Incorrect DNSBL evaluation - SpamAssassin

This is a discussion on Incorrect DNSBL evaluation - SpamAssassin ; Hello, I just received an e-mail with the following report: > X-Spam-Report: Content analysis details: > 0.0 URIBL_RED Contains an URL listed in the URIBL redlist > [URIs: unclassified.de] > 0.2 URIBL_GREY Contains an URL listed in the URIBL greylist ...

+ Reply to Thread
Page 1 of 2 1 2 LastLast
Results 1 to 20 of 39

Thread: Incorrect DNSBL evaluation

  1. Incorrect DNSBL evaluation

    Hello,

    I just received an e-mail with the following report:

    > X-Spam-Report: Content analysis details:
    > 0.0 URIBL_RED Contains an URL listed in the URIBL redlist
    > [URIs: unclassified.de]
    > 0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
    > [URIs: unclassified.de]
    > 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    > [URIs: unclassified.de]
    > 5.0 BOTNET Relay might be a spambot or virusbot
    > [botnet0.8,ip=(...)]
    > 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    > [89.183.23.141 listed in zen.spamhaus.org]
    > -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
    > [score: 0.0000]
    > 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
    > dynamic-looking rDNS
    > -1.6 AWL AWL: From: address is in the auto white-list


    (...) contains information about the sending host that should not matter
    here.

    The message is a reply to a message from me. It contains my text quoted,
    complete with my previous signature that also has the link to
    http://unclassified.de. I was a bit surprised about the high spam score
    of 5.0 and looked at the report. It says that "unclassified.de" is on
    URIBL. I could not believe that and checked in at their site. But they
    say it is *not* on the list. So what happened here? How can SA (3.2.4)
    give spam points for a problem that is completely wrong?

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  2. Re: Incorrect DNSBL evaluation

    On Sun, 2008-07-20 at 16:03 +0200, Yves Goergen wrote:
    > Hello,
    >
    > I just received an e-mail with the following report:
    >
    > > X-Spam-Report: Content analysis details:
    > > 0.0 URIBL_RED Contains an URL listed in the URIBL redlist
    > > [URIs: unclassified.de]
    > > 0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
    > > [URIs: unclassified.de]
    > > 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    > > [URIs: unclassified.de]


    It strikes me as odd that the URI should be listed in all these BLs. DNS
    hiccup?

    > > 5.0 BOTNET Relay might be a spambot or virusbot
    > > [botnet0.8,ip=(...)]
    > > 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    > > [89.183.23.141 listed in zen.spamhaus.org]


    This is your real problem that accounts for the lions share of the
    score. +5.9 because the sender MUA directly sent to your MX.

    > > -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
    > > [score: 0.0000]
    > > 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
    > > dynamic-looking rDNS
    > > -1.6 AWL AWL: From: address is in the auto white-list

    >
    > (...) contains information about the sending host that should not matter
    > here.


    Doesn't matter for the URIBL / DNS issue, right. But it indeed DOES
    matter for the total score and the reason why this particular mail ended
    up classified as spam -- and triggered your attention in the first
    place.

    The full Received headers would be necessary to track down this.


    > The message is a reply to a message from me. It contains my text quoted,
    > complete with my previous signature that also has the link to
    > http://unclassified.de. I was a bit surprised about the high spam score
    > of 5.0 and looked at the report. It says that "unclassified.de" is on
    > URIBL. I could not believe that and checked in at their site. But they
    > say it is *not* on the list. So what happened here? How can SA (3.2.4)
    > give spam points for a problem that is completely wrong?


    Bad DNS response? That probably would explain why the domain ended up on
    RED, GRAY and BLACK. See above. Do you see hits like these with other
    mail, too? Does it happen frequently / occasionally or is it an isolated
    incident? Necessary info to start hunt this down.

    However, even though that result indeed is odd, appears to be a bug, and
    is worth investigation -- it is not the reason for the mail being
    classified spammy. Bayes and AWL single-handedly would have gotten the
    score back below 0.

