spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: lots of missed spam/false negatives from .info TLD being marked with URIBL_RHS_DOB
Date Tue, 30 May 2017 03:24:40 GMT
On Mon, 29 May 2017, Robert Kudyba wrote:

> For the past few days lots of missed spam has been getting through, running
> SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with
> URIBL_RHS_DOB, i.e.,  domains registered in the last five days. Since we
> are not running our own DNS server (yet--need permission from our CISO)
> URIBL_BLOCKED is also being triggered. Is there a way to update this?

Update what how?

I note that message hit BAYES_00. If content like that is getting a 
"strong ham" Bayes score, you should review your training processes and 
Bayes corpora - you *do* keep copies of messages you train Bayes with, 
right? :)

If you trust URIBL_RHS_DOB to not hit your ham, you can increase the score 
of URIBL_RHS_DOB in your local rules file.

If you'd prefer a more-focused solution, use a meta rule; perhaps:

   meta  LCL_DOB_FROM_INFO   __FROM_DOM_INFO && URIBL_RHS_DOB
   score LCL_DOB_FROM_INFO   2.500  # or whatever you're comfortable with

But: fixing your Bayes and getting a non-forwarding DNS server for your 
mail system so that you're not hitting RBL query limits are the biggest 
things you need to do to address this.

> I haven't seen an update in sa-update since 03-May-2017 01:52:05:

Masscheck and updates are *almost* back.

> Here's a typical mail header & message content:
> https://pastebin.com/Rw1S7mWe

Thanks for that.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #2: Anything worth shooting
   is worth shooting twice. Ammo is cheap. Your life is expensive.
-----------------------------------------------------------------------
  Today: Memorial Day - honor those who sacrificed for our liberty
