On Tue, 2009-03-10 at 10:05 -0500, Chris Barnes wrote:
> Karsten Bräckelmann wrote:
> > The AWL score for this message is minimal (one can tell by calculating
> > the stock rules' scores without it). Your problem here is BAYES_00 and
> > RCVD_IN_DNSWL_MED.
> >
> > BAYES_00 means your Bayes DB is pretty skewed. You should train sa-learn
> > on these messages.
>
> I do. Daily.

Then it should be scoring like BAYES_50 at worst...

> Note, I train on my personal account. But is there also a system-wide
> Bayes db that might be causing this score?

You tell us. We didn't set up your system.

By default, with a stock SA, there is no site-wide Bayes. If you call
spamassassin or spamc by your MDA (e.g. procmail), it most likely is
per-user only. If you are running some MTA integrating glue, there might
be site-wide.

In either case, you must be training as the user running SA, doing the
scanning and using Bayes. Check your Bayes DB values by running the
command

  $ sa-learn --dump magic

and keep an eye on the values (in particular nspam, nham and ntokens)
before and after training. Also ensure it is the scanning user.

> > RCVD_IN_DNSWL_MED is a -4 alone. So either (a) your trusted_networks
> > should be expanded, or (b) the IP in question needs to be removed from
> > DNSWL.org. Can't tell without seeing the full headers.
>
> Here is another, almost identical header, spam that got through with a
> nearly identical SA report. Does this help?
>
> Return-Path: <off...@itsjss.com>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>     vmmail.physics.tamu.edu
> X-Spam-Level:
> X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,
>     DATE_IN_PAST_06_12, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,
>     HTML_TAG_BALANCE_BODY, MIME_HTML_ONLY, RCVD_IN_DNSWL_MED,SPF_FAIL
>     autolearn=disabled version=3.2.5
> X-Original-To: cbar...@mail.physics.tamu.edu
> Delivered-To: cbar...@mail.physics.tamu.edu
> Received: from tr-2-int.cis.tamu.edu (tamu-relay.tamu.edu
>     [165.91.22.121]) by mail.physics.tamu.edu (Postfix) with ESMTP
>     id 2D8B8950C1 for <cbar...@mail.physics.tamu.edu>; Tue, 10 Mar
>     2009 01:22:52 -0500 (CDT)

Listed in DNSWL MED. Appears trustworthy and internal. Should not have
been checked here, but instead be part of your trusted_networks.

> Received: from localhost (localhost.tamu.edu [127.0.0.1])
>     by tr-2-int.cis.tamu.edu (Postfix) with ESMTP id DF2CA1FD92
>     for <chris-bar...@tamu.edu>; Tue, 10 Mar 2009 01:22:51 -0500(CDT)

*boggle*

> X-Virus-Scanned: amavisd-new at tamu.edu
> X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
> Received: from Outbound-four.nuos.com (outbound-four.nuos.com
>     [63.149.233.44]) by tr-2-int.cis.tamu.edu (Postfix) with SMTP
>     id 37F521FD65 for <chris-bar...@tamu.edu>; Tue, 10 Mar 2009 01:22:50
>     -0500 (CDT)

NOT listed at dnswl.org.

Looks like it is about option (a), and your trusted and internal networks
setting is borked. Any chance you are getting a hit on RCVD_IN_DNSWL_MED
for *any* mail? That's a whopping -4 offset, and renders most of the
positive scoring RBL network tests useless.

  guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
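
The trust-boundary reasoning in the reply above, as an added example that is not part of the original message and not SpamAssassin's own code: a simplified Python model that walks the quoted Received headers newest first and returns the relay address a DNSWL lookup would be made for, with and without the tamu relay in trusted_networks. The function name `boundary_relay` and the trimmed header strings are assumptions made for the illustration.

```python
import ipaddress
import re

# Received headers quoted in the message above, newest first. Folded lines are
# joined and the "id ... for ...; date" tails dropped: only the relay IP matters.
RECEIVED = [
    "from tr-2-int.cis.tamu.edu (tamu-relay.tamu.edu [165.91.22.121]) "
    "by mail.physics.tamu.edu (Postfix) with ESMTP",
    "from localhost (localhost.tamu.edu [127.0.0.1]) "
    "by tr-2-int.cis.tamu.edu (Postfix) with ESMTP",
    "from Outbound-four.nuos.com (outbound-four.nuos.com [63.149.233.44]) "
    "by tr-2-int.cis.tamu.edu (Postfix) with SMTP",
]

# First bracketed IPv4 address in a header: the connecting relay as recorded
# by the receiving MTA.
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def boundary_relay(received, trusted_networks):
    """Return the IP that handed the mail to the first trusted relay.

    Simplified model (an assumption of this example, not SpamAssassin's
    parser): walk the headers newest to oldest, skip relays that are loopback
    or inside trusted_networks, and stop at the first relay that is neither.
    That address is the one a DNS whitelist/blacklist lookup applies to.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for header in received:
        match = RELAY_IP.search(header)
        if match is None:
            return None  # unparseable hop: trust cannot be extended past it
        ip = ipaddress.ip_address(match.group(1))
        if ip.is_loopback or any(ip in net for net in nets):
            continue  # trusted hop, keep walking towards the sender
        return str(ip)
    return None  # every hop was trusted, e.g. locally generated mail


if __name__ == "__main__":
    # Nothing trusted: the internal relay itself is what gets looked up.
    print("no trusted_networks:", boundary_relay(RECEIVED, []))
    # Relay trusted: the lookup moves to the real external sender.
    print("relay trusted:      ", boundary_relay(RECEIVED, ["165.91.22.121"]))
```

With nothing trusted the lookup lands on the DNSWL-listed internal relay, which is the -4 seen in the report; once that relay is trusted the lookup moves to 63.149.233.44, the address the reply notes is not listed.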