On Sun, 2008-07-20 at 16:03 +0200, Yves Goergen wrote:
> Hello,
>
> I just received an e-mail with the following report:
>
> > X-Spam-Report: Content analysis details:
> >  0.0 URIBL_RED Contains an URL listed in the URIBL redlist
> >      [URIs: unclassified.de]
> >  0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
> >      [URIs: unclassified.de]
> >  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> >      [URIs: unclassified.de]

It strikes me as odd that the URI should be listed in all these BLs.
DNS hiccup?

> >  5.0 BOTNET Relay might be a spambot or virusbot
> >      [botnet0.8,ip=(...)]
> >  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> >      [89.183.23.141 listed in zen.spamhaus.org]

This is your real problem that accounts for the lion's share of the
score. +5.9 because the sender MUA directly sent to your MX.

> > -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> >      [score: 0.0000]
> >  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
> >      dynamic-looking rDNS
> > -1.6 AWL AWL: From: address is in the auto white-list
>
> (...) contains information about the sending host that should not matter
> here.

Doesn't matter for the URIBL / DNS issue, right. But it indeed DOES
matter for the total score and the reason why this particular mail ended
up classified as spam -- and triggered your attention in the first
place. The full Received headers would be necessary to track down this.

> The message is a reply to a message from me. It contains my text quoted,
> complete with my previous signature that also has the link to
> http://unclassified.de. I was a bit surprised about the high spam score
> of 5.0 and looked at the report. It says that "unclassified.de" is on
> URIBL. I could not believe that and checked in at their site. But they
> say it is *not* on the list. So what happened here? How can SA (3.2.4)
> give spam points for a problem that is completely wrong?

Bad DNS response? That probably would explain why the domain ended up on
RED, GRAY and BLACK. See above.

Do you see hits like these with other mail, too? Does it happen
frequently / occasionally or is it an isolated incident? Necessary info
to start hunting this down.

However, even though that result indeed is odd, appears to be a bug, and
is worth investigation -- it is not the reason for the mail being
classified spammy. Bayes and AWL single-handedly would have gotten the
score back below 0.

The reason this mail ended up flagged as spam is because the sender sent
it from a dial-up IP directly to your MX. Resulting score for this
alone: 6.0.

  guenther

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}