Re: Marking HAM as good mail

2007-04-14 Thread mouss

Mário Gamito wrote:
> Hi,
>
> > now, take one of the messages and run "spamassassin -t" on it and show
> > these tests (at the end of the report).
>
> Strange, it has only 4.1 points, but is marked as SPAM!

not now, but it was marked as spam when it was delivered. maybe 
dcc/razor (or spamcops?) was hit at that time. Unfortunately, it's too 
late to know (unless the infos are in your logs).

you'll need to modify your filter as I said before (add the list of 
rules to the X-Spam-Status header, so that you know what matched at the 
filtering time).

> # spamassassin -t 1173748887.M111529P3626V0901I0172197A_86.mail.telbit.pt\,S\=28719\:2\,
>
> Content analysis details:   (4.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 MIME_BOUND_EQ_REL      MIME_BOUND_EQ_REL
>  0.3 FROM_STARTS_WITH_NUMS  From: starts with many numbers
>  0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
>  1.3 FROM_LOCAL_HEX         From: localpart has long hexadecimal sequence
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.6 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
>
> Warm Regards




Re: Marking HAM as good mail

2007-04-13 Thread Mário Gamito
Hi,

> now, take one of the messages and run "spamassassin -t" on it and show
> these tests (at the end of the report).
Strange, it has only 4.1 points, but is marked as SPAM!

# spamassassin -t 1173748887.M111529P3626V0901I0172197A_86.mail.telbit.pt\,S\=28719\:2\,

Content analysis details:   (4.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 MIME_BOUND_EQ_REL      MIME_BOUND_EQ_REL
 0.3 FROM_STARTS_WITH_NUMS  From: starts with many numbers
 0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 1.3 FROM_LOCAL_HEX         From: localpart has long hexadecimal sequence
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.6 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words


Warm Regards
-- 
:wq! Mário Gamito


Re: Marking HAM as good mail

2007-04-13 Thread mouss

Mário Gamito wrote:
> Hi,
>
> Thank you for your answers.
>
> > Look at the config documentation for the whitelist_from_rcvd and 
> > whitelist_from_spf options. 
>
> Humm... where are they ? Couldn't find it :(
>
> > Can you post the list of rules that these mails are hitting (the 
> > X-Spam_Status header)?
>
> Here it is:
> X-Spam-Status: Yes, score=5.6 required=5.0

you should configure your filter so that the X-Spam-Status header shows 
the tests that were hit.

now, take one of the messages and run "spamassassin -t" on it and show 
these tests (at the end of the report).

> X-Spam-Level: +
> Received: from unknown (HELO mx1.netcanvas.com) ([81.92.203.3])
>   (envelope-sender <[EMAIL PROTECTED]>)
>   by 0 (qmail-ldap-1.03) with SMTP
>   for <[EMAIL PROTECTED]>; 13 Mar 2007 18:43:32 -
> Received: (qmail 18227 invoked by uid 205); 13 Mar 2007 18:43:32 -
> Received: from 84.18.242.136 by mx1.netcanvas.com (envelope-from
> <[EMAIL PROTECTED]>, uid 202) with qmail-scanner-1.24st
>  (clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
>  Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.
>  Processed in 2.395852 secs); 13 Mar 2007 18:43:32 -
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=-0.3 required=5.0
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> gauguin.netcanvas.com
> X-Qmail-Scanner-MOVED-X-Spam-Level:
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
> tests=AWL,BAYES_00,
> HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0



you may want to disable AWL.
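
An added example, not part of any post in this thread: a small Python parser that lists every X-Spam-Status header on a message (including the ones qmail-scanner renamed) and reports which verdicts carry no tests= list and so cannot be audited after delivery. The function names are hypothetical, and the sample is constructed from the header shapes quoted above.

```python
import re
from email import message_from_string

# Constructed sample: the scanner headers quoted in the thread, with the
# folded continuation lines indented as RFC 5322 requires (an assumption; the
# list archive shows them flush left).
SAMPLE = """\
X-Spam-Status: Yes, score=5.6 required=5.0
X-Spam-Level: +
X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=-0.3 required=5.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
 gauguin.netcanvas.com
X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
 tests=AWL,BAYES_00,
 HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0
Subject: constructed sample

body
"""

VERDICT = re.compile(r"(Yes|No),\s+(?:score|hits)=(-?[\d.]+)\s+required=(-?[\d.]+)")
TESTS = re.compile(r"tests=(.*?)(?=\s+\w+=|$)")

def spam_status_headers(raw):
    """Return one dict per *X-Spam-Status header, in message order."""
    found = []
    for name, value in message_from_string(raw).items():
        if not name.lower().endswith("x-spam-status"):
            continue
        value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
        verdict = VERDICT.match(value)
        if not verdict:
            continue
        tests = TESTS.search(value)
        found.append({
            "header": name,
            "spam": verdict.group(1) == "Yes",
            "score": float(verdict.group(2)),
            "required": float(verdict.group(3)),
            # None means the scanner recorded a verdict but not the rules hit.
            "tests": [t.strip() for t in tests.group(1).split(",") if t.strip()]
                     if tests else None,
        })
    return found

def unexplained_verdicts(raw):
    """Headers whose score cannot be audited because no rule list was kept."""
    return [h["header"] for h in spam_status_headers(raw) if h["tests"] is None]

if __name__ == "__main__":
    for h in spam_status_headers(SAMPLE):
        print(h)
    print("no rule list:", unexplained_verdicts(SAMPLE))
```

On the sample, the "Yes, score=5.6" verdict is one of the two headers without a rule list, while the upstream scan that scored -0.3 names its four tests.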


Re: Marking HAM as good mail

2007-04-13 Thread John Rudd


Are you using the Botnet plugin?

If so, I'd add an exemption for their IP address to your Botnet.cf file.

It looks like what you'd need, if you are using Botnet, is either:


botnet_skip_ip ^81\.92\.203\.3$

and/or

botnet_skip_ip ^84\.18\.242\.136$


Depending on whether your scanning machine is the 
mx1.netcanvas.com/gauguin.netcanvas.com machine.  If it is, then use the 
2nd config line I gave, if it's not, then use the first one.



If you're not using Botnet, then ignore this message :-)



Mário Gamito wrote:
> Hi,
>
> Thank you for your answers.
>
> > Look at the config documentation for the whitelist_from_rcvd and 
> > whitelist_from_spf options. 
>
> Humm... where are they ? Couldn't find it :(
>
> > Can you post the list of rules that these mails are hitting (the 
> > X-Spam_Status header)?
>
> Here it is:
> X-Spam-Status: Yes, score=5.6 required=5.0
> X-Spam-Level: +
> Received: from unknown (HELO mx1.netcanvas.com) ([81.92.203.3])
>   (envelope-sender <[EMAIL PROTECTED]>)
>   by 0 (qmail-ldap-1.03) with SMTP
>   for <[EMAIL PROTECTED]>; 13 Mar 2007 18:43:32 -
> Received: (qmail 18227 invoked by uid 205); 13 Mar 2007 18:43:32 -
> Received: from 84.18.242.136 by mx1.netcanvas.com (envelope-from
> <[EMAIL PROTECTED]>, uid 202) with qmail-scanner-1.24st
>  (clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
>  Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.
>  Processed in 2.395852 secs); 13 Mar 2007 18:43:32 -
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=-0.3 required=5.0
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> gauguin.netcanvas.com
> X-Qmail-Scanner-MOVED-X-Spam-Level:
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
> tests=AWL,BAYES_00,
> HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0
>
> Warm Regards


Re: Marking HAM as good mail

2007-04-13 Thread John D. Hardin
On Fri, 13 Apr 2007, Mário Gamito wrote:

> > Look at the config documentation for the whitelist_from_rcvd and 
> > whitelist_from_spf options. 

> Humm... where are they ? Couldn't find it :(

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::SPF

or

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_SPF.html

> > Can you post the list of rules that these mails are hitting (the 
> > X-Spam_Status header)?

> Here it is:

> X-Spam-Status: Yes, score=5.6 required=5.0

> ... qmail-scanner-1.24st
> (clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
> Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.

> X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
> tests=AWL,BAYES_00,
>   HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0

...oookay, someone better-versed in qmail-scanner will have to 
interpret this. I can't. It sure looks to me like it shouldn't be 
classified as spam.

Also: you may want to upgrade your SpamAssassin install to 3.1.8, 
3.1.0 is rather old and is subject to DoS attack.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The difference between ignorance and stupidity is that the stupid
  desire to remain ignorant. -- Jim Bacon
-----------------------------------------------------------------------
 Today: Thomas Jefferson's 264th Birthday




Re: Marking HAM as good mail

2007-04-13 Thread Mário Gamito
Hi,

Thank you for your answers.

> Look at the config documentation for the whitelist_from_rcvd and 
> whitelist_from_spf options. 
Humm... where are they ? Couldn't find it :(

> Can you post the list of rules that these mails are hitting (the 
> X-Spam_Status header)?
Here it is:
X-Spam-Status: Yes, score=5.6 required=5.0
X-Spam-Level: +
Received: from unknown (HELO mx1.netcanvas.com) ([81.92.203.3])
  (envelope-sender <[EMAIL PROTECTED]>)
  by 0 (qmail-ldap-1.03) with SMTP
  for <[EMAIL PROTECTED]>; 13 Mar 2007 18:43:32 -
Received: (qmail 18227 invoked by uid 205); 13 Mar 2007 18:43:32 -
Received: from 84.18.242.136 by mx1.netcanvas.com (envelope-from
<[EMAIL PROTECTED]>, uid 202) with qmail-scanner-1.24st
 (clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
 Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.
 Processed in 2.395852 secs); 13 Mar 2007 18:43:32 -
X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=-0.3 required=5.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
gauguin.netcanvas.com
X-Qmail-Scanner-MOVED-X-Spam-Level:
X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
tests=AWL,BAYES_00,
HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0


Warm Regards
-- 
:wq! Mário Gamito


Re: Marking HAM as good mail

2007-04-13 Thread John D. Hardin
On Fri, 13 Apr 2007, Mário Gamito wrote:

> My boss is getting HAM mails from two addresses which are always
> marked as SPAM.
> 
> Is there a way to configure SA to stop marking those two specific
> addresses as SPAM ?

Look at the config documentation for the whitelist_from_rcvd and 
whitelist_from_spf options. 

Can you post the list of rules that these mails are hitting (the 
X-Spam_Status header)?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Warning Labels we'd like to see #1: "If you are a stupid idiot while
 using this product you may hurt yourself. And it won't be our fault."
-----------------------------------------------------------------------
 Today: Thomas Jefferson's 264th Birthday




Re: Marking HAM as good mail

2007-04-13 Thread Matthias Häker



Mário Gamito wrote:
> Hi,
>
> My boss is getting HAM mails from two addresses which are always marked
> as SPAM.
>
> I've seen that lowering the sa-learn threshold is not an option.
>
> Is there a way to configure SA to stop marking those two specific
> addresses as SPAM ?
>
> Any help would be appreciated.
>
> Warm Regards

How do you call SA?

I call it from procmail and I use my own whitelist system with procmail;
maybe this is an option for you.


Matthias




Marking HAM as good mail

2007-04-13 Thread Mário Gamito
Hi,

My boss is getting HAM mails from two addresses which are always marked
as SPAM.

I've seen that lowering the sa-learn threshold is not an option.

Is there a way to configure SA to stop marking those two specific
addresses as SPAM ?

Any help would be appreciated.

Warm Regards
-- 
:wq! Mário Gamito