spamassassin-users mailing list archives

From Matt Kettler <mkettler...@verizon.net>
Subject Re: Understanding spamhaus FP
Date Fri, 08 Mar 2013 04:24:58 GMT
On 3/7/2013 1:51 PM, Alex wrote:
> Hi,
>
> I received an email that was tagged with KHOP_SPAMHAUS_DROP, which
> means it was listed in the "Spamhaus Don't Route Or Peer List".
> However, I've checked every IP and domain in the email, and none are
> listed on any spamhaus list, even as of a minute ago. What is it in
> this message that is being tagged?
>
> http://pastebin.com/qPq9ah7P
>
>
First, I'll disclaim I'm a bit rusty here... It's been a year or two
since I've had time to contribute to SpamAssassin much. But perhaps I
can be of some help.

The SPAMHAUS_DROP list is only available from them as a text file or as
a BGP feed. It is not a live DNS query like their other lists.

http://www.spamhaus.org/drop/drop.txt

However, I agree none of the IPs seem to be in the drop list.

It looks like the rule in question is published by khopesh.com, not the
SA core ruleset... I'm assuming you are using an update channel from
http://khopesh.com/wiki/Anti-spam.

Regardless, since the list is a text file, it looks like it is being
auto-converted to a SpamAssassin rule, but that makes it semi-static.
Generally this is OK, as the DROP list doesn't change very fast.
However, it does change, and what's on your SpamAssassin box may not
reflect the current drop list. I'm not really up to speed on the khopesh
feed, so I'm not sure how often that rule gets regenerated. For that
matter, I'm also not sure how often you are fetching sa-updates from
them....

I *think* if you run the message through spamassassin -D it might show
you which text matched the rule when it hits.. which should give you
some answers...
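
Added example, not part of the original message and not code from SpamAssassin or the khopesh channel: a check of a message's relay IPs against a freshly downloaded copy of drop.txt, which helps tell a stale local rule from a genuine listing. It assumes drop.txt uses `CIDR ; SBL reference` lines with `;` comments, and that the bracketed IPv4 addresses in Received headers are the ones worth checking; the sample data and function names are constructed.

```python
import email
import ipaddress
import re

# Constructed samples: drop.txt layout ("CIDR ; SBL reference") and message
# headers, using documentation address ranges, not real DROP entries.
SAMPLE_DROP = """\
; Constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
"""

SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.200])
\tby mail.example.org with ESMTP; Thu, 7 Mar 2013 13:40:00 -0500
Received: from client.example.com (unknown [203.0.113.7])
\tby mx.example.net with ESMTP; Thu, 7 Mar 2013 13:39:58 -0500
Subject: constructed example
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_drop(text):
    """Return (network, reference) pairs, skipping blank and ';' comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            cidr, _, ref = line.partition(";")
            entries.append((ipaddress.ip_network(cidr.strip()), ref.strip()))
    return entries

def received_ips(raw_message):
    """Collect bracketed IPv4 addresses from every Received header."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for candidate in IPV4_IN_BRACKETS.findall(header):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:  # looks like an IP but is out of range
                continue
    return ips

def drop_hits(raw_message, drop_text):
    """List (ip, matching network, SBL reference) for each relay IP in the list."""
    entries = parse_drop(drop_text)
    return [(str(ip), str(net), ref) for ip in received_ips(raw_message)
            for net, ref in entries if ip in net]
```

An empty result against the current drop.txt, while the rule still fires locally, points at an out-of-date generated rule rather than a live listing.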






