I've been using SA for years.  I'm running 3.1.6 on a Red Hat box, and 99% of
the time, all is well.

Last week I added a rule to tag those annoying .gif pump-and-dump emails.
Nothing fancy:

rawbody IMG_SRC_CID         /src\=(\"c|c)id\:/i
score IMG_SRC_CID       2.0

Most of the time it works fine.  However, occasionally, I'll get an email that
ONLY sees that rule.  I'm using MIMEDefang to rewrite the headers, and all it
shows is

X-Spam-Score: 2 (**) IMG_SRC_CID

But when I do a spamassassin --debug<test with the message, it finds all kinds
of fun things:

Content analysis details:   ( 6.6 points, 9.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-0.3 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2631]
 1.9 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 IMG_SRC_CID            RAW: cid in body

The very next message is the same kind of scam, but sees everything:

X-Spam-Score: 7.967 (*******)

So what obvious mistake am I making?  Thanks for any help...

tim boyer


Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
