Strange Spamassassin scores
Simon Brereton
simon.brereton at buongiorno.com
Fri May 18 18:16:55 CEST 2012
Hi
I use log-watch to summarize my postfix and amavis logs on a daily basis. The amavis one is never an issue, but the postfix one occasionally triggers spamassassin and so amavis flags it (never high enough to outright discard it).
For example, this morning..
May 18 06:26:05 mail postfix/qmgr[16337]: 444BDDC6001: from=<root at example.net>, size=17897, nrcpt=1 (queue active)
May 18 06:26:05 mail amavisd-new[5033]: (05033-04) ESMTP::10024 /var/lib/amavis/tmp/amavis-20120518T012220-05033: <root at example.net> -> <postmaster at example.net> SIZE=17897 Received: from mail.example.net ([127.0.0.1]) by amavisd.example.net (mail.example.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <postmaster at example.net>; Fri, 18 May 2012 06:26:05 +0000 (UTC)
May 18 06:26:05 mail amavisd-new[5033]: (05033-04) Checking: 0aob5T07+RH8 <root at example.net> -> <postmaster at example.net>
May 18 06:26:05 mail amavisd-new[5033]: (05033-04) p001 1 Content-Type: text/plain, size: 17194 B, name:
May 18 06:26:08 mail postfix/pickup[9282]: D6EA2C8C038: uid=0 from=<root>
May 18 06:26:08 mail postfix/cleanup[9678]: D6EA2C8C038: message-id=<20120518062608.D6EA2C8C038 at mail.example.net>
May 18 06:26:08 mail postfix/qmgr[16337]: D6EA2C8C038: from=<root at example.net>, size=37201, nrcpt=1 (queue active)
May 18 06:26:08 mail amavisd-new[5072]: (05072-04) ESMTP::10024 /var/lib/amavis/tmp/amavis-20120518T041218-05072: <root at example.net> -> <postmaster at example.net> SIZE=37201 Received: from mail.example.net ([127.0.0.1]) by amavisd.example.net (mail.example.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <postmaster at example.net>; Fri, 18 May 2012 06:26:08 +0000 (UTC)
May 18 06:26:09 mail amavisd-new[5072]: (05072-04) Checking: G0r86MIrPdKg <root at example.net> -> <postmaster at example.net>
May 18 06:26:09 mail amavisd-new[5072]: (05072-04) p001 1 Content-Type: text/plain, size: 36093 B, name:
May 18 06:26:10 mail amavisd-new[5033]: (05033-04) SPAM-TAG, <root at example.net> -> <postmaster at example.net>, Yes, score=5.365 tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, DRUGS_ERECTILE=1.994, NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, SPOOF_COM2COM=2.048, SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no
Now, I see nothing in the mail about erectile drugs, so I'm confused why that one is there. Also the spoofing seems strange.
Both mails are injected with:
cat postfix.logwatch | /usr/sbin/sendmail -t postmaster at example.net
So, if that were responsible for the spoofing, I'd expect to see it on both.
The spam-tag for the amavis mail for example is:
May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG, <root at example.net> -> <postmaster at example.net>, No, score=-0.777 tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001, NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no
Why is my very boring log-file analysis triggering SA tests for drugs and spoofing? :)
Thanks.
Simon
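
An added example, not part of the original post: a small Python triage helper that parses amavisd-new SPAM-TAG lines in the format quoted above, lists the rules that each single-handedly push a message over `required`, and diffs the rules between two messages. The function names are hypothetical; the sample input is the two SPAM-TAG lines from the post.

```python
import re

# Sample input: the two SPAM-TAG lines quoted in the post above.
SAMPLE_LOG = """\
May 18 06:26:10 mail amavisd-new[5033]: (05033-04) SPAM-TAG, <root at example.net> -> <postmaster at example.net>, Yes, score=5.365 tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, DRUGS_ERECTILE=1.994, NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, SPOOF_COM2COM=2.048, SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no
May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG, <root at example.net> -> <postmaster at example.net>, No, score=-0.777 tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001, NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no
"""

# Pattern derived from the log lines in the post (an assumption about the format).
SPAM_TAG = re.compile(
    r"\((?P<id>[\d-]+)\) SPAM-TAG, .*?, (?P<verdict>Yes|No), "
    r"score=(?P<score>-?[\d.]+) .*?required=(?P<required>-?[\d.]+) "
    r"tests=\[(?P<tests>[^\]]*)\]"
)

def parse_spam_tags(log_text):
    """Return one dict per SPAM-TAG line, including its per-rule scores."""
    entries = []
    for m in SPAM_TAG.finditer(log_text):
        tests = {}
        for item in filter(None, (t.strip() for t in m["tests"].split(","))):
            name, _, value = item.rpartition("=")
            tests[name] = float(value)
        entries.append({"id": m["id"], "spam": m["verdict"] == "Yes",
                        "score": float(m["score"]),
                        "required": float(m["required"]), "tests": tests})
    return entries

def decisive_rules(entry):
    """Rules whose removal alone would put the score below 'required'."""
    margin = entry["score"] - entry["required"]
    return sorted(n for n, v in entry["tests"].items() if v > 0 and v > margin)

def rules_only_in(a, b):
    """Rules that fired on entry a but not on entry b, with their scores."""
    return {n: v for n, v in a["tests"].items() if n not in b["tests"]}

if __name__ == "__main__":
    tagged, clean = parse_spam_tags(SAMPLE_LOG)
    print(tagged["id"], "decisive:", decisive_rules(tagged))
    print("only in tagged mail:", rules_only_in(tagged, clean))
```

On the two lines from the post, the per-rule scores sum exactly to the reported totals, and the rules to inspect first (for example in SpamAssassin debug output against the saved message) are the ones that appear only on the tagged mail.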