I have set up the following configuration in my user_prefs:
header RCVD_IN_RBL_PLUS rbleval:check_rbl('rblplus',
'rbl-plus.mail-abuse.org.')
describe RCVD_IN_RBL_PLUS Received via RBLed relay, see
http://www.mail-abuse.org/rbl/
header X_RBL_OPS rbleval:check_rbl_results_for('rblplus', '127.1.0.8')
describe X_RBL_OPS Received via RBLed relay, see http://www.mail-abuse.org/rbl
score X_OPS 2
When I feed a message that has come via an open proxy that has been
listed in MAPS OPS, SpamAssassin seems to ignore my configuration.
The headers of the spam message are following:
Return-Path: <teversgp at ucla edu>
Received: from smtp.tut.fi (smtp1.tut.fi [130.230.1.109])
by butler.cc.tut.fi (8.12.9/8.12.5) with ESMTP id h6KM1PFL016437
for <mjs at butler cc tut fi>; Mon, 21 Jul 2003 01:01:25 +0300 (EEST)
Received: by smtp.tut.fi (Postfix)
id 0B371382DA; Mon, 21 Jul 2003 01:01:25 +0300 (EEST)
Delivered-To: matti j saarinen at tut fi
Received: by smtp.tut.fi (Postfix, from userid 3500)
id EAD57382CC; Mon, 21 Jul 2003 01:01:24 +0300 (EEST)
Received: from mail.cc.tut.fi (mail.cc.tut.fi [130.230.1.105])
by smtp.tut.fi (Postfix) with ESMTP id B2D2D382B9
for <vikailmoitus at tut fi>; Mon, 21 Jul 2003 01:01:23 +0300 (EEST)
Received: from videotron.ca (c213-89-159-169.cm-upc.chello.se [213.89.159.169])
by mail.cc.tut.fi (8.12.9/8.12.5) with ESMTP id h6KM1IPX004347
for <vikailmoitus at cc tut fi>; Mon, 21 Jul 2003 01:01:22 +0300
Message-ID: <[EMAIL PROTECTED]>
From: "Tybie Evers" <teversgp at ucla edu>
To: vikailmoitus at cc tut fi
Subject: New movie award
Date: Sun, 20 Jul 2003 22:03:48 +0000
MIME-Version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/html
Content-Transfer-Encoding: 8bit
The IP address 213.89.159.169 is listed in MAPS OPS:
% host 169.159.89.213.rbl-plus.mail-abuse.org.
169.159.89.213.rbl-plus.mail-abuse.org A 127.1.0.8
But when I feed the message to SpamAssassin it doesn't adjust the
score based on the result of the RBL lookup. Below is a result of
"spamassassin -D rbl=-3 -t -C huu -p user_prefs". (In the directory
huu, I have a modified configuration dir in which all the RBL-like
related checks are disabled.)
The interesting part is that it gives a score 1 for the RBL+ match but
I haven defined any. The other thing that makes me wonder is that
according to the debug messages SpamAssassing checks the set rblplus
before it has even initialised it.
So, could somebody point me my mistake or tell what I have
misunderstood?
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: using "huu" for site rules dir
debug: using "/home/mjs/.spamassassin" for user state dir
debug: using "user_prefs" for user prefs file
debug: using "/home/mjs/.spamassassin" for user state dir
debug: bayes: 13883 tie-ing to DB file R/O /home/mjs/.spamassassin/bayes_toks
debug: bayes: 13883 tie-ing to DB file R/O /home/mjs/.spamassassin/bayes_seen
debug: Score set 3 chosen.
debug: Initialising learner
debug: checking RBL results in set rblplus for 127.1.0.8
debug: is Net::DNS::Resolver available? yes
debug: trying (3) yahoo.com...
