Hi Julyusito, thank you!

This log fragment you sent here, where exactly did you get it? Does it look to you like a rule that had a match? Can you see it on the list of rules for this e-mail message in Tracing?

What can be happening is that this particular hit is not by itself decisive in stopping a message from being delivered. I also believe it should, of course. But if this is just one rule and the message didn't have many matches on other rules, it's likely that it didn't get the necessary score to be quarantined.

Some Spamassassin checks have external queries on supported providers, like the URI blacklist verification. But these are also treated as rules.

See if you can get more information. If this phishing fraud is really being shown as a Spamassassin rule, you can just increase the score for such rule and make every e-mail message that matches it be above the score limit, thus being blocked immediately.

Cheers,

Victor.