Re: SA frequently skipping rules

Thu, 09 Feb 2006 15:46:32 -0800 

Jim Smith wrote:

I'm getting lots of spam that are skipping rules. One that came in recently
with lots of porn only got tagged for SORBS, NUMERIC HELO, and UNPARSEABLE
RELAY (I don't know what unparseable relay means but seems like many emails
have that lately). 


UNPARSEABLE_RELAY means that, wait for it, one of the relays in the 
message headers (Received: headers) weren't parseable.




The full headers & message (uncensored) of that example
is at www.blarneystone.com/spam/spam.txt if that helps.



Full headers?  There's nothing left of those headers.  That sample is 
useless header wise.




If you look at it you can tell that it should have kicked off lots of porn
tags but none were there and it sailed through with a 3.2 score. This has

only happened since I upgraded to SA 3.1.0. 



I don't see a single thing in the body that should have hit any rules. 
Except for some URIDNSBL rules [1] that you may or may not be running, 
but nothing content wise.




I've run SA --lint -D without errors. I thought it might be some
configuration left over from my older SA when I upgraded so I did a clean
install on a new machine and still have the same issue with skipping of
rules. BTW, I know the rules aren't missing from the installation because
they show up in other emails. A sporadic problem... my favorite <sigh>. Any
suggestions?


Sparodic, as in, if you scan it again it hits different rules?


Daryl


[1] My hits on the sample...


Content analysis details:   (11.2 points, 5.0 required)

 pts rule name              description

---- ---------------------- 
--------------------------------------------------
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable 
relay lines

 2.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 1.1 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: otrfgrt.com]

 3.4 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL 
blocklist

                            [URIs: otrfgrt.com]

 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL 
blocklist

                            [URIs: otrfgrt.com]

 2.6 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL 
blocklist

                            [URIs: otrfgrt.com]























					Reply via email to