SpamAssassin scoring

Bruce Pennypacker bruce.pennypacker at gmail.com
Fri Oct 31 19:16:46 CET 2014 

A bit more of a followup to my spam scoring issue I'm seeing.  I'm
having spam that's scored highly quarantined.  In my quarantine
directory I have a few hundred quarantined messages from just the past
24 hours alone, so SpamAssassin is definitely doing what it should in
some cases, and it's verifying that the spam checks are working at
least in some cases.  for example, one quarantined e-mail has:

X-Spam-Status: Yes, score=16.943 tag=-9999 tag2=5 kill=6.9
        tests=[BAYES_80=2.5, DCC_CHECK=1.1, DIGEST_MULTIPLE=0.293,
        DKIM_SIGNED=0.1, INVALID_DATE=1.096, RAZOR2_CF_RANGE_51_100=2,
        RAZOR2_CF_RANGE_E8_51_100=2, RAZOR2_CHECK=2,
        RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001,
        URIBL_BLACK=2.5, URIBL_DBL_SPAM=2.5] autolearn=spam

Which indicates that checks like Bayes, DCC, Razor, etc. are all
working properly and amavis is correctly quarantining this e-mail
because of the high spam score.

Yet I still have cases where a spam gets through to a users inbox with
the following header:

X-Spam-Status: No, score=0.293 tagged_above=-9999 required=5
tests=[BAYES_00=-0.5, RDNS_NONE=0.793] autolearn=no

Yet if I take the full spam message and pipe it to 'spamassassin -t'
it shows a high score:

Content analysis details:   (10.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 3.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS

So what might be causing SpamAssassin to properly score spam in some
cases to the point that the messages get quarantined but in others be
wildly off base when running through amavis?  What could cause
something like the Bayes check to work properly with all the
quarantined spam but then vary so drastically on other e-mails when
processed through amavis vs. passing it to 'spamassassin -t'? Not to
mention that the DCC &  Pyzor checks seem to be getting skipped
entirely. How can I go about debugging this sort of behavior?  Is my
only option to crank up SpamAssassin logging  in amavis and wait for
more spam to show up in users inboxes?

-Bruce

More information about the amavis-users mailing list