Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 07:36:05 Karsten Bräckelmann wrote: On Tue, 2011-08-16 at 01:07 +0930, Rodney Baker wrote: On Tue, 16 Aug 2011 00:48:13 Bowie Bailey wrote: * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... Yes, filtering on the SA X-Spam Status or Level headers is the way to go. After you found and fixed where SA gets called a second time (actually the first time), these won't be harmed and overwritten -- and useful for filtering. Anyway, the secret why the above procmail recipe doesn't work is simply, because procmail uses a rather limited sub-set of REs and its own flavor. It's not PCRE. In particular procmail does not understand {x,y} range quantifiers, but treats that part as a plain string to match. Which doesn't. (Caveat: From memory, not actually looked it up again for verification.) Ah, thankyou. Despite googling for lots of stuff on procmail I've not been able to find a definitive reference for what can and can't be used in a procmail recipe. Maybe I just haven't use the right search terms (or maybe I just haven't understood what I've read). Anyway, thanks for the clarification. 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS Oh, yeah, these do ring quite some bells... ;) After you fixed your mail processing chain to not have SA chew twice on the spam -- you should manually train Bayes, feeding it a lot of hand classified spam, and possibly ham. Check your 'sa-learn --dump magic' numbers. The Bayes score of 0.1 is way out of line. Agreed. I do run sa-learn --spam (actually now have it scheduled to run weekly on a folder into which I drop all the non-classified spam messages) and --ham (on a folder with messages that were false-positives). Note though, that a previous site-wide SA filter might use a site-wide user, not the one owning the procmail recipe. Thus Bayes scores might suddenly change once it's run per user. Check the numbers and performance for the user you'll use after fixing the chain issue. You need to fix whatever is causing the message to be scanned twice. OK - that makes sense. Now I'm wondering if there is a global mail config somewhere that is routing the message through SA, and then my local .procmailrc is doing it again. Time to go digging... Site-wide /etc/procmailrc, SMTP server milter, transport or similar, or even something like Amavis in the chain? There is no /etc/procmailrc, no milter that I'm aware of, running fetchmail/sendmail/dovecot. This machine doubles as my home mail server/file server and desktop machine. The only reason I'm running IMAP is so that I can access the same mail from my laptop or netbook when I need to (and I used to run squirrelmail to allow access remotely via https webmail, but not any more). That then leaves the question as to why my procmail recipe isn't triggering on the rewritten subject, but that is probably not for this list. It's sufficiently related. ;) See above. Thanks again. :-) -- == Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 05:02:20 John Hardin wrote: On Tue, 16 Aug 2011, Rodney Baker wrote: :0fw: spamassassin.lock : | spamc Just as a test, if you comment that bit out of your personal .procmailrc does everything work they way you'd expect (i.e. one SA pass, the correct score in the X- headers)? Yep,that was the first thing that I did. Somehow spamassassin is still checking the messages, even though they're not being piped through spamc via procmail. I'm sure that fetchmail isn't doing it, so that leaves sendmail, dovecot or kmail. So begins the process of elimination (or maybe I just leave it out of procmailrc and be done with it...). Thanks, Rodney. -- == Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On 8/16/2011 8:55 AM, Rodney Baker wrote: On Tue, 16 Aug 2011 07:36:05 Karsten Bräckelmann wrote: After you fixed your mail processing chain to not have SA chew twice on the spam -- you should manually train Bayes, feeding it a lot of hand classified spam, and possibly ham. Check your 'sa-learn --dump magic' numbers. The Bayes score of 0.1 is way out of line. Agreed. I do run sa-learn --spam (actually now have it scheduled to run weekly on a folder into which I drop all the non-classified spam messages) and --ham (on a folder with messages that were false-positives). When you are trying to fix a Bayes problem, it can be useful to feed it as much as possible. Put *all* your ham and *all* your spam (properly classified or not) into those folders and let Bayes learn from it. -- Bowie
