Strange Spamassassin scores

Simon Brereton simon.brereton at buongiorno.com
Fri May 18 21:23:07 CEST 2012


On 18 May 2012 15:11, Mark Martinec <Mark.Martinec+amavis at ijs.si> wrote:
> Simon,
>
>> I use log-watch to summarize my postfix and amavis log on a daily basis.
>> The amavis one is never an issue but the postfix one occasionally
>> triggers spamassassin and so amavis flags it (never high enough to
>> outright discard it).
>>
>> For example, this morning..
> [...]
>> SPAM-TAG, <root at example.net> -> <postmaster at example.net>, Yes, score=5.365
>> tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, DRUGS_ERECTILE=1.994,
>> NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, SPOOF_COM2COM=2.048,
>> SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no
>>
>> Now, I see nothing in the mail about erectile drugs, so I'm confused why
>> that one is there.  Also the spoofing seems strange.
>>
>> Both mails are injected with:
>> cat postfix.logwatch | /usr/sbin/sendmail -t  postmaster at example.net
>>
>> So, if that were responsible for the spoofing, I'd expect to see it on
>> both.
>>
>> The spam-tag for the amavis mail for example is:
>> May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG,
>> <root at example.net> -> <postmaster at example.net>, No, score=-0.777
>> tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001,
>> NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no
>>
>> Why is my very boring log-file analysis triggering SA test for drugs and
>> spoofing? :)
>
> Log files (from a web server or the like) often contain domain names
> which are otherwise indicative of spam, so mailing log files with
> URLs or domain names is likely to cause false positives.
>
> You either need to whitelist your source of such mail messages, or
> scramble their contents, e.g. by zipping attachments and encrypting
> them with some trivial password.

Which reminds me of the other question I meant to include in that first email..

How can I get injected mails to be added to the autolearn function?
These mails go out daily, so it would be nice for amavis to start
tagging them automatically as ham.

Simon
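
Added example, not part of the original thread or of either poster's message: a Python sketch that parses the two SPAM-TAG entries quoted above, checks that the per-rule scores add up to the reported total, and lists which rules pushed the postfix report over `required`. The function names and the regular expression are assumptions made for this illustration; the log text is copied from the thread and re-joined onto single lines.

```python
import re

# The two SPAM-TAG entries quoted in the thread, re-joined onto single lines.
# The first one has no timestamp prefix because the thread elides it.
FLAGGED = (
    "SPAM-TAG, <root at example.net> -> <postmaster at example.net>, Yes, "
    "score=5.365 tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, "
    "DRUGS_ERECTILE=1.994, NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, "
    "SPOOF_COM2COM=2.048, SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no"
)
BASELINE = (
    "May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG, "
    "<root at example.net> -> <postmaster at example.net>, No, score=-0.777 "
    "tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001, "
    "NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no"
)

# Assumed pattern, written against the two lines above only.
TAG_RE = re.compile(
    r"SPAM-TAG,.*?\bscore=(?P<score>-?[\d.]+)\s+tagged_above=\S+\s+"
    r"required=(?P<required>-?[\d.]+)\s+tests=\[(?P<tests>[^\]]*)\]"
)

def parse_spam_tag(line):
    """Return score, required threshold and {rule: points} for one entry."""
    m = TAG_RE.search(line)
    if m is None:
        raise ValueError("not a SPAM-TAG line")
    tests = {}
    for item in filter(None, (t.strip() for t in m["tests"].split(","))):
        name, _, value = item.partition("=")
        tests[name] = float(value)
    return {"score": float(m["score"]), "required": float(m["required"]),
            "tests": tests}

def deciding_rules(entry):
    """Rules whose removal alone would drop the message below `required`."""
    margin = entry["score"] - entry["required"]
    if margin < 0:
        return []  # message was not tagged as spam
    return sorted(n for n, pts in entry["tests"].items() if pts > margin)

def extra_rules(flagged, baseline):
    """Rules that hit on the flagged message but not on the baseline one."""
    return {n: p for n, p in flagged["tests"].items()
            if n not in baseline["tests"]}
```
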

