Jake Colman wrote:

>Forgive my ignorance...
>
>I assume that "negatively-scored" means that it is less likely to be spam,
>correct?
>
>Here is an example of a message that should have been flagged:
>
>X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,
>HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
>SARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no version=3.0.2
>
>How do I read this and what do I do with this? I assume this is what you
>were asking me to look at, right?

Yes, that's exactly what he wants you to look at. You can match up all those test names with scores by grepping in 50_scores.cf. Since you have bayes and network checks in use, it will be using the last score in each line.

For example:

    $ grep RAZOR2_CHECK 50_scores.cf
    score RAZOR2_CHECK 0 0.150 0 1.511

This tells you that of the 4.7 total points, 1.511 came from this test.

You also are using some SARE rules. Those won't show up in 50_scores.cf, they'll be in /etc/mail/spamassassin/*.cf, but the same tactic applies.

I can tell you from experience that none of the above rules have a significant negative score. (SPF_HELO_PASS is negative, but it's -0.001 points.)

The one thing that sticks out to me is that it hit BAYES_50. This suggests that while you have bayes enabled, it's not trained to recognize this kind of spam. BAYES_50 specifically means that SA's bayes result is undecided for this message, and believes there's a 50/50 chance of the email being spam or nonspam.

Had this message scored on the spam side of the BAYES_ rankings, it would have also had a higher total score, and probably have been tagged as spam.
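
Added example, not part of the original message: a Python sketch that does the grep step for every test in the header at once, picking the fourth score column (bayes plus network checks) and listing tests whose scores must be looked up elsewhere, such as the SARE rules. The function names are hypothetical, and the embedded score file contains only the two values quoted in the message, with the SPF_HELO_PASS line written in an assumed single-value form.

```python
import re

# X-Spam-Status header from the message above, folded as in a real mail.
HEADER = (
    "X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,\n"
    "\tHTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,\n"
    "\tSARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no version=3.0.2\n"
)

# Constructed stand-in for 50_scores.cf: only the values quoted in the message.
SCORES_CF = """\
# four columns: no bayes/no net, net only, bayes only, bayes + net
score RAZOR2_CHECK 0 0.150 0 1.511
score SPF_HELO_PASS -0.001
"""

def parse_status(header):
    """Unfold the header; return (score, required, [test names])."""
    flat = re.sub(r"\s+", " ", header).strip()
    m = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+) tests=(.*?)"
                  r"(?: autolearn=| version=|$)", flat)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = [t.strip() for t in m.group(3).split(",")]
    return float(m.group(1)), float(m.group(2)), [t for t in tests if t and t != "none"]

def load_scores(text, scoreset=3):
    """Map rule name -> score for one score set (3 = bayes + network checks)."""
    scores = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        try:
            vals = [float(v) for v in parts[2:]]
        except ValueError:
            continue  # skip score lines this sketch does not understand
        # A single value applies to every score set; four values are per set.
        scores[parts[1]] = vals[scoreset] if len(vals) == 4 else vals[0]
    return scores

def breakdown(header, scores_text, scoreset=3):
    """Return (total, required, {test: score}, [tests not in this file])."""
    total, required, tests = parse_status(header)
    scores = load_scores(scores_text, scoreset)
    known = {t: scores[t] for t in tests if t in scores}
    return total, required, known, [t for t in tests if t not in scores]

if __name__ == "__main__":
    total, required, known, missing = breakdown(HEADER, SCORES_CF)
    print(f"total {total} / required {required}")
    for name, value in sorted(known.items(), key=lambda kv: -kv[1]):
        print(f"  {value:7.3f}  {name}")
    print("look up elsewhere:", ", ".join(missing))
```

Pointing `SCORES_CF` at the contents of the real 50_scores.cf plus the files in /etc/mail/spamassassin/ would shrink the "look up elsewhere" list.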