On 1/10/2013 1:06 PM, RW wrote: > On Thu, 10 Jan 2013 12:48:07 -0500 > Ben Johnson wrote: >> pon further consideration, this behavior makes perfect sense if the >> mailbox user has moved the message from Inbox to Junk between scans; >> Dovecot's Antispam filter is in use on this server. This action would >> cause the message tokens to be added to the Bayes database, which >> explains why the SA score is higher on subsequent scans, even with >> network tests disabled. > > Also by turning-off network tests you switch to a different score set so > the score for RDNS_NONE rose. >
Ahh; I didn't realize that disabling network tests changes the score set entirely. Thanks for the clarification there. So, at this point, I'm struggling to understand how the following happened. Over the course of 15 minutes, I received the same exact message four times. Each time, the message was sent to the same recipient mailbox. The "From" and "Return-Path" headers changed slightly each time, but the message bodies appear to be identical. Here are the X-Spam-Status headers for each message: 1:28 PM Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, URIBL_WS_SURBL=1.608] autolearn=disabled 1:35 PM No, score=-0.374 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RDNS_NONE=0.793, SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01] autolearn=disabled 1:36 PM Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, URIBL_WS_SURBL=1.608] autolearn=disabled 1:41 PM Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, URIBL_WS_SURBL=1.608] autolearn=disabled Questions: 1.) I have a fairly well-trained Bayes DB; why on earth does a message with the subject "Cash Quick? Get up to 1500 Now", and an equally nefarious body, trigger BAYES_00? 2.) Why weren't network tests performed on message 2 of 4? This seems to be evidence of the fact that network tests are not being performed some percentage of the time, which could very well be at the root of this whole problem. Thanks, -Ben