    The reason this mail ended up flagged as spam is because the sender sent
    it from a dial-up IP directly to your MX. Resulting score for this
    alone: 6.0.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  3. Re: Incorrect DNSBL evaluation

    Yves Goergen wrote:
    > [snip]
    > The message is a reply to a message from me. It contains my text quoted,
    > complete with my previous signature that also has the link to
    > http://unclassified.de. I was a bit surprised about the high spam score
    > of 5.0 and looked at the report. It says that "unclassified.de" is on
    > URIBL. I could not believe that and checked in at their site. But they
    > say it is *not* on the list. So what happened here? How can SA (3.2.4)
    > give spam points for a problem that is completely wrong?
    >


    on the host running SA, try
    $ host 1.0.0.127.zen.spamhaus.org

    if this returns an IP instead of NXDOMAIN, then you have a DNS problem.
    either you're using a "toy" dns server/proxy or you are forwarding DNS
    queries to your ISP and the ISP replaces NXDOMAIN by an IP or their choice.


  4. Re: Incorrect DNSBL evaluation

    On 20.07.2008 17:10 CE(S)T, mouss wrote:
    > on the host running SA, try
    > $ host 1.0.0.127.zen.spamhaus.org


    It says:

    1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)

    The server is located in a well-known computing centre in Nuremberg,
    Germany. I assume they know how to handle DNS services.

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  5. Re: Incorrect DNSBL evaluation

    On 20.07.2008 16:39 CE(S)T, Karsten Bräckelmann wrote:
    > It strikes me as odd that the URI should be listed in all these BLs. DNS
    > hiccup?


    Maybe.

    > Bad DNS response? That probably would explain why the domain ended up on
    > RED, GRAY and BLACK. See above. Do you see hits like these with other
    > mail, too? Does it happen frequently / occasionally or is it an isolated
    > incident? Necessary info to start hunt this down.


    This is the first time I see it, but I don't look into the report very
    often because only very few messages get flagged as spam in error. I let
    my server flag anything from 5.0 points on and deny anything from a
    higher score that is defined per incoming mail address.

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  6. Re: Incorrect DNSBL evaluation

    On Sun, 2008-07-20 at 20:07 +0200, Yves Goergen wrote:
    > On 20.07.2008 16:39 CE(S)T, Karsten Bräckelmann wrote:
    > > It strikes me as odd that the URI should be listed in all these BLs. DNS
    > > hiccup?

    >
    > Maybe.
    >
    > > Bad DNS response? That probably would explain why the domain ended up on
    > > RED, GRAY and BLACK. See above. Do you see hits like these with other
    > > mail, too? Does it happen frequently / occasionally or is it an isolated
    > > incident? Necessary info to start hunt this down.

    >
    > This is the first time I see it, but I don't look into the report very
    > often because only very few messages get flagged as spam in error. I let
    > my server flag anything from 5.0 points on and deny anything from a
    > higher score that is defined per incoming mail address.


    Oh, I didn't mean to ask if you have seen it before, but if it happened
    before. You asked about an anomaly, so start investigating and hunting
    down this issue... Go grep your logs.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  7. Re: Incorrect DNSBL evaluation

    On Sun, 20 Jul 2008, Yves Goergen wrote:

    > On 20.07.2008 17:10 CE(S)T, mouss wrote:
    >> on the host running SA, try
    >> $ host 1.0.0.127.zen.spamhaus.org

    >
    > It says:
    >
    > 1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)
    >
    > The server is located in a well-known computing centre in Nuremberg, Germany.
    > I assume they know how to handle DNS services.


    Are you sure it's 127.0.0.1? This is at the top of all Spamhaus zones:

    :127.0.0.2:http://www.spamhaus.org/SBL/

    Which does yield correct results:

    smtpgate# host 2.0.0.127.zen.spamhaus.org
    2.0.0.127.zen.spamhaus.org has address 127.0.0.10
    2.0.0.127.zen.spamhaus.org has address 127.0.0.4
    2.0.0.127.zen.spamhaus.org has address 127.0.0.2

    -d


  8. Re: Incorrect DNSBL evaluation

    On 20.07.2008 20:21 CE(S)T, Karsten Bräckelmann wrote:
    > On Sun, 2008-07-20 at 20:07 +0200, Yves Goergen wrote:
    >> On 20.07.2008 16:39 CE(S)T, Karsten Bräckelmann wrote:
    >>> Bad DNS response? That probably would explain why the domain ended up on
    >>> RED, GRAY and BLACK. See above. Do you see hits like these with other
    >>> mail, too? Does it happen frequently / occasionally or is it an isolated
    >>> incident? Necessary info to start hunt this down.

