SpamAssassin scoring

Tom Hendrikx tom at whyscream.net
Fri Oct 31 21:09:14 CET 2014



On 31-10-14 19:16, Bruce Pennypacker wrote:
> A bit more of a followup to my spam scoring issue I'm seeing.  I'm 
> having spam that's scored highly quarantined.  In my quarantine 
> directory I have a few hundred quarantined messages from just the
> past 24 hours alone, so SpamAssassin is definitely doing what it
> should in some cases, and it's verifying that the spam checks are
> working at least in some cases.  For example, one quarantined
> e-mail has:
> 
> X-Spam-Status: Yes, score=16.943 tag=-9999 tag2=5 kill=6.9 
> tests=[BAYES_80=2.5, DCC_CHECK=1.1, DIGEST_MULTIPLE=0.293, 
> DKIM_SIGNED=0.1, INVALID_DATE=1.096, RAZOR2_CF_RANGE_51_100=2, 
> RAZOR2_CF_RANGE_E8_51_100=2, RAZOR2_CHECK=2, 
> RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-0.594,
> SPF_PASS=-0.001, URIBL_BLACK=2.5, URIBL_DBL_SPAM=2.5]
> autolearn=spam
> 
> Which indicates that checks like Bayes, DCC, Razor, etc. are all 
> working properly and amavis is correctly quarantining this e-mail 
> because of the high spam score.
> 
> Yet I still have cases where a spam gets through to a user's inbox
> with the following header:
> 
> X-Spam-Status: No, score=0.293 tagged_above=-9999 required=5 
> tests=[BAYES_00=-0.5, RDNS_NONE=0.793] autolearn=no
> 
> Yet if I take the full spam message and pipe it to 'spamassassin
> -t' it shows a high score:
> 
> Content analysis details:   (10.7 points, 5.0 required)
> 
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
> 3.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                            [score: 1.0000]
> 3.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                            [score: 1.0000]
> 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
> 2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
> 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
> 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
> 
> So what might be causing SpamAssassin to properly score spam in
> some cases to the point that the messages get quarantined but in
> others be wildly off base when running through amavis?  What could
> cause something like the Bayes check to work properly with all the 
> quarantined spam but then vary so drastically on other e-mails
> when processed through amavis vs. passing it to 'spamassassin -t'?
> Not to mention that the DCC & Pyzor checks seem to be getting
> skipped entirely. How can I go about debugging this sort of
> behavior?  Is my only option to crank up SpamAssassin logging in
> amavis and wait for more spam to show up in users' inboxes?
> 

Hi Bruce,


Pyzor and DCC are dynamic tests: they are network tests that are fed
realtime with spam by their maintainers and/or users. If you receive a
spam message and it isn't detected, there is a big chance that when
you do a manual check a few hours later, the message is detected by
those systems, which is exactly the behaviour you are observing. If
you want to benefit from delayed evaluation, you need to look into
greylisting (with all its pros and cons).

The Bayes difference might happen if you're not running spamassassin
as the same user as amavis: not enough information about that in your
message. See https://wiki.apache.org/spamassassin/BayesNotWorking for
first steps in debugging.

Regards,
	Tom



More information about the amavis-users mailing list
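
To separate the two effects discussed in this thread (network tests that only list a message some time after delivery, and a Bayes result that differs between amavis and the command line), the amavis header and the later `spamassassin -t` report can be diffed rule by rule. This is an added example, not part of the original thread; the function names and the prefix-based classification of network rules are assumptions.

```python
import re

# Assumption: rules with these prefixes are network tests (digests, blocklists).
NETWORK_PREFIXES = ("DCC_", "PYZOR_", "RAZOR2_", "DIGEST_", "URIBL_", "RCVD_IN_")

def parse_status(header):
    """Parse an amavis-style X-Spam-Status header into (score, {rule: points})."""
    flat = " ".join(header.split())          # unfold continuation lines
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    body = re.search(r"tests=\[(.*?)\]", flat).group(1)
    tests = {}
    for item in filter(None, (s.strip() for s in body.split(","))):
        name, _, pts = item.partition("=")
        tests[name] = float(pts)
    return score, tests

def parse_report(report):
    """Parse the 'pts rule name description' table printed by spamassassin -t."""
    rows = re.findall(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b", report, re.M)
    return {name: float(pts) for pts, name in rows}

def compare(delivered, retest):
    """Classify rules that differ between delivery time and the later re-test."""
    out = {"network_late": [], "bayes": [], "other": []}
    for name in sorted(set(delivered) ^ set(retest)):
        if name.startswith("BAYES_"):
            out["bayes"].append(name)        # check which Bayes DB/user was used
        elif name.startswith(NETWORK_PREFIXES) and name in retest:
            out["network_late"].append(name) # listed only after delivery
        else:
            out["other"].append(name)
    return out

# Both samples are copied from the message quoted above.
HEADER = """X-Spam-Status: No, score=0.293 tagged_above=-9999 required=5
 tests=[BAYES_00=-0.5, RDNS_NONE=0.793] autolearn=no"""
REPORT = """\
 3.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
 3.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
"""

if __name__ == "__main__":
    _, at_delivery = parse_status(HEADER)
    for kind, rules in compare(at_delivery, parse_report(REPORT)).items():
        print(f"{kind:13} {', '.join(rules) or '-'}")
```

Rules reported under `bayes` point at the database and user question raised in the reply; rules under `network_late` match the delayed-listing explanation.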