So this spam just sneaked into my inbox with 4.9 points.  I hate that, it's
the first one in days.

Looking at it, it turns out that a bunch of bogus Received headers are
fooling SpamAssassin into quitting with the DNSBL checks before it gets to
the real meat -- increasing num_check_received to 5 results in hits on five
different DNSBL checks.  Looking at the first 5 Received lines gets it to
the first one inserted by a "trusted" mail server, which has a real IP in
it.

Now, that's kind of annoying, because increasing it to 5 means I'm doing
DNS lookups on 5 Received headers for every mail, and most of those are
unnecessary because it'll be well past the point where the headers are
showing only trusted mail servers. And, of course, all the spammers have to
do is start inserting even more bogus Received headers in order to bypass
DNSBL checks.

Of course, the repeated DNS lookups on the small set of trusted servers
will probably just be coming from local cache, but on a busy server,
someone might care about such a performance hit.

Random thought: how about a configuration option specifying a regexp which
matches Received headers from "trusted" mail servers, indicating that
SpamAssassin should stop when it reaches one?  Then you could specify
num_check_received as 10, even, and still have it stop when it hits the
first trusted server.

-Jeremy
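
The stop-at-trusted idea from the post above, sketched in Python as an added example (not part of the original message and not SpamAssassin code). It assumes headers are counted from the origin end, as the post's description implies; the sample message, the `TRUSTED` pattern and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed message: every host and address is made up (documentation ranges).
# Newest header is on top; the four at the bottom are the bogus ones.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.org with ESMTP; Wed, 1 Jan 2003 10:00:03 +0000
Received: from unknown (HELO host4.invalid) (203.0.113.77)
    by mx.example.org with SMTP; Wed, 1 Jan 2003 10:00:02 +0000
Received: from host3.invalid ([198.51.100.4]) by host4.invalid; Wed, 1 Jan 2003 09:04:00 +0000
Received: from host2.invalid ([198.51.100.3]) by host3.invalid; Wed, 1 Jan 2003 09:03:00 +0000
Received: from host1.invalid ([198.51.100.2]) by host2.invalid; Wed, 1 Jan 2003 09:02:00 +0000
Received: from host0.invalid ([198.51.100.1]) by host1.invalid; Wed, 1 Jan 2003 09:01:00 +0000
Subject: constructed sample

body
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
# Hypothetical value for the proposed option: headers written by our own servers.
TRUSTED = re.compile(r"\bby\s+(?:mx|mail)\.example\.org\b")

def received_from_origin(raw):
    """Received header values, oldest (origin end) first."""
    return list(reversed(message_from_string(raw).get_all("Received", [])))

def relay_ip(header):
    """First bracketed or parenthesised IPv4 address in the header, if any."""
    m = IP_RE.search(header)
    return m.group(1) if m else None

def fixed_count(raw, n):
    """IPs that a fixed limit of n headers would send to the DNSBLs."""
    return [ip for ip in map(relay_ip, received_from_origin(raw)[:n]) if ip]

def until_trusted(raw, trusted_re, limit=10):
    """Walk up to `limit` headers, stopping after the first trusted one."""
    ips = []
    for header in received_from_origin(raw)[:limit]:
        ip = relay_ip(header)
        if ip:
            ips.append(ip)
        if trusted_re.search(header):
            break  # written by a trusted server: its IP is real, go no further
    return ips
```

On this sample a fixed limit of 4 never reaches 203.0.113.77, a limit of 10 also looks up the internal relay 192.0.2.10, and `until_trusted` checks exactly the five headers up to and including the first trusted one.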

