Description of problem:
Just installed 3.1.7 test update. Suddenly, SA is much too aggressive and is erroneously classifying non-spam as spam. My setup IIRC is as installed by rpm, not customized.

Here's an example:

    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on nbecker
    X-Spam-Level: *****
    X-Spam-Status: Yes, score=5.6 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO,
        RCVD_NUMERIC_HELO,URIBL_AB_SURBL,URIBL_PH_SURBL,URIBL_RED autolearn=no version=3.1.7
    X-Spam-Report:
        *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
        *  1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
        * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
        *      [score: 0.0000]
        *  2.8 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
        *      [URIs: techsay.com]
        *  0.0 URIBL_RED Contains an URL listed in the URIBL redlist
        *      [URIs: techsay.com]
        *  3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
        *      [URIs: techsay.com]

Version-Release number of selected component (if applicable):
spamassassin-3.1.7-1.fc6

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Is it possible you've changed something in your DNS configuration, perhaps using a new third-party DNS server? techsay.com is referred to in almost every mail sent via a sourceforge-hosted list; if those DNS blocklists really were listing it (which AFAICS they're not), then we'd all be seeing a massive FP rate, too. A likely explanation is that something in your DNS config is "correcting" DNS lookups and returning some kind of TXT record for non-existent lookups, which isn't compatible with SpamAssassin's use of DNS for DNSBL lookups.

Can you suggest a test I could do? I tried this:

    nslookup
    > set type=any
    > techsay.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53

    Non-authoritative answer:
    techsay.com     nameserver = dns04.savvis.net.
    techsay.com     nameserver = dns01.savvis.net.
    techsay.com     nameserver = dns02.savvis.net.
    techsay.com     nameserver = dns03.savvis.net.

    Authoritative answers can be found from:
    techsay.com     nameserver = dns03.savvis.net.
    techsay.com     nameserver = dns04.savvis.net.
    techsay.com     nameserver = dns01.savvis.net.
    techsay.com     nameserver = dns02.savvis.net.
    dns01.savvis.net        internet address = 209.1.222.244
    dns02.savvis.net        internet address = 209.1.222.245
    dns03.savvis.net        internet address = 209.1.222.246
    dns04.savvis.net        internet address = 209.1.222.247

techsay.com does not show up if you check the SURBL at http://www.rulesemporium.com/cgi-bin/uribl.cgi

However, if you are using OpenDNS or a DNS proxy it can change some of the responses resulting in FPs, as described, with a workaround, at http://www.surbl.org/faq.html#opendns
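
A check for the failure mode described in the two replies above, as an added example that is not part of the original thread: it asks the resolver for names that cannot exist and only trusts a blocklist answer if those lookups fail. The function names, verdict strings and random-label probes are assumptions of this example, as is the premise that the blocklist zone has no wildcard record; answers inside 127.0.0.0/8 are the usual DNSBL convention.

```python
import socket
import uuid


def resolve(name):
    """Return the IPv4 address the system resolver gives for name, or None."""
    try:
        # Trailing dot: fully qualified, so no search domain gets appended.
        return socket.gethostbyname(name + ".")
    except socket.gaierror:
        return None


def check_resolver(domain, zone="multi.surbl.org", lookup=resolve):
    """Decide whether a blocklist hit for `domain` seen through this resolver
    can be trusted. Returns (verdict, answers)."""
    # Probe 1: a random label under the reserved .invalid TLD never exists.
    probe = "%s.invalid" % uuid.uuid4().hex
    # Probe 2: a random label inside the blocklist zone (assumed: no wildcard).
    zone_probe = "%s.%s" % (uuid.uuid4().hex, zone)
    # The lookup a URI blocklist check performs for the domain itself.
    query = "%s.%s" % (domain, zone)

    answers = {name: lookup(name) for name in (probe, zone_probe, query)}

    # Any address for a name that cannot exist means NXDOMAIN is being
    # replaced, so every blocklist lookup will look like a listing.
    if answers[probe] or answers[zone_probe]:
        return "resolver-rewrites-nxdomain", answers
    if answers[query] is None:
        return "not-listed", answers
    # A real listing is an address in 127.0.0.0/8; anything else is bogus.
    if not answers[query].startswith("127."):
        return "invalid-dnsbl-answer", answers
    return "listed", answers


if __name__ == "__main__":
    verdict, answers = check_resolver("techsay.com")
    print(verdict)
    for name, addr in answers.items():
        print("  %-60s %s" % (name, addr))
```

Run it on the mail server itself, so that it uses the same resolver as SpamAssassin.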
I'm also seeing a false URIBL_AB_SURBL and URIBL_PH_SURBL on my domain. The DNS, spamassassin, sendmail, and spamass-milter are all running on the same FC6 server. All are running the most recent patched versions for FC6. Looking up the domain on the surbl.org site shows no listings for the IP of the mail server or any of the domains it hosts. This only started with the latest SA upgrade. If I don't include my domain name in the body of the e-mail it goes through OK without the warning. If I include my standard signature which includes the four domain names I am responsible for, I get the error.
Problem was opendns. Excellent detective work!