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 2011-08-16 at 22:29 +0930, Rodney Baker wrote: On Tue, 16 Aug 2011 05:02:20 John Hardin wrote: Just as a test, if you comment that bit out of your personal .procmailrc does everything work they way you'd expect (i.e. one SA pass, the correct score in the X- headers)? Yep,that was the first thing that I did. Somehow spamassassin is still checking the messages, even though they're not being piped through spamc via procmail. I'm sure that fetchmail isn't doing it, so that leaves sendmail, dovecot or kmail. So begins the process of elimination (or maybe I just leave it out of procmailrc and be done with it...). If you don't use Delivery Control Options with fetchmail (see that section in the man pages) like an explicit MDA or SMTP, this should not be where SA gets invoked. You don't, do you? The default is to pass it on to port 25, which should just be your Sendmail. A site-wide procmail configuration doesn't exist, as you mentioned in another reply to this thread. Dovecot will not filter messages. It's an IMAP server that serves what has been delivered already. The dovecot MDA could, but you seem to use procmail for direct delivery into the Maildir store. Another one to rule out. Kmail as an MUA must not modify delivered mail (and doesn't), so while it could call SA again, you won't see SA headers. Both Dovecot and Kmail are after the procmail recipe you initially showed anyway, so there's no chance they could cause the matching issues you reported. Leaves us with Sendmail in the chain to dig further... After all, procmail already sees SA headers, without a filter. What you're hunting for is before procmail in the chain. Regarding leaving it out of procmail and being done with it -- maybe. This is likely to bite later, though. If it is before procmail, odds are it's using a site-wide user. Which implies Bayes training has to be done as that user, not the recipient... -- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On 8/15/2011 10:57 AM, Rodney Baker wrote: Hi all. I'm running spamassassin 3.3.1 on my openSuse 11.2 box at home. Mail is collected from multiple ISP mail accounts via fetchmail and delivered to local IMAP mail folders via procmail. My user account .procmailrc file begins thus: LOGFILE=$HOME/pm.log :0fw: spamassassin.lock | spamc :0 * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... X-Virus-Flag: no X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on my.local.mailhost.name.removed X-Spam-Level: * X-Spam-Status: No, score=1.5 required=6.5 tests=BAYES_00,IMPOTENCE,NO_RELAYS autolearn=no version=3.3.1 X-Spam-Virus: No Received: from localhost by my.local.mailhost.name.removed with SpamAssassin (version 3.3.1); Mon, 15 Aug 2011 18:58:01 +0930 From: Adele Key spam.address.removed To: another.u...@iinet.net.au Subject: SPAM(10.1) spam-subject-removed Date: Mon, 15 Aug 2011 18:12:48 +0900 Message-Id: 165971112.54106003786840@spamdomain.removed MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--=_4E48E6A1.127A41A2 X-Length: 7330 X-UID: 83487 X-KMail-Filtered: 61220 Status: R X-Status: N X-KMail-EncryptionState: X-KMail-SignatureState: X-KMail-MDN-Sent: Spam detection software, running on the system my.local.mailhost.name.removed, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see postmaster for details. Content preview: [...] Content analysis details: (10.1 points, 6.5 required) pts rule name description -- -- 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS I don't get it - the content analysis shows a score of 10.1, the modified subject line shows 10.1, but the X-Spam-Status header shows 1.5! What have I messed up in my configuration? This message is going through SA twice. The first time, it is marked as spam and the message is re-written per your report_safe setting. This generates the analysis shown in the body itself. The second time, the re-written message is scanned by SA. This time, all of the incriminating stuff has been hidden by the rewrite, so it is not marked as spam. This is the analysis shown in the header. You need to fix whatever is causing the message to be scanned twice. -- Bowie
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 00:48:13 Bowie Bailey wrote: On 8/15/2011 10:57 AM, Rodney Baker wrote: Hi all. I'm running spamassassin 3.3.1 on my openSuse 11.2 box at home. Mail is collected from multiple ISP mail accounts via fetchmail and delivered to local IMAP mail folders via procmail. My user account .procmailrc file begins thus: LOGFILE=$HOME/pm.log :0fw: spamassassin.lock : | spamc : :0 * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... X-Virus-Flag: no X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on my.local.mailhost.name.removed X-Spam-Level: * X-Spam-Status: No, score=1.5 required=6.5 tests=BAYES_00,IMPOTENCE,NO_RELAYS autolearn=no version=3.3.1 X-Spam-Virus: No Received: from localhost by my.local.mailhost.name.removed with SpamAssassin (version 3.3.1); Mon, 15 Aug 2011 18:58:01 +0930 From: Adele Key spam.address.removed To: another.u...@iinet.net.au Subject: SPAM(10.1) spam-subject-removed Date: Mon, 15 Aug 2011 18:12:48 +0900 Message-Id: 165971112.54106003786840@spamdomain.removed MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--=_4E48E6A1.127A41A2 X-Length: 7330 X-UID: 83487 X-KMail-Filtered: 61220 Status: R X-Status: N X-KMail-EncryptionState: X-KMail-SignatureState: X-KMail-MDN-Sent: Spam detection software, running on the system my.local.mailhost.name.removed, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see postmaster for details. Content preview: [...] Content analysis details: (10.1 points, 6.5 required) pts rule name description -- -- 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS I don't get it - the content analysis shows a score of 10.1, the modified subject line shows 10.1, but the X-Spam-Status header shows 1.5! What have I messed up in my configuration? This message is