URIBL sometimes doesn't work

envagyok

New Member
Mar 21, 2023
When investigating spam, I noticed several times that URIBL scores sometimes do not work on proxmox, while the mail server behind proxmox scores the URIBL for the same letter. According to the log, scoring works for other letters.

Here is an example.
On proxmox: SA score=0/5 time=3.467 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),HTML_MESSAGE(0.001),HTTPS_HTTP_MISMATCH(0.1),KAM_INFOUSMEBIZ(0.75),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)

On the mail server behind proxmox, same letter:
X-Spam-Status: No, score=5.561 tagged_above=2 required=6.2
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, FROM_FMBLA_NEWDOM14=1, HTML_MESSAGE=0.001,
HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
T_SCC_BODY_TEXT_LINE=-0.01, URIBL_ABUSE_SURBL=1.948,
URIBL_DBL_SPAM=2.5, URIBL_PH_SURBL=0.224]


Other logs where the scoring works:
cat /var/log/mail.log | grep -i --color="always" "URIBL_"
Apr 17 05:24:36 pmg pmg-smtp-filter[212905]: 3013BD643CBBF0354D9: SA score=17/5 time=3.808 bayes=undefined autolearn=disabled hits=CBJ_GiveMeABreak(1.75),DMARC_MISSING(0.1),GOOG_REDIR_NORDNS(3.099),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.635),KAM_2TLD_PROBLEMS(2),KAM_DMARC_STATUS(0.01),KAM_SA_ZA_ABUSE(4.5),MIME_HTML_ONLY(0.1),RDNS_NONE(2.5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),URIBL_ABUSE_SURBL(3)
Apr 17 05:24:48 pmg pmg-smtp-filter[212933]: 3013BD643CBBFEE900C: SA score=17/5 time=1.981 bayes=undefined autolearn=disabled hits=CBJ_GiveMeABreak(1.75),DMARC_MISSING(0.1),GOOG_REDIR_NORDNS(3.099),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.635),KAM_2TLD_PROBLEMS(2),KAM_DMARC_STATUS(0.01),KAM_SA_ZA_ABUSE(4.5),MIME_HTML_ONLY(0.1),RDNS_NONE(2.5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),URIBL_ABUSE_SURBL(3)
Apr 17 05:27:23 pmg pmg-smtp-filter[212905]: 3013BD643CBC0B8B243: SA score=8/5 time=144.285 bayes=undefined autolearn=disabled hits=DMARC_MISSING(0.1),FSL_BULK_SIG(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_MANYCOMMENTS(1.2),MIME_HTML_ONLY(0.1),RAZOR2_CF_RANGE_51_100(2.43),RAZOR2_CHECK(1.729),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_KAM_HTML_FONT_INVALID(0.01),URIBL_ABUSE_SURBL(3),URIBL_PH_SURBL(0.001)
Apr 17 07:44:46 pmg pmg-smtp-filter[216738]: 301720643CDCCB9CD94: SA score=11/5 time=2.944 bayes=undefined autolearn=disabled hits=AWL(-1.500),DMARC_MISSING(0.1),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.635),KAM_2TLD_PROBLEMS(2),KAM_DMARC_STATUS(0.01),KAM_SA_ZA_ABUSE(4.5),MIME_HTML_ONLY(0.1),MIME_QP_LONG_LINE(0.001),RDNS_NONE(2.5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_ABUSE_SURBL(3)
Apr 17 08:16:47 pmg pmg-smtp-filter[217687]: 3016F0643CE44E7B9F5: SA score=14/5 time=1.113 bayes=undefined autolearn=disabled hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),DMARC_MISSING(0.1),EWG_CIALIS(1),EWG_VIAGRA(1),FONT_INVIS_MSGID(0.001),HTML_MESSAGE(0.001),HTML_TEXT_INVISIBLE_FONT(1.999),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),RAZOR2_CF_RANGE_51_100(2.43),RAZOR2_CHECK(1.729),RDNS_NONE(2.5),SPF_HELO_NONE(0.001),SPF_NONE(0.001),T_REMOTE_IMAGE(0.01),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_ABUSE_SURBL(3),WORD_INVIS_MANY(0.001)
Apr 17 08:52:08 pmg pmg-smtp-filter[218964]: 3016F7643CEC94A6800: SA score=16/5 time=3.330 bayes=undefined autolearn=disabled hits=AWL(2.156),DATE_IN_PAST_06_12(1.103),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),HTML_MESSAGE(0.001),KAM_BODY_URIBL_PCCC(9),KAM_TRACKIMAGE(0.2),MIME_HTML_ONLY(0.1),RAZOR2_CF_RANGE_51_100(2.43),RAZOR2_CHECK(1.729),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),T_SCC_BODY_TEXT_LINE(-0.01)
How can I investigate this further?
 
Do the pmg and the server behind it use the same DNS servers? Maybe there is some DNS caching going on for one of them but not the other?
 
Mhmm... is it always this way around? Or does it happen that pmg finds hits that the other one doesn't?

Maybe it's just a timing issue: pmg does not find any hits when making lookups, but it would a few seconds later? Though I must admit that sounds too specific to happen by chance.
 
Mhmm... is it always this way around? Or does it happen that pmg finds hits that the other one doesn't?
It seems there is also the opposite: pmg found 'URIBL_ABUSE_SURBL', the other one did not.

on pmg:
SA score=1/5 time=0.846 bayes=undefined autolearn=disabled hits=AWL(-1.641),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),URIBL_ABUSE_SURBL(3)

on mail server:
Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,T_SCC_BODY_TEXT_LINE=-0.01], autolearn=ham autolearn_force=no, autolearnscore=-0.108,
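To narrow this down, here is an added example (not from the thread or from Proxmox) that parses the two log formats posted above, the pmg-smtp-filter "hits=" line and the backend's "X-Spam-Status: ... tests=[...]" or "Tests: [...]" list, and reports which rules fired on only one side, separating out the rules whose result depends on a DNS/network lookup at scan time (URIBL_*, RCVD_IN_*, DNSBL_*), since those are the ones a resolver or caching difference would explain. The sample lines are constructed from the first post, shortened.

```python
import re

# Constructed samples, shaped like the first post: the pmg-smtp-filter line
# and the X-Spam-Status header the backend added for the same message.
PMG_LINE = ("SA score=0/5 time=3.467 bayes=undefined autolearn=disabled "
            "hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),HTML_MESSAGE(0.001),"
            "HTTPS_HTTP_MISMATCH(0.1),KAM_INFOUSMEBIZ(0.75),SPF_PASS(-0.001)")
BACKEND_HDR = ("X-Spam-Status: No, score=5.561 tagged_above=2 required=6.2\n"
               "\ttests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001,\n"
               "\tHTTPS_HTTP_MISMATCH=0.1, URIBL_ABUSE_SURBL=1.948,\n"
               "\tURIBL_DBL_SPAM=2.5, URIBL_PH_SURBL=0.224]")

# Rule-name prefixes whose result depends on a DNS/network lookup at scan
# time; a host-to-host difference in these points at resolvers or caching,
# not at the message content.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "DNSBL_")

RULE_PAREN = re.compile(r"([A-Za-z0-9_]+)\(([-\d.]+)\)")   # RULE(score)
RULE_EQ = re.compile(r"([A-Za-z0-9_]+)=([-\d.]+)")         # RULE=score


def parse_pmg_hits(line):
    """pmg-smtp-filter 'hits=RULE(score),...' -> {rule: score}."""
    m = re.search(r"hits=(\S+)", line)
    return {r: float(s) for r, s in RULE_PAREN.findall(m.group(1))} if m else {}


def parse_spam_status(header):
    """'tests=[RULE=score, ...]' or 'Tests: [RULE=score,...]' -> {rule: score}."""
    m = re.search(r"[Tt]ests[=:]\s*\[(.*?)\]", header, re.S)
    return {r: float(s) for r, s in RULE_EQ.findall(m.group(1))} if m else {}


def compare(pmg_line, backend_hdr):
    """Rules hit on only one side, with the network-dependent ones split out."""
    pmg, backend = parse_pmg_hits(pmg_line), parse_spam_status(backend_hdr)
    only_pmg = sorted(set(pmg) - set(backend))
    only_backend = sorted(set(backend) - set(pmg))

    def net(rules):
        return [r for r in rules if r.startswith(NETWORK_PREFIXES)]

    return {"only_pmg": only_pmg, "only_backend": only_backend,
            "network_only_pmg": net(only_pmg), "network_only_backend": net(only_backend)}


if __name__ == "__main__":
    for key, rules in compare(PMG_LINE, BACKEND_HDR).items():
        print(f"{key}: {', '.join(rules) or '-'}")
```

Run it against the real lines from both hosts for the same queue id: if the differing rules are all URIBL_* / RCVD_IN_* ones, the next thing to check is the resolver each host uses, as the reply below suggests.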
 
How is the server behind it configured? Same SpamAssassin config and version? (i.e. the config should be in '/usr/share/spamassassin/25_uribl.cf')
 