Changing a score, or removing a flag entirely

northtones

Verified User
Joined
May 2, 2013
Messages
19
As most of you probably know dnsbl.ahbl.org was shut down the other day, and was basically hitting on everything. We also used it as an RBL and found out it was blocking nearly 75% of the email coming into one of our servers. We removed it from the RBL list and it's been fine.

However, today I noticed I was getting more spam than usual dumped into my spam folder, and took a look at one of the emails that was flagged as spam. It is a Bing Rewards email that usually comes through just fine so I thought it was odd.

Notice the line * 2.4 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org below which I assume is due to them shutting down, and the reason it's getting flagged on so many emails coming in. Below is the full score breakdown.

My question is, where can I just remove the DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org rule entirely so these emails aren't getting flagged as false positives? I have done a ton of searching, and many posts pointed to /etc/mail/spamassassin/local.cf but I don't see anything in there regarding this rule. I have been grepping all over the server, but have not been able to find that rule anywhere. Does anyone know where it would be located?

X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.3 required=3.1 tests=DNS_FROM_AHBL_RHSBL,
HTML_IMAGE_RATIO_02,HTML_MESSAGE,T_DKIM_INVALID autolearn=no version=3.3.1
X-Spam-Report:
* 2.4 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
* 0.8 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
Received: from blugmehub14.msn.com ([65.55.234.213] helo=smtpi.msn.com)
by abra.northtone.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.72)
(envelope-from <bingrewards@e.microsoft.com>)
id 1Y9Ldd-0005ed-G
 

northtones

Verified User
Joined
May 2, 2013
Messages
19
Is your SpamAssassin up to date? Apparently Exim isn't...

I would suggest you first update the software

Regards
Regardless of version, there must be a way to change this somewhere. I doubt upgrading to the latest version of Exim is going to fix this problem anyway as it's only a couple days old.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,792
Location
A Coruña, Spain
From your post I read Exim 4.72; the latest is Exim 4.84.

Also, SpamAssassin has updates too...

Those packages can be easily updated from CustomBuild in /usr/local/directadmin/custombuild

Regards
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,146
Location
GMT +7.00
Hello,

You can overwrite DNS_FROM_AHBL_RHSBL in /etc/mail/spamassassin/local.cf (just add it there with new values).

Default SA settings are located here: /var/lib/spamassassin/ (they will be overwritten on sa-update).

If you wish to disable a test, set the score to 0 by adding a line like this to your ~/.spamassassin/user_prefs or in /etc/mail/spamassassin/local.cf:
Code:
score DNS_FROM_AHBL_RHSBL 0
http://spamassassin.apache.org/tests_3_3_x.html
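
Added example, not part of the post above and not code from the SpamAssassin project: a shell sketch that locates the files mentioning the rule, writes the `score ... 0` override into a config file without duplicating it, and lints the result. The function names are hypothetical, and `/usr/share/spamassassin` is an assumed packaging default; the other two directories are the ones named in this thread.

```shell
#!/bin/sh
# Added example: zero a SpamAssassin rule's score in a local config file,
# idempotently, then lint the configuration when spamassassin is installed.

# /var/lib/spamassassin and /etc/mail/spamassassin come from the thread;
# /usr/share/spamassassin is an assumption about where packaged rules live.
RULE_DIRS="/var/lib/spamassassin /etc/mail/spamassassin /usr/share/spamassassin"

# Print every file that mentions the rule, to see where it is defined.
find_rule() {
    rule=$1
    for d in $RULE_DIRS; do
        if [ -d "$d" ]; then
            grep -rlw -- "$rule" "$d" 2>/dev/null || true
        fi
    done
    return 0
}

# Ensure the file contains exactly one "score RULE 0" line for this rule.
# Any existing score line for the same rule is dropped first, so running
# the function twice does not leave duplicates behind.
zero_score() {
    rule=$1
    cf=$2
    [ -f "$cf" ] || : > "$cf"
    tmp=$(mktemp) || return 1
    awk -v r="$rule" '!($1 == "score" && $2 == r)' "$cf" > "$tmp"
    printf 'score %s 0\n' "$rule" >> "$tmp"
    # cat into the original keeps the file's owner and permissions.
    cat "$tmp" > "$cf" && rm -f "$tmp"
}

# Run the built-in config check; a no-op where spamassassin is absent.
lint_config() {
    command -v spamassassin >/dev/null 2>&1 || return 0
    spamassassin --lint
}

# Usage on a mail server (as root):
#   find_rule DNS_FROM_AHBL_RHSBL
#   zero_score DNS_FROM_AHBL_RHSBL /etc/mail/spamassassin/local.cf
#   lint_config
```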
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Alex, do I read correctly from your post that the latest version of SpamAssassin is as pointed to by your SpamAssassin link above? If so, then updating SpamAssassin won't fix this problem :(.

Or am I reading this wrong?

Must we all create local rules? Or is there a more recent version of SpamAssassin which doesn't have the ahbl penalties?

Jeff
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,146
Location
GMT +7.00
Alex, do I read correctly from your post that the latest version of SpamAssassin is as pointed to by your SpamAssassin link above?
No, http://spamassassin.apache.org/ is reporting 3.4.0 as the latest. If you think that the syntax of local.cf has changed since 3.3.x just let us know. I've never had an issue with it.


If so, then updating SpamAssassin won't fix this problem :(.
You may use any SA version you want: 3.3.x, or 3.4.x. That's up to you to check their compatibility here: http://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.0.txt

Or am I reading this wrong?
My point was to show how to disable a particular test. The link was found with Google. It worked for me. If it does not work for you, then just let us know so we could help you.

Must we all create local rules? Or is there a more recent version of SpamAssassin which doesn't have the ahbl penalties?
No, sa-update should be used to update SA rules. If you can't update rules then you should disable the test. New versions of the official SA rules, as it seems to me, no longer have the test.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Thanks, Alex. Since we update SpamAssassin rules as well as SpamAssassin core, I now understand we're okay without changing local rules.

And the thread is now complete for everyone no matter how they use/maintain SpamAssassin.

Jeff
 