Initial results indicate that the culpit was DoBombHeaderRe. I disabled
that test and message scoring started working again. Tests that blocked
outright worked fine (ForgedHELO set to 1, Virus) during this whole
period. It was Message Scoring (tests set to 3) that failed to register
anything when DoBombHeaderRe was active.
If it is relevant, in bombHeaderRE and bombCharSets, I had the
recommended eaxmples installed. Thanks so much and good eye, Jerome.
I've turned most of my filters back to scoring mode and it's still
stopping spam! Looks like it's all back to normal now.
Here's a sample of what's getting stopped now!
The log snippet:
Jul-22-07 21:33:51 id-8031c9870 62.135.93.244 <[EMAIL PROTECTED]> to: [EMAIL
PROTECTED] recipient accepted: [EMAIL PROTECTED]
Jul-22-07 21:33:52 Commencing DNSBL checks on 62.135.93.244
Jul-22-07 21:33:52 Completed DNSBL checks on 62.135.93.244
Jul-22-07 21:33:52 id-8031c9870 62.135.93.244 <[EMAIL PROTECTED]> to: [EMAIL
PROTECTED] Received-RWL: not listed (yams.urigubu.com: local policy) rwl=none;
client-ip=62.135.93.244
Jul-22-07 21:33:52 [MissingMXA][pass] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] scoring PTR missing for 62.135.93.244
Jul-22-07 21:33:52 [MissingMXA][pass] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] Message-Score: 0+12 (PTRmissing)
Jul-22-07 21:33:52 [MissingMXA][pass] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] PB: 62.135.93.244 score: 0+12 => 12
reason:PTRmissing
Jul-22-07 21:33:52 [SPF][scoring] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] Received-SPF: softfail (yams.urigubu.com:
transitioning domain of [EMAIL PROTECTED] does not designate 62.135.93.244 as
permitted sender) client-ip=62.135.93.244; [EMAIL PROTECTED];
helo=[62.135.93.244];
Jul-22-07 21:33:52 [SPF][scoring] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] Message-Score: 12+8 (SPF-softfail)
Jul-22-07 21:33:52 [SPF][scoring] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] PB: 62.135.93.244 score: 12+8 => 20
reason:SPF-softfail
Jul-22-07 21:33:52 Commencing DNSBL checks on 62.135.93.244
Jul-22-07 21:33:52 [DNSBL][scoring] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] Message-Score: 20+35 (DNSBL-failed)
Jul-22-07 21:33:52 [DNSBL][scoring] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] PB: 62.135.93.244 score: 20+35 => 55
reason:DNSBL-failed
Jul-22-07 21:33:52 id-8031c9870 62.135.93.244 <[EMAIL PROTECTED]> to: [EMAIL
PROTECTED] DNSBL scoring Received-DNSBL: fail (combined.njabl.org->127.0.0.3;
zen.spamhaus.org->127.0.0.4; )
Jul-22-07 21:33:52 [MessageLimit] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] Message Limit
Drugs_online_It_s_not_a_problem_ -> nocollect:freq
Jul-22-07 21:33:52 [MessageLimit] id-8031c9870 62.135.93.244 <[EMAIL
PROTECTED]> to: [EMAIL PROTECTED] is disconnected
The headers:
From - Sun Jul 22 22:07:21 2007
X-Account-Key: account9
X-UIDL: UID1949-1184735017
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
>From [EMAIL PROTECTED] Sun Jul 22 21:33:52 2007
Received: from localhost ([127.0.0.1]:49332 helo=yams.urigubu.com)
by yams.urigubu.com with smtp (Exim 4.66)
(envelope-from <[EMAIL PROTECTED]>)
id 1ICnk8-0007OU-Ms
for [EMAIL PROTECTED]; Sun, 22 Jul 2007 21:33:52 -0500
Received: from [62.135.93.244] ([62.135.93.244] helo=[62.135.93.244]) by
yams.urigubu.com; 22 Jul 2007 21:33:42 -0500
Received: from [62.135.93.244] by mxs.mail.ru; Mon, 23 Jul 2007 02:32:35
-0200
Date: Mon, 23 Jul 2007 02:32:35 -0200
From: Berry Hooker <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v3.81.14 Beta) Educational
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Drugs online? It's not a problem!
MIME-Version: 1.0
Content-Type: text/html;
charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Assp-Received-RWL: not listed (yams.urigubu.com: local policy) rwl=none;
client-ip=62.135.93.244
X-Assp-Score: 12 (PTRmissing)
X-Assp-Received-SPF: softfail (yams.urigubu.com: transitioning domain of
[EMAIL PROTECTED] does not designate 62.135.93.244 as permitted
sender)
client-ip=62.135.93.244; [EMAIL PROTECTED];
helo=[62.135.93.244];
X-Assp-Score: 8 (SPF-softfail)
X-Assp-Score: 35 (DNSBL-failed)
X-Assp-Received-DNSBL: fail (combined.njabl.org->127.0.0.3;
zen.spamhaus.org->127.0.0.4; )
X-Assp-Tag: MessageLimit
X-Assp-Version: 1.3.2(53)
X-Assp-Spam: YES
X-SMSMSE-SCL: 9
X-Assp-ID: id-8031c9870
X-Assp-Spam-Reason: Message Limit
X-Assp-Totalscore: 55
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