going through SA twice. The first time, it is marked as spam and the message is re-written per your report_safe setting. This generates the analysis shown in the body itself. The second time, the re-written message is scanned by SA. This time, all of the incriminating stuff has been hidden by the rewrite, so it is not marked as spam. This is the analysis shown in the header. You need to fix whatever is causing the message to be scanned twice. OK - that makes sense. Now I'm wondering if there is a global mail config somewhere that is routing the message through SA, and then my local .procmailrc is doing it again. Time to go digging... That then leaves the question as to why my procmail recipe isn't triggering on the rewritten subject, but that is probably not for this list. Thanks for the pointer. Rodney. -- == Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Mon, 15 Aug 2011 11:18:13 -0400, Bowie Bailey wrote: On 8/15/2011 10:57 AM, Rodney Baker wrote: snip :0 * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// snip This message is going through SA twice. Indeed. And by the way, for what it is worth, my .procmailrc says (inter alia) :0: * ^X-Spam-Status: Yes # The trailing slashdot means do it as MH # instead of MBOX (the default) junk/. # Otherwise it falls through May I suggest that that's rather simpler than the regex which you are using? In addition, should I in the future decide for some reason to change or revoke the subject rewriting, I won't need to change .procmailrc.
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 01:15:11 Walter Hurry wrote: On Mon, 15 Aug 2011 11:18:13 -0400, Bowie Bailey wrote: On 8/15/2011 10:57 AM, Rodney Baker wrote: snip :0 * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// snip This message is going through SA twice. Indeed. And by the way, for what it is worth, my .procmailrc says (inter alia) :0: * ^X-Spam-Status: Yes # The trailing slashdot means do it as MH # instead of MBOX (the default) junk/. # Otherwise it falls through May I suggest that that's rather simpler than the regex which you are using? Of course, and that's what I wanted to do, except that if you have a look at my X-Spam-Status header it says No, which is the opposite of what I expect for a message marked as spam (apparently due, as already suggested, to spamassassin processing the message twice). In addition, should I in the future decide for some reason to change or revoke the subject rewriting, I won't need to change .procmailrc. Of course, if I can just get the message flagged as Spam in the headers, I'll be able to do the same. ;-) -- == Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011, Rodney Baker wrote: :0fw: spamassassin.lock | spamc Just as a test, if you comment that bit out of your personal .procmailrc does everything work they way you'd expect (i.e. one SA pass, the correct score in the X- headers)? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...for a nation to tax itself into prosperity is like a man standing in a bucket and trying to lift himself up by the handle. -- Winston Churchill --- Today: the 66th anniversary of the end of World War II
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 2011-08-16 at 01:07 +0930, Rodney Baker wrote: On Tue, 16 Aug 2011 00:48:13 Bowie Bailey wrote: * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... Yes, filtering on the SA X-Spam Status or Level headers is the way to go. After you found and fixed where SA gets called a second time (actually the first time), these won't be harmed and overwritten -- and useful for filtering. Anyway, the secret why the above procmail recipe doesn't work is simply, because procmail uses a rather limited sub-set of REs and its own flavor. It's not PCRE. In particular procmail does not understand {x,y} range quantifiers, but treats that part as a plain string to match. Which doesn't. (Caveat: From memory, not actually looked it up again for verification.) 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS Oh, yeah, these do ring quite some bells... ;) After you fixed your mail processing chain to not have SA chew twice on the spam -- you should manually train Bayes, feeding it a lot of hand classified spam, and possibly ham. Check your 'sa-learn --dump magic' numbers. The Bayes score of 0.1 is way out of line. Note though, that a previous site-wide SA filter might use a site-wide user, not the one owning the procmail recipe. Thus Bayes scores might suddenly change once it's run per user. Check the numbers and performance for the user you'll use after fixing the chain issue. You need to fix whatever is causing the message to be scanned twice. OK - that makes sense. Now I'm wondering if there is a global mail config somewhere that is routing the message through SA, and then my local .procmailrc is doing it again. Time to go digging... Site-wide /etc/procmailrc, SMTP server milter, transport or similar, or even something like Amavis in the chain? That then leaves the question as to why my procmail recipe isn't triggering on the rewritten subject, but that is probably not for this list. It's sufficiently related. ;) See above. -- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Inconsistent Spam scores?
