Hello,

Apologies if this is a FAQ or old news, but I did a bit of searching
yesterday and didn't find an answer to this one.

I'm using SA (3.2.4) site-wide on a FreeBSD-6.3 box in conjunction with
postfix, using procmail as the LDA.  I'm using spamd/spamc, so the individual
spamc processes are run as the recipient's userid (since they're spawned
by procmail).  I know this has implications for which bayes db gets
consulted (versus a true "sitewide" with shared bayes db) but I don't
think that's the issue I'm seeing here.  Anyway...

It seems like a lot more spam has been getting through in the last couple
of weeks.  This prompted me to enable Pyzor, which I had not done in my
initial install.  While that seems to work, I noticed that I'm getting
inconsistent scoring results on messages that should be tagged as spam but
which are not.

For example, a message that was just delivered to my inbox contained the
following report from SA:

    X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_99,DATE_IN_FUTURE_03_06,
            RAZOR2_CHECK,RDNS_DYNAMIC autolearn=no version=3.2.4
    X-Spam-Report:
            *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
            *      [score: 1.0000]
            *  0.3 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
            *  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
            *  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
            *      dynamic-looking rDNS

If I save the original message and run SA manually (spamassassin -t < msg)
I get the following:

    X-Spam-Status: Yes, score=7.3 required=5.0 tests=AWL,BAYES_99,
            DATE_IN_FUTURE_03_06,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,
            RAZOR2_CHECK,RCVD_IN_DSBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,URIBL_BLACK
            autolearn=no version=3.2.4
    X-Spam-Report:
            *  0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
            *      [88.73.238.103 listed in dnsbl.sorbs.net]
            *  1.0 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
            *      [<http://dsbl.org/listing?88.73.238.103>]
            *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
            *      [score: 1.0000]
            *  0.3 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
            *  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
            *      above 50%
            *      [cf: 100]
            *  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
            *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
            *      [cf: 100]
            *  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
            *      [URIs: win-todayoo.com.cn]
            *  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
            *      dynamic-looking rDNS
            * -2.9 AWL AWL: From: address is in the auto white-list

I'm going to assume that the score being wrong by 0.1 (should be 7.4, not
7.3) is due to a rounding error or other similar issue.  However, I can't
figure out why the results are so different.  What's even more interesting
is that if I turn on debugging (spamassassin -D -t < msg) then I get a
*third* different result:

    X-Spam-Status: Yes, score=8.7 required=5.0 tests=AWL,BAYES_99,
            DATE_IN_FUTURE_03_06,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,
            RAZOR2_CHECK,RCVD_IN_DSBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,URIBL_BLACK
            autolearn=no version=3.2.4
    X-Spam-Report:
            *  0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
            *      [88.73.238.103 listed in dnsbl.sorbs.net]
            *  1.0 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
            *      [<http://dsbl.org/listing?88.73.238.103>]
            *  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
            *      [URIs: win-todayoo.com.cn]
            *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
            *      [score: 1.0000]
            *  0.3 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
            *  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
            *      above 50%
            *      [cf: 100]
            *  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
            *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
            *      [cf: 100]
            *  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
            *      dynamic-looking rDNS
            * -1.4 AWL AWL: From: address is in the auto white-list

The two commands were run on the same host, by the same user, within
seconds of one another, and yet the scores for the AWL test are 1.5
different.

Any thoughts on what I'm missing or doing wrong?

Thanks!


--Jeff
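
An added example, not part of the original post: a short Python script that parses two X-Spam-Report blocks, lists the rules that fired in only one run or changed score between runs, and compares each run's per-rule sum with the score= value in X-Spam-Status. The report text is copied from the message above with most continuation lines trimmed; the names `parse` and `compare` are this example's own.

```python
import re
from decimal import Decimal

# Reports copied from the post above (most continuation lines trimmed):
# the spamd-tagged delivery and the manual `spamassassin -t` run.
SPAMD = """X-Spam-Status: No, score=4.4 required=5.0
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.0000]
*  0.3 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
*  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
*      dynamic-looking rDNS
"""
MANUAL = """X-Spam-Status: Yes, score=7.3 required=5.0
*  0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
*  1.0 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  0.3 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
*  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
*      above 50%
*  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
* -2.9 AWL AWL: From: address is in the auto white-list
"""

# A rule line is "* <points> <RULE_NAME> ..."; continuation lines lack points.
RULE = re.compile(r"^[ \t]*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b", re.M)
SCORE = re.compile(r"score=(-?\d+(?:\.\d+)?)")

def parse(report):
    """Return (score from X-Spam-Status, {rule name: points})."""
    rules = {name: Decimal(pts) for pts, name in RULE.findall(report)}
    return Decimal(SCORE.search(report).group(1)), rules

def compare(a, b):
    """Diff two scan reports of the same message."""
    (ha, ra), (hb, rb) = parse(a), parse(b)
    return {
        "only_in_a": sorted(ra.keys() - rb.keys()),
        "only_in_b": sorted(rb.keys() - ra.keys()),
        "changed": {n: (ra[n], rb[n]) for n in ra.keys() & rb.keys() if ra[n] != rb[n]},
        "sum_vs_header": [(sum(r.values()), h) for h, r in ((ha, ra), (hb, rb))],
    }

if __name__ == "__main__":
    print(compare(SPAMD, MANUAL))
```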
