<div dir="ltr"><div class="gmail_default" style="font-size:small">These headers are from SpamAssassin not from amavis. Here is an example of headers from amavisd-new:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><div class="gmail_default">X-Spam-Flag: YES</div><div class="gmail_default">X-Spam-Score: 4.426</div><div class="gmail_default">X-Spam-Level: ****</div><div class="gmail_default">X-Spam-Status: Yes, score=4.426 tag=4 tag2=4 kill=4 tests=[DKIM_SIGNED=0.1,</div><div class="gmail_default">        DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001,</div><div class="gmail_default">        HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.365,</div><div class="gmail_default">        RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729, SPF_PASS=-0.001,</div><div class="gmail_default">        URIBL_BLOCKED=0.001] autolearn=disabled</div><div class="gmail_default"><br></div><div class="gmail_default">Is it possible you are running spamassassin separately *after* amavis, and spamassassin (when called independently, not via amavis) is clearing out amavis headers and substituting its own?<br></div><div class="gmail_default"><br></div><div class="gmail_default">My understanding (and I am not an expert) is that spamassassin should be called *by* amavis and should not be adding any of its headers to the email, the headers should be added by amavis based on all its testing results (including from spamassassin). I do not know the exact relationship between the hit score of amavis and the score that it gets back from spamassassin, I would expect that amavis uses spamassassin score and adds some more tests of its own to make an overall total. Someone more expert will know.</div><div class="gmail_default"><br></div><div class="gmail_default"><br></div><div class="gmail_default"><br></div></div><div class="gmail_extra"><div class="gmail_quote">On 20 July 2017 at 14:58, Scappatura Rocco <span dir="ltr"><<a href="mailto:Rocco.Scappatura@infracom.it" target="_blank">Rocco.Scappatura@infracom.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="IT" link="blue" vlink="purple"><div class="m_8542630924316269271WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hello.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thank you for the anwer. $sa_tag_level_deflt  is already set to 2.0. Here the headers of the message relative the score:<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on <a href="http://av9.infracom.it" target="_blank">av9.infracom.it</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">X-Spam-Level: *<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">X-Spam-Status: No, score=1.9 required=5.0 tests=BASE64_LENGTH_79_INF,<wbr>BAYES_00,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">        HTML_IMAGE_ONLY_20,HTML_<wbr>MESSAGE,MIME_HTML_ONLY,<wbr>MISSING_MIME_HB_SEP,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">        MPART_ALT_DIFF,RCVD_IN_DNSWL_<wbr>NONE,RCVD_IN_MSPIKE_H2,SPF_<wbr>HELO_PASS,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">        TO_NO_BRKTS_HTML_IMG,T_REMOTE_<wbr>IMAGE autolearn=no autolearn_force=no<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">        version=3.4.0<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Delivered-To: spam-quarantine<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">X-Envelope-To: <<a href="mailto:iagrossi@example.net" target="_blank"><span style="color:#1f497d;text-decoration:none">iagrossi@example.net</span></a>><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">X-Envelope-To-Blocked: <<a href="mailto:iagrossi@example.net" target="_blank"><span style="color:#1f497d;text-decoration:none">iagrossi@example.net</span></a>><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">X-Quarantine-ID: <BknEtFAN2Yh1><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not UTF-8)<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">        (char B0 hex): Subject: Annullamento Ordine n\x{B0} 217026098 del<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">        [...]<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">So the thing to be clarified is the difference between the ‘score’ reported by spamassassin (and X-Spam-Status header) and the Hits reported by the amavisd log.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Could someone explain the difference?