>From: RW <rwmailli...@googlemail.com>
>Sent: Saturday, December 17, 2016 8:02 AM
>To: users@spamassassin.apache.org
>Subject: Re: recent increase in spam getting through

>On Sat, 17 Dec 2016 13:35:16 +0000
>David Jones wrote:

>> That mail server IP above is on a very high number of RBLs:
>> http://multirbl.valli.org/lookup/173.230.94.183.html
>>
>> The edge MX server 104.197.242.163 must not be doing any
>> MTA checks of RBLs.

>As I already mentioned it's normal to get huge scores when retesting
>spam because most net rules are reactive. It doesn't imply anything
>about RBL results at the time it was received.

When I looked at that RBL link above a few hours ago, it was listed on 30 RBLs and now it says 42 so I agree with you that this is not a direct indicator of receive time results. I use that link above after the receive time just to get a quick idea how bad it is. When I see a mail server IP with more than 10 to 12 hits, then it has been sending spam recently.

My point was that a mail server doesn't get listed on 30 or 42 RBLs in a few hours. It would have to have been sending a lot of spam for at least a few days so this email would have been blocked by postscreen on my servers for weeks.

Looking at the senderscore.org report for that IP, it has been sending spam for about 3 weeks and has a score of 0 out of 100. Trustworthy mail servers should have a score in the 90's.

SA comes with a few major RBL rules that should have blocked this message recently. With Postfix postscreen configured with major RBLs weighted high and less reliable RBLs weighted lower, you can get much better blocking at the MTA level using dozens of RBLs' combined scoring. Each mail admin has to assess which RBLs are considered reliable for their location and users.

If the edge MX server just had a single zen.spamhaus.org RBL configured and assuming it would be querying under the free limit, then that email most likely would have been rejected before SA and the OP would have never started this thread.
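
The weighted, thresholded RBL scoring described in the message above, sketched in Python as an added example; it is not part of the original post and is not Postfix's code. The `.example` zones, the weights, the threshold and the sample answers are hypothetical or constructed; only zen.spamhaus.org comes from the message.

```python
import ipaddress
import socket

# zen.spamhaus.org is named in the message; the other zones, all weights and
# the threshold are hypothetical values chosen for illustration.
WEIGHTED_ZONES = {"zen.spamhaus.org": 3, "dnsbl-a.example": 2, "dnsbl-b.example": 1}
THRESHOLD = 3
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers in 127.255.255.0/24 report query errors (for example, over
# the free query limit), not listings, so they must not add to the score.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def dnsbl_query_name(ip, zone):
    """Reversed IPv4 octets followed by the zone; ValueError on malformed input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_lookup(name):
    """Live A-record lookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(answer):
    """True only for a 127.0.0.0/8 answer that is not an error code."""
    if answer is None:
        return False
    addr = ipaddress.ip_address(answer)
    return addr in LISTING_NET and addr not in ERROR_NET

def score_client(ip, zones=WEIGHTED_ZONES, threshold=THRESHOLD, lookup=dns_lookup):
    """Return (score, reject, hits) for a connecting client IP."""
    hits = [z for z in zones if is_listed(lookup(dnsbl_query_name(ip, z)))]
    score = sum(zones[z] for z in hits)
    return score, score >= threshold, hits

# Constructed DNS answers for the documentation address 192.0.2.25 (not real data).
SAMPLE_ANSWERS = {
    "25.2.0.192.zen.spamhaus.org": "127.255.255.255",  # error code: not counted
    "25.2.0.192.dnsbl-a.example": "127.0.0.2",
    "25.2.0.192.dnsbl-b.example": "127.0.0.2",
}

if __name__ == "__main__":
    print(score_client("192.0.2.25", lookup=SAMPLE_ANSWERS.get))  # listed on a and b
    print(score_client("192.0.2.26", lookup=SAMPLE_ANSWERS.get))  # no listings
```

In the sample, the two lower-weighted lists together reach the threshold even though the zen.spamhaus.org answer is an error code, which is the case where a server over the free query limit would otherwise lose its only RBL signal.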