debug: looking up MX for 'yahoo.com'
debug: MX for 'yahoo.com' exists? 1
debug: MX lookup of yahoo.com succeeded => Dns available (set dns_available to
hardcode)
debug: is DNS available? 1
debug: checking RBL results in set njabl for 127.0.0.2
debug: checking RBL dnsbl.njabl.org., set njabl
debug: Got the following IPs: 130.230.1.109, 130.230.1.105, 213.89.159.169
debug: But only inspecting the following IPs: 130.230.1.105, 213.89.159.169
debug: Launching DNS query for 105.1.230.130.dnsbl.njabl.org. in the background
debug: Got 0 on 130.230.1.105 (item 1)
debug: Launching DNS query for 169.159.89.213.dnsbl.njabl.org. in the background
debug: Got 0 on 213.89.159.169 (item 2)
debug: Check_rbl returning 0
debug: checking RBL rbl-plus.mail-abuse.org., set rblplus
debug: Got the following IPs: 130.230.1.109, 130.230.1.105, 213.89.159.169
debug: But only inspecting the following IPs: 130.230.1.105, 213.89.159.169
debug: Launching DNS query for 105.1.230.130.rbl-plus.mail-abuse.org. in the background
debug: Got 0 on 130.230.1.105 (item 1)
debug: Launching DNS query for 169.159.89.213.rbl-plus.mail-abuse.org. in the
background
debug: Got 0 on 213.89.159.169 (item 2)
debug: Check_rbl returning 0
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: Razor2 is not available
debug: bayes corpus size: nspam = 3737, nham = 12702
debug: tokenize: header tokens for *p = "<teversgp at ucla edu>"
debug: tokenize: header tokens for *M = " 2 2 32 200307202203480097270a ucla edu "
debug: tokenize: header tokens for *F = ""Tybie Evers" <teversgp at ucla edu>"
debug: tokenize: header tokens for To = "vikailmoitus at cc tut fi"
debug: tokenize: header tokens for MIME-Version = ""
debug: tokenize: header tokens for *x = "Windows Eudora Pro Version 2.2 (32)"
debug: tokenize: header tokens for *c = "/html"
debug: tokenize: header tokens for Content-Transfer-Encoding = "8bit"
debug: tokenize: header tokens for *r = " videotron.ca
(c213-89-159-169.cm-upc.chello.se [213.89.159]) by mail.cc.tut.fi (8.12.9/8.12.5)
<vikailmoitus at cc tut fi>; "
[snip]
debug: tokenize: header tokens for *r = " videotron.ca
(c213-89-159-169.cm-upc.chello.se [213.89.159]) by mail.cc.tut.fi (8.12.9/8.12.5)
<vikailmoitus at cc tut fi>; mail.cc.tut.fi (mail.cc.tut.fi [130.230.1]) by
smtp.tut.fi (Postfix) <vikailmoitus at tut fi>; "
debug: all '*From' addrs: teversgp at ucla edu
debug: all '*To' addrs: mjs at butler cc tut fi vikailmoitus at cc tut fi matti j
saarinen at tut.fi
debug: forged_rcvd_trail: entry 0: by=tut.fi from=tut.fi mismatches=0
debug: forged_rcvd_trail: entry 1: by=tut.fi from=(undef) mismatches=0
debug: forged_rcvd_trail: entry 2: by=tut.fi from=(undef) mismatches=0
debug: forged_rcvd_trail: entry 3: by=tut.fi from=tut.fi mismatches=0
debug: checking RBL results in set rblplus for 127.1.0.8
debug: checking RBL results in set njabl for 127.0.0.2
debug: checking RBL dnsbl.njabl.org., set njabl
debug: Got the following IPs: 130.230.1.109, 130.230.1.105, 213.89.159.169
debug: But only inspecting the following IPs: 130.230.1.105, 213.89.159.169
debug: Got 0 on 130.230.1.105 (item 1)
debug: Query for 169.159.89.213.dnsbl.njabl.org. yielded: 127.0.0.9
debug: RBL check: found 169.159.89.213.dnsbl.njabl.org., type: 127.0.0.9
debug: Got 1 on 213.89.159.169 (item 2)
debug: Check_rbl returning 1
debug: Ran run_rbl_eval_test rule RCVD_IN_NJABL ======> got hit
debug: checking RBL rbl-plus.mail-abuse.org., set rblplus
debug: Got the following IPs: 130.230.1.109, 130.230.1.105, 213.89.159.169
debug: But only inspecting the following IPs: 130.230.1.105, 213.89.159.169
debug: Got 0 on 130.230.1.105 (item 1)
debug: Query for 169.159.89.213.rbl-plus.mail-abuse.org. yielded: 127.1.0.8
debug: RBL check: found 169.159.89.213.rbl-plus.mail-abuse.org., type: 127.1.0.8
debug: Got 1 on 213.89.159.169 (item 2)
debug: Check_rbl returning 1
debug: Ran run_rbl_eval_test rule RCVD_IN_RBL_PLUS ======> got hit
debug: running meta tests; score so far=4.4
debug: auto-learn? safety=4, ham=-2, spam=15, body-hits=4.4, head-hits=1.8
debug: auto-learn: currently using scoreset 3. recomputing score based on scoreset 1.
