On Wednesday, December 20, 2006, 5:44:09 AM, Dhaval Patel wrote:
> Hello all, I have been using spamassassin for quite some time and just
> recently I have seen some false positives. Looking at the content analysis
> I see that it is the URIBL*SURBL rules that are throwing it over the edge.
> What is surprising is that in some of the emails, the URI is not even in
> the email itself. (see content details below)

Can you show how the URI is not in the message? If it truly isn't
then you may be having the "DNS answers get mixed up" bug, which
can be fixed by upgrading to SpamAssassin versions 3.1 or later,
and by upgrading your Net::DNS.

  http://bugzilla.spamassassin.org/show_bug.cgi?id=3997

What versions of SpamAssassin and Net::DNS are you running?

> There is another case where the URI that it found to be on the blocklist
> was our own domain. I checked PhishTank to see if it was part of it, and it
> turns out that it isn't. Where else can I look to make sure that my domain
> is not part of this list?

That sounds like the DNS bug, unless your domain was actually
blacklisted. You can look up domains by doing a DNS query:

  dig mydomain.com.multi.surbl.org

or using the web query:

  http://www.rulesemporium.com/cgi-bin/uribl.cgi

> There is another case where the URL that it found to be on the block list
> was atwola.com which is part of AOL. AOL puts this URI in the footer of
> their e-mails. How many emails are going to be blocked because of this?

atwola.com is not listed on any SURBLs, nor can it be since we've
whitelisted (excluded) it. Perhaps you're using a different list
or seeing a DNS error, as mentioned above.

> Content analysis details:   (6.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
>  0.5 HTML_40_50             BODY: Message is 40% to 50% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.2 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.4999]
>  0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>                             [URIs: socomusicfund.org]

socomusicfund.org is likely a false positive. We've removed it
from OB.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
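
The reply above attributes a listing for a URI that is not in the message to DNS answers being paired with the wrong query. As an added example (not SpamAssassin or Net::DNS code, and not a description of how bug 3997 was fixed), this Python code shows the general check a lookup client can apply: accept a response only when both its ID and its question name match an outstanding query. The domain names, query IDs and the 127.0.0.2 answer are constructed sample values.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_packet(qid, name, answer_ip=None):
    """Build a constructed A/IN query, or a response if answer_ip is given."""
    flags, ancount = (0x8180, 1) if answer_ip else (0x0100, 0)
    packet = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    packet += encode_name(name) + struct.pack("!HH", 1, 1)
    if answer_ip:
        # Answer name is a compression pointer back to the question at offset 12.
        packet += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(answer_ip)
    return packet

def read_question(packet):
    """Return (id, is_response, qname) from the header and first question."""
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return qid, bool(flags & 0x8000), ".".join(labels).lower()

def match_response(pending, packet):
    """Return the pending query name this packet answers, or None to discard it."""
    try:
        qid, is_response, qname = read_question(packet)
    except (struct.error, IndexError, ValueError):
        return None  # truncated or malformed packet
    expected = pending.get(qid)
    if not is_response or expected is None or qname != expected.lower():
        return None  # unknown ID, or an answer to a different question
    return expected

# Constructed sample: two outstanding lookups in the zone format shown above.
PENDING = {0x1A2B: "listed.example.multi.surbl.org",
           0x1A2C: "clean.example.multi.surbl.org"}
GOOD = build_packet(0x1A2B, "listed.example.multi.surbl.org", (127, 0, 0, 2))
# Same answer, but carrying the ID of the other lookup: must be discarded.
MIXED = build_packet(0x1A2C, "listed.example.multi.surbl.org", (127, 0, 0, 2))
```

Without the question-name comparison, `MIXED` would be credited to `clean.example`, which is how a domain that is not listed can appear to hit a blocklist rule.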