Not all rules firing

Patrick Ben Koetter p at sys4.de
Fri Jul 12 23:21:42 CEST 2013


* Kent Oyer <kent at micro-source.net>:
> Hello,
> 
> I hope someone out there can help me. Everything was working great but recently I am seeing a lot of spam slipping through. When I look at the message headers, I see very few tests are hitting.
> 
> X-Spam-Status: No, score=2.067 tag=x tag2=3.5 kill=3.5 tests=[BAYES_60=1.5,
> 	RP_MATCHES_RCVD=-0.303, SARE_MLH_Stock1=0.87] autolearn=no
> 
> However, when I take the same message and pipe it through spamassassin -t, I get a very different result:
> 
> Content analysis details:   (12.4 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
>                             https://senderscore.org/blacklistlookup/
>                            [66.197.238.137 listed in bl.score.senderscore.com]
>  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: underneathright.com]
>  1.2 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
>                             [URIs: underneathright.com]
>  1.7 URIBL_DBL_SPAM         Contains an URL listed in the DBL blocklist
>                             [URIs: underneathright.com]
>  0.9 SARE_MLH_Stock1        Subject mentions stock or stock related words
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5285]
>  1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>                             above 50%
>                             [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 100]
>  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
> 
> I am using a SQL database for lookups. How would I begin to troubleshoot this? 

Seems like all tests that require network access aren't used, when the mail
is processed by your mailserver/content filter. There's an option to switch
that off in spamassassin and IIRC you can also control that from within amavis
sa_... settings. This is where I'd look first.

p at rick


-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
 


More information about the amavis-users mailing list
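
The comparison made in the thread above can be done mechanically. This is an added example, not code from either poster or from the amavis or SpamAssassin projects: it diffs the rules in the `X-Spam-Status` header against the `spamassassin -t` report and separates the missing rules that look like network tests. The function names are hypothetical, and the `NET_PREFIXES` name-prefix list is an assumption made for this sample, not SpamAssassin's own classification of network rules.

```python
import re

# Constructed sample input, built from the two outputs quoted in the post.
HEADER = ("X-Spam-Status: No, score=2.067 tag=x tag2=3.5 kill=3.5 tests=[BAYES_60=1.5,\n"
          "\tRP_MATCHES_RCVD=-0.303, SARE_MLH_Stock1=0.87] autolearn=no")
REPORT = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                           [66.197.238.137 listed in bl.score.senderscore.com]
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
 1.2 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
 1.7 URIBL_DBL_SPAM         Contains an URL listed in the DBL blocklist
 0.9 SARE_MLH_Stock1        Subject mentions stock or stock related words
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5285]
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
"""

# Assumption: rule-name prefixes used here as a heuristic for tests that need
# network access (DNS blocklists, URI blocklists, DCC, Razor2, Pyzor).
NET_PREFIXES = ("RCVD_IN_", "URIBL_", "DCC_", "RAZOR2_", "PYZOR_", "DIGEST_")

def header_tests(header):
    """Return {rule: score} from the tests=[...] list of an X-Spam-Status header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header line folding
    m = re.search(r"tests=\[([^\]]*)\]", unfolded)
    pairs = (p.strip().partition("=") for p in m.group(1).split(",")) if m else ()
    return {name: float(score) for name, _, score in pairs if name}

def report_tests(report):
    """Return {rule: score} from the 'pts rule name' table; continuation lines are skipped."""
    rows = (re.match(r"\s*(-?\d+\.\d+)\s+(\w+)", line) for line in report.splitlines())
    return {m.group(2): float(m.group(1)) for m in rows if m}

def missing_from_header(header, report):
    """Rules hit by the manual run but absent from the header: (network-like, other)."""
    missing = sorted(set(report_tests(report)) - set(header_tests(header)))
    net = [n for n in missing if n.startswith(NET_PREFIXES)]
    other = [n for n in missing if not n.startswith(NET_PREFIXES)]
    return net, other

if __name__ == "__main__":
    net, other = missing_from_header(HEADER, REPORT)
    print("network-like rules missing from the header:", ", ".join(net))
    print("other rules missing from the header:", ", ".join(other))
```

On this sample every missing rule except the differing Bayes bucket falls in the network-like group.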