Viagra spam mail autolearned as ham, tagged score -1.64

matt matt at cipixia.com
Fri Oct 19 06:56:32 CEST 2012 

On 10/18/2012 02:03 PM, Tom Hendrikx wrote:
> On 18/10/12 22:05, Nick Rosier wrote:
>> matt wrote:
>>> Hello all.

#####
I had to truncate my reply because mailman bounced the message as "spam", probably due to 
the subject nature of what was being discussed.
#####

In reply to Tom Hendrikx and Nick Rosier:

That's so weird!  When I manually fed the message in with spamassassin -D <
/var/www/html/quack.eml, I get basically the same report as you guys do:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on cipixia.com
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.4 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,
	FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
	RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
	URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no version=3.3.2
X-Spam-Report:
	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
	*      trust
	*      [65.54.190.147 listed in list.dnswl.org]
	*  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
	*      [URIs: yreyronwuddengeg.com]
	*  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
	*      [URIs: yreyronwuddengeg.com]
	*  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
	*      [URIs: yreyronwuddengeg.com]
	*  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	*      (jeffcola2[at]hotmail.com)
	*  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
	*      (jeffcola2[at]hotmail.com
	)
	* -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
	*  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
	*      digit (jeffcola2[at]hotmail.com)
	*  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
X-Original-To: matt at cipixia.com
##############

But when the mail originally came to me and got sifted through amavisd-new, all that was
reported in the maillog was:

Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG, <jeffcola2 at hotmail.com> ->
<matt at cipixia.com>, No, score=-1.64 tagged_above=-999 required=6.2
tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25,
FREEMAIL_FROM=0.001,
FREEMAIL_REPLYTO_END_DIGIT=0.25,
HTML_MESSAGE=0.001,
HTML_OBFUSCATE_05_10=0.001,
RCVD_IN_DNSWL_NONE=-0.0001,
RP_MATCHES_RCVD=-2.142,
SPF_PASS=-0.001] autolearn=ham


What could explain the discrepancy between amavisd-new's handling of it and spamassassin's
manual invocation?  It looks like amavisd-new isn't consulting the dns blacklists for some
reason :/

More information about the amavis-users mailing list