On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
> I've gotten a lot of false positives coming into my inbox lately, and
> the principal reason for most of them seems to be that they are matching
> the following rule:
> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> medium trust
>

Given the connecting IP is listed with a number of anti-spam blocklists:

59.94.13.26 Listed in Spamhaus XBL (CBL Data)
59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
59.94.13.26 Listed in Barracuda Reputation List
59.94.13.26 Listed in dul.dnsbl.sorbs.net
59.94.13.26 Listed in UCE PROTECT LEVEL 2
59.94.13.26 Listed in UCE PROTECT LEVEL 3

and that bestinternetdancer.com is listed in Spamhaus domain block list &
the multi.uribl.com block list you'd have to wonder why it gets a reduction
from: www.dnswl.org

I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site that
anyone can kind of abuse? The rule is tucked away in 72_active.cf, along
with the other 'pay to spam' whitelists from the likes of Return Path.

I suggest you add this to your local.cf to deal with such abuse:

score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0

But that's just my default settings on every instance of SA that I work on.
Sometimes I add points for Return Path as it seems to help BLOCK spam rather
than pass ham - but that's a can of worms and a different subject.
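
Added example, not part of the original message or of SpamAssassin: a small audit that reads X-Spam-Status header values and reports which messages stayed under the threshold only because of the whitelist rules named above. The sample headers are constructed, and the two Return Path scores are assumed placeholders; only the -4.0 for RCVD_IN_DNSWL_MED comes from the thread.

```python
import re

# Whitelist rules the message above zeroes in local.cf, mapped to the score
# each one contributes. -4.0 is the value quoted in the thread; the two
# Return Path values are assumed placeholders, so substitute your own.
WHITELIST_SCORES = {
    "RCVD_IN_DNSWL_MED": -4.0,
    "RCVD_IN_RP_CERTIFIED": -3.0,  # assumed
    "RCVD_IN_RP_SAFE": -2.0,       # assumed
}

# Constructed X-Spam-Status values, folded the way SpamAssassin writes them.
SAMPLE_HEADERS = [
    "No, score=1.8 required=5.0 tests=RCVD_IN_DNSWL_MED,RCVD_IN_PBL,\n"
    "\tRCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_DBL_SPAM autolearn=no version=3.3.1",
    "No, score=-3.9 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_MED\n"
    "\tautolearn=ham version=3.3.1",
]


def audit(header, whitelist_scores=WHITELIST_SCORES):
    """Report what one X-Spam-Status value would score without whitelist credit."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", flat).group(1))
    # The tests list runs up to the next "key=" field (or the end of the value).
    m = re.search(r"tests=([^=]*?)(?:\s+\w+=|$)", flat)
    tests = [t for t in re.split(r"[,\s]+", m.group(1)) if t] if m else []
    hits = [t for t in tests if t in whitelist_scores]
    credit = sum(whitelist_scores[t] for t in hits)
    adjusted = round(score - credit, 1)
    return {
        "score": score,
        "adjusted": adjusted,
        "whitelist_hits": hits,
        # True when the message passed only because of whitelist credit.
        "flipped": score < required <= adjusted,
    }


if __name__ == "__main__":
    for value in SAMPLE_HEADERS:
        print(audit(value))
```

Running this over a mailbox before and after changing the scores shows how many delivered messages depended on the whitelist credit to stay below the threshold.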