<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font size="-1">I assume you mean bayes_auto_learn in local.cf. I
set it to 0 from 1 and restarted.<br>
<br>
<b> </b></font><br>
<br>
<div class="moz-cite-prefix">On 1/29/18 11:30 AM, Dino Edwards
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:13937A461B5E0A40810939402AE476D6018A16F79C@hdgexchange.deeztek.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">First
of all, please turn off your autolearn in SA. That always
causes more problems than it’s worth.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The
X-Spam Headers come from SA. The weird thing is that your SA
autolearn thinks this email is ham. I think there is
something goofy going on with your bayes. You should clear
your bayes cause it looks poisoned.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
Computer Bob [<a class="moz-txt-link-freetext" href="mailto:bob@inter-control.com">mailto:bob@inter-control.com</a>]
<br>
<b>Sent:</b> Monday, January 29, 2018 12:01 PM<br>
<b>To:</b> Dino Edwards
<a class="moz-txt-link-rfc2396E" href="mailto:dino.edwards@mydirectmail.net"><dino.edwards@mydirectmail.net></a>;
<a class="moz-txt-link-abbreviated" href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a><br>
<b>Subject:</b> [SUSPECTED SPAM]Re: Scoring questions<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:10.0pt">Interestingly, I have been getting
a boatload of these this morning.<br>
They are getting flagged as *****SPAM*****, but the headers
show:</span><o:p></o:p></p>
<pre><span style="font-size:7.5pt">X-Spam-Flag: NO<o:p></o:p></span></pre>
<pre><span style="font-size:7.5pt">X-Spam-Score: 0<o:p></o:p></span></pre>
<pre><span style="font-size:7.5pt">X-Spam-Level:<o:p></o:p></span></pre>
<pre><span style="font-size:7.5pt">X-Spam-Status: No, score=0 tagged_above=-9999 required=5<o:p></o:p></span></pre>
<pre><span style="font-size:7.5pt"> tests=[HTML_MESSAGE=0.001, NO_RELAYS=-0.001]<o:p></o:p></span></pre>
<pre><span style="font-size:7.5pt"> autolearn=ham autolearn_force=no</span><o:p></o:p></pre>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span style="font-size:10.0pt">In the content, it shows
being caught by spamassassin with:</span><o:p></o:p></p>
<pre>Content analysis details: (25.7 points, 4.0 required)<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> pts rule name description<o:p></o:p></pre>
<pre>---- ---------------------- --------------------------------------------------<o:p></o:p></pre>
<pre> 1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts<o:p></o:p></pre>
<pre> 0.0 HTML_MESSAGE BODY: HTML included in message<o:p></o:p></pre>
<pre> 2.0 BAYES_50 BODY: Bayes spam probability is 40 to 60%<o:p></o:p></pre>
<pre> [score: 0.4823]<o:p></o:p></pre>
<pre> 1.7 RDNS_DYNAMIC Delivered to internal network by host with<o:p></o:p></pre>
<pre> dynamic-looking rDNS<o:p></o:p></pre>
<pre> 0.0 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag<o:p></o:p></pre>
<pre> 5.0 KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day<o:p></o:p></pre>
<pre> 2.9 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)<o:p></o:p></pre>
<pre> 2.5 PHP_ORIG_SCRIPT Sent by bot & other signs<o:p></o:p></pre>
<pre> 3.7 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr<o:p></o:p></pre>
<pre> 1)<o:p></o:p></pre>
<pre> 1.5 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)<o:p></o:p></pre>
<pre> 1.0 BODY_URI_ONLY Message body is only a URI in one line of text or for<o:p></o:p></pre>
<pre> an image<o:p></o:p></pre>
<pre> 1.8 TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only<o:p></o:p></pre>
<pre> 2.4 TO_NO_BRKTS_DYNIP To: lacks brackets and dynamic rDNS<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<p class="MsoNormal"><span style="font-size:10.0pt">Which is
what I would expect.<br>
Could you enlighten me on where exactly the X-Spam-
headers are coming from ?<br>
</span><br>
On 1/29/18 10:26 AM, Dino Edwards wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Are
you running
</span><span style="font-size:10.0pt">cat {mailfile} |
spamassassin -D –t as root?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
amavis-users [<a
href="mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org"
moz-do-not-send="true">mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org</a>]
<b>On Behalf Of </b>Computer Bob<br>
<b>Sent:</b> Monday, January 29, 2018 11:22 AM<br>
<b>To:</b> <a href="mailto:amavis-users@amavis.org"
moz-do-not-send="true">amavis-users@amavis.org</a><br>
<b>Subject:</b> Scoring questions</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:10.0pt">Greetings to all,
<br>
<br>
I have an issue with my setup somehow and it seems to be
in amavis-new, most spam gets detected and delt with, some
gets through and the scoring seems odd.
<br>
This one came in this morning and is typical of those that
get through: </span><o:p></o:p></p>
<pre>Return-Path: <a href="mailto:rejuvalex@jodiariastrial.com" moz-do-not-send="true"><rejuvalex@jodiariastrial.com></a><o:p></o:p></pre>
<pre>Subject: Regrow your Hair in 3 Weeks.<o:p></o:p></pre>
<pre>X-Spam-Flag: NO<o:p></o:p></pre>
<pre>X-Spam-Score: 1.995<o:p></o:p></pre>
<pre>X-Spam-Level: *<o:p></o:p></pre>
<pre>X-Spam-Status: No, score=1.995 tagged_above=-9999 required=5<o:p></o:p></pre>
<pre> tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,<o:p></o:p></pre>
<pre> PYZOR_CHECK=1.985, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,<o:p></o:p></pre>
<pre> T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no<o:p></o:p></pre>
<p class="MsoNormal"><span style="font-size:10.0pt"><br>
If I run the email through on the command line with: <br>
cat {mailfile} | spamassassin -D -t <br>
The results are:<br>
</span><span style="font-size:7.5pt">Content analysis
details: (7.5 points, 4.0 required)<br>
pts rule name description<br>
---- ----------------------
--------------------------------------------------<br>
5.5 URIBL_DBL_SPAM Contains a spam URL listed in
the DBL blocklist<br>
[URIs: jodiariastrial.com]<br>
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record<br>
0.0 HTML_MESSAGE BODY: HTML included in message<br>
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar
or identical to<br>
background<br>
2.0 PYZOR_CHECK Listed in Pyzor (<a
href="http://pyzor.sf.net/" moz-do-not-send="true">http://pyzor.sf.net/</a>)<br>
0.0 T_REMOTE_IMAGE Message contains an external
image<br>
</span><span style="font-size:10.0pt"><br>
I am running: <br>
Ubuntu 14.04.5 <br>
Postfix mail_version = 2.11.0 milter_macro_v = $mail_name
$mail_version <br>
amavisd-new-2.7.1 (20120429) <br>
ClamAV 0.99.2/24255/Thu Jan 25 11:22:47 2018 <br>
Anti-Virus scanner version: 13.0.3114 <br>
SpamAssassin version 3.4.0 <br>
running on Perl version 5.18.2 </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>