Been using SA for quite a while and agree it's working great.
Is FROM_STARTS_WITH_NUMS appropriately spammy if it's a legal way to
name a domain?
Is this related to the "suspicious hostname" flags? Or is that
related to the use of webmail? If the former, then they're getting
dinged at least four times for the same issue. If the latter, can I
improve something with the webmail configuration to avoid this since
webmail is a very common tool?
Anything else causing this email to appear particular spammy when it
is a pretty generic and legitimate email?
On Jul 13, 2005, at 5:40 PM, Greg Allen wrote:
If I am reading this correctly it looks like SA is working
perfectly. SA
admins generally don't care much for kids sending email to our
servers from
their mom's computers while she is at work... well u get the idea.
But I am
guessing your friend already knows that.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 13, 2005 3:52 PM
To: users@spamassassin.apache.org
Subject: Rule Advice
We're working with someone who has a domain that starts with a
number: 360skincare.com. So it gets bit by FROM_STARTS_WITH_NUMS. I
also see some for suspicious hostname.
A little more background: the sender appears to come from pacbell.net
isp and using a webmail client.
Are these "suspicious hostname" entries appearing because the
hostname starts with a number? Any other advice on these headers to
help the user not appear as sending spam? I suspect they are out of
luck for the bl rules if pacbell is on a block list.
Here are the full headers (since upgraded to 3.0.4):
From: [EMAIL PROTECTED]
Date: July 9, 2005 2:00:29 PM MST
To: [EMAIL PROTECTED]
Subject: Re: here you go
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29
-0000
Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul
2005 21:00:29 -0000
Received: from adsl-64-165-17-127.dsl.sndg02.pacbell.net
(adsl-64-165-17-127.dsl.sndg02.pacbell.net [64.165.17.127]) by
webmail.360skincare.com (IMP) with HTTP for
<[EMAIL PROTECTED]@localhost>; Sat, 9 Jul 2005 17:00:29 -0400
Message-Id: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.3
X-Originating-Ip: 64.165.17.127
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on hidden2
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.5 required=5.0
tests=FROM_STARTS_WITH_NUMS,
HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR,
RCVD_IN_NJABL_DUL autolearn=no version=3.0.3
X-Spam-Report: * 0.1 HELO_DYNAMIC_DHCP Relay HELO'd using
suspicious hostname (DHCP) * 1.5 HELO_DYNAMIC_HCC Relay HELO'd
using suspicious hostname (HCC) * 2.8 HELO_DYNAMIC_IPADDR Relay
HELO'd using suspicious hostname (IP addr 1) * 1.5
FROM_STARTS_WITH_NUMS From: starts with nums * 1.7
RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
* [64.165.17.127 listed in combined.njabl.org]