    >> This is the first time I see it, but I don't look into the report very
    >> often because only very few messages get flagged as spam in error. I let
    >> my server flag anything from 5.0 points on and deny anything from a
    >> higher score that is defined per incoming mail address.

    >
    > Oh, I didn't mean to ask if you have seen it before, but if it happened
    > before. You asked about an anomaly, so start investigating and hunting
    > down this issue... Go grep your logs.


    Correct. My fault. I've looked through the e-mails that I have received
    today and that contain my quoted signature. All of them I could find
    from today have this issue. All messages from today that contain the
    link show the same 3 matches. The URL would be in all 3 lists.

    I can remember that I have run 'sa-update' sometime the last days, not
    sure when it was exactly. I just ran it again but now it didn't find an
    update.

    I need to think about disabling these rules until the cause has been found.

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  9. Re: Incorrect DNSBL evaluation

    On 20.07.2008 20:54 CE(S)T, Duane Hill wrote:
    > smtpgate# host 2.0.0.127.zen.spamhaus.org
    > 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
    > 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
    > 2.0.0.127.zen.spamhaus.org has address 127.0.0.2


    Same here, for whatever it's worth.

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  10. Re: Incorrect DNSBL evaluation

    On Sun, 2008-07-20 at 22:21 +0200, Yves Goergen wrote:

    > Correct. My fault. I've looked through the e-mails that I have received
    > today and that contain my quoted signature. All of them I could find
    > from today have this issue. All messages from today that contain the
    > link show the same 3 matches. The URL would be in all 3 lists.


    Run such a message through 'spamassassin' again, to see what it reports
    *now*. Do you still see these strange, multiple URIBL hits?
    spamassassin < message > out

    If you don't, it may have been an erroneous listing that has been fixed
    already. After all, that domain currently is *not* listed in URIBL. Or
    it might have been a temporary DNS issue.

    If you still do see these multiple hits however, you will have to
    investigate further why it is hitting.


    Also, check other email (including spam!) for multiple URIBL hits in the
    existing report headers. Does / did it happen for that one domain only?


    > I can remember that I have run 'sa-update' sometime the last days, not
    > sure when it was exactly. I just ran it again but now it didn't find an
    > update.
    >
    > I need to think about disabling these rules until the cause has been found.


    If you find that domain to be the only instance showing such weird
    results, (temporarily) working around it would be easy. Something like
    this -- beware, NOT tested.

    uri __UNCLASSIFIED_DE /unclassified.de/

    meta WORKAROUND URIBL_BLACK && URIBL_RED && URIBL_GRAY && __UNCLASSIFIED_DE
    score WORKAROUND -5.0


    Also, even if you do see these *occasionally* for other domains, too,
    but there also are good (single) URIBL_* hits, something like the above
    without the uri rule constraint might help as a quick fix, too. Without
    losing all URIBL hits. I believe these lists generally should be
    mutually exclusive.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  11. Re: Incorrect DNSBL evaluation

    Duane Hill wrote:
    > On Sun, 20 Jul 2008, Yves Goergen wrote:
    >
    >> On 20.07.2008 17:10 CE(S)T, mouss wrote:
    >>> on the host running SA, try
    >>> $ host 1.0.0.127.zen.spamhaus.org

    >>
    >> It says:
    >>
    >> 1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)
    >>
    >> The server is located in a well-known computing centre in Nuremberg,
    >> Germany. I assume they know how to handle DNS services.

    >
    > Are you sure it's 127.0.0.1? This is at the top of all Spamhaus zones:
    >
    > :127.0.0.2:http://www.spamhaus.org/SBL/
    >


    the goal aws to test an _unlisted_ IP, to detect NXDOMAIN "hijacking"
    (aka "ISP error page") and 127.0.0.1 is a good example.

    http://blog.wired.com/27bstroke6/200...rror-page.html

    you can of course use any name that is known to return NXDOMAIN.


