Koozali.org: home of the SME Server

spamassassin and RBLs

DeanB

spamassassin and RBLs
« on: May 16, 2006, 06:44:35 PM »
SME 6.01 and spamassassin-3.1.1-1

     I'm having problems receiving email from Japan to an SME Server in the USA.  I believe any RBL I use blocks Japanese email.  I've tried several different conservative lists, one at a time and still no mail from Japan.  RBL set, overall spam reduced but no email from Japan.  Remove RBL, Japanese email comes in but also lots of extra spam.  The "SpamAssassin Sensitivity" and "Automatic deletion of spam above specific score" settings are working OK but a lot of other junk sneaks in without an RBL set.


Did this help me any?
I edited the /var/qmail/.spamassassin/user_prefs file according to notes within the file, but does this file have anything to do with the decision made by an RBL list comparison?
-----------------------------------------------------------------------------------
# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines.  They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.
#
 score HTML_COMMENT_8BITS       0
 score UPPERCASE_25_50          0
 score UPPERCASE_50_75          0
 score UPPERCASE_75_100 0
 score OBSCURED_EMAIL          0

# Speakers of any language that uses non-English, accented characters may wish
# to uncomment the following lines.   They turn off rules that fire on
# misformatted messages generated by common mail apps in contravention of the
# email RFCs.

 score SUBJ_ILLEGAL_CHARS      0
-------------------------------------------------------------------------------------

Within the same /var/qmail/.spamassassin/user_prefs file is a comment:

# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from        someone@somewhere.com
So I added:
whitelist_from         *@japanese-sending-domain.com

Will this whitelist japanese-sending-domain.com if it's blacklisted in an RBL?

Thanks for reading this post.
Regards,
Dean

Knuddi
spamassassin and RBLs
« Reply #1 on: May 16, 2006, 09:29:18 PM »
Dean,

When you enable the RBL filter, SpamAssassin never sees the rejected emails. They are already rejected at SMTP level, meaning before entering the queues. Your only change is to disable RBL and configure SA.

raem
Re: spamassassin and RBLs
« Reply #2 on: May 17, 2006, 04:55:17 PM »
DeanB

Which RBLs are you using that you feel DO block mail from Japan?

Have you found any RBLs that DO NOT block mail from Japan?

You should be able to see all the rejected messages in
/var/log/smtpfront-qmail/current

You can run a filter on "rblsmtpd" in the server manager view log files panel.
See this howto for more details:

http://mirror.contribs.org/smeserver//contribs/rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

Logs look like this and will show you the IP of the rejected blacklisted sender. Just check the IPs at http://openrbl.org/ to see where they originate from

2006-05-17 16:51:37.340621500 rblsmtpd: 222.61.160.43 pid 18589: 451 http://www.spamhaus.org/query/bl?ip=222.61.160.43
2006-05-17 19:04:19.488434500 rblsmtpd: 24.168.54.21 pid 21652: 451 http://www.spamhaus.org/query/bl?ip=24.168.54.21
2006-05-17 19:35:54.156476500 rblsmtpd: 68.84.58.250 pid 22324: 451 http://www.spamhaus.org/query/bl?ip=68.84.58.250
...

DeanB

Re: spamassassin and RBLs
« Reply #3 on: May 17, 2006, 09:17:31 PM »
Thanks Knuddi and Ray.  Good info.  Another question please.

Current RBL entries:
relays.ordb.org
sbl-xbl.spamhaus.org


 Looking at a sample of the output of: grep rblsmtpd /var/log/smtpfront-qmail/current | tai64nlocal

2006-05-17 14:39:02.454339500 rblsmtpd: 200.121.79.41 pid 21552: 451 This mail was handled by an open relay - please visit <http://ORDB.org/lookup/?host=200.121.79.41>

2006-05-17 14:47:19.011708500 rblsmtpd: 81.48.218.69 pid 22166: 451 http://www.spamhaus.org/query/bl?ip=81.48.218.69

2006-05-17 14:47:32.575740500 rblsmtpd: 206.82.185.242 pid 22175: 451 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL41635

What is the difference between these three lines?  I'm assuming the email on line 1 failed (due to being sent from an open relay), line 2 passed (just a query) and the third failed (matched an RBL record)?

Thanks again,
Dean

raem
Re: spamassassin and RBLs
« Reply #4 on: May 18, 2006, 05:05:54 AM »
DeanB

They are ALL rejected messages. Any entry with rblsmtpd is a rejection.
If you click on the link for the second line, it takes you to the spamhaus site, which says this:

IP Address Lookup
81.48.218.69 is not listed in the SBL
81.48.218.69 is listed in the XBL, because it appears in:
CBL
With a hyperlink to here
http://cbl.abuseat.org/lookup.cgi?ip=81.48.218.69

The messages are getting rejected because the sender IS on an RBL list that you have selected.
If the policy of using those lists causes you to lose email you really want, then you have to change your list usage policy, i.e. try different lists or stop using RBL altogether.

Spamhaus is a good quality list though, and conservative. You could just specify the sbl list and not the xbl list; see their site for details of list names.
...
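
An added example, not part of the original thread: a small shell/awk summary of rblsmtpd rejections, useful for seeing which list is responsible for a rejected sender before changing the RBL policy. The function names (`sample_log`, `rbl_rejections`, `rbl_counts`) and the source labels are hypothetical; the sample input is the three lines quoted in Reply #3 plus two constructed lines.

```shell
#!/bin/sh
# Added example: summarise rblsmtpd rejections from tai64nlocal-converted lines.
# Real use, with the command shown in the thread:
#   grep rblsmtpd /var/log/smtpfront-qmail/current | tai64nlocal | rbl_counts

# Sample input: the three lines quoted in Reply #3, plus two constructed lines
# (a non-rblsmtpd line and a 192.0.2.x documentation address).
sample_log() {
cat <<'EOF'
2006-05-17 14:39:02.454339500 rblsmtpd: 200.121.79.41 pid 21552: 451 This mail was handled by an open relay - please visit <http://ORDB.org/lookup/?host=200.121.79.41>
2006-05-17 14:47:19.011708500 rblsmtpd: 81.48.218.69 pid 22166: 451 http://www.spamhaus.org/query/bl?ip=81.48.218.69
2006-05-17 14:47:32.575740500 rblsmtpd: 206.82.185.242 pid 22175: 451 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL41635
2006-05-17 14:48:01.000000000 tcpserver: status: 1/40
2006-05-17 14:49:10.000000000 rblsmtpd: 192.0.2.10 pid 22200: 451 http://www.spamhaus.org/query/bl?ip=192.0.2.10
EOF
}

# Print "<ip> <source>" for each rejection. Every rblsmtpd line is a rejection;
# the text after the SMTP code only says which list entry produced it.
rbl_rejections() {
    awk '$3 == "rblsmtpd:" {
        msg = ""
        for (i = 8; i <= NF; i++) msg = msg " " $i
        if      (msg ~ /ORDB\.org\/lookup/)        src = "ordb"
        else if (msg ~ /spamhaus\.org\/SBL\//)     src = "spamhaus-sbl-record"
        else if (msg ~ /spamhaus\.org\/query\/bl/) src = "spamhaus-lookup"
        else                                       src = "other"
        print $4, src
    }'
}

# Print "<count> <source>", highest count first.
rbl_counts() {
    rbl_rejections |
        awk '{ n[$2]++ } END { for (s in n) print n[s], s }' |
        sort -k1,1nr -k2,2
}

sample_log | rbl_counts
```

The `spamhaus-lookup` label covers both SBL and XBL hits, because the lookup URL alone does not say which one matched; follow the link for the IP as described in the reply above.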

DeanB

Re: spamassassin and RBLs
« Reply #5 on: May 18, 2006, 04:20:37 PM »
Thanks Ray.  You've been a big help.  It looks like I'm beginning to get a handle on the spam problem.  Customer reports that Japanese email is flowing successfully (utilizing your suggestion of sbl.spamhaus).  Stats below are from ~50 user network.  As you can see, this customer has been taking a beating from the spammers.

Period Beginning : Wed May 17 00:00:00 2006
Period Ending    : Thu May 18 00:00:00 2006
SpamAssassin Version : SpamAssassin version 3.1.1
  running on Perl version 5.6.1

Reporting Period : 24.00 hrs
--------------------------------------------------

Total spam rejected   :     2598 ( 68.40%)
       RBL rejected   :     2165 ( 57.00%)
     Score above 15   :       45 (  1.73%)
Total ham accepted    :     1200 ( 31.60%)
                        -------------------
Total emails processed:     3798 (  158/hr)

kruhm
spamassassin and RBLs
« Reply #6 on: May 21, 2006, 02:13:40 PM »
Quote
As you can see, this customer has been taking a beating from the spammers.


Welcome to mail administration.  :lol:  You'll find this is true of all mail servers. Much spam originates from the APNIC. This is why much of the APNIC range is blacklisted.