SA is tagging my email as "RCVD_IN_SORBS"

06-04-2004, 07:10 AM
Hi guys. Here's my question.

I have SA 2.63 set up, following Jalal's great webpage. Now, I just sent myself a test email: from my mail client, sent to me, with just "test" in the subject and body. And I noticed that this very clean email is getting a SA score of over 3! Not good, since it means any personal or work emails I send are that much more likely to be filtered as spam.

SA is saying that my email is failing the following tests. RCVD_IN_DYNABLOCK, RCVD_IN_NJABL, RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS.

OK, so RCVD_IN_DYNABLOCK means I am sending from a dynamic IP address. True, I suppose. RCVD_IN_NJABL states "Received via a relay in dnsbl.njabl.org". OK, not sure what that means. But RCVD_IN_SORBS states "sender is listed in SORBS". Ack! Me? In SORBS? Could this mean that somehow I personally am listed in SORBS, or is it more likely that my broadband provider (Optimum Online) is? See my Received header below.

Received: from [] (ool-4350a342.dyn.optonline.net []) by sroka.net (8.11.6/8.11.6) with ESMTP id i54Cse025495 for <mail@sroka.net>; Fri, 4 Jun 2004 06:54:40 -0600

Any thoughts on how to clean up my email so that I don't get scored so badly?


06-04-2004, 08:04 AM
If 3 is all you are getting, I wouldn't worry. Most people have their levels set to between 7-8, so 3 should make it through.

Both SORBS and NJABL, I believe, are various blacklists. Domains get in them; the administrators might be able to do something -- you can't really.

At least you don't get negative points for the mailer that you use.

06-04-2004, 08:52 AM
My assumption is that my ISP (optonline) is routing my mail through its dynamic IP address, which is causing all those flags. I guess there is nothing I can do about that. They are a big ISP, so I guess they get added to blacklists all the time.

What confuses me though is that my received header does not show my static IP (assigned by Westhost). Instead, it just has (my local network IP), and the ISP's IP. Shouldn't my IP be in there somewhere? Would that make a difference for SA? (Or am I just clueless about how this works?)

06-04-2004, 02:02 PM
I'm a little confused: if you are sending mail using your ISP's SMTP, and not your domain's, then why would your domain's IP address appear in there? Were you using your domain's SMTP, it would definitely appear in there (I just re-checked).

As for that making a difference, I don't think it would... I think SA tests all IP addresses it can find against RBLs (someone correct me if I am wrong).

Mail I send from my ISP to my WestHost account looks the same as yours:

Received: from nudibranch.mweb.co.za (nudibranch.mweb.co.za [])
by impenetrable.org (8.11.6/8.11.6) with ESMTP id i54K5Tc24117
for <xxx@impenetrable.org>; Fri, 4 Jun 2004 14:05:30 -0600
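
An added example, not part of the thread and not SpamAssassin's own code: a simplified sketch of how a Received: header turns into DNSBL lookups such as the RCVD_IN_* tests discussed above. The sample header, its addresses and the function names are constructed for illustration (the thread's real IPs are elided); only the zone dnsbl.njabl.org comes from the thread.

```python
import ipaddress
import re

# Constructed sample header modelled on the one in the thread.
SAMPLE_HEADERS = [
    "Received: from [192.168.1.10] (client.dyn.example.net [203.0.113.66]) "
    "by mail.example.org (8.11.6/8.11.6) with ESMTP id i54Cse025495; "
    "Fri, 4 Jun 2004 06:54:40 -0600",
]

# Zone named in the thread; any DNSBL zone is queried the same way.
ZONES = ["dnsbl.njabl.org"]

# Local/loopback ranges are never worth asking a public blocklist about.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(headers):
    """Bracketed IPv4 addresses from Received: lines, in order, without repeats."""
    found = []
    for header in headers:
        if not header.lower().startswith("received:"):
            continue  # only Received: lines record relay addresses
        for text in IP_IN_BRACKETS.findall(header):
            try:
                ip = ipaddress.IPv4Address(text)
            except ipaddress.AddressValueError:
                continue  # e.g. an octet above 255
            if any(ip in net for net in NON_ROUTABLE) or ip in found:
                continue
            found.append(ip)
    return found


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def queries_for(headers, zones=ZONES):
    """Every DNS name a filter would look up for these headers."""
    return [dnsbl_query_name(ip, z) for ip in relay_ips(headers) for z in zones]


if __name__ == "__main__":
    for name in queries_for(SAMPLE_HEADERS):
        print(name)
```

An A record returned for one of these names means the address is listed; NXDOMAIN means it is not.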

06-04-2004, 07:01 PM
I'm technically sending the email from my mail client direct to my smtp server (smtp.sroka.net). I guess I just assumed that the Received: header would show both my ISP's IP address and my own (I don't know what that "8.11.6/8.11.6" is that it does show). No big deal, I am just trying to understand it. Especially since my ISP seems to be raising Spam Assassin's hackles a bit!

06-05-2004, 07:23 AM
I think the 8.11.6/8.11.6 is the Sendmail version.

I think the reason it does NOT show your domain's IP address is because it has no need to: that domain name is added when mail is received by your mail server, so there is no need to confirm with an IP address whether that domain name is forged or not (which [again, I think] is one of the reasons IP addresses are added after every other domain in the Received: header).

06-05-2004, 08:04 AM
Ah, makes sense. I was hoping there was a way to tag my IP to the header, because I wanted to ensure that mail I send myself (via Formmail on my site, for example) could always get whitelisted. I thought the IP address would be an ideal way to guarantee it came from me. (SA considers our version of Formmail to be "buggy" and ups its spam score.)

But back to my original problem: I guess then that my ISP is listed in the SORBS, and therefore my email will always have a higher spam score than it should. Like dpfaigin said, it is under the default threshold of 5, but if I ever accidentally utter the word "viagra", I'm sunk. ;-) Any thoughts around this, or do I just grin-and-bear-it?

06-05-2004, 08:22 AM
You're dealing with the curse of modern day spam filters -- the bad side effect of spam, so to speak. All our mail is screened, and due to false positive and inactive DWIMers, some of it is mistakenly tagged as spam. That's why I have my spam filters to delete only stuff tagged 7+ and above, and certain clear markers. Other stuff gets forwarded to a mailbox kindly provided by yahoo :wink: for me to periodically scan, rescue what is necessary, and delete the rest. I get 1-2 false positives a day, primarily because I consider 100% HTML email to be a spam-candidate.

06-05-2004, 10:01 AM
Hmm, I think mail you send via Formmail to yourself (i.e. your WestHost account) should have a Received: header that contains "localhost"... Have you checked?

As for your ISP problems, I agree that it is something you just have to "grin-and-bear", as you put it. You could phone up your ISP and ask them about it, and see what they have to say about sending mail from dynamic IP addresses, and why they are blacklisted in more than one "directory".

06-05-2004, 10:13 AM
Yeah dpfaigin, that's what I do too. Actually, I created a spam email account on WestHost that I forward anything with a score of 5-10 to, and I delete everything over 10. Works pretty well.

Thanks FZ. I'll check the formmail. For now, I created myself a little code that I add to the subject line, which is easy to scan.

I called the ISP, and their answer was "you could pay us more to have a direct IP..". Yeah, whatever. Oh well. Thanks for listening, guys.