Strange Spamassassin scores

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri May 18 21:11:02 CEST 2012


Simon,

> I use log-watch to summarize my postfix and amavis log on a daily basis. 
> The amavis one is never an issue but the postfix one occasionally
> triggers spamassassin and so amavis flags it (never high enough to
> outright discard it).
> 
> For example, this morning..
[...]
> SPAM-TAG, <root at example.net> -> <postmaster at example.net>, Yes, score=5.365
> tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, DRUGS_ERECTILE=1.994,
> NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, SPOOF_COM2COM=2.048,
> SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no
> 
> Now, I see nothing in the mail about erectile drugs, so I'm confused why
> that one is there.  Also the spoofing seems strange.
> 
> Both mails are injected with:
> cat postfix.logwatch | /usr/sbin/sendmail -t  postmaster at example.net
> 
> So, if that were responsible for the spoofing, I'd expect to see it on
> both.
> 
> The spam-tag for the amavis mail for example is:
> May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG,
> <root at example.net> -> <postmaster at example.net>, No, score=-0.777
> tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001,
> NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no
> 
> Why is my very boring log-file analysis triggering SA test for drugs and
> spoofing? :)

Log files (from a web server or the like) often contain domain names
which are otherwise indicative of spam, so mailing log files with
URLs or domain names is likely to cause false positives.

You either need to whitelist your source of such mail messages, or
scramble their contents, e.g. by zipping attachments and encrypting
them with some trivial password.

  Mark
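
An added example, not part of the original post: a small Python parser for the amavisd-new SPAM-TAG lines quoted above, which lists the rules that hit only on the flagged report and recomputes its score without them. The function names are hypothetical, and the sample input is the two log entries from the post rejoined onto single lines.

```python
import re

# The two SPAM-TAG entries quoted in the post, rejoined onto single lines.
SAMPLE_LOG = (
    "SPAM-TAG, <root at example.net> -> <postmaster at example.net>, Yes, "
    "score=5.365 tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, "
    "DRUGS_ERECTILE=1.994, NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, "
    "SPOOF_COM2COM=2.048, SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no\n"
    "May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG, "
    "<root at example.net> -> <postmaster at example.net>, No, score=-0.777 "
    "tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001, "
    "NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no\n"
)

# Matches the verdict, total score, threshold and per-rule list of one entry.
TAG_RE = re.compile(
    r"SPAM-TAG, .*?, (?P<verdict>Yes|No), score=(?P<score>-?[\d.]+) "
    r".*?required=(?P<required>-?[\d.]+) tests=\[(?P<tests>[^\]]*)\]"
)


def parse_spam_tags(text):
    """Return one dict per SPAM-TAG line: verdict, score, required, tests."""
    entries = []
    for m in TAG_RE.finditer(text):
        tests = {}
        for item in filter(None, (t.strip() for t in m["tests"].split(","))):
            name, _, value = item.rpartition("=")
            tests[name] = float(value)
        entries.append({"verdict": m["verdict"], "score": float(m["score"]),
                        "required": float(m["required"]), "tests": tests})
    return entries


def rules_only_in(entry, baseline):
    """Rules that hit in entry but not in baseline, highest score first."""
    extra = {k: v for k, v in entry["tests"].items() if k not in baseline["tests"]}
    return sorted(extra.items(), key=lambda kv: kv[1], reverse=True)


def score_without(entry, rules):
    """Score the message would have had if the named rules had not hit."""
    return round(entry["score"] - sum(entry["tests"][r] for r in rules), 3)


if __name__ == "__main__":
    flagged, clean = parse_spam_tags(SAMPLE_LOG)
    extra = rules_only_in(flagged, clean)
    print("\n".join(f"{name:20s} {value:+.3f}" for name, value in extra))
    print("score without them:", score_without(flagged, [n for n, _ in extra]))
```
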