    > Which does yield correct results:
    >
    > smtpgate# host 2.0.0.127.zen.spamhaus.org
    > 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
    > 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
    > 2.0.0.127.zen.spamhaus.org has address 127.0.0.2



  12. Re: Incorrect DNSBL evaluation

    On Mon, 21 Jul 2008, mouss wrote:

    > Duane Hill wrote:
    >> On Sun, 20 Jul 2008, Yves Goergen wrote:
    >>
    >>> On 20.07.2008 17:10 CE(S)T, mouss wrote:
    >>>> on the host running SA, try
    >>>> $ host 1.0.0.127.zen.spamhaus.org
    >>>
    >>> It says:
    >>>
    >>> 1.0.0.127.zen.spamhaus.org does not exist (Authoritative answer)
    >>>
    >>> The server is located in a well-known computing centre in Nuremberg,
    >>> Germany. I assume they know how to handle DNS services.

    >>
    >> Are you sure it's 127.0.0.1? This is at the top of all Spamhaus zones:
    >>
    >> :127.0.0.2:http://www.spamhaus.org/SBL/
    >>

    >
    > the goal aws to test an _unlisted_ IP, to detect NXDOMAIN "hijacking" (aka
    > "ISP error page") and 127.0.0.1 is a good example.
    >
    > http://blog.wired.com/27bstroke6/200...rror-page.html
    >
    > you can of course use any name that is known to return NXDOMAIN.


    I figured as much after I hit send.

    >> Which does yield correct results:
    >>
    >> smtpgate# host 2.0.0.127.zen.spamhaus.org
    >> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
    >> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
    >> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2


    -d


  13. Re: Incorrect DNSBL evaluation

    On 20.07.2008 22:42 CE(S)T, Karsten Bräckelmann wrote:
    > Run such a message through 'spamassassin' again, to see what it reports
    > *now*. Do you still see these strange, multiple URIBL hits?
    > spamassassin < message > out


    It still reports that.

    > Also, check other email (including spam!) for multiple URIBL hits in the
    > existing report headers. Does / did it happen for that one domain only?


    How can I do that? I don't have any dedicated tools or methods for
    testing a spam filter.

    FYI, I have IMAP accounts in Maildir format on the server, but most of
    my e-mail is stored on my computer, with Thunderbird in mbox format (on
    Windows).

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  14. Re: Incorrect DNSBL evaluation

    On 20.07.2008 16:18 CE(S)T, Yet Another Ninja wrote:
    > This could be a DNS problem returning a .2 (positive response) for all
    > queries.
    >
    > what DNS are you using for your queries?


    What do you mean? My mail server uses the DNS servers of the computing
    centre. What SpamAssassin does, I don't know. The IP addresses are:

    # cat /etc/resolv.conf
    nameserver 213.133.100.100
    nameserver 213.133.99.99
    nameserver 213.133.98.98
    nameserver 213.133.98.97

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  15. Re: Incorrect DNSBL evaluation

    Yves Goergen wrote:
    > On 20.07.2008 22:42 CE(S)T, Karsten Bräckelmann wrote:
    >> Run such a message through 'spamassassin' again, to see what it reports
    >> *now*. Do you still see these strange, multiple URIBL hits?
    >> spamassassin < message > out

    >
    > It still reports that.
    >
    >> Also, check other email (including spam!) for multiple URIBL hits in the
    >> existing report headers. Does / did it happen for that one domain only?

    >
    > How can I do that? I don't have any dedicated tools or methods for
    > testing a spam filter.
    >
    > FYI, I have IMAP accounts in Maildir format on the server, but most of
    > my e-mail is stored on my computer, with Thunderbird in mbox format (on
    > Windows).


    view source (CTRL-U) and copy-paste to a file on your server. then run
    # spamassassin -t < message.eml

    (the .eml part is not important).

    to see debug infos, use -D.


  16. Re: Incorrect DNSBL evaluation

    On 21.07.2008 22:10 CE(S)T, mouss wrote:
    > view source (CTRL-U) and copy-paste to a file on your server. then run
    > # spamassassin -t < message.eml


    Look through each single message from all my folders that I have
    received within the last two weeks, view the source, copy it into a
    file, upload it to the server, and run a command against that file? That
    seems to be a bit too much work, and I really don't have the time for that.

    I have disabled the rules URIBL_{RED,GREY,BLACK} for now and will see
    how it impacts on spam detection. I usually deny messages with more than
    7...12 points and see a lot messages with 20+ points in my filter log.

