[SUSPECTED SPAM]Re: Scoring questions

Dino Edwards dino.edwards at mydirectmail.net
Mon Jan 29 18:30:57 CET 2018 

First of all, please turn off your autolearn in SA. That always causes more problems than it’s worth.

The X-Spam Headers come from SA. The weird thing is that your SA autolearn thinks this email is ham. I think there is something goofy going on with your bayes. You should clear your bayes cause it looks poisoned.






From: Computer Bob [mailto:bob at inter-control.com]
Sent: Monday, January 29, 2018 12:01 PM
To: Dino Edwards <dino.edwards at mydirectmail.net>; amavis-users at amavis.org
Subject: [SUSPECTED SPAM]Re: Scoring questions

Interestingly, I have been getting a boatload of these this morning.
They are getting flagged as *****SPAM*****, but the headers show:

X-Spam-Flag: NO

X-Spam-Score: 0

X-Spam-Level:

X-Spam-Status: No, score=0 tagged_above=-9999 required=5

          tests=[HTML_MESSAGE=0.001, NO_RELAYS=-0.001]

          autolearn=ham autolearn_force=no

In the content, it shows being caught by spamassassin with:

Content analysis details:   (25.7 points, 4.0 required)



 pts rule name              description

---- ---------------------- --------------------------------------------------

 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts

 0.0 HTML_MESSAGE           BODY: HTML included in message

 2.0 BAYES_50               BODY: Bayes spam probability is 40 to 60%

                            [score: 0.4823]

 1.7 RDNS_DYNAMIC           Delivered to internal network by host with

                            dynamic-looking rDNS

 0.0 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag

 5.0 KB_WAM_LONELY_WOMEN    Lonely Women Scam of the Day

 2.9 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)

 2.5 PHP_ORIG_SCRIPT        Sent by bot & other signs

 3.7 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr

                            1)

 1.5 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)

 1.0 BODY_URI_ONLY          Message body is only a URI in one line of text or for

                            an image

 1.8 TO_NO_BRKTS_HTML_ONLY  To: lacks brackets and HTML only

 2.4 TO_NO_BRKTS_DYNIP      To: lacks brackets and dynamic rDNS


Which is what I would expect.
Could you enlighten me on where exactly the X-Spam- headers are coming from ?

On 1/29/18 10:26 AM, Dino Edwards wrote:

Are you running cat {mailfile} | spamassassin -D –t as root?



From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Computer Bob
Sent: Monday, January 29, 2018 11:22 AM
To: amavis-users at amavis.org<mailto:amavis-users at amavis.org>
Subject: Scoring questions

Greetings to all,

I have an issue with my setup somehow and it seems to be in amavis-new, most spam gets detected and delt with, some gets through and the scoring seems odd.
This one came in this morning and is typical of those that get through:

Return-Path: <rejuvalex at jodiariastrial.com><mailto:rejuvalex at jodiariastrial.com>

Subject: Regrow your Hair in 3 Weeks.

X-Spam-Flag: NO

X-Spam-Score: 1.995

X-Spam-Level: *

X-Spam-Status: No, score=1.995 tagged_above=-9999 required=5

        tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,

        PYZOR_CHECK=1.985, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,

        T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no

If I run the email through on the command line with:
cat {mailfile} | spamassassin -D -t
The results are:
Content analysis details:   (7.5 points, 4.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: jodiariastrial.com]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
 2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.0 T_REMOTE_IMAGE         Message contains an external image

I am running:
Ubuntu 14.04.5
Postfix mail_version = 2.11.0 milter_macro_v = $mail_name $mail_version
amavisd-new-2.7.1 (20120429)
ClamAV 0.99.2/24255/Thu Jan 25 11:22:47 2018
Anti-Virus scanner version: 13.0.3114
SpamAssassin version 3.4.0
   running on Perl version 5.18.2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20180129/4301b081/attachment.html>

More information about the amavis-users mailing list