Good point. I'd noticed the different tag set. But the ALL_TRUSTED rather distracted me when I noticed it. {^_^} - Original Message - From: Matt Kettler [EMAIL PROTECTED] (Re-post to list. For some reason the post which quoted all of chad's email bounced back with a 10.4 score. No clue why, there's no spam quotes here, only one URIBL listed domain mentioned in the body report. One domain alone shouldn't be 10, even if it's listed in every URIBL in the universe) Chad, based on the difference in hits on the two scores below, it sounds like you're double-scanning the email. Make sure you don't have an MTA integration that's scanning the mail before it gets to procmail. Also, try temporarily disabling both spamc calls in your procmail.rc, see if you still get X-Spam-Status headers. Order of events: The first time it's scanned, the message gets tagged a body report is added, and the whole thing is encapsulated in a new message with new headers, including new Received: headers that show the message as being locally generated. The second time around, the scan will get result because the message headers are different. The X-Spam-Status header gets over-written, but nothing else. Note that in the body (first scan) several RBLs hit (XBL, spamcop and NJABL_DUL) but the second time (X-Spam-Status) they don't fire and in their place ALL_TRUSTED matches, suggesting a locally generated email (such as the encapsulation). At 09:11 PM 11/23/2005, Chad wrote: Hello! I've been googling and searching this list for a little over 2 hours now and have yet to find this problem, or a fix for it. If there is something obvious I'm missing, feel free to point me in that direction, but here goes: I recieve Spam from Doctor with the subject Ultimate Online Pharmaceutical It's subject gets marked up correctly with my [SPAM] subject_rewrite, and I have report_safe set to 1, so the message shows the score as: Content analysis details: (9.2 points, 5.0 required) pts rule name description -- -- 2.3 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [217.217.190.99 listed in dnsbl.sorbs.net] 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?217.217.190.99] 2.5 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [217.217.190.99 listed in sbl-xbl.spamhaus.org] 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [217.217.190.99 listed in combined.njabl.org] 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: *MUNGED*] As noted, it's a score of 9.2 points total. But, when I check the header, it shows: X-Spam-Level: X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED, DATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY, URIBL_SBL autolearn=no version=3.0.2-gr1
Re: Inconsistent Spam scores?
Disabling, and checking. I've been going over this thing on and off all night. So far, the best change I made was the internal_networks It seems to work *almost* correctly now, but, as you noted, it seems it's getting checked twice now (from your description anyway :) ) I'll keep you updated. Thanks for the help so far! Chad
Re: Inconsistent Spam scores?
On 11/24/05, Chad [EMAIL PROTECTED] wrote: Disabling, and checking. I've been going over this thing on and off all night. So far, the best change I made was the internal_networks It seems to work *almost* correctly now, but, as you noted, it seems it's getting checked twice now (from your description anyway :) ) I'll keep you updated. Thanks for the help so far! Chad And it gets sorted properly, there are no ALL_TRUSTED issues. Thank you! Now I guess I need to track down where this is happening. I'll plug through my postfix confs. Thanks for the info and the help! Chad
Re: Inconsistent Spam scores?
