No, I was editing the actual rule file itself. I have done a lookup on several of the IPs that SA is stating are HI on DNSWL, yet they come back as not whitelisted.
http://www.dnswl.org/search.pl?s=98.126.47.12 = IP address 98.126.47.12 is not whitelisted at dnswl.org.

spamassassin -t -D < MSGID = -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/, hightrust [98.126.47.12 listed in list.dnswl.org]

I am using local dns servers. The server is at SoftLayer's DC. Using their local DNS servers, 10.0.X

--
Jeremy McSpadden
Flux Labs, Inc

On Oct 30, 2011, at 1:50 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

I am editing the local, thanks.

sa-update should not touch your local configuration file. Are you saying it is doing so?

Letting them know is fine and all, except the mail is still getting through my systems. I have noticed this on several of my MS gateways. The emails are blatant spam. This is for hundreds of emails. DNSWL thinks just because one yahoo/gmail/hotmail account is clean; all are. Does not make sense to me.

What upstream DNS are you using for your SA? DNSWL has usage limits absent subscription, and if you're using a busy public DNS (e.g. Google's public DNS servers) for your queries then DNSWL may be returning HI for _all_ queries regardless of how the sender is actually classified in their database.

Does running your SA against a local caching DNS server that doesn't forward to an upstream DNS server change the behavior for these messages?

--
Jeremy McSpadden
Flux Labs, Inc

On Oct 30, 2011, at 12:54 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:

It seems nightly the rule is re-enabled.

Don't edit the files that are deep in the SpamAssassin working directories, they will get overwritten with updates as you have seen. If you want to disable a rule, set its score to zero in your _local_ configuration file, typically under /etc/mail/spamassassin.

If you're getting spams from hosts in DNSWL HI, please let the DNSWL people know so they can deal with it. Either the source MTA needs to be cleaned up, or their listing demoted.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
Tomorrow: Halloween
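
An added example, not part of the thread or of SpamAssassin: a check for the resolver-side failure discussed above, where every DNSWL query comes back HI regardless of the sender. It assumes DNSWL answers have the form 127.0.<category>.<trust> with trust 0 to 3 (none, low, med, hi) and 127.0.0.255 for a blocked querier; the function names and the sample answers are constructed for illustration.

```python
import ipaddress

# Assumption: answer format 127.0.<category>.<trust>, trust 0..3;
# 127.0.0.255 means the querying resolver is blocked (over the usage limit).
TRUST = {0: "none", 1: "low", 2: "med", 3: "hi"}


def dnswl_qname(ip, zone="list.dnswl.org"):
    """Build the DNSBL-style query name: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(answer):
    """Map one A-record answer (or None for NXDOMAIN) to a verdict string."""
    if answer is None:
        return "not-listed"
    a, b, category, trust = ipaddress.IPv4Address(answer).packed
    if (a, b) != (127, 0):
        return "invalid"      # e.g. a resolver that rewrites NXDOMAIN
    if category == 0 and trust == 255:
        return "blocked"
    return "trust-" + TRUST[trust] if trust in TRUST else "invalid"


def resolver_suspect(answers, min_ips=3):
    """Return a reason if a batch of answers points at the resolver path
    rather than at the senders themselves, else None."""
    verdicts = {ip: classify_answer(a) for ip, a in answers.items()}
    if any(v in ("blocked", "invalid") for v in verdicts.values()):
        return "resolver blocked or rewriting answers"
    if len(verdicts) >= min_ips and set(verdicts.values()) == {"trust-hi"}:
        return "every sender rated hi"
    return None


# Constructed sample data: the same senders looked up through two resolvers.
VIA_FORWARDER = {"98.126.47.12": "127.0.5.3", "192.0.2.10": "127.0.5.3",
                 "198.51.100.7": "127.0.5.3"}
VIA_LOCAL = {"98.126.47.12": None, "192.0.2.10": None,
             "198.51.100.7": "127.0.5.1"}

if __name__ == "__main__":
    print(dnswl_qname("98.126.47.12"))
    print("forwarder:", resolver_suspect(VIA_FORWARDER))
    print("local:", resolver_suspect(VIA_LOCAL))
```

Feed it the answers your SpamAssassin host's resolver actually returns for a handful of unrelated senders; a non-None result points at the DNS path, not at the DNSWL listings.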