Any ideas on where else to look for the cause of this false positive?
It's ironic that the email in question was a private message notice from a site on my server to me.
The URIBL_SBL rule hits when the message body contains a URL that is listed in the SBL blocklist; it's nothing to do with the IP address that the message was sent from.
Is that the only URL that is present in the email? As you have mentioned, that domain or its IP address does not appear to be in any block lists currently. If that's the only URL in the email, then I'm afraid I can't really offer any other suggestions or more information.
Are these emails being blocked by other servers using spamassassin, or is your concern just that it is being blocked on your own server? If the latter, then you can modify the score for that SA rule by editing /etc/mail/spamassassin/configserver.cf (if present) and giving that rule a 0 score. If that file is not present, edit /etc/mail/spamassassin/local.cf and add the line:
I don't want to prevent SA from scanning for other bad URLs - but I couldn't even find an RBL list that lists URLs - they all list IPs - in my server's case there are over 50 URLs associated with one IP
You could try manually running the mail through spamassassin in debug mode to see exactly what it is hitting on in the email. Save the email in a text file, i.e. email.txt, and do: