Bug 216858 - test update 3.1.7 too aggressive!
Summary: test update 3.1.7 too aggressive!
Alias: None
Product: Fedora
Classification: Fedora
Component: spamassassin
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Warren Togami
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-11-22 12:01 UTC by Neal Becker
Modified: 2007-11-30 22:11 UTC (History)
6 users (show)

Clone Of:
Last Closed: 2006-12-04 00:05:47 UTC

Attachments (Terms of Use)

Description Neal Becker 2006-11-22 12:01:56 UTC
Description of problem:
Just installed 3.1.7 test update.  Suddenly, SA is much too aggressive and is 
erroneously classifying non-spam as spam.  My setup IIRC is as installed by 
rpm, not customized.  Here's an example:

X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on nbecker
 X-Spam-Level: *****
 X-Spam-Status: Yes, score=5.6 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO,
        autolearn=no version=3.1.7
        *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
        *  1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for 
        * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
        *      [score: 0.0000]
        *  2.8 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
        *      [URIs: techsay.com]
        *  0.0 URIBL_RED Contains an URL listed in the URIBL redlist
        *      [URIs: techsay.com]
        *  3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
        *      [URIs: techsay.com]

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Justin Mason 2006-11-22 12:17:23 UTC
is it possible you've changed something in your DNS configuration, perhaps using
a new third-party DNS server?

techsay.com is referred to in almost every mail sent via a sourceforge-hosted
list; if those DNS blocklists really were listing it (which AFAICS they're not),
then we'd all be seeing a massive FP rate, too.  A likely explanation is that
something in your DNS config is "correcting" DNS lookups and returning some kind
of TXT record for non-existent lookups, which isn't compatible with
Spamassassin's use of DNS for DNSBL lookups.

Comment 2 Neal Becker 2006-11-22 12:21:51 UTC
Can you suggest a test I could do?

I tried this:
> set type=any
> techsay.com

Non-authoritative answer:
techsay.com     nameserver = dns04.savvis.net.
techsay.com     nameserver = dns01.savvis.net.
techsay.com     nameserver = dns02.savvis.net.
techsay.com     nameserver = dns03.savvis.net.

Authoritative answers can be found from:
techsay.com     nameserver = dns03.savvis.net.
techsay.com     nameserver = dns04.savvis.net.
techsay.com     nameserver = dns01.savvis.net.
techsay.com     nameserver = dns02.savvis.net.
dns01.savvis.net        internet address =
dns02.savvis.net        internet address =
dns03.savvis.net        internet address =
dns04.savvis.net        internet address =

Comment 3 Sidney Markowitz 2006-11-22 12:30:52 UTC
techsay.com does not show up if you check the SURBL at

However, if you are using OpenDNS or a DNS proxy it can change some of the
responses resulting in FPs, as described, with a workaround, at


Comment 4 William H. Haller 2006-12-03 02:12:28 UTC
I'm also seeing a false URIBL_AB_SURBL and URIBL_PH_SURBL on my domain. The 
DNS, spamassassin, sendmail, and spamass-milter are all running on the same 
FC6 server. All are running the most recent patched versions for FC6. Looking 
up the domain on the surbl.org site shows no listings for the IP of the mail 
server or any of the domains it hosts. This only started with the latest SA 

If I don't include my domain name in the body of the e-mail it goes through OK 
without the warning. If I include my standard signature which includes the 
four domain names I am responsible for, I get the error.

Comment 5 Neal Becker 2006-12-04 00:02:22 UTC
Problem was opendns.  Excellent detective work!

Note You need to log in before you can comment on or make changes to this bug.