SpamAssassin, The query to URIBL was blocked.
I'm trying to work out how to get around this error:
X-Spam-Score: 0
X-Spam-Bar: /
X-Spam-Report: Spam detection software, running on the system "admin.newbyhost.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: new car? compare the best deals. --> the epic way to finance
your new car. the epic way to finance your new car [1] apply now › car
loans from £1,000to £100,000* [...]
Content analysis details: (-0.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: bmetrack.com]
-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
[207.8.97.3 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
0.0 HTML_MESSAGE BODY: HTML included in message
-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
0.0 LOTS_OF_MONEY Huge... sums of money
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
It's a basic setup using VestaCP, but I can't work out why it gives that error. There is no way my server is sending too much traffic to the RBL checks to warrant a blocking, so it must be something else?
Cheers
Andy
7 Replies
Basically, the URIBL service is free for a few emails (like personal use), but anything above that requires some kind of payment. Linode does not want to pay for such a service to offer to us, so any requests to URIBL (via spamassassin or other similar tool) fail with URIBL_BLOCKED.
There are two things you can do:
1) Keep using linode's DNS servers and just ignore URIBL (you can even disable the check in spamassassin)
2) Setup your own DNS servers, if you have a normal amount of emails then you'll get free service from URIBL, but if you exceed their threshold then you will also be blocked.
Thanks for the reply. Mmm yeah, not too sure I like the idea of setting up my own DNS server. Seems a bit of a faff
What is confusing me though, is why these both match, but don't hold any "score" ?
0.0 LOTS_OF_MONEY Huge... sums of money
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
I would have thought the fact that they matched, would mean it needs to give them some kind of negative score.
Cheers
Andy
TDKIMINVALID is there to tell people that their DKIM implementation is broken. In my servers I always reject emails with an invalid DKIM. In addition, I don't use spamassassin for DKIM checking, but I prefer the check to happen earlier in the process via OpenDKIM milter during postfix processing. Thus, emails will be rejected earlier and spamassassin will have to do less work.
If you want, you can give TDKIMINVALID a score of 100 to just block those broken emails.
In OpenDKIM I use the following settings:
On-BadSignature reject
On-KeyNotFound reject
On-Security reject
Cheers
Andy
score TDKIMINVALID 100
In CentOS, you can look at the rules under /var/lib/spamassassin/