I was looking through some eximstats output.. and I recently started
noticing this..
grep -c cbl.abuseat.org /var/log/exim/mainlog
41
grep -c sbl-xbl.spamhaus.org /var/log/exim/mainlog
12152
Where my configure contains this:
dnslists = sbl-xbl.spamhaus.org : combined.njabl.org : list.dsbl.org : cbl.abuseat.org
sorta strange that the cbl is getting hits.. and things like this in SA
as well..
from [80.232.165.18] (helo=HOME-7YHXCQNK3P.enzz4.net) by c.mx.poklib.org
with esmtp (Exim 4.62; FreeBSD) (envelope-from
<babylonianchoosy@???>) id 1GLb0v-000Mpo-EH ; Fri, 08 Sep 2006
03:43:06 -0400
The following tests were performed:
0.2 MISSING_HEADERS Missing To: header
3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[80.232.165.18 listed in sbl-xbl.spamhaus.org]
..
spamd: result: . 6 -
EMPTY_MESSAGE,MISSING_HEADERS,MISSING_SUBJECT,RCVD_IN_XBL,TO_CC_NONE
scantime=4.4,size=320
That email should have never made it to SA..
spamhaus lookup page says this:
80.232.165.18 is not listed in the SBL
80.232.165.18 is listed in the XBL, because it appears in:
* CBL
and then the CBL says..
IP Address 80.232.165.18 was found in the CBL.
It was detected at 2006-09-08 11:00 GMT (+/- 30 minutes).
What am I looking at here? It looks like times are out of sync w/ the
cbl (possibly?) SA happens inside of exim as part of the acl_check_data.
I have a local dnscache server set up on the machine.. etc.
I understand that I could raise the score for the xbl inside of SA.. but
what I'm wondering is how did SA get that the *connecting* ip was in
xbl-sbl and exim doing a direct query did not..
What else could I look at?
This is a small mail server, out of 80 emails today this is *one* and
only one.
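
Added example, not part of the original post and not Exim or SpamAssassin code: a diagnostic that asks every zone on the dnslists line about one IP through the system resolver and reports which zone a left-to-right, first-match check would credit, the order in which Exim tries dnslists items. All function names are hypothetical, and the answers in constructed_resolver are constructed so the script runs offline; pass resolve=system_resolve to query through the local cache.

```python
import ipaddress
import socket

# Zones in the order of the dnslists line quoted in the post.
ZONES = ["sbl-xbl.spamhaus.org", "combined.njabl.org",
         "list.dsbl.org", "cbl.abuseat.org"]

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """A records via the system resolver (here: the local dnscache).
    Returns [] for 'no such name' and None for a temporary failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        return None if exc.errno == socket.EAI_AGAIN else []
    except socket.herror:
        return []

def survey(ip, zones=ZONES, resolve=system_resolve):
    """Ask every zone, so a miss on one list is visible next to the others."""
    return {zone: resolve(dnsbl_name(ip, zone)) for zone in zones}

def first_match(results):
    """Zone a left-to-right, first-match check would credit, or None."""
    for zone, answer in results.items():
        if answer:
            return zone
    return None

def constructed_resolver(name):
    """Constructed answers: first zone gives no decisive answer, CBL lists."""
    if name.endswith(".sbl-xbl.spamhaus.org"):
        return None
    if name.endswith(".cbl.abuseat.org"):
        return ["127.0.0.2"]
    return []

if __name__ == "__main__":
    results = survey("80.232.165.18", resolve=constructed_resolver)
    for zone, answer in results.items():
        state = "temporary failure" if answer is None else (answer or "not listed")
        print(f"{zone:24} {state}")
    print("credited to:", first_match(results))
```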