Why was this message not hit on zen?

evil_smurf

Verified User
Joined
Mar 3, 2006
Messages
123
Here is the analysis of a message that was dropped in my spam folder:

Content analysis details: (3.8 points, 3.0 required)

 pts rule name                description
---- ------------------------ --------------------------------------------------
 1.9 TVD_RCVD_IP              TVD_RCVD_IP
 0.0 HTML_MESSAGE             BODY: HTML included in message
 1.5 MIME_HTML_ONLY           BODY: Message only has text/html MIME parts
-1.1 BAYES_05                 BODY: Bayesian spam probability is 1 to 5%
                              [score: 0.0256]
 0.9 RCVD_IN_PBL              RBL: Received via a relay in Spamhaus PBL
                              [201.213.96.13 listed in zen.spamhaus.org]
 0.1 RDNS_DYNAMIC             Delivered to trusted network by host with
                              dynamic-looking rDNS
 0.5 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML

Notice "RCVD_IN_PBL" was hit. zen.spamhaus.org has been working great so far, but I'm just curious as to why this message made it through to SpamAssassin to begin with instead of being blocked at the SMTP level like all the other addresses that are hit on PBL.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Here's what a check of zen.spamhaus.org shows right now:
Code:
$ nslookup 13.96.213.201.zen.spamhaus.org
Server:         206.13.30.12
Address:        206.13.30.12#53

Non-authoritative answer:
Name:   13.96.213.201.zen.spamhaus.org
Address: 127.0.0.4
Name:   13.96.213.201.zen.spamhaus.org
Address: 127.0.0.11

$
Check your exim.conf file to see if you're looking for a specific return from zen. If it still looks as if it should have worked, then perhaps it hit zen between the time exim checked zen and the time SpamAssassin did.

Jeff
 

evil_smurf

Verified User
Joined
Mar 3, 2006
Messages
123
nslookup:

[root@server1 ~]# nslookup 13.96.213.201.zen.spamhaus.org
Server: 208.116.30.21
Address: 208.116.30.21#53

Non-authoritative answer:
Name: 13.96.213.201.zen.spamhaus.org
Address: 127.0.0.4
Name: 13.96.213.201.zen.spamhaus.org
Address: 127.0.0.11


Here's the entry in exim.conf for zen:

# deny using spamhaus
deny message = Email blocked by SPAMHAUS - to unblock contact us at http://www.example.com/support.php
     # only for domains that do want to be tested against RBLs
     hosts = !+relay_hosts
     domains = +use_rbl_domains
     !authenticated = *
     dnslists = zen.spamhaus.org



I'm not quite sure where the section in exim.conf would be for what to do on specific returns of zen. Can you clarify a little bit on what to look for?

Thanks!
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
By default all current SpamBlocker's exim.conf files block on either return by zen.

You can easily make this change (for example, to only block if 127.0.0.4 is returned):

Change the following:
Code:
dnslists = zen.spamhaus.org
to
Code:
dnslists = zen.spamhaus.org=127.0.0.4
Jeff
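
Added example (not part of the original posts, and not SpamBlocker or Exim code): a simplified Python model of how a dnslists item with and without =127.0.0.4 matches the two records returned above, and of how every condition in the deny statement must hold before the message is rejected at SMTP time. The function names are hypothetical, and the sublist label for each return code comes from Spamhaus's public ZEN documentation rather than from this thread.

```python
import ipaddress

# Return codes per Spamhaus's public ZEN documentation (not listed in the thread).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets and append the zone, as in the nslookup above."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnslists_matches(item, answers):
    """Simplified model of one Exim dnslists item.

    'zone'            -> true if the lookup returned any A record
    'zone=a.b.c.d,..' -> true if any returned record equals a listed address
    """
    _zone, _, wanted = item.partition("=")
    if not answers:
        return False              # host not listed (or lookup failed): no match
    if not wanted:
        return True               # bare zone: any return code counts
    return bool(set(answers) & {w.strip() for w in wanted.split(",")})

def deny_applies(answers, item, relay_host=False, rbl_domain=True,
                 authenticated=False):
    """All conditions of the deny statement must hold for an SMTP-time reject."""
    return (not relay_host and rbl_domain and not authenticated
            and dnslists_matches(item, answers))

def sublists(answers):
    """Map returned addresses to the ZEN sublists they stand for."""
    return sorted({ZEN_CODES.get(a, "unknown") for a in answers})

if __name__ == "__main__":
    answers = ["127.0.0.4", "127.0.0.11"]   # records from the nslookup in the thread
    print(dnsbl_query_name("201.213.96.13"), sublists(answers))
    for item in ("zen.spamhaus.org", "zen.spamhaus.org=127.0.0.4",
                 "zen.spamhaus.org=127.0.0.2"):
        print(item, "->", deny_applies(answers, item))
    # Constructed cases: nothing returned when Exim looked, or the recipient
    # domain is not in use_rbl_domains; the deny is skipped in both.
    print(deny_applies([], "zen.spamhaus.org"))
    print(deny_applies(answers, "zen.spamhaus.org", rbl_domain=False))
```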
 

evil_smurf

Verified User
Joined
Mar 3, 2006
Messages
123
Okay, well, it looks like it is set up correctly then. I suppose it was just a fluke!

Thanks
 

floyd

Verified User
Joined
Mar 29, 2005
Messages
5,285
If you had something in exim whitelisted then it will bypass the exim filters and then SpamAssassin might be allowed to catch it.
 