debug: Score set 1 chosen.
debug: auto-learn: original score: 7.7, recomputed score: 6.726
debug: Score set 3 chosen.
debug: auto-learn? no: inside auto-learn thresholds or safety zone around required_hits
debug: is spam? score=12 required=8
tests=BAYES_80,CLICK_BELOW,HTML_70_80,HTML_FONT_BIG,MIME_HTML_ONLY,OBFUSCATING_COMMENT,PENIS_ENLARGE2,RCVD_IN_NJABL,RCVD_IN_RBL_PLUS
Received: from localhost [127.0.0.1] by butler
with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
Mon, 15 Sep 2003 14:35:42 +0300
From: "Tybie Evers" <teversgp at ucla edu>
To: vikailmoitus at cc tut fi
Subject: New movie award
Date: Sun, 20 Jul 2003 22:03:48 +0000
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=12.0 required=8.0
tests=BAYES_80,CLICK_BELOW,HTML_70_80,HTML_FONT_BIG,
MIME_HTML_ONLY,OBFUSCATING_COMMENT,PENIS_ENLARGE2,
RCVD_IN_NJABL,RCVD_IN_RBL_PLUS
version=2.55
X-Spam-Level: ************
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F65A40E.5881C12A"
This mail is probably spam. The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future. See http://spamassassin.org/tag/ for more details.
Content preview: PEF-RX will take your sex life to new levels...
Guaranteed! Your penis will grow up to 3 inches Your erections will be
rock hard [...]
Content analysis details: (12.00 points, 8 required)
PENIS_ENLARGE2 (2.1 points) BODY: Information on getting a larger penis or
breasts (2)
BAYES_80 (4.3 points) BODY: Bayesian classifier says spam probability is 80
to 90%
[score: 0.8579]
HTML_FONT_BIG (0.2 points) BODY: FONT Size +2 and up or 3 and up
HTML_70_80 (0.3 points) BODY: Message is 70% to 80% HTML
RCVD_IN_NJABL (0.8 points) RBL: Received via a relay in dnsbl.njabl.org
[RBL check: found 169.159.89.213.dnsbl.njabl.org., type: 127.0.0.9]
RCVD_IN_RBL_PLUS (1.0 points) RBL: Received via RBLed relay, see
http://www.mail-abuse.org/rbl/
[RBL check: found 169.159.89.213.rbl-plus.mail-abuse.org., type:
127.1.0.8]
CLICK_BELOW (0.0 points) Asks you to click below
MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts
OBFUSCATING_COMMENT (3.2 points) HTML comments which obfuscate text
The original message did not contain plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
[snip]
This mail is probably spam. The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future. See http://spamassassin.org/tag/ for more details.
Content preview: PEF-RX will take your sex life to new levels...
Guaranteed! Your penis will grow up to 3 inches Your erections will be
rock hard [...]
Content analysis details: (12.00 points, 8 required)
PENIS_ENLARGE2 (2.1 points) BODY: Information on getting a larger penis or
breasts (2)
BAYES_80 (4.3 points) BODY: Bayesian classifier says spam probability is 80
to 90%
[score: 0.8579]
HTML_FONT_BIG (0.2 points) BODY: FONT Size +2 and up or 3 and up
HTML_70_80 (0.3 points) BODY: Message is 70% to 80% HTML
RCVD_IN_NJABL (0.8 points) RBL: Received via a relay in dnsbl.njabl.org
[RBL check: found 169.159.89.213.dnsbl.njabl.org., type: 127.0.0.9]
RCVD_IN_RBL_PLUS (1.0 points) RBL: Received via RBLed relay, see
http://www.mail-abuse.org/rbl/
[RBL check: found 169.159.89.213.rbl-plus.mail-abuse.org., type:
127.1.0.8]
CLICK_BELOW (0.0 points) Asks you to click below
MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts
OBFUSCATING_COMMENT (3.2 points) HTML comments which obfuscate text
Cheers,
--
- Matti -
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
