[exim] possible spamhaus oddities..

Author: B. Cook
Date:  
To: Exim users list
Subject: [exim] possible spamhaus oddities..
I was looking through some eximstats output.. and I recently started
noticing this..

grep -c cbl.abuseat.org /var/log/exim/mainlog
41

grep -c sbl-xbl.spamhaus.org /var/log/exim/mainlog
12152

Where my configure contains this:
dnslists       = sbl-xbl.spamhaus.org : combined.njabl.org : list.dsbl.org : cbl.abuseat.org


sorta strange that the cbl is getting hits.. and things like this in SA
as well..

from [80.232.165.18] (helo=HOME-7YHXCQNK3P.enzz4.net) by c.mx.poklib.org 
with esmtp (Exim 4.62; FreeBSD)     (envelope-from 
<babylonianchoosy@???>) id 1GLb0v-000Mpo-EH  ; Fri, 08 Sep 2006 
03:43:06 -0400


The following tests were performed:    
0.2 MISSING_HEADERS        Missing To: header    
3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL 
[80.232.165.18 listed in sbl-xbl.spamhaus.org]
..


spamd: result: . 6 - EMPTY_MESSAGE,MISSING_HEADERS,MISSING_SUBJECT,RCVD_IN_XBL,TO_CC_NONE scantime=4.4,size=320

That email should have never made it to SA..

spamhaus lookup page says this:
80.232.165.18 is not listed in the SBL

80.232.165.18 is listed in the XBL, because it appears in:

     * CBL


and then the CBL says..

IP Address 80.232.165.18 was found in the CBL.
It was detected at 2006-09-08 11:00 GMT (+/- 30 minutes).

What am I looking at here? It looks like times are out of sync w/ the
cbl (possibly?). SA happens inside of exim as part of the acl_check_data.
I have a local dnscache server set up on the machine.. etc.

I understand that I could raise the score for the xbl inside of SA.. but
what I'm wondering is how did SA get that the *connecting* ip was in
xbl-sbl and exim doing a direct query did not..

What else could I look at?

This is a small mail server, out of 80 emails today this is *one* and
only one.
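
An added example, not part of the original post and not code from Exim or SpamAssassin: it builds the DNSBL query names for the connecting IP against each zone in the `dnslists` setting above, resolves them through whatever resolver the host uses (so the answers can be compared with what the local dnscache returns), and converts the Received timestamp and the CBL detection time to UTC so they can be compared. The function names are hypothetical.

```python
import ipaddress
import socket
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# dnslists value from the post, in the order the lists appear there.
DNSLISTS = "sbl-xbl.spamhaus.org : combined.njabl.org : list.dsbl.org : cbl.abuseat.org"


def dnsbl_names(ip, dnslists=DNSLISTS):
    """Build the A-record names a DNSBL client queries for an IPv4 address:
    the octets reversed, followed by each list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    reversed_ip = ".".join(reversed(octets))
    zones = [z.strip() for z in dnslists.split(":") if z.strip()]
    return [f"{reversed_ip}.{zone}" for zone in zones]


def lookup_all(ip, resolve=socket.gethostbyname):
    """Query every list through `resolve`; None means the name did not
    resolve (not listed, or the resolver failed)."""
    results = {}
    for name in dnsbl_names(ip):
        try:
            results[name] = resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            results[name] = None
    return results


def receipt_offset(received_date, detected_gmt, slack=timedelta(minutes=30)):
    """Return (receipt time in UTC, time from receipt to the start of the
    detection window). A positive offset means the message arrived before
    the earliest detection time the listing page reports."""
    received = parsedate_to_datetime(received_date).astimezone(timezone.utc)
    detected = datetime.strptime(detected_gmt, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return received, (detected - slack) - received


if __name__ == "__main__":
    # Values below are the ones quoted in the post.
    for name, answer in lookup_all("80.232.165.18").items():
        print(f"{name:45} {answer or 'no answer'}")
    when, offset = receipt_offset("Fri, 08 Sep 2006 03:43:06 -0400", "2006-09-08 11:00")
    print(f"received {when:%Y-%m-%d %H:%M:%S} UTC, {offset} before the detection window")
```
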