    --
    Yves Goergen "LonelyPixel"
    Visit my web laboratory at http://beta.unclassified.de


  17. Re: Incorrect DNSBL evaluation


    Yves Goergen schrieb:

    > # cat /etc/resolv.conf
    > nameserver 213.133.100.100
    > nameserver 213.133.99.99
    > nameserver 213.133.98.98
    > nameserver 213.133.98.97


    Ah, Hetzner. I had a lot less problems since I started to run my own:

    main:~> cat /etc/resolv.conf
    nameserver 127.0.0.1
    #nameserver 213.133.100.100
    #nameserver 213.133.99.99
    #nameserver 213.133.98.97

    and then have the appropriate "allow-recursion" statement in
    /etc/named.conf.

    -- Matthias


  18. Re: Incorrect DNSBL evaluation

    On Mon, 2008-07-21 at 21:50 +0200, Yves Goergen wrote:
    > On 20.07.2008 22:42 CE(S)T, Karsten Bräckelmann wrote:
    > > Run such a message through 'spamassassin' again, to see what it reports
    > > *now*. Do you still see these strange, multiple URIBL hits?
    > > spamassassin < message > out

    >
    > It still reports that.


    You do have a problem. There are pretty much 2 possible reasons left:

    (a) Your DNS is broken. Your domain unclassified.de is not listed on
    URIBL, yet your DNS answers that it is.

    (b) The DNS you're using is a *heavy* hitter on URIBL, and they started
    responding with a positive match on all your queries. URIBL warns the NS
    operators a couple times by mail, and resorts to this only, if their
    mail is being ignored multiple times.

    In both cases, go talk to the guy running your DNS servers.


    > > Also, check other email (including spam!) for multiple URIBL hits in the
    > > existing report headers. Does / did it happen for that one domain only?

    >
    > How can I do that? I don't have any dedicated tools or methods for
    > testing a spam filter.


    grep. You can do this type of checks easily by grepping through your
    mail, possibly using other tools like formail for multi-line header
    wrapping.

    OK, I told you to check previously received mail for the same broken
    URIBL hit pattern. So you could just have a look at the X-Spam headers
    using your MUA. Probably the easiest method anyway, just to spot a few
    other mails showing the same pattern.

    All you need are mail with URLs in the body. Spam and ham. Then check
    the SA headers. I assume they all do have the same multi BL hits.

    Please note that I am really talking about having a look at previously
    received mail. I am not talking about re-running them through SA, just
    to check the existing headers.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  19. Re: Incorrect DNSBL evaluation

    On Mon, 2008-07-21 at 23:17 +0200, Matthias Leisi wrote:
    > Yves Goergen schrieb:


    > > What do you mean? My mail server uses the DNS servers of the computing
    > > centre. What SpamAssassin does, I don't know. The IP addresses are:


    The same as everyone else... Sic.

    > > # cat /etc/resolv.conf
    > > nameserver 213.133.100.100
    > > nameserver 213.133.99.99
    > > nameserver 213.133.98.98
    > > nameserver 213.133.98.97

    >
    > Ah, Hetzner. I had a lot less problems since I started to run my own:
    >
    > main:~> cat /etc/resolv.conf
    > nameserver 127.0.0.1


    Every Hetzner customer using the same DNS by default? Yeah, that indeed
    looks like these DNS servers are being blocked by the BL operators (see
    my previous post). Most likely not only URIBL, but every major BL out
    there...

    I seem to recall that there is an issue with SA using the first DNS
    *exclusively*. If so, again, by default every customer uses that one DNS
    server for SA BL queries. Almost a guarantee to have that one blocked.
    The other DNS servers might be more reliable in this case.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  20. Re: Incorrect DNSBL evaluation

    Yves Goergen wrote:
    > On 21.07.2008 22:10 CE(S)T, mouss wrote:
    >> view source (CTRL-U) and copy-paste to a file on your server. then run
    >> # spamassassin -t < message.eml

    >
    > Look through each single message from all my folders that I have
    > received within the last two weeks, view the source, copy it into a
    > file, upload it to the server, and run a command against that file? That
    > seems to be a bit too much work, and I really don't have the time for that.



    no, try just a few to see if you get the same problem.
    >
    > I have disabled the rules URIBL_{RED,GREY,BLACK} for now and will see
    > how it impacts on spam detection. I usually deny messages with more than
    > 7...12 points and see a lot messages with 20+ points in my filter log.
    >



+ Reply to Thread
Page 1 of 2 1 2 LastLast