On 03/27/2015 08:20 PM, Amir Caspi wrote:
On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas
<uh...@fantomas.sk> wrote:
I see no network checks here... do you use network checks?
On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail <kmcgr...@pccc.com>
wrote:
Are you using network tests? These are scoring pretty high for
me.
I presume you're talking about things like Razor, Pyzor, DCC, and
various RBLs? Yes, those are enabled. The reason you're not seeing
them is because they didn't hit when the messages were first
received. I'm getting the same hits NOW that you are seeing, but
those did NOT hit when the messages first arrived.
Remember that these messages were received a number of hours ago, so
they have had plenty of time to be listed on RBLs and hash DBs in the
intervening period. They were clearly not listed there when these
messages were received, which is exactly why these messages are FNs.
If they were received now, they wouldn't be... but they were back
then.
This is why I said in the prior message that it appears my user is
one of the unlucky folks getting these in the very first
distribution, before they've had a chance to be reported to RBLs and
hash DBs. Some poor schmoe has to be in the first distribution, and
it appears that he's one of them. This is why I'm looking for other,
template-like rules that can be used to identify these things,
because right now it seems my user is getting them on the first run
before the network tests are useful.
But, yes, network tests are absolutely enabled.
Are you using Mailscanner? if yes then it's you munging URIS so they
breaking lookups on any hash type as in
http://pastebin.com/LaKT5ZZK
And if you're indeed using MailScanner are you sending it the full
message or some chunk only?
(can't remember the settings's names)
