On Wed, 10 Mar 2010, Stephen Carville wrote:
I've been seeing several emails lately that are being scored low that, from what I know of the SA rules should be scored higher. A recent example was a typical spam message: FROM_STARTS_WITH_NUMS,RCVD_IN_DNSWL_LOW,URIBL_AB_SURBL,URIBL_JP_SURBL, URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=no The second message invoked a larger number of body check rules than the first but I don't understand why. Is that normal or do I have something configured incorrectly?
The extra rules are all 'SURBL' blocklist tests which check the embedded URI against internet blocklists. It is not uncommon for the first few spams using a new URI to get through before the blocklists are updated. By the time you reran your tests, they had been updated, and so it scored higher....
- C