> -----Original Message-----
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 5:14 PM
> To: users@spamassassin.apache.org
> Subject: Re: RBL Misfires?
>
>
> It would be useful if you could forward the messages that falsely
> trigger on RBLs, along with name resolution results on the specific
> RBL nearby in time, such as:
>
> > % dig vantagemobility.com.ws.surbl.org
The message is attached.
I ran that exact query against my DNS server, and both my ISPs servers at the
time it happened. Got basically this (nadda):
; <<>> DiG 9.2.1 <<>> vantagemobility.com.ws.surbl.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;vantagemobility.com.ws.surbl.org. IN A
;; AUTHORITY SECTION:
ws.surbl.org. 900 IN SOA a.surbl.org. zone.surbl.org.
1097682081 900 450 604800 900
;; Query time: 247 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:17:27 2004
;; MSG SIZE rcvd: 93
> (and similar lookups on numeric RBLs like
> dig 2.0.0.127.sbl.spamhaus.org)
; <<>> DiG 9.2.1 <<>> 2.0.0.127.sbl.spamhaus.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48647
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;2.0.0.127.sbl.spamhaus.org. IN A
;; ANSWER SECTION:
2.0.0.127.sbl.spamhaus.org. 7200 IN A 127.0.0.2
;; AUTHORITY SECTION:
sbl.spamhaus.org. 172800 IN NS n.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS r.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS s.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS u.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS v.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS z.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS a.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS b.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS c.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS d.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS e.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS f.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS m.ns.spamhaus.org.
;; Query time: 409 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:25:29 2004
;; MSG SIZE rcvd: 271
>
> There have been other sporadic reports of RBL misfires, which
> leads me to wonder about the possibility of a rarely hit bug
> somewhere in the RBL code. Unfortunately this kind of thing
> seems hard to debug given the dynamic nature of messages and
> RBLs, but there are enough reports to make me wonder....
>
Yeah... I know. I'm not even sure if I have a problem or not. I just recently
turned on the report header for all mail, so that I could at least get a little
more information without getting lost in constant debug output. I'm keeping an
eye on it for now.
The system, btw, is Red Hat 7.3, Sendmail 8.12.11, Spamass-Milter 0.2.0, SA 3.0
(but I also noticed questionable RBL hits with 2.64), and Net::DNS 0.46.
The SA system is configured to use our internal DNS server, which has the
typical default settings, afaik.
I do see cached entries for the RBLs in my DNS system, but when I actually
catch what I believe to be a misfire on an RBL check, I don't see a cache
record for it in my DNS.
One other thing that may be worth mentioning is that all messages come into
sendmail from localhost. MessageWall listens on the wire as a proxy. The only
obvious issue I saw with this is that SPF doesn't work.
> Jeff C.
> --
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/
>
>
From "Karl Wein" Tue Oct 12 09:55:51 2004
Microsoft Mail Internet Headers Version 2.0
Received: from blacksheep.riconcorp.com ([10.10.3.5]) by pnork.ricon.us with
Microsoft SMTPSVC(6.0.3790.0);
Tue, 12 Oct 2004 09:56:43 -0700
Received: from riconcorp.com (blacksheep.riconcorp.com [127.0.0.1])
by blacksheep.riconcorp.com (8.12.11/8.12.11) with ESMTP id
i9CB3Iu1012753
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 09:56:32 -0700
X-MessageWall-Score: 0 (riconcorp.com)
X-MessageWall-Warning: MIME/REJECT: body part contains disallowed string:
text/html
Received: from [165.251.41.49] by riconcorp.com (MessageWall 1.0.8md) with
SMTP; 12 Oct 2004 16:56:22 -0000
Received: from jcmwsc09.mwjc.easylink.com (mwsmout-vip-1.mwjc.easylink.com
[165.251.41.105])
by jcmwsm02.mwjc.easylink.com (8.12.9/8.12.9) with ESMTP id
i9CGuLiJ008577
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 12:56:21 -0400 (EDT)
Received: from mail pickup service by jcmwsc09.mwjc.easylink.com with Microsoft
SMTPSVC;
Tue, 12 Oct 2004 12:56:21 -0400
Received: from 165.251.41.100 ([165.251.41.100]) by jcmwsc09.mwjc.easylink.com
with SMTP id 000300098b4f780f-5ab7-4e02-8194-ab80a93fd27d;
Tue, 12 Oct 2004 12:56:21 -0400
Received: from Exchange.VantageMobility.com (66-193-202-220.gen.twtelecom.net
[66.193.202.220])
by jcmwsm17.mwjc.easylink.com (8.12.9/8.12.9) with ESMTP id
i9CGuKhS015588
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 12:56:21 -0400 (EDT)
Received: by NTSERVER04 with Internet Mail Service (5.5.2653.19)
id <TXX4B3XS>; Tue, 12 Oct 2004 09:55:51 -0700
Message-ID: <[EMAIL PROTECTED]>
From: Karl Wein <[EMAIL PROTECTED]>
To: "'Ericka Acevedo'" <[EMAIL PROTECTED]>
Subject: 224301
Date: Tue, 12 Oct 2004 09:55:51 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C4B07C.5463DAC0"
X-MW-BTID: 093325000020042866098100000
X-MW-CTIME: 1097600180
X-MW-SENDING-MTA: 66.193.202.220
HOP-COUNT: 1
X-MAILWATCH-INSTANCEID: 010300098b4f780f-5ab7-4e02-8194-ab80a93fd27d
X-OriginalArrivalTime: 12 Oct 2004 16:56:21.0638 (UTC)
FILETIME=[66904260:01C4B07C]
X-Spam-Status: No, score=-101.1 required=5.0 tests=BAYES_00,HTML_90_100,
HTML_MESSAGE,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no
version=3.0.0
X-Spam-Report:
* -100 USER_IN_WHITELIST From: address is in the user's white-list
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 HTML_90_100 BODY: Message is 90% to 100% HTML
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
* [score: 0.0000]
* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [URIs: vantagemobility.com]
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on
blacksheep.riconcorp.com
Return-Path: [EMAIL PROTECTED]
Hi Ericka-
I need the lift on this Order Number changed to a UL2806-2P01000. This order is
on Will Call.
Thanks a bunch.
Karl Wein
National Sales Coordinator
VMI
5202 South 28th Place
Phoenix, AZ 85040
800.348.8267 x5848
602.243.9843 fax
www.vantagemobility.com
