On 1/10/2013 4:12 PM, John Hardin wrote:
> On Thu, 10 Jan 2013, Ben Johnson wrote:
>
>> So, at this point, I'm struggling to understand how the following
>> happened.
>>
>> Over the course of 15 minutes, I received the same exact message four
>> times. Each time, the message was sent to the same recipient mailbox.
>> The "From" and "Return-Path" headers changed slightly each time, but the
>> message bodies appear to be identical.
>>
>> Here are the X-Spam-Status headers for each message:
>>
>> 1:28 PM
>>
>> Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
>> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
>> RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
>> T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
>> URIBL_WS_SURBL=1.608] autolearn=disabled
>>
>> 1:35 PM
>>
>> No, score=-0.374 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
>> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RDNS_NONE=0.793,
>> SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01] autolearn=disabled
>>
>> 1:36 PM
>>
>> Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
>> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
>> RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
>> T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
>> URIBL_WS_SURBL=1.608] autolearn=disabled
>>
>> 1:41 PM
>>
>> Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
>> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
>> RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
>> T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
>> URIBL_WS_SURBL=1.608] autolearn=disabled
>>
>> Questions:
>>
>> 1.) I have a fairly well-trained Bayes DB; why on earth does a message
>> with the subject "Cash Quick? Get up to 1500 Now", and an equally
>> nefarious body, trigger BAYES_00?
>>
>> 2.) Why weren't network tests performed on message 2 of 4? This seems to
>> be evidence of the fact that network tests are not being performed some
>> percentage of the time, which could very well be at the root of this
>> whole problem.
>
> How many MTAs do you have? Is it possible the low-scoring one went via a
> different MTA?

Just one; there should be no possibility of that.

> Have you stopped amavisd, killed all of the amavis processes, and
> restarted it?
>
>

I have now. And I enabled amavis's $sa_debug option, so we should see a
lot more in the way of useful SA debugging information now.

In fact, I was just able to capture the output that I believe we're
after, and I'll paste a link in my response to RW's message (shortly
forthcoming).

Thanks,

-Ben
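
The comparison made by eye in the message above, as an added example that is not part of the original thread: it parses the four quoted X-Spam-Status values, finds which blocklist rules are absent from one delivery of the same message, and recomputes what that delivery would have scored with them. Treating the `RCVD_IN_*` and `URIBL_*` prefixes as the network (DNS lookup) rules is an assumption of this example, and all function names are its own.

```python
import re

# X-Spam-Status values copied from the message above (line folding removed).
FULL = ("Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, "
        "HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, "
        "RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001, "
        "T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, "
        "URIBL_WS_SURBL=1.608] autolearn=disabled")
SHORT = ("No, score=-0.374 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, "
         "HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RDNS_NONE=0.793, "
         "SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01] autolearn=disabled")
HEADERS = {"1:28 PM": FULL, "1:35 PM": SHORT, "1:36 PM": FULL, "1:41 PM": FULL}

# Assumption of this example: these prefixes mark DNS blocklist lookups.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_")
STATUS_RE = re.compile(
    r"\s*(Yes|No),\s*score=(-?[\d.]+).*?required=(-?[\d.]+)\s+tests=\[(.*?)\]", re.S)

def parse_status(value):
    """Split one X-Spam-Status value into verdict, scores and per-rule hits."""
    m = STATUS_RE.match(value)
    if m is None:
        raise ValueError("unrecognized X-Spam-Status value")
    tests = {}
    for item in m.group(4).split(","):
        name, _, score = item.strip().partition("=")
        if name:  # an empty tests=[] list yields one empty item
            tests[name] = float(score)
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

def missing_network_rules(headers):
    """Map each delivery lacking its siblings' network hits to (rules, would-be score)."""
    parsed = {label: parse_status(v) for label, v in headers.items()}
    known = {}  # network rule -> score, as seen in any delivery
    for p in parsed.values():
        known.update({n: s for n, s in p["tests"].items()
                      if n.startswith(NETWORK_PREFIXES)})
    report = {}
    for label, p in parsed.items():
        missing = sorted(set(known) - set(p["tests"]))
        if missing:
            would_be = round(p["score"] + sum(known[n] for n in missing), 3)
            report[label] = (missing, would_be)
    return report

if __name__ == "__main__":
    for label, (missing, would_be) in missing_network_rules(HEADERS).items():
        print(f"{label}: missing {missing}; score with them: {would_be}")
```

Only the 1:35 PM delivery is reported, and adding back the six rules it lacks brings it to the same 7.008 as the other three.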