SpamAssassin scoring

Bruce Pennypacker bruce.pennypacker at gmail.com
Fri Oct 31 01:56:59 CET 2014 

On Thu, Oct 30, 2014 at 5:27 PM, Patrick Ben Koetter <p at sys4.de> wrote:
> * Bruce Pennypacker <bruce.pennypacker at gmail.com>:
>> I have version 2.9.1 of amavisd-new set up using version 3.3.1 of
>> SpamAssassin on a centos/postfix system and I'm really confused about
>> the scoring that's going on.  I'm seeing a lot of spam get delivered
>> with really low scores.  For example, the headers of a recent spam
>> show:
>>
>> X-Virus-Scanned: amavisd-new at <mydomain>
>> X-Spam-Flag: NO
>> X-Spam-Score: 0.904
>> X-Spam-Level:
>> X-Spam-Status: No, score=0.904 tagged_above=-9999 required=5
>> tests=[BAYES_00=-0.5, HTML_MESSAGE=2, RP_MATCHES_RCVD=-0.594,
>> SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
>>
>> If I log in as the amavis user (which is what amavisd-new is running
>> as) and pipe the full body of the spam to SpamAssassin in test mode I
>> get a very different result:
>>
>> $ spamassassin -t < /tmp/foo
>>
>> ...
>>
>> Content analysis details:   (14.0 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL
>> blocklist  [URIs: effr.eu]
>>  2.5 URIBL_BLACK            Contains an URL listed in the URIBL
>> blacklist [URIs: effr.eu]
>>  3.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>> [score: 1.0000]
>> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
>> -0.6 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
>>  3.5 BAYES_999              BODY: Bayes spam probability is 99.9 to
>> 100% [score: 1.0000]
>>  2.0 HTML_MESSAGE           BODY: HTML included in message
>>  1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>>
>> What am I missing in my setup that's causing such poor SA scoring
>> under amavisd-new but good scoring when run locally as the same user?
>
> Do amavis and Spamassassin know who is a trusted sender and what their
> local (read: recipient) domains are? Seems like both don't have an idea of
> what's incoming and what's outgoing.


I've verified @local_domains_acl and @local_domains_maps both contain
my domain.  @mynetworks didn't have the IP of my mailserver in it so I
added it and restarted amavisd-new.  The mailserver IP is also listed
in trusted_networks in /etc/mail/spamassassin/local.cf.  But despite
adding/verifying all this and restarting I'm still seeing spam come in
that gets scored differently by amavisd than if I invoke spamassassin
manually...

-Bruce

More information about the amavis-users mailing list