SpamAssassin blacklist checks missing?

I’ve recently switched my e-mail from using my own server to Runbox, and I’ve found quite a lot more spam is getting through. Having piped spam e-mails through my server’s SpamAssassin, I’ve found that the main reason for this seems to be that Runbox is missing URL blacklist checks. Here’s an example spam mail that was run through my server’s SpamAssassin filter:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: erikaboros.net]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                            blocklist
                            [URIs: erikaboros.net]
 0.1 BAYES_05               BODY: Bayes spam probability is 1 to 5%
                            [score: 0.0307]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 T_REMOTE_IMAGE         Message contains an external image
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
                            information

Runbox equivalent:

-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.5 T_REMOTE_IMAGE         Message contains an external image

It’s missing URIBL and Spamhaus checks. Why don’t you have these checks?
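An added example, not part of the original thread: a Python script that parses two SpamAssassin rule reports like the ones quoted in the post above and lists the rules that fired on one system but not the other, along with the score they account for. The sample reports are trimmed from that post; the function names are illustrative.

```python
import re

# A rule line is "<score> <RULE_NAME> <description>"; header, separator and
# wrapped description lines do not match and are handled separately.
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return {rule_name: (score, description)} from an SA report table."""
    rules, last = {}, None
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            last = m.group(2)
            rules[last] = (float(m.group(1)), m.group(3).strip())
        elif last and line[:1].isspace() and line.strip():
            # Wrapped description or detail such as "[URIs: ...]".
            score, desc = rules[last]
            rules[last] = (score, desc + " " + line.strip())
    return rules

def missing_rules(reference, other):
    """Rules that fired in `reference` but not in `other`, with scores."""
    return {n: reference[n][0] for n in reference if n not in other}

def total(rules):
    return round(sum(score for score, _ in rules.values()), 1)

# Trimmed from the two reports quoted in the post above.
OWN_SERVER = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: erikaboros.net]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                            blocklist
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
"""
RUNBOX = """\
-0.0 SPF_PASS SPF: sender matches SPF record
 0.0 HTML_MESSAGE BODY: HTML included in message
 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
      valid
"""

if __name__ == "__main__":
    own, rbx = parse_report(OWN_SERVER), parse_report(RUNBOX)
    gap = missing_rules(own, rbx)
    for name, score in sorted(gap.items(), key=lambda kv: -kv[1]):
        print(f"{score:5.1f}  {name}")
    print("score lost to missing rules:", round(sum(gap.values()), 1))
```

On this trimmed sample the two URIBL rules account for 6.0 points, which is more than either spam threshold mentioned later in the thread (3 and 5).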

Hello Jeremy,

Thanks for raising this with us. Spam systems are implemented differently and often for good reasons so it isn’t always useful to compare. Also, spam threshold scores can be different.

That said, we are already looking into why we see fewer messages compared to Spamhaus lists as we do subscribe to those services but see fewer messages scoring against them than we might expect.

But it’s pretty simple - the URL has to match against the blacklist. I’m not sure how your system would operate differently and miss this URL, other than to just not be checking against these lists.

I agree in principle 🙂

Out of interest, what are the spam threshold scores in your system for when a message is regarded as spam?

I think I set mine to 3, but I was being quite aggressive. 5 is probably OK if the URL blacklists are being checked.

We’ve made some changes to the configuration in the last 24 hours. Hopefully this helps identify these URLs now. We will monitor the situation in case there are any negative effects observed.