On Tue, 2009-03-10 at 10:05 -0500, Chris Barnes wrote:
> Karsten Bräckelmann wrote:
> > The AWL score for this message is minimal (one can tell by calculating
> > the stock rules' scores without it). Your problem here is BAYES_00 and
> > RCVD_IN_DNSWL_MED.
> > 
> > BAYES_00 means your Bayes DB is pretty skewed. You should train sa-learn
> > on these messages.
> 
> I do.  Daily.

Then it should be scoring like BAYES_50 at worst...

> Note, I train on my personal account.  But is there also a system-wide 
> Bayes db that might be causing this score?

You tell us. We didn't set up your system. By default, with a stock SA,
there is no site-wide Bayes. If you call spamassassin or spamc by your
MDA (e.g. procmail), it most likely is per-user only. If you are running
some MTA integrating glue, there might be site-wide.

In either case, you must be training as the user running SA, doing the
scanning and using Bayes. Check your Bayes DB values by running the
command
  $ sa-learn --dump magic

and keep an eye on the values (in particular nspam, nham and ntokens)
before and after training. Also ensure it is the scanning user.


> > RCVD_IN_DNSWL_MED is a -4 alone. So either (a) your trusted_networks
> > should be expanded, or (b) the IP in question needs to be removed from
> > DNSWL.org. Can't tell without seeing the full headers.
> 
> Here is another, almost identical header, spam that got through with a 
> nearly identical SA report.   Does this help?
> 
> Return-Path: <off...@itsjss.com>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>       vmmail.physics.tamu.edu
> X-Spam-Level:
> X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,
>     DATE_IN_PAST_06_12, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,
>     HTML_TAG_BALANCE_BODY, MIME_HTML_ONLY, RCVD_IN_DNSWL_MED,SPF_FAIL
>     autolearn=disabled version=3.2.5
> X-Original-To: cbar...@mail.physics.tamu.edu
> Delivered-To: cbar...@mail.physics.tamu.edu
> Received: from tr-2-int.cis.tamu.edu (tamu-relay.tamu.edu
>     [165.91.22.121]) by mail.physics.tamu.edu (Postfix) with ESMTP
>     id 2D8B8950C1 for <cbar...@mail.physics.tamu.edu>; Tue, 10 Mar
>     2009 01:22:52 -0500 (CDT)

Listed in DNSWL MED. Appears trustworthy and internal. Should not have
been checked here, but instead be part of your trusted_networks.

> Received: from localhost (localhost.tamu.edu [127.0.0.1])
>     by tr-2-int.cis.tamu.edu (Postfix) with ESMTP id DF2CA1FD92
>     for <chris-bar...@tamu.edu>; Tue, 10 Mar 2009 01:22:51 -0500(CDT)

*boggle*

> X-Virus-Scanned: amavisd-new at tamu.edu
> X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
> Received: from Outbound-four.nuos.com (outbound-four.nuos.com
>     [63.149.233.44]) by tr-2-int.cis.tamu.edu (Postfix) with SMTP
>     id 37F521FD65 for <chris-bar...@tamu.edu>; Tue, 10 Mar 2009 01:22:50
>    -0500 (CDT)

NOT listed at dnswl.org.

Looks like it is about option (a), and your trusted and internal
networks setting is borked.

Any chance you are getting a hit on RCVD_IN_DNSWL_MED for *any* mail?
That's a whopping -4 offset, and renders most of the positive scoring
RBL network tests useless.

  guenther


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
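
The trust-boundary point made in the reply above, as an added example that is not part of the original mail and not SpamAssassin's own code: a simplified Python model of which relay a whitelist lookup lands on, depending on what is declared trusted. The function names and the `DNSWL_LISTED` table are assumptions built from the reply's statements; treating an empty list as "only loopback is trusted" models the misconfigured state the reply diagnoses.

```python
import ipaddress
import re

# Received headers from the message above, newest first, trimmed to the
# "from ... by ..." part.
RECEIVED = [
    "from tr-2-int.cis.tamu.edu (tamu-relay.tamu.edu [165.91.22.121]) "
    "by mail.physics.tamu.edu (Postfix) with ESMTP",
    "from localhost (localhost.tamu.edu [127.0.0.1]) "
    "by tr-2-int.cis.tamu.edu (Postfix) with ESMTP",
    "from Outbound-four.nuos.com (outbound-four.nuos.com [63.149.233.44]) "
    "by tr-2-int.cis.tamu.edu (Postfix) with SMTP",
]

# DNSWL status as stated in the reply above (assumed table, not a live lookup).
DNSWL_LISTED = {"165.91.22.121": True, "63.149.233.44": False}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def relay_ip(header):
    """Return the bracketed IPv4 address of the relay that sent this hop."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
    if m is None:
        raise ValueError("no relay IP in header: " + header)
    return ipaddress.ip_address(m.group(1))

def boundary_relay(headers, trusted_networks):
    """Walk the hops newest-first and return the first relay outside the
    trusted set: the address a whitelist lookup ends up being applied to."""
    nets = [LOOPBACK] + [ipaddress.ip_network(n) for n in trusted_networks]
    for header in headers:
        ip = relay_ip(header)
        if not any(ip in net for net in nets):
            return str(ip)
    return None  # every hop is trusted, nothing external to look up

def dnswl_hit(headers, trusted_networks):
    """True if the boundary relay is one the reply reports as DNSWL-listed."""
    return DNSWL_LISTED.get(boundary_relay(headers, trusted_networks), False)

if __name__ == "__main__":
    for trusted in ([], ["165.91.22.121"]):
        print(trusted, boundary_relay(RECEIVED, trusted),
              dnswl_hit(RECEIVED, trusted))
```

With the campus relay left out of the trusted set the lookup lands on 165.91.22.121 and the whitelist rule fires; once it is trusted, the lookup moves to 63.149.233.44, which the reply says is not listed.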
