On Mon, 29 May 2017, Robert Kudyba wrote:
> For the past few days lots of missed spam has been getting through, running
> SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with
> URIBL_RHS_DOB, i.e., domains registered in the last five days. Since we
> are not running our own DNS server (yet--need permission from our CISO)
> URIBL_BLOCKED is also being triggered. Is there a way to update this?

Update what how?

I note that message hit BAYES_00. If content like that is getting a
"strong ham" Bayes score, you should review your training processes and
Bayes corpora - you *do* keep copies of messages you train Bayes with,
right? :)

If you trust URIBL_RHS_DOB to not hit your ham, you can increase the score
of URIBL_RHS_DOB in your local rules file.

If you'd prefer a more-focused solution, use a meta rule; perhaps:

  meta LCL_DOB_FROM_INFO __FROM_DOM_INFO && URIBL_RHS_DOB
  score LCL_DOB_FROM_INFO 2.500 # or whatever you're comfortable with

But: fixing your Bayes and getting a non-forwarding DNS server for your
mail system so that you're not hitting RBL query limits are the biggest
things you need to do to address this.

> I haven't seen an update in sa-update since 03-May-2017 01:52:05:

Masscheck and updates are *almost* back.

> Here's a typical mail header & message content:
> https://pastebin.com/Rw1S7mWe

Thanks for that.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #2: Anything worth shooting
is worth shooting twice. Ammo is cheap. Your life is expensive.
-----------------------------------------------------------------------
Today: Memorial Day - honor those who sacrificed for our liberty
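
One way to apply the advice in the reply above to saved messages, as an added example that is not part of the original thread: it reads each message's X-Spam-Status header, flags URIBL_BLOCKED hits, flags BAYES_00 on mail that also hit URIBL_RHS_DOB, and checks whether a proposed increase to the URIBL_RHS_DOB score would reach the required threshold. The sample messages, the function names and the `dob_delta` parameter (the amount added to the rule's current score) are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages, not taken from the thread.
MISSED_SPAM = (
    "From: sender@example.info\n"
    "X-Spam-Status: No, score=2.6 required=5.0 tests=BAYES_00,HTML_MESSAGE,\n"
    "\tURIBL_BLOCKED,URIBL_RHS_DOB autolearn=no version=3.4.1\n"
    "\n"
    "body\n"
)
HAM = (
    "From: colleague@example.org\n"
    "X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00\n"
    "\tautolearn=ham version=3.4.1\n"
    "\n"
    "body\n"
)


def parse_spam_status(raw_message):
    """Return (score, required, rule-name set); score is None without a header."""
    header = message_from_string(raw_message).get("X-Spam-Status", "")
    header = re.sub(r",\s+", ",", header)  # rejoin a tests= list folded at commas
    score = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", header)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", header)
    tests = re.search(r"\btests=(\S+)", header)
    if not (score and required):
        return None, None, set()
    names = set(tests.group(1).split(",")) if tests else set()
    return float(score.group(1)), float(required.group(1)), names - {"none"}


def review(raw_message, dob_delta=0.0):
    """Flag what the reply says to look at; dob_delta is a proposed score increase."""
    score, required, tests = parse_spam_status(raw_message)
    hit_dob = "URIBL_RHS_DOB" in tests
    return {
        # URIBL refused the query: results for this message are incomplete.
        "dns_blocked": "URIBL_BLOCKED" in tests,
        # "Strong ham" Bayes verdict on mail linking a newly registered domain.
        "bayes_suspect": hit_dob and "BAYES_00" in tests,
        # Would raising URIBL_RHS_DOB by dob_delta reach the spam threshold?
        "would_tag": hit_dob and score + dob_delta >= required,
    }


if __name__ == "__main__":
    for name, raw in (("missed spam", MISSED_SPAM), ("ham", HAM)):
        print(name, review(raw, dob_delta=2.5))
```

Running `review` with the same `dob_delta` over saved ham shows whether the higher score would start tagging legitimate mail.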