R: R: R: R: Message quarantined as SPAM

Dominic Raferd dominic at timedicer.co.uk
Thu Jul 20 17:25:48 CEST 2017 

These headers are from SpamAssassin not from amavis. Here is an example of
headers from amavisd-new:

X-Spam-Flag: YES
X-Spam-Score: 4.426
X-Spam-Level: ****
X-Spam-Status: Yes, score=4.426 tag=4 tag2=4 kill=4 tests=[DKIM_SIGNED=0.1,
        DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001,
        HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.365,
        RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729, SPF_PASS=-0.001,
        URIBL_BLOCKED=0.001] autolearn=disabled

Is it possible you are running spamassassin separately *after* amavis, and
spamassassin (when called independently, not via amavis) is clearing out
amavis headers and substituting its own?

My understanding (and I am not an expert) is that spamassassin should be
called *by* amavis and should not be adding any of its headers to the
email, the headers should be added by amavis based on all its testing
results (including from spamassassin). I do not know the exact relationship
between the hit score of amavis and the score that it gets back from
spamassassin, I would expect that amavis uses spamassassin score and adds
some more tests of its own to make an overall total. Someone more expert
will know.



On 20 July 2017 at 14:58, Scappatura Rocco <Rocco.Scappatura at infracom.it>
wrote:

> Hello.
>
>
>
> Thank you for the anwer. $sa_tag_level_deflt  is already set to 2.0. Here
> the headers of the message relative the score:
>
>
>
> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on av9.infracom.it
>
> X-Spam-Level: *
>
> X-Spam-Status: No, score=1.9 required=5.0 tests=BASE64_LENGTH_79_INF,
> BAYES_00,
>
>         HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,
> MISSING_MIME_HB_SEP,
>
>         MPART_ALT_DIFF,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,
>
>         TO_NO_BRKTS_HTML_IMG,T_REMOTE_IMAGE autolearn=no
> autolearn_force=no
>
>         version=3.4.0
>
> Delivered-To: spam-quarantine
>
> X-Envelope-To: <iagrossi at example.net>
>
> X-Envelope-To-Blocked: <iagrossi at example.net>
>
> X-Quarantine-ID: <BknEtFAN2Yh1>
>
> X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not
> UTF-8)
>
>         (char B0 hex): Subject: Annullamento Ordine n\x{B0} 217026098 del
>
>         [...]
>
>
>
> So the thing to be clarified is the difference between the ‘score’
> reported by spamassassin (and X-Spam-Status header) and the Hits reported
> by the amavisd log.
>
>
>
> Could someone explain the difference?
>
>
>
> Regards,
>
>
>
> RS
>
>
>
> *Da:* amavis-users [mailto:amavis-users-bounces+rocco.scappatura=
> infracom.it at amavis.org] *Per conto di *Dominic Raferd
> *Inviato:* giovedì 20 luglio 2017 07:18
> *A:* amavis-users at amavis.org
> *Oggetto:* Re: R: R: R: R: Message quarantined as SPAM
>
>
>
> You can set $sa_tag_level_deflt (different from $sa_tag2_level_deflt) to
> lower level - mails with scores above $sa_tag_level_deflt will have spam
> info header added; this header shows how amavis has calculated the score.
>
>
>
> On 19 July 2017 at 14:02, Scappatura Rocco <Rocco.Scappatura at infracom.it>
> wrote:
>
> Thank you for the answer.
>
>
>
> Yes, you are right. Anyway I set ‘$sa_kill_level_deflt = 6.31’ too in
> amavis configuration.
>
>
>
> I could agree for the differnce of the score of the message assigned by
> amavis and the score of the SA test of the quarantined message..
>
>
>
> But, I would like to understand why amavis assigns a so high score (7.946)
> to a harmless message ..
>
>
>
> Regards,
>
>
>
> RS
>
>
>
>
>
> *Da:* amavis-users [mailto:amavis-users-bounces+rocco.scappatura=
> infracom.it at amavis.org] *Per conto di *Dominic Raferd
> *Inviato:* mercoledì 19 luglio 2017 14:28
> *A:* amavis-users at amavis.org
> *Oggetto:* Re: R: R: R: R: Message quarantined as SPAM
>
>
>
>
>
>
>
> On 19 July 2017 at 12:56, Scappatura Rocco <Rocco.Scappatura at infracom.it>
> wrote:
>
> Hello.
>
> Even after the changes done to the amavis configuration, I still notice
> that some messages has been blocked as SPAM. For example:
>
> Jul 18 12:04:55 zzz amavis[18242]: (18242-14) Blocked SPAM
> {DiscardedInbound,Quarantined}, [195.245.231.137]:39849 [193.67.127.189] <
> orderfleet at example.org> -> <iagrossi at example.net>, quarantine:
> B/spam-BknEtFAN2Yh1.gz, Queue-ID: 31099D5C4B, Message-ID: <
> OF2B08DA46.86F90238-ON80258161.003760D6 at leaseplancorp.net>, mail_id:
> BknEtFAN2Yh1, Hits: 7.946, size: 170434, 551 ms
>
> while the score I get while testing the messages is much lower that
> $sa_tag2_level_deflt (1.9 < 6.31):
>
> ​...
>
>
>
> Where is the problem? Why the message is tagged as SPAM and quarantined?
>
>
>
> ​It is not $sa_tag2_level_deflt that determines whether message is
> quarantined, this only determines whether to add 'spam detected' headers in
> the emails.
>
>
>
> Score above $sa_kill_level_deflt​ triggers evasive action (i.e. according
> to $spam_quarantine_method).
>
>
>
> Also I am not sure you can rely on getting same spam calculation when you
> re-test a quarantined email as when it arrives from outside, perhaps this
> is why header shows score of 7.946 but retest only 1.9?
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20170720/5e53f595/attachment.html>

More information about the amavis-users mailing list