You need to setup your trusted_networks and internal_networks values to get rid of ALL_TRUSTED. These values are usually stored in the /etc/mail/spamassassin/local.cf file. Read the wiki regarding the trusted_networks setup. Trusted_networks is merely a short list of mailers from when you directly receive email that you can trust not to forge addresses. That is the only trust involved. I use fetchmail and with the headers it places in mail my trusted_networks value can be a simple 127/8. Then I set internal_networks 192.168/16 as rather large overkill for the real setup here. If you receive directly then your smtp server's IP address that it places in the email Received headers would be appropriate for the trusted_networks. And if you have a whole Internet block of addresses they should probably be in your internal_networks values. Of course, this is a topic we've been talking about for the last couple days already. So you probably didn't think of the right search term. {^_-} {^_^} - Original Message - From: Chad [EMAIL PROTECTED] Hello! I've been googling and searching this list for a little over 2 hours now and have yet to find this problem, or a fix for it. If there is something obvious I'm missing, feel free to point me in that direction, but here goes: I recieve Spam from Doctor with the subject Ultimate Online Pharmaceutical It's subject gets marked up correctly with my [SPAM] subject_rewrite, and I have report_safe set to 1, so the message shows the score as: Content analysis details: (9.2 points, 5.0 required) pts rule name description -- -- 2.3 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [217.217.190.99 listed in dnsbl.sorbs.net] 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?217.217.190.99] 2.5 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [217.217.190.99 listed in sbl-xbl.spamhaus.org] 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [217.217.190.99 listed in combined.njabl.org] 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: asciatini.com] As noted, it's a score of 9.2 points total. But, when I check the header, it shows: X-Spam-Level: X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED, DATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY, URIBL_SBL autolearn=no version=3.0.2-gr1 Which makes procmail NOT do it's job of sorting this into the correct Spam folder. The closest thing I've seen is that a server is underpowered (which I don't think that's my problem) and a work-around for that to call Spamassassin twice, which I tried but it didn't work. So, I really don't know what else to tell you guys, but will include contents of files and version below for additional help. Thanks for any info! ~/.procmailrc: ## Set to yes when debugging VERBOSE=no ## I'm assuming that you are using pine, which means that your mail is ## stored in ~/mail. If not, figure out where your mail is stored ## (for example, ~/Mail or ~/.mail or ~/.Mail), and set MAILDIR ## to that directory. MAILDIR=$HOME/Maildir ## Directory for storing procmail-related files PMDIR=$HOME/.procmail ## Put '#' before LOGFILE if you want no logging (not recommended) LOGFILE=$PMDIR/log ## filter spam INCLUDERC=$PMDIR/spam.rc ~/.procmail/spam.rc: :0fw: spamassassin.lock | /usr/bin/spamc # The following three lines move messages tagged as spam to a folder # called spam-folder If you want mail to stay in your inbox, just # delete the lines # Try a second time if SpamC failed :0fw: spamassassin.lock2 * ! ^X-Spam-Level:.* | spamc # Filter Spam with a level of 15 or higher to Trash: :0: * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\* .Trash/ # And finally, filter as noted above: :0: * ^X-Spam-Status: Yes .Spam/ /etc/spam/local.cf: # This is the right place to customize your installation of SpamAssassin. # # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be # tweaked. # ### # # Set this to 0 to disable altering the subject line # rewrite_subject 1 # The above is commented out, and the below was changed from subject_tag to # rewrite_header Subject in versions above 3.0 # Set this with whatever string wanted to alter subject line with (see above) rewrite_header Subject [SPAM] # This setting is to display the email address to contact for assistance report_contact [EMAIL PROTECTED] # This setting is to set the desired language allowed
Re: Inconsistent Spam scores?
(Re-post to list. For some reason the post which quoted all of chad's email bounced back with a 10.4 score. No clue why, there's no spam quotes here, only one URIBL listed domain mentioned in the body report. One domain alone shouldn't be 10, even if it's listed in every URIBL in the universe) Chad, based on the difference in hits on the two scores below, it sounds like you're double-scanning the email. Make sure you don't have an MTA integration that's scanning the mail before it gets to procmail. Also, try temporarily disabling both spamc calls in your procmail.rc, see if you still get X-Spam-Status headers. Order of events: The first time it's scanned, the message gets tagged a body report is added, and the whole thing is encapsulated in a new message with new headers, including new Received: headers that show the message as being locally generated. The second time around, the scan will get result because the message headers are different. The X-Spam-Status header gets over-written, but nothing else. Note that in the body (first scan) several RBLs hit (XBL, spamcop and NJABL_DUL) but the second time (X-Spam-Status) they don't fire and in their place ALL_TRUSTED matches, suggesting a locally generated email (such as the encapsulation). At 09:11 PM 11/23/2005, Chad wrote: Hello! I've been googling and searching this list for a little over 2 hours now and have yet to find this problem, or a fix for it. If there is something obvious I'm missing, feel free to point me in that direction, but here goes: I recieve Spam from Doctor with the subject Ultimate Online Pharmaceutical It's subject gets marked up correctly with my [SPAM] subject_rewrite, and I have report_safe set to 1, so the message shows the score as: Content analysis details: (9.2 points, 5.0 required) pts rule name description -- -- 2.3 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [217.217.190.99 listed in dnsbl.sorbs.net] 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?217.217.190.99] 2.5 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [217.217.190.99 listed in sbl-xbl.spamhaus.org] 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [217.217.190.99 listed in combined.njabl.org] 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: *MUNGED*] As noted, it's a score of 9.2 points total. But, when I check the header, it shows: X-Spam-Level: X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED, DATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY, URIBL_SBL autolearn=no version=3.0.2-gr1