mail::SpamCopURI module is v 0.25. That won't cover as many obfuscation tricks as 3.0.4 covers, but it will get some that 0.24 misses.
