Re: X-Spam-Status/content analysis details inconsistencies.

[Justin Mason]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


there's an upstream server *also* running SpamAssassin, and defanging
the message in some way so that your SpamAssassin server doesn't
get a chance to get the full hits.   

- --j.

jeffrey.arnold writes:
> Hi users,
> 
> I have a weird problem here that i know i am not the only one to 
> encounter, and have yet to see (in much searching) a solution for.
> 
> I am running spamassassin for all mail via spamd/spamc, and filtering on 
> the "X-Spam-Status: Yes" header. The majority of my spam is getting 
> caught, but quite a bit is getting through. The vast majority of the 
> spam that gets through is tagged as spam in the subject line (i enable 
> rewrite_header), but not tagged as spam in the X-Spam-Status header 
> line. In an example spam, i get the following spamass header:
> 
> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
>  phase.nyc.analogue.net
> X-Spam-Level: 
> X-Spam-Status: No, score=4.8 required=5.0 testsºYES_50,HTML_10_20,
>  HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_SBL
>  autolearn=no version=3.0.2
> 
> The subject/body, on the other hand, contains:
> 
> Subject: SPAM(10.9) Become the man that women desire
> 
> Content analysis details:   (10.9 points, 5.0 required)
> 
>   pts rule name  description
>  -- --
>   0.0 HTML_MESSAGE   BODY: HTML included in message
>   0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
>  [score: 0.5508]
>   0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above
>  50%
>  [cf: 100]
>   0.2 HTML_10_20 BODY: Message is 10% to 20% HTML
>   0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>   3.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
>   2.0 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP
>  address
>  [218.80.35.217 listed in dnsbl.sorbs.net]
>   3.8 RCVD_IN_DSBL   RBL: Received via a relay in list.dsbl.org
>  []
>   0.1 RCVD_IN_NJABL_DUL  RBL: NJABL: dialup sender did non-local SMTP
>  [218.80.35.217 listed in combined.njabl.org]
>   1.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
>  [URIs: heavenlyitemsbutique.com]
> 
> So it appears that spamassassin tagged this as spam with 10.9 points, 
> but left out some of the rules when writing the X-Spam-Status header, 
> claiming the email only received 4.8 points. Spamassassin is installed 
> directly out of freebsd ports on a fbsd4.11 box with perl 5.8.5. My 
> local.cf is included below. Why would spamassassin be dropping rules 
> like this?
> 
> Thanks much,
> -jba
> 
> __
>   [EMAIL PROTECTED] :: analogue.networks.nyc :: http://analogue.net
> 
> -- local.cf --
> 
> rewrite_header Subject SPAM(_SCORE_)
> skip_rbl_checks 0
> 
> use_razor2 1
> bayes_auto_learn 1
> use_bayes 1
> use_pyzor 1
> auto_learn 1
> use_dcc 1
> dcc_add_header 1
> dns_available yes
> dcc_timeout 10
> dcc_path /my/path/to/dccproc
> 
> rbl_timeout 3
> num_check_received 3
> 
> bayes_path /path/to/my/spamass/
> auto_whitelist_path /path/to/my/auto-whitelist
> 
> header   ARIX_DF rbleval:check_rbl('arix-df', 'fresh.dict.rbl.arix.com.')
> describe ARIX_DF Recent dictionary spammer
> tflags   ARIX_DF net
> 
> header   ARIX_DS rbleval:check_rbl('arix-ds', 'stale.dict.rbl.arix.com.')
> describe ARIX_DS Sender has a history of dictionary spamming
> tflags   ARIX_DS net
> 
> scoreARIX_DF 3.0
> scoreARIX_DS 0.5
> 
> trusted_networks (my trusted nets)
> internal_networks (my internal nets)
> lock_method flock
> 
> ## Optional Score Increases
> score DCC_CHECK 4.000
> score RAZOR2_CHECK 3.500
> score BAYES_99 4.300
> score BAYES_90 3.500
> score BAYES_80 3.000
> score RCVD_IN_SORBS_WEB 2.000
> score RCVD_IN_SBL 3.000
> score URIBL_SBL 1.00
> score ALL_TRUSTED 0.000
> score RCVD_IN_BL_SPAMCOP_NET 2.0
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFCJaR1MJF5cimLx9ARAqU9AKCnqCft6TZ4Z77DeMBfdoscRTuuHwCgqyO0
wo3Y4UEiL+1dx5PeaNoxLWU=
=SXRJ
-END PGP SIGNATURE-

Re: X-Spam-Status/content analysis details inconsistencies.

[jeffrey.arnold]

On Wed, 2 Mar 2005, Alan Premselaar wrote:

::   This type of symptom seems to be common to mail being scanned twice (or
:: more) by spamassasin.  how do you have the call to spamd/spamc implemented?
:: 

Hi Alan,

I am running qmail-1.0.3, and run spamc piped through to qmail-queue by 
replacing the qmail-queue binary with a shell script that does the 
following:

#!/bin/sh
/usr/local/bin/spamc -f -s 1024000 | /var/qmail/bin/qmail-queue.orig

I have spamd logging turned up, and i haven't seen any dupes so far. Any 
clues?

Thanks much,
-jba
__
 [EMAIL PROTECTED] :: analogue.networks.nyc :: http://analogue.net

Re: X-Spam-Status/content analysis details inconsistencies.

[Alan Premselaar]

jeffrey.arnold wrote:
Hi users,
I have a weird problem here that i know i am not the only one to 
encounter, and have yet to see (in much searching) a solution for.

I am running spamassassin for all mail via spamd/spamc, and filtering on 
the "X-Spam-Status: Yes" header. The majority of my spam is getting 
caught, but quite a bit is getting through. The vast majority of the 
spam that gets through is tagged as spam in the subject line (i enable 
rewrite_header), but not tagged as spam in the X-Spam-Status header 
line. In an example spam, i get the following spamass header:

X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
phase.nyc.analogue.net
X-Spam-Level: 
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,HTML_10_20,
HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_SBL
autolearn=no version=3.0.2

The subject/body, on the other hand, contains:
Subject: SPAM(10.9) Become the man that women desire
Content analysis details:   (10.9 points, 5.0 required)
...snip...
So it appears that spamassassin tagged this as spam with 10.9 points, 
but left out some of the rules when writing the X-Spam-Status header, 
claiming the email only received 4.8 points. Spamassassin is installed 
directly out of freebsd ports on a fbsd4.11 box with perl 5.8.5. My 
local.cf is included below. Why would spamassassin be dropping rules 
like this?

Thanks much,
-jba
Jeffrey,
  This type of symptom seems to be common to mail being scanned twice 
(or more) by spamassasin.  how do you have the call to spamd/spamc 
implemented?

alan