RBL lookups are being blocked

Posted: Mon May 05, 2014 8:10 am
by dciwebworks
Here is part of a header for a SPAM that cleared as HAM, with the IP address listed in RBLs that we employ with MagicSpam and WHM:

Content analysis details: (1.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/Dns ... nsbl-block
for more information.

NEW ADDITION: Elsewhere in the header I get the message: X-Ham-Report:

Spam detection software, running on the system "vps.### #.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

I am seeing SPAMHAUS and BARRACUDA listed IP addresses getting passed as HAM to user inboxes; they have this same notice. Can you assist in helping me understand how to get around this to block the SPAM more effectively? Thank you.

Re: RBL lookups are being blocked

Posted: Mon May 05, 2014 10:50 am
by magicspam
Hello Brian,

Thank you for the post.

The message indicates that a DNSRBL list that is enabled was not reachable by your SpamAssassin at the time of the check. It is most likely your server has reached the maximum allowed lookups against one of the DNSRBL lists enabled in your SpamAssassin's settings.

We recommend utilizing the IP Reputation list in the MagicSpam settings instead of using SpamAssassin's DNSRBL settings.

If you still have the original spam message, please forward it as an attachment to support@magicspam.com and we can examine it to provide further suggestions.

Please let us know if you have any questions.
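
Added example, not part of the thread or of MagicSpam's or SpamAssassin's code: a small Python check that tells a refused DNSBL query (what URIBL_BLOCKED reports) apart from a real listing or a clean result. The refusal return codes are assumptions taken from the list operators' published documentation, and the sample DNS answers are constructed so the demo runs offline.

```python
import ipaddress
import socket

# Answers that mean "the list refused your query", not "this entry is listed".
# Assumption: codes taken from the list operators' published return-code docs.
REFUSED = {
    "multi.uribl.com": {"127.0.0.1": "query refused (volume limit or shared resolver)"},
    "zen.spamhaus.org": {
        "127.255.255.254": "query arrived via a public/open resolver",
        "127.255.255.255": "excessive number of queries",
    },
}

def query_name(key, zone):
    """IPv4 keys are octet-reversed (IP lists); domains go in as-is (URI lists)."""
    try:
        octets = str(ipaddress.IPv4Address(key)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    except ValueError:
        return key.rstrip(".") + "." + zone

def system_lookup(name):
    """A records via the host's configured resolver.
    NXDOMAIN and resolver failures both come back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(key, zone, lookup=system_lookup):
    """Return (status, detail); status is 'refused', 'listed' or 'not_listed'."""
    answers = lookup(query_name(key, zone))
    for addr in answers:
        if addr in REFUSED.get(zone, {}):
            return ("refused", REFUSED[zone][addr])
    if answers:
        return ("listed", ",".join(sorted(answers)))
    return ("not_listed", "")

# Constructed answers standing in for DNS so the demo runs offline.
SAMPLE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4", "127.0.0.2"],
    "example.test.multi.uribl.com": ["127.0.0.1"],
}

if __name__ == "__main__":
    fake = lambda name: SAMPLE_DNS.get(name, [])
    for key, zone in [("192.0.2.10", "zen.spamhaus.org"), ("198.51.100.7", "zen.spamhaus.org"),
                      ("example.test", "multi.uribl.com"), ("203.0.113.5", "zen.spamhaus.org")]:
        print(key, zone, classify(key, zone, fake))
```

Calling classify() without the lookup argument sends the query through the server's configured resolver; a "refused" result there points at the resolver or the query volume rather than at the message being checked.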

Re: RBL lookups are being blocked

Posted: Wed May 07, 2014 10:17 am
by dciwebworks
Thank you for your assistance.

Which other lists (other than the "recommended") should I use in the IP reputation configuration?

The RBL that is being blocked has a pretty consistent record of finding real spam, otherwise missed.

What's really bothering me is that the WHM Exim is delivering mail that emanates from an IP that is on BOTH SPAMCOP and Spamhaus zen, which I am subscribed to, per my earlier email.

Is SpamAssassin "processing" this email before it can run through the verifications, thereby bypassing the RBL checks configured in Exim?

Re: RBL lookups are being blocked

Posted: Thu May 29, 2014 4:47 pm
by magicspam
Hello Brian,

While we have answered your questions through email, we would like to mention on the forum here that we recommended enabling the following items to address the spam issues you reported:

- enabling MIPSPACE in the IP Reputation list
- enabling the rule "Block Mail Servers on Dynamic/Dial-up Addresses"

With regards to the aggressiveness of MIPSPACE reputation list, we have been talking with the MIPSPACE operators. They are currently planning on breaking up the single list into multiple subsets. This should allow for greater customization and fewer false positives, such as those you experienced. For more information please see the link below:

http://mipspace.com/ratings.php

About the dynamic-address rule, it uses the following standards to determine if the email is coming from a spam source:

http://www.linuxmagic.com/best_practice ... e_dns.html


-- MagicSpam Support Team --