Re: low score on very spammy email

2018-04-11 Thread Bill Cole

On 10 Apr 2018, at 18:28, Motty Cruz wrote:


 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client cbl.abuseat.org,


That is redundant. The Zen list includes the CBL and Spamhaus has taken 
over operation of the CBL so there's no lag time between them any more.


Re: low score on very spammy email

2018-04-11 Thread David Jones

On 04/11/2018 11:14 AM, Matus UHLAR - fantomas wrote:

On 04/10/2018 03:49 PM, Motty Cruz wrote:

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ


On 10.04.18 16:28, David Jones wrote:

Content analysis details:   (16.0 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------
 4.2 RCVD_IN_IVMBL_LASTEXTERNAL RBL: No description available.
                                [178.62.193.238 listed in sip.invaluement.com]
 5.2 BAYES_99                   BODY: Bayes spam probability is 99 to 100%
                                [score: 0.9996]
 3.2 BAYES_999                  BODY: Bayes spam probability is 99.9 to 100%
                                [score: 0.9996]
 1.2 ENA_RELAY_IN               Relayed through India
 0.0 MISSING_MIME_HB_SEP        BODY: Missing blank line between MIME header and
                                body
 2.2 ENA_RELAY_NOT_US           Relayed from outside the US and not on whitelists
 0.0 ENA_BAD_SPAM               Spam hitting really bad rules.


Since most of those rules are 3rd party and others have tuned scores, it's
quite expected that the mail scored 3.5.

(BAYES_999 was apparently not hit, it would score 3.7 then).

we sometimes must accept that a FP appears.
otherwise, there would be no spam and no discussion here :-)



If you read between the lines above there are two points:

1. the IVM RBL is awesome and well worth its low price

2. if you follow my practice by whitelist_auth as many senders based on 
their envelope-from address, then you can aggressively train your Bayes 
DB based on the content and not the sender to get maximum results.


I don't train every piece of junk or UCE as spam in my Bayes DB.  Some 
senders just need to be reported to Spamcop and blacklist_from because 
their content looks just like ham.  I bet many Bayes DBs out there are 
"confused" by improper training.  I train ham first then spam second so 
similar content will go toward the spam classification since most of the 
 trusted senders are already covered by a whitelist_auth entry.


Never let end users decide the ham/spam Bayes training either.  They 
don't understand and will mark anything they don't want at that 
particular moment as spam even if they signed up for it a few hours/days 
ago.


--
David Jones


Re: low score on very spammy email

2018-04-11 Thread Motty Cruz

Thank you all for your help, suggestions.

per your suggestions MTA and SA tweaked and already seen a huge difference.

Thanks again!

On 04/11/2018 09:14 AM, Matus UHLAR - fantomas wrote:

On 04/10/2018 03:49 PM, Motty Cruz wrote:

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ


On 10.04.18 16:28, David Jones wrote:

Content analysis details:   (16.0 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------
 4.2 RCVD_IN_IVMBL_LASTEXTERNAL RBL: No description available.
                                [178.62.193.238 listed in sip.invaluement.com]
 5.2 BAYES_99                   BODY: Bayes spam probability is 99 to 100%
                                [score: 0.9996]
 3.2 BAYES_999                  BODY: Bayes spam probability is 99.9 to 100%
                                [score: 0.9996]
 1.2 ENA_RELAY_IN               Relayed through India
 0.0 MISSING_MIME_HB_SEP        BODY: Missing blank line between MIME header and
                                body
 2.2 ENA_RELAY_NOT_US           Relayed from outside the US and not on whitelists
 0.0 ENA_BAD_SPAM               Spam hitting really bad rules.


Since most of those rules are 3rd party and others have tuned scores, it's
quite expected that the mail scored 3.5.

(BAYES_999 was apparently not hit, it would score 3.7 then).

we sometimes must accept that a FP appears.
otherwise, there would be no spam and no discussion here :-)





Re: low score on very spammy email

2018-04-11 Thread Matus UHLAR - fantomas

On 04/10/2018 03:49 PM, Motty Cruz wrote:

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ


On 10.04.18 16:28, David Jones wrote:

Content analysis details:   (16.0 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------
 4.2 RCVD_IN_IVMBL_LASTEXTERNAL RBL: No description available.
                                [178.62.193.238 listed in sip.invaluement.com]
 5.2 BAYES_99                   BODY: Bayes spam probability is 99 to 100%
                                [score: 0.9996]
 3.2 BAYES_999                  BODY: Bayes spam probability is 99.9 to 100%
                                [score: 0.9996]
 1.2 ENA_RELAY_IN               Relayed through India
 0.0 MISSING_MIME_HB_SEP        BODY: Missing blank line between MIME header and
                                body
 2.2 ENA_RELAY_NOT_US           Relayed from outside the US and not on whitelists
 0.0 ENA_BAD_SPAM               Spam hitting really bad rules.


Since most of those rules are 3rd party and others have tuned scores, it's
quite expected that the mail scored 3.5.

(BAYES_999 was apparently not hit, it would score 3.7 then).

we sometimes must accept that a FP appears.
otherwise, there would be no spam and no discussion here :-)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: low score on very spammy email

2018-04-10 Thread Jari Fredriksson


> Motty Cruz wrote on 10.4.2018 at 23.49:
> 
> I apologize here is the email headers and body
> 
> https://pastebin.com/bgXrfKaQ
> 
> Thanks,
> 
> 

Oh my.

X-Spam-Report:
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*  [score: 0.]


I’ll be damned :(






Re: low score on very spammy email

2018-04-10 Thread David Jones

On 04/10/2018 05:28 PM, Motty Cruz wrote:
Thank you very much for your suggestions David. MTA is configured to use 
RBLs,


reject_rbl_client b.barracudacentral.org

worked really well for me at one point. Also,

  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client multi.uribl.com,
  reject_rbl_client rabl.nuclearelephant.com,



That is too risky to block on a single RBL hit above.

Since you are running Postfix, enable postscreen and postwhite 
(https://github.com/stevejenkins/postwhite) to get MUCH better results 
from combining the power of many RBLs:


/etc/postfix/main.cf:


postscreen_access_list =
  permit_mynetworks,
  cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
  cidr:/etc/postfix/postscreen_access.cidr

postscreen_dnsbl_threshold   = 8
postscreen_dnsbl_action  = enforce

postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.[10;14]*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  bl.mailspike.net=127.0.0.[10;11;12]*7
  zen.spamhaus.org=127.0.0.3*6
  hostkarma.junkemailfilter.com=127.0.0.2*4
  dnsbl.sorbs.net=127.0.0.7*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.mailspike.net=127.0.0.2*4
  ubl.unsubscore.com=127.0.0.2*4
  bl.fmb.la=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  dnsbl-1.uceprotect.net=127.0.0.2*2
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl.sorbs.net=127.0.0.8*2
  recent.dnsbl.sorbs.net=127.0.0.6*3
  recent.dnsbl.sorbs.net=127.0.0.9*2
  recent.dnsbl.sorbs.net=127.0.0.8*2
  score.senderscore.com=127.0.4.[0..29]*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  all.spamrats.com=127.0.0.[36;38]*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  score.senderscore.com=127.0.4.[30..69]*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  score.senderscore.com=127.0.4.[80..89]*-2
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  score.senderscore.com=127.0.4.[90..100]*-3
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5


You may adjust the weights above based on your particular mail flow if 
needed but they should be pretty good/safe as is.


Setup postwhite and add any domains that need to be bypassed on RBL 
checks to /etc/postwhite.conf in the custom_hosts.


custom_hosts="authsmtp.com"



On 04/10/2018 03:14 PM, David Jones wrote:

On 04/10/2018 05:04 PM, Leandro wrote:
2018-04-10 18:52 GMT-03:00 David Jones:

    On 04/10/2018 04:47 PM, Leandro wrote:

    2018-04-10 17:49 GMT-03:00 Motty Cruz:

     I apologize here is the email headers and body

    https://pastebin.com/bgXrfKaQ

    You should not take this domain mrface.com seriously because it is a
    TLD used for free dynamic IP service (changeip.com).

    There is even a fake Windows Update domain in this TLD:

    ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
    185.133.40.63

     Thanks,

    I noticed it was listed on the DBL dnsbl.spfbl.net and was just
    working to add that to my local rules.  Anyone know how to set this
    DBL up in SA?  I am trying to find an example in the stock SA rules now...



Yes. We list any IP using any free dynamic TLD.

A legit mail server never uses crap, or shouldn't use.

Documentation to set this DNSBL at SA:

https://spfbl.net/en/dnsbl/


    --     David Jones




I found an example in KAM.cf:

[root@server spamassassin]# pwd
/etc/mail/spamassassin
[root@server spamassassin]# cat 99_spfbl.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header    __RCVD_IN_SPFBL    eval:check_rbl('spfbl', 'dnsbl.spfbl.net')
tflags    __RCVD_IN_SPFBL    net

header    __RCVD_IN_SPFBL_3    eval:check_rbl_sub('spfbl', '127.0.0.3')
meta    RCVD_IN_SPFBL    __RCVD_IN_SPFBL_3 && !RCVD_IN_SPFBL_LASTEXT
describe    RCVD_IN_SPFBL    Received is listed in SPFBL.net RBL
score 
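
Added example (not part of the original message and not Postfix code): a small Python evaluator for the weighted postscreen_dnsbl_sites syntax quoted in the message above, showing why one list hit stays below postscreen_dnsbl_threshold = 8 while combined hits cross it and a DNSWL hit offsets them. The DNSBL replies are constructed sample data, and counting each entry at most once per client is an assumption of this example.

```python
import re

# Subset of the postscreen_dnsbl_sites entries from the message above.
DNSBL_SITES = """
  zen.spamhaus.org=127.0.0.[10;11]*8
  b.barracudacentral.org=127.0.0.2*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  zen.spamhaus.org=127.0.0.3*6
  bl.spamcop.net=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  score.senderscore.com=127.0.4.[30..69]*1
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].3*-5
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the same message

# domain[=d.d.d.d][*weight]; filter and weight are both optional.
ENTRY_RE = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$"
)
# One filter octet: a plain number or a [..] pattern.
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")


def parse_octet(spec):
    """Return the set of values one filter octet accepts."""
    if not spec.startswith("["):
        return {int(spec)}
    values = set()
    for part in spec[1:-1].split(";"):      # ';'-separated alternatives
        lo, _, hi = part.partition("..")    # 'a..b' range or single number
        values.update(range(int(lo), int(hi or lo) + 1))
    return values


def parse_sites(text):
    """Parse entries into (domain, octet_sets_or_None, weight) tuples."""
    sites = []
    for entry in re.split(r"[,\s]+", text.strip()):
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError("bad entry: %r" % entry)
        octets = None
        if m["filter"] is not None:
            specs = OCTET_RE.findall(m["filter"])
            if len(specs) != 4 or ".".join(specs) != m["filter"]:
                raise ValueError("bad filter: %r" % entry)
            octets = [parse_octet(s) for s in specs]
        sites.append((m["domain"], octets, int(m["weight"] or 1)))
    return sites


def score_client(sites, replies):
    """Sum weights of entries whose filter matches a returned A record.

    replies maps DNSBL domain -> list of A records for the client IP.
    Assumption: each entry contributes its weight at most once.
    """
    total, hits = 0, []
    for domain, octets, weight in sites:
        for addr in replies.get(domain, []):
            parts = [int(p) for p in addr.split(".")]
            if octets is None or all(p in ok for p, ok in zip(parts, octets)):
                total += weight
                hits.append((domain, addr, weight))
                break
    return total, hits


def is_blocked(total, threshold=THRESHOLD):
    """True when the combined score reaches the configured threshold."""
    return total >= threshold


if __name__ == "__main__":
    sites = parse_sites(DNSBL_SITES)
    # Constructed replies; not real lookups.
    cases = {
        "single SpamCop hit": {"bl.spamcop.net": ["127.0.0.2"]},
        "SpamCop + Barracuda": {"bl.spamcop.net": ["127.0.0.2"],
                                "b.barracudacentral.org": ["127.0.0.2"]},
        "Barracuda offset by DNSWL": {"b.barracudacentral.org": ["127.0.0.2"],
                                      "list.dnswl.org": ["127.0.9.3"]},
    }
    for name, replies in cases.items():
        total, hits = score_client(sites, replies)
        print(name, total, "BLOCK" if is_blocked(total) else "pass", hits)
```

With reject_rbl_client, the first case alone would already be a rejection; with the weighted list it scores 4 and passes.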

Re: low score on very spammy email

2018-04-10 Thread Motty Cruz
Thank you very much for your suggestions David. MTA is configured to use 
RBLs,


reject_rbl_client b.barracudacentral.org

worked really well for me at one point. Also,

 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client multi.uribl.com,
 reject_rbl_client rabl.nuclearelephant.com,


On 04/10/2018 03:14 PM, David Jones wrote:

On 04/10/2018 05:04 PM, Leandro wrote:
2018-04-10 18:52 GMT-03:00 David Jones:

    On 04/10/2018 04:47 PM, Leandro wrote:

    2018-04-10 17:49 GMT-03:00 Motty Cruz:

     I apologize here is the email headers and body

    https://pastebin.com/bgXrfKaQ

    You should not take this domain mrface.com seriously because it is a
    TLD used for free dynamic IP service (changeip.com).

    There is even a fake Windows Update domain in this TLD:

    ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
    185.133.40.63

     Thanks,

    I noticed it was listed on the DBL dnsbl.spfbl.net and was just
    working to add that to my local rules.  Anyone know how to set this
    DBL up in SA?  I am trying to find an example in the stock SA rules now...



Yes. We list any IP using any free dynamic TLD.

A legit mail server never uses crap, or shouldn't use.

Documentation to set this DNSBL at SA:

https://spfbl.net/en/dnsbl/


    --     David Jones




I found an example in KAM.cf:

[root@server spamassassin]# pwd
/etc/mail/spamassassin
[root@server spamassassin]# cat 99_spfbl.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header    __RCVD_IN_SPFBL    eval:check_rbl('spfbl', 'dnsbl.spfbl.net')
tflags    __RCVD_IN_SPFBL    net

header    __RCVD_IN_SPFBL_3    eval:check_rbl_sub('spfbl', '127.0.0.3')
meta    RCVD_IN_SPFBL    __RCVD_IN_SPFBL_3 && !RCVD_IN_SPFBL_LASTEXT
describe    RCVD_IN_SPFBL    Received is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL    1.2
tflags    RCVD_IN_SPFBL    net

header    RCVD_IN_SPFBL_LASTEXT    eval:check_rbl('spfbl-lastexternal', 'dnsbl.spfbl.net')
describe    RCVD_IN_SPFBL_LASTEXT    Last external is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL_LASTEXT    2.2
tflags    RCVD_IN_SPFBL_LASTEXT    net

endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns    SENDER_IN_SPFBL    _SENDERDOMAIN_.dnsbl.spfbl.net A /^127\.0\.0\.3$/
tflags    SENDER_IN_SPFBL    nice net
describe    SENDER_IN_SPFBL    Sending domain listed in SPFBL.net DBL
score    SENDER_IN_SPFBL    2.2

endif





Re: low score on very spammy email

2018-04-10 Thread David Jones

On 04/10/2018 05:04 PM, Leandro wrote:
2018-04-10 18:52 GMT-03:00 David Jones:

On 04/10/2018 04:47 PM, Leandro wrote:

2018-04-10 17:49 GMT-03:00 Motty Cruz:

     I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ

You should not take this domain mrface.com seriously because it is a TLD
used for free dynamic IP service (changeip.com).

There is even a fake Windows Update domain in this TLD:

ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
185.133.40.63

     Thanks,

I noticed it was listed on the DBL dnsbl.spfbl.net and was just working
to add that to my local rules.  Anyone know how to set this DBL up in SA?
I am trying to find an example in the stock SA rules now...



Yes. We list any IP using any free dynamic TLD.

A legit mail server never uses crap, or shouldn't use.

Documentation to set this DNSBL at SA:

https://spfbl.net/en/dnsbl/


-- 
David Jones





I found an example in KAM.cf:

[root@server spamassassin]# pwd
/etc/mail/spamassassin
[root@server spamassassin]# cat 99_spfbl.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header    __RCVD_IN_SPFBL    eval:check_rbl('spfbl', 'dnsbl.spfbl.net')
tflags    __RCVD_IN_SPFBL    net

header    __RCVD_IN_SPFBL_3    eval:check_rbl_sub('spfbl', '127.0.0.3')
meta    RCVD_IN_SPFBL    __RCVD_IN_SPFBL_3 && !RCVD_IN_SPFBL_LASTEXT
describe    RCVD_IN_SPFBL    Received is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL    1.2
tflags    RCVD_IN_SPFBL    net

header    RCVD_IN_SPFBL_LASTEXT    eval:check_rbl('spfbl-lastexternal', 'dnsbl.spfbl.net')
describe    RCVD_IN_SPFBL_LASTEXT    Last external is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL_LASTEXT    2.2
tflags    RCVD_IN_SPFBL_LASTEXT    net

endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns    SENDER_IN_SPFBL    _SENDERDOMAIN_.dnsbl.spfbl.net A /^127\.0\.0\.3$/
tflags    SENDER_IN_SPFBL    nice net
describe    SENDER_IN_SPFBL    Sending domain listed in SPFBL.net DBL
score    SENDER_IN_SPFBL    2.2

endif

--
David Jones


Re: low score on very spammy email

2018-04-10 Thread Leandro
2018-04-10 18:52 GMT-03:00 David Jones:

> On 04/10/2018 04:47 PM, Leandro wrote:
>
>> 2018-04-10 17:49 GMT-03:00 Motty Cruz <motty.c...@gmail.com>:
>>
>> I apologize here is the email headers and body
>>
>> https://pastebin.com/bgXrfKaQ
>>
>> You should not take this domain mrface.com seriously because it is a
>> TLD used for free dynamic IP service (changeip.com).
>>
>> There is even a fake Windows Update domain in this TLD:
>>
>> ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
>> 185.133.40.63
>>
>>
>>
>>
>> Thanks,
>>
>>
>>
> I noticed it was listed on the DBL dnsbl.spfbl.net and was just working
> to add that to my local rules.  Anyone know how to set this DBL up in SA?
> I am trying to find an example in the stock SA rules now...
>


Yes. We list any IP using any free dynamic TLD.

A legit mail server never uses crap, or shouldn't use.

Documentation to set this DNSBL at SA:

https://spfbl.net/en/dnsbl/



>
> --
> David Jones
>


Re: low score on very spammy email

2018-04-10 Thread David Jones

On 04/10/2018 04:47 PM, Leandro wrote:
2018-04-10 17:49 GMT-03:00 Motty Cruz:

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ

You should not take this domain mrface.com seriously because it is a TLD
used for free dynamic IP service (changeip.com).

There is even a fake Windows Update domain in this TLD:

ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
185.133.40.63




Thanks,




I noticed it was listed on the DBL dnsbl.spfbl.net and was just working 
to add that to my local rules.  Anyone know how to set this DBL up in 
SA?  I am trying to find an example in the stock SA rules now...


--
David Jones


Re: low score on very spammy email

2018-04-10 Thread Leandro
2018-04-10 17:49 GMT-03:00 Motty Cruz:

> I apologize here is the email headers and body
>
> https://pastebin.com/bgXrfKaQ



You should not take this domain mrface.com seriously because it is a TLD
used for free dynamic IP service (changeip.com).

There is even a fake Windows Update domain in this TLD:

ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
185.133.40.63



>
> Thanks,
>
>


Re: low score on very spammy email

2018-04-10 Thread David Jones

On 04/10/2018 03:49 PM, Motty Cruz wrote:

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ

Thanks,



Content analysis details:   (16.0 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------
 4.2 RCVD_IN_IVMBL_LASTEXTERNAL RBL: No description available.
                                [178.62.193.238 listed in sip.invaluement.com]
 5.2 BAYES_99                   BODY: Bayes spam probability is 99 to 100%
                                [score: 0.9996]
 3.2 BAYES_999                  BODY: Bayes spam probability is 99.9 to 100%
                                [score: 0.9996]
 1.2 ENA_RELAY_IN               Relayed through India
 0.0 MISSING_MIME_HB_SEP        BODY: Missing blank line between MIME header and
                                body
 2.2 ENA_RELAY_NOT_US           Relayed from outside the US and not on whitelists
 0.0 ENA_BAD_SPAM               Spam hitting really bad rules.


BAYES and IVM RBL would have blocked this on my SA platform.  My Postfix 
MTA setup with weighted postscreen RBLs might have blocked this before SA.


http://multirbl.valli.org/lookup/178.62.193.238.html

IVM is a subscription-based RBL that is very cheap and accurate.

I train my bayes DB daily by splitting a copy of all email to an iRedMail 
hidden mail server that does the initial sort of ham/spam based on 
scores and rule hits while filtering some email from mailing lists and 
facebook/twitter/etc.


# sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0    6115847          0  non-token data: nspam
0.000          0   18374916          0  non-token data: nham

So what's the real problem?  Do you feel that amavis is letting through 
too much junk?  You have to tune/tweak your SA rules and plugins to get 
the best accuracy for your specific mail flow.  Everyone's mail flow is 
different so I couldn't give you my config and have it work perfectly.


We have mentioned general tuning on this mailing list over the past 
year.  Also spam characteristics change over time as the spammers are 
constantly having to change their tactics as filtering catches up to them.




On 04/10/2018 01:40 PM, David Jones wrote:

On 04/10/2018 03:34 PM, Motty Cruz wrote:

Thanks for your help David,

https://pastebin.com/wsYRfM8K


That email is missing a lot of headers that are critical.  Please post 
the entire email including the Received: headers.




-Motty


On 04/10/2018 01:22 PM, David Jones wrote:

On 04/10/2018 03:05 PM, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt



The Bayes setup looks good.  Can you put a lightly redacted version 
of that email on pastbin.com so we can run it through our SA instances?


Amavis should have blocked that message based on the score being 
3.501 and the kill threshold being 3.1.  This sounds like an amavis 
config issue.


Please post the output of 'grep 723EC1A1706 maillog' to get the full 
message conversation from Postfix.



Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] -> , Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get 
low score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for ;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score 

Re: low score on very spammy email

2018-04-10 Thread Motty Cruz

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ

Thanks,


On 04/10/2018 01:40 PM, David Jones wrote:

On 04/10/2018 03:34 PM, Motty Cruz wrote:

Thanks for your help David,

https://pastebin.com/wsYRfM8K


That email is missing a lot of headers that are critical.  Please post 
the entire email including the Received: headers.




-Motty


On 04/10/2018 01:22 PM, David Jones wrote:

On 04/10/2018 03:05 PM, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt



The Bayes setup looks good.  Can you put a lightly redacted version 
of that email on pastbin.com so we can run it through our SA instances?


Amavis should have blocked that message based on the score being 
3.501 and the kill threshold being 3.1.  This sounds like an amavis 
config issue.


Please post the output of 'grep 723EC1A1706 maillog' to get the full 
message conversation from Postfix.



Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] -> , Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get 
low score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for ;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastbin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user
















Re: low score on very spammy email

2018-04-10 Thread David Jones

On 04/10/2018 03:34 PM, Motty Cruz wrote:

Thanks for your help David,

https://pastebin.com/wsYRfM8K


That email is missing a lot of headers that are critical.  Please post 
the entire email including the Received: headers.




-Motty


On 04/10/2018 01:22 PM, David Jones wrote:

On 04/10/2018 03:05 PM, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt



The Bayes setup looks good.  Can you put a lightly redacted version of 
that email on pastbin.com so we can run it through our SA instances?


Amavis should have blocked that message based on the score being 3.501 
and the kill threshold being 3.1.  This sounds like an amavis config 
issue.


Please post the output of 'grep 723EC1A1706 maillog' to get the full 
message conversation from Postfix.



Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] -> , Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get 
low score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for ;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastbin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user












--
David Jones


Re: low score on very spammy email

2018-04-10 Thread Motty Cruz

Thanks for your help David,

https://pastebin.com/wsYRfM8K

-Motty


On 04/10/2018 01:22 PM, David Jones wrote:

On 04/10/2018 03:05 PM, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt



The Bayes setup looks good.  Can you put a lightly redacted version of 
that email on pastbin.com so we can run it through our SA instances?


Amavis should have blocked that message based on the score being 3.501 
and the kill threshold being 3.1.  This sounds like an amavis config 
issue.


Please post the output of 'grep 723EC1A1706 maillog' to get the full 
message conversation from Postfix.



Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] -> , Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get 
low score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for ;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastbin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user











Re: low score on very spammy email

2018-04-10 Thread Motty Cruz
Thanks for your help! I'm trying to figure out why this email "get very 
low" score. Yes, Amavisd didn't stop it. I understand that, it is not 
part of the question here.


I fed a lot of similar emails "learn spam" and still get very low score. 
I too thought it was permissions issues.



On 04/10/2018 01:12 PM, Reindl Harald wrote:

this is *amavis* not spamassassin

X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
3.501 is clearly above kill=3.1

Delivered-To: spam-quarantine

so it *does not* get very low score, ask amavis folks, spamassassin is
only one piece of your setup

On 10.04.2018 at 22:05, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt

Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706:
from=, size=16883, nrcpt=1
(queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN
{RelayedInbound}, [127.0.0.1] [171.61.147.96]
 -> ,
Message-ID:
<1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>,
mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms
root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:

tons of spam fed to my spam-filter and yet very spammy emails get low
score.

zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
  tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
  by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id G71jMeOxz-Ha for ;
  Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
  (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
  (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0




Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user




Re: low score on very spammy email

2018-04-10 Thread David Jones

On 04/10/2018 03:05 PM, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt



The Bayes setup looks good.  Can you put a lightly redacted version of 
that email on pastebin.com so we can run it through our SA instances?


Amavis should have blocked that message based on the score being 3.501 
and the kill threshold being 3.1.  This sounds like an amavis config issue.


Please post the output of 'grep 723EC1A1706 maillog' to get the full 
message conversation from Postfix.



Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: 
from=, size=16883, nrcpt=1 
(queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN 
{RelayedInbound}, [127.0.0.1] [171.61.147.96] 
 -> , 
Message-ID: 
<1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, 
mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get low 
score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for ;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user







--
David Jones
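
Added example, not part of any message in this thread: a small Python check that compares the levels in an amavisd-new X-Spam-Status header with the verdict in the matching amavis log line, which is the contradiction raised above (Hits 3.501 against kill=3.1, yet logged as Passed CLEAN). The function names are hypothetical and the two addresses in the sample log line are constructed placeholders.

```python
import re

# Constructed sample: header and log text follow the thread; the two
# addresses are placeholders because the archive stripped the originals.
HEADER = ("X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1\n"
          " tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled")
LOG = ("Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN "
       "{RelayedInbound}, [127.0.0.1] [171.61.147.96] <sender@example.org> "
       "-> <rcpt@example.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, "
       "size: 16883, 1972 ms")
NUM = r"-?\d+(?:\.\d+)?"

def parse_status(header):
    """Split an amavisd-new X-Spam-Status header into levels and rule hits."""
    text = re.sub(r"\r?\n[ \t]+", " ", header)   # unfold continuation lines
    head, _, rest = text.partition("tests=[")
    levels = {k: float(v) for k, v in
              re.findall(rf"\b(score|tag2?|kill)=({NUM})", head)}
    tests = {}
    for item in rest.split("]")[0].split(","):
        name, sep, val = item.strip().partition("=")
        if sep:
            tests[name] = float(val)
    return levels, tests

def parse_log(line):
    """Pull verdict, mail_id and Hits out of an amavis delivery log line."""
    m = re.search(rf"amavis\[\d+\]: \(\S+\) (Passed|Blocked) ([A-Z-]+).*?"
                  rf"mail_id: ([^,\s]+),.*?Hits: ({NUM}|-)", line)
    if not m:
        return None
    action, category, mail_id, hits = m.groups()
    return {"action": action, "category": category, "mail_id": mail_id,
            "hits": None if hits == "-" else float(hits)}  # "-" = not scored

def audit(header, line):
    """Return findings where the logged verdict contradicts the header levels."""
    levels, _ = parse_status(header)
    log = parse_log(line)
    if log is None or log["hits"] is None or "kill" not in levels:
        return ["cannot compare: score or kill level missing"]
    findings = []
    if abs(log["hits"] - levels.get("score", log["hits"])) > 0.0005:
        findings.append("header score and logged Hits differ")
    if log["hits"] >= levels["kill"] and log["action"] == "Passed":
        findings.append(f"{log['mail_id']}: Hits {log['hits']} >= kill "
                        f"{levels['kill']} but logged as Passed {log['category']}")
    return findings
```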


Re: low score on very spammy email

2018-04-10 Thread Motty Cruz

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt

Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: 
from=, size=16883, nrcpt=1 
(queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN 
{RelayedInbound}, [127.0.0.1] [171.61.147.96] 
 -> , 
Message-ID: 
<1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, 
mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get low 
score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for ;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user






Re: low score on very spammy email

2018-04-10 Thread David Jones

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get low 
score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
     tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
     by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
     with ESMTP id G71jMeOxz-Ha for ;
     Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
     (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
     (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user


--
David Jones


low score on very spammy email

2018-04-10 Thread Motty Cruz
tons of spam fed to my spam-filter and yet very spammy emails get low 
score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
    tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
    by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id G71jMeOxz-Ha for ;
    Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0