On 3/7/2013 1:51 PM, Alex wrote:
> Hi,
>
> I received an email that was tagged with KHOP_SPAMHAUS_DROP, which
> means it was listed in the "Spamhaus Don't Route Or Peer List".
> However, I've checked every IP and domain in the email, and none are
> listed on any spamhaus list, even as of a minute ago. What is it in
> this message that is being tagged?
>
> http://pastebin.com/qPq9ah7P
>

First, I'll disclaim I'm a bit rusty here... It's been a year or two since I've had time to contribute to SpamAssassin much. But perhaps I can be of some help.

The SPAMHAUS_DROP list is only available from them as a text file or as a BGP feed.. it is not a live DNS query like their other lists.

http://www.spamhaus.org/drop/drop.txt

However, I agree none of the IPs seem to be in the drop list.

It looks like the rule in question is published by khopesh.com, not the SA core ruleset... I'm assuming you are using an update channel from http://khopesh.com/wiki/Anti-spam.

Regardless, since the list is a text file, it looks like it is being auto-converted to a SpamAssassin rule, but that makes it semi-static.. generally this is ok, as the DROP list doesn't change very fast. However, it does change, and what's on your SpamAssassin box may not reflect the current drop list.

I'm not really up to speed on the khopesh feed, so I'm not sure how often that rule gets regenerated. For that matter, I'm also not sure how often you are fetching sa-updates from them....

I *think* if you run the message through spamassassin -D it might show you which text matched the rule when it hits.. which should give you some answers...
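Added example, not part of the original message and not code from SpamAssassin or khopesh.com: one way to check a message's header IPs against a saved copy of the DROP text file, so the result can be compared with what a possibly stale generated rule reports. It assumes the file uses one `CIDR ; SBL id` entry per line with `;` starting a comment; the function names, sample ranges, ids and headers are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the assumed drop.txt layout: "CIDR ; SBL id" per line,
# ";" starts a comment. Ranges are documentation networks, ids are placeholders;
# the Received headers below are constructed as well.
SAMPLE_DROP = """\
; constructed sample, not real DROP data
192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
"""

SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [198.51.100.200])
Received: from client.example.com (unknown [203.0.113.9])
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_drop(text):
    """Return [(network, sbl_id)] from DROP-style text, skipping comments."""
    entries = []
    for line in text.splitlines():
        cidr, _, ref = line.strip().partition(";")
        if not cidr.strip():
            continue  # blank line or ";" comment
        try:
            entries.append((ipaddress.ip_network(cidr.strip()), ref.strip()))
        except ValueError:
            continue  # skip malformed lines rather than abort
    return entries

def header_ips(headers):
    """Return the distinct valid IPv4 addresses found in header text."""
    found = []
    for candidate in IPV4_RE.findall(headers):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1
        if ip not in found:
            found.append(ip)
    return found

def drop_hits(headers, drop_text):
    """Return [(ip, network, sbl_id)] for header IPs inside a listed range."""
    entries = parse_drop(drop_text)
    return [(str(ip), str(net), ref) for ip in header_ips(headers)
            for net, ref in entries if ip in net]

print(drop_hits(SAMPLE_HEADERS, SAMPLE_DROP))
```

Running it against both the current list and the copy the rule was generated from shows whether a hit comes from a range that has since been delisted.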
