Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2013/03/07 19:51:35 UTC

Understanding spamhaus FP

Hi,

I received an email that was tagged with KHOP_SPAMHAUS_DROP, which
means it was listed in the "Spamhaus Don't Route Or Peer List".
However, I've checked every IP and domain in the email, and none are
listed on any spamhaus list, even as of a minute ago. What is it in
this message that is being tagged?

http://pastebin.com/qPq9ah7P

When it was initially received, it was also listed in
RCVD_IN_HOSTKARMA_BL, but when I checked again just five minutes after
having received it, it was no longer listed there. The MX for the
originating domain appears to be managed by register.com, although
that appears to have been stripped out of the header by the next hop
(broadviewnet.net)?

Any ideas greatly appreciated.
Thanks,
Alex

Re: Understanding spamhaus FP

Posted by Alex <my...@gmail.com>.
Hi,

>> I received an email that was tagged with KHOP_SPAMHAUS_DROP, which
>> means it was listed in the "Spamhaus Don't Route Or Peer List".
>> However, I've checked every IP and domain in the email, and none are
>> listed on any spamhaus list, even as of a minute ago. What is it in
>> this message that is being tagged?
>>
>> http://pastebin.com/qPq9ah7P
>>
>>
> First, I'll disclaim I'm a bit rusty here... It's been a year or two
> since I've had time to contribute to SpamAssassin much. But perhaps I
> can be of some help.
>
> The SPAMHAUS_DROP list is only available from them as a text file or as
> a BGP feed.. it is not a live DNS query like their other lists.
>
> http://www.spamhaus.org/drop/drop.txt
>
> However, I agree none of the IPs seem to be in the drop list.
>
> It looks like the rule in question is published by khopesh.com, not the
> SA core ruleset... I'm assuming you are using an update channel from
> http://khopesh.com/wiki/Anti-spam.

Yes, that's exactly it. I should have made it more clear this was from
Adam's rules. Your comments were very helpful, thanks. It looks like
he's just updated his rules to reflect the latest DROP list.

Thanks again,
Alex

Re: Understanding spamhaus FP

Posted by Matt Kettler <mk...@verizon.net>.
On 3/7/2013 1:51 PM, Alex wrote:
> Hi,
>
> I received an email that was tagged with KHOP_SPAMHAUS_DROP, which
> means it was listed in the "Spamhaus Don't Route Or Peer List".
> However, I've checked every IP and domain in the email, and none are
> listed on any spamhaus list, even as of a minute ago. What is it in
> this message that is being tagged?
>
> http://pastebin.com/qPq9ah7P
>
>
First, I'll disclaim I'm a bit rusty here... It's been a year or two
since I've had time to contribute to SpamAssassin much. But perhaps I
can be of some help.

The SPAMHAUS_DROP list is only available from them as a text file or as
a BGP feed.. it is not a live DNS query like their other lists.

http://www.spamhaus.org/drop/drop.txt

However, I agree none of the IPs seem to be in the drop list.

It looks like the rule in question is published by khopesh.com, not the
SA core ruleset... I'm assuming you are using an update channel from
http://khopesh.com/wiki/Anti-spam.

Regardless, since the list is a text file, it looks like it is being
auto-converted to a SpamAssassin rule, but that makes it semi-static..
generally this is ok, as the DROP list doesn't change very fast.
However, it does change, and what's on your SpamAssassin box may not
reflect the current drop list. I'm not really up to speed on the khopesh
feed, so I'm not sure how often that rule gets regenerated. For that
matter, I'm also not sure how often you are fetching sa-updates from
them....

I *think* if you run the message through spamassassin -D it might show
you which text matched the rule when it hits.. which should give you
some answers...
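As an added illustration of the stale-snapshot problem described above (example code, not from this thread, SpamAssassin, or the khopesh ruleset): parse two constructed drop.txt snapshots in the published "network/prefix ; SBLnnn" layout and classify a rule hit as a current listing, a hit on a range that was since delisted, or one the list never explains. The networks, SBL references and dates are constructed sample values.

```python
"""Check an IP against two snapshots of a Spamhaus-style drop.txt to tell a
live listing from a hit on a stale, pre-generated rule. Networks are
constructed samples (RFC 5737 documentation ranges), not real entries."""
import ipaddress

# Constructed: the snapshot the rule was (hypothetically) generated from.
SNAPSHOT_DROP_TXT = """\
; Spamhaus DROP List - constructed sample snapshot
; Last-Modified: Wed, 06 Mar 2013 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""

# Constructed: the next revision, in which the first range was delisted.
CURRENT_DROP_TXT = """\
; Spamhaus DROP List - constructed sample, next revision
; Last-Modified: Thu, 07 Mar 2013 12:00:00 GMT
198.51.100.0/25 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

def parse_drop(text):
    """Return {ip_network: sbl_ref}. Entry lines are "network/prefix ; SBLnnn";
    lines beginning with ';' are header comments and blank lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        cidr, _, comment = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue
        entries[ipaddress.ip_network(cidr, strict=False)] = comment.strip()
    return entries

def lookup(ip, entries):
    """Return the SBL reference of the network covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries.items():
        if addr in net:
            return ref
    return None

def explain_hit(ip, snapshot_text, current_text):
    """Classify a rule hit on ip as ('listed', ref) when the current file still
    covers it, ('stale', ref) when only the snapshot did, else ('unexplained', None)."""
    current = lookup(ip, parse_drop(current_text))
    if current:
        return "listed", current
    stale = lookup(ip, parse_drop(snapshot_text))
    return ("stale", stale) if stale else ("unexplained", None)
```

Feeding the real snapshot your rule was generated from and a freshly downloaded drop.txt into `explain_hit` for each Received: IP shows whether a hit is a genuine listing or a leftover from the last regeneration.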