URIDNSBL Scores

[Scott Schaffer <ss...@owzw.com>]

Hi.

I am migrating spamassassin from my perimeter firewall to another server to lighten the load on the firewall. I have installed SA3.0 on the new machine and have done some testing. I am getting different results on each SA install.

Configuration for both machines: Windows 2000 all hotfixes and services packs installed, same amount of memory, cpu etc,. SA 3.0 on each. Spamassassin is called through Guinevere 2.17, the Groupwise Av scanner integration.

If I run the same email through each install, the firewall implementation will pick up scores from the URIDNSBL tests and add it to the total where the SA implementation behind the firewall will not. I have included the relevant portions of each SA run from the two installs. The first is the machine behind the firewall, and the second is the firewall machine. As you can see there is a large difference in the scores. Is this a timing issue, perhaps? If so, where do I increase the time for dnsbl look ups. What else could it be?

Thanks for any help anyone can give me.

Scott Schaffer

Machine behind the firewall results
---------------------------------------------------------------------------------------------------------
debug: bayes: score = 0.505530427067805
debug: bayes: 276 untie-ing
debug: bayes: 276 untie-ing db_toks
debug: bayes: 276 untie-ing db_seen
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2954eac) implements '
check_tick'
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_AB_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_WS_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_SC_SURBL): 127.0.0.10
2
debug: URIDNSBL: query for blahblahcutie.info took 2 seconds to look up (multi.s
urbl.org.:blahblahcutie.info)
debug: URIDNSBL: queries completed: 2 started: 2
debug: URIDNSBL: queries active:  at Thu May 12 15:14:52 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Running tests for priority: 500
debug: URIDNSBL: queries completed: 1 started: 1
debug: URIDNSBL: queries active: A=1 at Thu May 12 15:14:52 2005
debug: RBL: success for 1 of 1 queries
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2954eac) implements '
check_post_dnsbl'
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:52 2005
debug: waiting 2 seconds for URIDNSBL lookups to complete
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:52 2005
debug: running meta tests; score so far=0.001
debug: running header regexp tests; score so far=0.001
debug: running body-text per-line regexp tests; score so far=0.001
debug: running uri tests; score so far=0.001
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:53 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
debug: Running tests for priority: 1000
debug: running meta tests; score so far=0.001
debug: running header regexp tests; score so far=0.001
debug: running body-text per-line regexp tests; score so far=0.001
debug: running uri tests; score so far=0.001
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:53 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
-------------------------------------------------------------------------
firewall machine results
--------------------------------------------------------------------------
debug: bayes: score = 0.505912963129377
debug: bayes: 96 untie-ing
debug: bayes: 96 untie-ing db_toks
debug: bayes: 96 untie-ing db_seen
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x292e8b8) implements '
check_tick'
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_AB_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_WS_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_SC_SURBL): 127.0.0.10
2
debug: URIDNSBL: query for blahblahcutie.info took 3 seconds to look up (multi.s
urbl.org.:blahblahcutie.info)
debug: URIDNSBL: queries completed: 2 started: 2
debug: URIDNSBL: queries active:  at Thu May 12 15:13:53 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Running tests for priority: 500
debug: URIDNSBL: queries completed: 2 started: 2
debug: URIDNSBL: queries active:  at Thu May 12 15:13:53 2005
debug: RBL: success for 1 of 1 queries
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x292e8b8) implements '
check_post_dnsbl'
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_SBL): "http://www.spa
mhaus.org/SBL/sbl.lasso?query=SBL23549"
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_SBL): "http://www.spa
mhaus.org/SBL/sbl.lasso?query=SBL26010"
debug: URIDNSBL: query for blahblahcutie.info took 3 seconds to look up (sbl.spa
mhaus.org.:233.112.7.218)
debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_SBL): "http://www.spa
mhaus.org/SBL/sbl.lasso?query=SBL26851"
debug: URIDNSBL: query for blahblahcutie.info took 4 seconds to look up (sbl.spa
mhaus.org.:190.131.3.221)
debug: URIDNSBL: queries completed: 2 started: 0
debug: URIDNSBL: queries active:  at Thu May 12 15:13:54 2005
debug: running meta tests; score so far=7.139

Scott Schaffer
Systems & Network Administrator
Olive Waller Zinkhan & Waller
1000 - 2002 Victoria Avenue
Regina, SK  S4P 0R7
Ph: 306-347-2108
Fx:  306-352-0771
Email: sschaffer@owzw.com

This e-mail message is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law.  Any other distribution, copying or disclosure is strictly prohibited.  If you have received this message in error, please notify us immediately by telephone (306) 347-2108 and reply to the sender via e-mail, confirming deletion of the original e-mail and any attachment(s).

Re: URIDNSBL Scores

[Jeff Chan <je...@surbl.org>]

On Thursday, May 12, 2005, 3:14:13 PM, Scott Schaffer wrote:
> Machine behind the firewall results
> ---------------------------------------------------------------------------------------------------------
> debug: bayes: score = 0.505530427067805
> debug: bayes: 276 untie-ing
> debug: bayes: 276 untie-ing db_toks
> debug: bayes: 276 untie-ing db_seen
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2954eac) implements '
> check_tick'
> debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_AB_SURBL): 127.0.0.10
> 2
> debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_WS_SURBL): 127.0.0.10
> 2
> debug: URIDNSBL: domain "blahblahcutie.info" listed (URIBL_SC_SURBL): 127.0.0.10
> 2
> debug: URIDNSBL: query for blahblahcutie.info took 2 seconds to look up (multi.s
> urbl.org.:blahblahcutie.info)
> debug: URIDNSBL: queries completed: 2 started: 2
> debug: URIDNSBL: queries active:  at Thu May 12 15:14:52 2005

queries completed: 2 looks ok to me, and the SURBL queries got
the right result, but they didn't get scored.  That's indeed odd.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/

Re: URIDNSBL Scores

[Matt Kettler <mk...@comcast.net>]

At 06:14 PM 5/12/2005, Scott Schaffer wrote:
>I am migrating spamassassin from my perimeter firewall to another server 
>to lighten the load on the firewall. I have installed SA3.0 on the new 
>machine and have done some testing. I am getting different results on each 
>SA install.

Which EXACT version of SA 3.0 do you have on each? 3.0.0? or 3.0.3?


>debug: URIDNSBL: queries completed: 2 started: 2

<snip>

>debug: URIDNSBL: queries completed: 1 started: 1

<snip>

>debug: URIDNSBL: queries completed: 0 started: 0


The thing that's most suspicious is that the number of queries completed 
keeps going down on the machine behind the firewall.
The firewall itself seems to keep track of this correctly:

>debug: URIDNSBL: queries completed: 2 started: 2
<snip>
>debug: URIDNSBL: queries completed: 2 started: 2

<snip>
>debug: URIDNSBL: queries completed: 2 started: 0


If you're not on 3.0.3, I'd consider trying an upgrade.. that's a pretty 
weird and strange problem, almost certainly a bug in the code somewhere.