Re: Spam constantly being autolearned as ham

Wed, 23 Oct 2013 14:34:49 -0700 

On 10/23/2013 11:23 PM, Quanah Gibson-Mount wrote:

--On Wednesday, October 23, 2013 5:04 PM -0400 Kris Deugau
<kdeu...@vianet.ca> wrote:


<g>  Well, you didn't post the message body...

*Usually* that indicates that the URI wasn't listed when the message was
originally processed, but checking again even 10-15 minutes later it is.
 This is tricky to confirm unless you have enough access to the raw URI
lists to know when the URI was added.


Ok, that makes sense. ;)


Post a complete example on pastebin - maybe there was something odd in
the message structure that caused the URIs to be skipped, but I can't
say I've ever seen one.  SA goes to great lengths to mimic the idiocy
that many mail clients go to in picking URIs out of the message.  Bad
grammar/typing with something like "... for dinner.It was ..." is enough
to cause "dinner.it" to get looked up, so it's much more likely the URI
simply wasn't listed when the message was first scanned.


<http://ur1.ca/fxhkp>


Run the complete message through "spamassassin -D uridnsbl <message" -
you should get a line like:

Oct 23 16:57:24.845 [12772] dbg: uridnsbl: domains to query:

(hopefully with a list of URIs to actually query)


Yeah, it definitely appears it is querying them correctly.

The updated header even has:

X-Spam-Checker-Version: SpamAssassin 3.4.0-pre3-r1435395 (2013-01-18) on
        edge02-zcs.vmware.com
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 tests=DKIM_SIGNED,
        HTML_IMAGE_RATIO_02,HTML_MESSAGE,RP_MATCHES_RCVD,T_DKIM_INVALID,
        T_HEADER_FROM_DIFFERENT_DOMAINS,UNPARSEABLE_RELAY,URIBL_BLOCKED,
        URIBL_DBL_SPAM autolearn=no version=3.4.0-pre3-r1435395


Among the other bits, handy things like:

Oct 23 14:18:43.636 [24474] dbg: uridnsbl: domain "pumpery.com" listed
(URIBL_BLOCKED): 127.0.0.1
Oct 23 14:18:43.638 [24474] dbg: uridnsbl: domain "pumpery.com" listed
(URIBL_DBL_SPAM): 127.0.1.2
Oct 23 14:18:43.739 [24474] dbg: uridnsbl: domain "nsports.com.br"
listed (URIBL_BLOCKED): 127.0.0.1

So I guess it wasn't listed at the time the message came in, as you noted.

Still the spam score seems a bit low, I guess I may want to tweak the
URIBL_DBL_SPAM and URIBL_BLOCKED scores.



URIBL_BLOCKED is not good news .-)
I wouldn't touch that score...

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

This why I suggested you run your own recursors....

Reply via email to