Re: [exim] Advice on a Regexp requested

Author: W B Hacker
Date:  
To: exim-users
Subject: Re: [exim] Advice on a Regexp requested
Ted Cooper wrote:
> !!!!!!! 131.111.8.0/24 is black listed from queries to URIBL public
> mirrors !!!!!!!!!!!! (tahini .. the cam.ac.uk network .. or part thereof)
>
> W B Hacker wrote:
>> Side issue - NOW we have a mystery - not sure if it is related - *attempting* to
>> copy you directly.
>>
> Quite interesting. My server added the higher than average negative spam
> score on my outbound (I think) so it looks like I'm leaking there ;) But
> since it's less than 5, I'm not adding anything but that single header.
> I received both of these emails and it looks like I didn't have anything
> to do with the rejection of the bounced mail. Mailing list went nuts?
>> My goal was to add spam demerits for that 'race' of MTA (above)
>>
>> CAVEAT: in my environment, and perhaps no other, it has always and only been
>> used to send very obvious UCE or phish.
>>
> I've seen PowerMTA in a lot of spam that's trying to pass off as ok, but
> it's also used by a few people in the travel industry so I can't be very
> abusive towards.
>> But .. on the way to the theatre, both my original post and your reply post were
>> whacked with outrageous SA scores and shunted off to a quarantine folder.
>>
>> Headers appear to show THREE passes thru SA at various points, scores ranging
>> from a high positive to a higher-than-average negative, and a third score in the
>> middle.
>>
>> Given the rather innocent message content, it looks as if at least one of us is
>> already filtering on that very string - the one naming the MTA.
>>
>> I don't see any other content that is out of the ordinary.
>>
>> Relevant headers from my post and your reply below.
>>
>>
> On my post, I'm guessing mxa.outb is adding the -4.1, tahini is adding
> the 1.4 and you're adding the 4.0. The first header is my MUA not an MTA
> even though my rDNS is set up for a mail server. I got that set up and
> then never moved my outbound host ;)
>
> The weird thing is the URIBL and URIBL_PH_SURBL hits ... what did I send
> again??
>
> X-Spam-Status: No, score=1.4 required=5.0 tests=AWL=-3.000, BAYES_00=-1.5,
>     FORGED_RCVD_HELO=0.135, URIBL_BLACK=3,
>     URIBL_PH_SURBL=2.8 autolearn=no version=3.1.8
>
> !!!!!!! 131.111.8.0/24 is black listed from queries to URIBL public
> mirrors !!!!!!!!!!!!
>
> I'm guessing that might explain the whack scores.
>
>


Perhaps odder yet - my SA applied the highest score, yet it has Bayes OFF and if
it has started doing any form of RBL, I've got to have a go at it and see what
the upgrades have dragged in under the radar.

Did see a mention of filtering for PowerMTA in the SA list, but haven't seen any
code yet. DATA is 'too late' to block on that - I don't want the message on board.

.. and 'travel industry'?

If there is anything left of it after TSA and volcanic ash disruptions, they can
use a more polite MTA - else pack it in, retrain as parasites and run for
public office.

Bill