On Sat, 22 Jun 2013, Robert S wrote:

I am running spamassassin_3.3.2-5 on debian Wheezy on a small business server
(x86).  I am getting numerous complaints about mail being falsely categorised
as spam/ham.  I also use version 3.3.2 on my home server using gentoo (amd64)
and don't have these problems.  I have removed all customisations and have
reinstalled spamassassin on my debian machine.  There still seem to be
problems - here's an example using the provided sample files.  Can anybody
help?

This message seems to get blocked in a lot of blocklists (which also seems to
happen to my users' messages).

Options for SA are:

# ps ax |grep spam
22408 ?        Ss     0:02 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/var/run/spamd.pid

/etc/procmailrc includes this:

* < 256000
| /usr/bin/spamc

$ spamc < sample-nonspam.txt

Received: from localhost by debian.myserver.net.au
 with SpamAssassin (version 3.3.2);
 Sat, 22 Jun 2013 12:06:12 +1000
From: Keith Dawson <daw...@world.std.com>
To: t...@world.std.com
Subject: TBTF ping for 2001-04-20: Reviving
Date: Fri, 20 Apr 2001 16:59:58 -0400
Message-Id: <v0421010eb70653b14e06@[208.192.102.193]>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
 debian.myserver.net.au
X-Spam-Flag: YES
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.5 required=5.0 tests=RP_MATCHES_RCVD,SAGREY,
 URIBL_AB_SURBL,URIBL_BLOCKED,URIBL_GREY,URIBL_MW_SURBL,URIBL_PH_SURBL,
 URIBL_RED,URIBL_WS_SURBL autolearn=no version=3.3.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_51C50694.B9FC2455"
This is a multi-part message in MIME format.
------------=_51C50694.B9FC2455
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "debian.myserver.net.au", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  -----BEGIN PGP SIGNED MESSAGE----- TBTF ping for 2001-04-20:
   Reviving T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t [...]

Content analysis details:   (8.5 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.5 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: tbtf.com]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: tbtf.com]
 1.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: tbtf.com]
 0.0 URIBL_PH_SURBL         Contains an URL listed in the PH SURBL blocklist
                            [URIs: tbtf.com]
 4.5 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: tbtf.com]
 1.7 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: tbtf.com]
 1.7 URIBL_MW_SURBL         Contains a Malware Domain or IP listed in the MW SURBL
                             blocklist
                            [URIs: tbtf.com]
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

------------=_51C50694.B9FC2455
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
[snip..]

Clearly the bulk of those points come from those URI-RBL type rules,
which look like FPs. At least that "tbtf.com" domain isn't listed right
now, it -might- have been when this message was processed. However, given
that the "URIBL_BLOCKED" rule fired, it looks more like there's something
wrong with your setup which is causing all those URI-RBLs to FP.

Have you looked at the web page that URIBL_BLOCKED rule references?
Have you investigated why it fired? Have you tried taking any
of the advice on that page as to how to deal with this problem?

To go beyond the advice on that page we'd need to know more details about
how your DNS/network is configured on your SA scanner machine (are you
running a local caching DNS server? Are you using some explicit DNS
forwarder? Does your ISP do anything special with DNS queries? ...)


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
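
Added example, not part of the original message: a small Python triage of the "Content analysis details" table quoted above, showing how much of the 8.5 points comes from URI blocklist rules and whether URIBL_BLOCKED fired alongside them. The function names and the "URIBL_" prefix grouping are assumptions made for this illustration; the report lines are copied from the message with wrapped descriptions rejoined.

```python
import re

# Rule lines copied from the report in the message above (wrapped text rejoined).
REPORT = """\
-1.5 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: tbtf.com]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            [URIs: tbtf.com]
 1.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
 0.0 URIBL_PH_SURBL         Contains an URL listed in the PH SURBL blocklist
 4.5 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
 1.7 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
 1.7 URIBL_MW_SURBL         Contains a Malware Domain or IP listed in the MW SURBL
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders
"""

# A rule line is "<points> <RULE_NAME> <description>"; continuation lines
# (indented description text, "[URIs: ...]") do not match and are skipped.
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s")

def parse_report(text):
    """Return {rule_name: points} for every rule line in the report."""
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def triage(hits, required=5.0):
    """Split URI blocklist points from the rest and flag a blocked DNSBL query."""
    uri_rules = {r: p for r, p in hits.items() if r.startswith("URIBL_")}
    total = round(sum(hits.values()), 1)
    uri_points = round(sum(uri_rules.values()), 1)
    without_uri = round(total - uri_points, 1)
    return {
        "total": total,
        "uri_points": uri_points,
        "without_uri": without_uri,
        "query_blocked": "URIBL_BLOCKED" in hits,
        # True when the message crosses the threshold only via URI blocklist hits.
        "spam_only_because_of_uri": total >= required > without_uri,
        "uri_rules_hit": sorted(uri_rules),
    }

if __name__ == "__main__":
    for key, value in triage(parse_report(REPORT)).items():
        print(f"{key}: {value}")
```

A result with query_blocked true and spam_only_because_of_uri true is the pattern described in the reply: the verdict rests entirely on URI blocklist answers from a resolver path that URIBL reports as blocked.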