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Regards,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">RS<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt"><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Da:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> amavis-users [mailto:<a href="mailto:amavis-users-bounces%2Brocco.scappatura" target="_blank">amavis-users-bounces+<wbr>rocco.scappatura</a>=<a href="mailto:infracom.it@amavis.org" target="_blank">infracom.it@<wbr>amavis.org</a>] <b>Per conto di </b>Dominic Raferd<br><b>Inviato:</b> giovedì 20 luglio 2017 07:18<span class=""><br><b>A:</b> <a href="mailto:amavis-users@amavis.org" target="_blank">amavis-users@amavis.org</a><br><b>Oggetto:</b> Re: R: R: R: R: Message quarantined as SPAM<u></u><u></u></span></span></p></div></div><span class=""><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">You can set $sa_tag_level_deflt (different from $sa_tag2_level_deflt) to lower level - mails with scores above $sa_tag_level_deflt will have spam info header added; this header shows how amavis has calculated the score.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On 19 July 2017 at 14:02, Scappatura Rocco <<a href="mailto:Rocco.Scappatura@infracom.it" target="_blank">Rocco.Scappatura@infracom.it</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thank you for the answer.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Yes, you are right. Anyway I set ‘$sa_kill_level_deflt = 6.31’ too in amavis configuration.</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I could agree for the differnce of the score of the message assigned by amavis and the score of the SA test of the quarantined message..</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">But, I would like to understand why amavis assigns a so high score (</span>7.946<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">) to a harmless message ..</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Regards,</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">RS</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p><div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt"><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Da:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> amavis-users [mailto:<a href="mailto:amavis-users-bounces%2Brocco.scappatura" target="_blank">amavis-users-bounces+<wbr>rocco.scappatura</a>=<a href="mailto:infracom.it@amavis.org" target="_blank">infracom.it@<wbr>amavis.org</a>] <b>Per conto di </b>Dominic Raferd<br><b>Inviato:</b> mercoledì 19 luglio 2017 14:28<br><span class="m_8542630924316269271gmail-"><b>A:</b> <a href="mailto:amavis-users@amavis.org" target="_blank">amavis-users@amavis.org</a></span><br><span class="m_8542630924316269271gmail-"><b>Oggetto:</b> Re: R: R: R: R: Message quarantined as SPAM</span></span><u></u><u></u></p></div></div><p class="MsoNormal"> <u></u><u></u></p><div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p><div><p class="MsoNormal">On 19 July 2017 at 12:56, Scappatura Rocco <<a href="mailto:Rocco.Scappatura@infracom.it" target="_blank">Rocco.Scappatura@infracom.it</a>> wrote:<u></u><u></u></p><div><div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><p class="MsoNormal" style="margin-bottom:12.0pt">Hello.<br><br>Even after the changes done to the amavis configuration, I still notice that some messages has been blocked as SPAM. For example:<br><br>Jul 18 12:04:55 zzz amavis[18242]: (18242-14) Blocked SPAM {DiscardedInbound,Quarantined}<wbr>, [195.245.231.137]:39849 [193.67.127.189] <<a href="mailto:orderfleet@example.org" target="_blank">orderfleet@example.org</a>> -> <<a href="mailto:iagrossi@example.net" target="_blank">iagrossi@example.net</a>>, quarantine: B/spam-BknEtFAN2Yh1.gz, Queue-ID: 31099D5C4B, Message-ID: <<a href="mailto:OF2B08DA46.86F90238-ON80258161.003760D6@leaseplancorp.net" target="_blank">OF2B08DA46.86F90238-<wbr>ON80258161.003760D6@<wbr>leaseplancorp.net</a>>, mail_id: BknEtFAN2Yh1, Hits: 7.946, size: 170434, 551 ms<br><br>while the score I get while testing the messages is much lower that $sa_tag2_level_deflt (1.9 < 6.31):<u></u><u></u></p><div><p class="MsoNormal">​...<u></u><u></u></p></div><p class="MsoNormal"><br><br>Where is the problem? Why the message is tagged as SPAM and quarantined?<u></u><u></u></p></blockquote><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">​It is not $sa_tag2_level_deflt that determines whether message is quarantined, this only determines whether to add 'spam detected' headers in the emails.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Score above $sa_kill_level_deflt​ triggers evasive action (i.e. according to $spam_quarantine_method).<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Also I am not sure you can rely on getting same spam calculation when you re-test a quarantined email as when it arrives from outside, perhaps this is why header shows score of 7.946 but retest only 1.9?<u></u><u></u></p></div></div></div></div></div></div></div></div></div></blockquote></div><p class="MsoNormal"><u></u> <u></u></p></div></div></span></div></div></div></blockquote></div><br></div></div>