Not all rules firing

Kent Oyer kent at micro-source.net
Sat Jul 13 23:13:57 CEST 2013 

Thanks Patrick. I thought of that as well. However, the network tests are firing for some messages but just not all. I have skip_rbl_checks 0 in my local.cf file and I have $sa_local_tests_only = 0 in my amavisd.conf file. I thought maybe the tests were timing out so I setup a non-forwarding, caching name server but that hasn't seemed to help either. Maybe there's another setting I'm missing.

Thanks
Kent

-----Original Message-----
From: Patrick Ben Koetter [mailto:p at sys4.de] 
Sent: Friday, July 12, 2013 5:22 PM
To: amavis-users at amavis.org
Subject: Re: Not all rules firing

* Kent Oyer <kent at micro-source.net>:
> Hello,
> 
> I hope someone out there can help me. Everything was working great but recently I am seeing a lot of spam slipping through. When I look at the message headers and I see very few tests are hitting. 
> 
> X-Spam-Status: No, score=2.067 tag=x tag2=3.5 kill=3.5 tests=[BAYES_60=1.5,
> 	RP_MATCHES_RCVD=-0.303, SARE_MLH_Stock1=0.87] autolearn=no
> 
> However, when I take the same message and pipe it through spamassassin -t, I get a very different result:
> 
> Content analysis details:   (12.4 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
>                             https://senderscore.org/blacklistlookup/
>                            [66.197.238.137 listed in bl.score.senderscore.com]
>  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: underneathright.com]
>  1.2 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
>                             [URIs: underneathright.com]
>  1.7 URIBL_DBL_SPAM         Contains an URL listed in the DBL blocklist
>                             [URIs: underneathright.com]
>  0.9 SARE_MLH_Stock1        Subject mentions stock or stock related words
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5285]
>  1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>                             above 50%
>                             [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 100]
>  0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
> 
> I am using a SQL database for lookups. How would I begin to troubleshoot this? 

Seems like all tests that require network access aren't used, when the mail is processed by your mailserver/content filter. There's an option to switch that off in spamassassin and IIRC you can also control that from within amavis sa_... settings. This is where I'd look first.

p at rick


--
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

More information about the amavis-users mailing list