On 30/11/15 16:41, Reindl Harald wrote:
On 30.11.2015 at 17:24, Sebastian Arcus wrote:
OK - this might be a basic question, but recently the detection rate on
my SA install has been really unreliable, so I decided that the first
step is to be sure it is using the public dns blocklists and razor. My
setup:
1. Spamassassin 3.4.1
2. I have Bind configured as recursive, non-forwarding, caching DNS
server.
3. spamassassin --lint doesn't return any errors or failures.
5. My init.pre contains "loadplugin Mail::SpamAssassin::Plugin::URIDNSBL"
Here is the report included in one of the emails which is spam, but
wasn't detected as such:
Content analysis details:   (1.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [212.227.15.41 listed in list.dnswl.org]
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
Does the above mean that the DNSBL tests were applied, but returned zero
values - or would it mean they were skipped? I'm not sure how to find
out which one it is. I'm happy to attach some sample emails which
weren't detected, or any other useful info. Thank you
RCVD_IN_DNSWL_LOW is the opposite of "returned zero values" but why
not just pass a sample against SA in debug-mode?
spamassassin -D < /path/to/spam-example.eml
Thank you Harald. I did - and it looks like SA does contact lots of
DNSBLs and it receives various messages in reply. Nothing that looks
like failures or errors. I can attach the output here - but it is a lot.
Would this mean that the DNSBLs are working correctly in my setup - but
spammers somehow manage to keep on sending from "clean" domains all the
time - and I should look into some other way of stopping this type of
spam? The messages I'm talking about are typical spam, with one or two
sentences in the email body and one or two links - usually advertising
life insurance, solar panels and similar. None of them are from proper
companies or entities I have ever dealt with.
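
Added example, not part of the original thread: a small Python parser for the report format quoted above. It joins the wrapped description lines and lists the rules described as "RBL:" with the IP and zone from the "[... listed in ...]" detail, which is the evidence in the report itself that a DNS list lookup was answered rather than skipped. The function names and the "RBL:" prefix check are assumptions of this example, taken from the report shown here.

```python
import re

# The report quoted in this thread, laid out in SpamAssassin's report columns.
REPORT = """\
Content analysis details:   (1.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [212.227.15.41 listed in list.dnswl.org]
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
"""

RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
LISTED = re.compile(r"\[(\S+) listed in (\S+)\]")

def parse_report(text):
    """Return (score, rule, description) tuples, joining wrapped descriptions."""
    hits = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            hits.append([float(m.group(1)), m.group(2), m.group(3).strip()])
        elif hits and line[:1].isspace() and line.strip():
            hits[-1][2] += " " + line.strip()  # continuation of the previous rule
    return [tuple(h) for h in hits]

def dns_list_hits(hits):
    """Rules described as 'RBL:' in the report, with the queried IP and zone."""
    out = []
    for score, rule, desc in hits:
        if desc.startswith("RBL:"):
            m = LISTED.search(desc)
            out.append((rule, score) + (m.groups() if m else (None, None)))
    return out

if __name__ == "__main__":
    for hit in dns_list_hits(parse_report(REPORT)):
        print(hit)
```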