Thanks Mark,

On Wed, Jun 08, 2011 at 07:05:20PM +0200, Mark Martinec wrote:
> Sandro,
> 
> > As an example I have a message that includes a link to "ow (dot) ly (/)
> > 57lle". Querying host ow.ly.dbl.spamhaus.org clearly shows that it's a
> > spammer redirector.
> > 
> > If I feed the message to 'spamassassin -t' I get:
> >    Content analysis details:   (0.0 points, 5.0 required)
> 
> > and feeding it to 'spamassassin -D|grep ow.ly' I get:
> >
> > dbg: dns: providing a callback for id: 34472/ow.ly.dbl.spamhaus.org/A/IN
> > dbg: async: starting: URI-DNSBL, DNSBL:dbl.spamhaus.org.:ow.ly (timeout 15.0s, min 3.0s)
> > dbg: dns: providing a callback for id: 57784/ow.ly/NS/IN
> > dbg: async: starting: URI-NS, NS:ow.ly (timeout 15.0s, min 3.0s)
> > dbg: async: completed in 0.018 s: URI-DNSBL, DNSBL:dbl.spamhaus.org.:ow.ly
> > dbg: async: timing: 0.018 . DNSBL:dbl.spamhaus.org.:ow.ly
> 
> > I'm not able to read the response, i.e. I can't understand if it's possible
> > to understand from these lines if the test shows or not that it's really a
> > spam redirector.
> 
> The log shows a successful query for ow.ly.dbl.spamhaus.org,
> and an almost instant answer - received in 18 ms.
> 
> The answer was probably 127.0.1.3. I guess you do not have any rules
> to hit on this value.
> 
> Try adding the following rules to your local.cf:
> 
> if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only)
> urirhssub       URIBL_DBL_REDIR   dbl.spamhaus.org.       A   127.0.1.3
> body            URIBL_DBL_REDIR   eval:check_uridnsbl('URIBL_DBL_REDIR')
> describe        URIBL_DBL_REDIR   Spamhaus spammed redirector domain
> tflags          URIBL_DBL_REDIR   net domains_only
> score           URIBL_DBL_REDIR   2.0
> endif

This rule just works, thanks.

Isn't it a pretty normal check to be done?  I ask since my fear is that my
setup is somehow wrong, or at least poor. I just use default rules from
Debian spamassassin + sa-update but many times I see spam messages pass
through that are clearly spam and hit very few rules.

> The answer was probably 127.0.1.3. I guess you do not have any rules
> to hit on this value.

Why should it issue the query and neglect the answer?

sandro
*:-)



-- 
Sandro Dentella  *:-)
http://www.reteisi.org             Soluzioni libere per le scuole
http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy
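
Added example (not part of the original message and not SpamAssassin's own code): a Python sketch that pairs the URI-DNSBL start and completion lines from the debug output quoted above, then models exact-match `urirhssub` subtests as a simplified assumption, so an answer of 127.0.1.3 scores only once a rule lists that value. The helper names and the `EXAMPLE_DBL_OTHER` rule with its 127.0.1.2 subtest are constructed for illustration; 127.0.1.3 is the answer guessed in the thread.

```python
import re

# Debug lines quoted in the thread, with the mail-wrapped line rejoined.
DEBUG_LOG = """\
dbg: dns: providing a callback for id: 34472/ow.ly.dbl.spamhaus.org/A/IN
dbg: async: starting: URI-DNSBL, DNSBL:dbl.spamhaus.org.:ow.ly (timeout 15.0s, min 3.0s)
dbg: dns: providing a callback for id: 57784/ow.ly/NS/IN
dbg: async: starting: URI-NS, NS:ow.ly (timeout 15.0s, min 3.0s)
dbg: async: completed in 0.018 s: URI-DNSBL, DNSBL:dbl.spamhaus.org.:ow.ly
"""

STARTED = re.compile(r"async: starting: URI-DNSBL, DNSBL:(\S+?)\.:(\S+)")
COMPLETED = re.compile(r"async: completed in ([\d.]+) s: URI-DNSBL, DNSBL:(\S+?)\.:(\S+)")


def dnsbl_lookups(log):
    """Map (zone, domain) -> elapsed seconds, or None if no completion was logged."""
    lookups = {}
    for line in log.splitlines():
        started = STARTED.search(line)
        completed = COMPLETED.search(line)
        if started:
            lookups.setdefault((started.group(1), started.group(2)), None)
        elif completed:
            lookups[(completed.group(2), completed.group(3))] = float(completed.group(1))
    return lookups


def rules_hit(zone, answer, rules):
    """Names of rules whose zone and exact-match A subtest equal the DNS answer.

    Simplified model (assumption): only dotted-quad exact-match subtests.
    """
    return [name for name, (rule_zone, subtest) in rules.items()
            if rule_zone.rstrip(".") == zone and subtest == answer]


# Constructed rule set without a 127.0.1.3 subtest (hypothetical rule name).
RULES_BEFORE = {"EXAMPLE_DBL_OTHER": ("dbl.spamhaus.org.", "127.0.1.2")}
# Same set plus the URIBL_DBL_REDIR rule suggested in the thread.
RULES_AFTER = dict(RULES_BEFORE, URIBL_DBL_REDIR=("dbl.spamhaus.org.", "127.0.1.3"))

if __name__ == "__main__":
    for (zone, domain), secs in dnsbl_lookups(DEBUG_LOG).items():
        state = "no completion logged" if secs is None else "answered in %.3f s" % secs
        print("%s on %s: %s" % (domain, zone, state))
        for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
            print("  %s: hits=%s" % (label, rules_hit(zone, "127.0.1.3", rules)))
```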
