Re: spam that only hits the BAYES_99 rule

Sun, 12 Nov 2006 10:16:29 -0800 

Matt Kettler wrote:

Tom H wrote:

Hi,

I was getting hit by a great deal of spam that only hits the BAYES_99

I would be grateful for any ideas on this...

Sounds like the message contains a URI that is now listed in many of the
SURBL and URIBL lists.

 It may be that this got listed after you got the spam, but do you have
network tests enabled?
There is a url in the domain that definitely hits some of the URIBLs (results from the SURBL+ Checker on rulesemporium ) 

   * RBL: skipping uri lookups on ip-based RBLs
   * URIBL: multi.surbl.org: *listed* [Blocked,
     madesucxxxntiondexxxxtunhadesu.com on lists [ab][jp][ob][sc][ws],
     See: http://www.surbl.org/lists.html]
   * URIBL: multi.uribl.com: *listed* [Blacklisted, see
     http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com
     <http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com>]
However I don't seem to get any score for those, even though spamassassin is clearly running the network tests, as I can see from the debug output;
[EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf < /usr/share/doc/spamassassin-3.1.4/sample-spam.txt 

<snip>

[27826] dbg: uridnsbl: domains to query:
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
[27826] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl
[27826] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal [27826] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted [27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois 
[27826] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[27826] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted [27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal 
[27826] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted

<snip>

Content analysis details:   (999.9 points, 4.5 required)

pts rule name              description
---- ---------------------- -------------------------------------------------- 
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                           [score: 0.2288]
-0.0 NO_RECEIVED            Informational: message has no Received headers
0.1 AWL                    AWL: From: address is in the auto white-list



my sa-defang.cf is ;


required_hits        4.5
ok_locales        en
rewrite_subject 1
# report_header 1
# use_terse_report 0
# defang_mime 0
# skip_rbl_checks 0
#Enable bayes
auto_learn 1
use_bayes 1
bayes_path  /var/spool/MIMEDefang/.spamassassin/bayes
bayes_file_mode 0666

Reply via email to