[SUSPECTED SPAM]Re: Scoring questions

Computer Bob bob at inter-control.com
Mon Jan 29 18:57:29 CET 2018


I assume you mean bayes_auto_learn in local.cf. I set it to 0 from 1 and 
restarted.


On 1/29/18 11:30 AM, Dino Edwards wrote:
>
> First of all, please turn off your autolearn in SA. That always causes 
> more problems than it’s worth.
>
> The X-Spam Headers come from SA. The weird thing is that your SA 
> autolearn thinks this email is ham. I think there is something goofy 
> going on with your bayes. You should clear your bayes cause it looks 
> poisoned.
>
> *From:*Computer Bob [mailto:bob at inter-control.com]
> *Sent:* Monday, January 29, 2018 12:01 PM
> *To:* Dino Edwards <dino.edwards at mydirectmail.net>; 
> amavis-users at amavis.org
> *Subject:* [SUSPECTED SPAM]Re: Scoring questions
>
> Interestingly, I have been getting a boatload of these this morning.
> They are getting flagged as *****SPAM*****, but the headers show:
>
> X-Spam-Flag: NO
> X-Spam-Score: 0
> X-Spam-Level:
> X-Spam-Status: No, score=0 tagged_above=-9999 required=5
>           tests=[HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
>           autolearn=ham autolearn_force=no
>
>
> In the content, it shows being caught by spamassassin with:
>
> Content analysis details:   (25.7 points, 4.0 required)
>   pts rule name              description
> ---- ---------------------- --------------------------------------------------
>   1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>   0.0 HTML_MESSAGE           BODY: HTML included in message
>   2.0 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                              [score: 0.4823]
>   1.7 RDNS_DYNAMIC           Delivered to internal network by host with
>                              dynamic-looking rDNS
>   0.0 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>   5.0 KB_WAM_LONELY_WOMEN    Lonely Women Scam of the Day
>   2.9 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
>   2.5 PHP_ORIG_SCRIPT        Sent by bot & other signs
>   3.7 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
>                              1)
>   1.5 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
>   1.0 BODY_URI_ONLY          Message body is only a URI in one line of text or for
>                              an image
>   1.8 TO_NO_BRKTS_HTML_ONLY  To: lacks brackets and HTML only
>   2.4 TO_NO_BRKTS_DYNIP      To: lacks brackets and dynamic rDNS
>
> Which is what I would expect.
> Could you enlighten me on where exactly the X-Spam- headers are coming 
> from ?
>
> On 1/29/18 10:26 AM, Dino Edwards wrote:
>
>     Are you running cat {mailfile} | spamassassin -D -t as root?
>
>     *From:*amavis-users
>     [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org]
>     *On Behalf Of *Computer Bob
>     *Sent:* Monday, January 29, 2018 11:22 AM
>     *To:* amavis-users at amavis.org
>     *Subject:* Scoring questions
>
>     Greetings to all,
>
>     I have an issue with my setup somehow and it seems to be in
>     amavis-new, most spam gets detected and dealt with, some gets
>     through and the scoring seems odd.
>     This one came in this morning and is typical of those that get
>     through:
>
>     Return-Path: <rejuvalex at jodiariastrial.com>
>     Subject: Regrow your Hair in 3 Weeks.
>     X-Spam-Flag: NO
>     X-Spam-Score: 1.995
>     X-Spam-Level: *
>     X-Spam-Status: No, score=1.995 tagged_above=-9999 required=5
>              tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
>              PYZOR_CHECK=1.985, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
>              T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
>
>
>     If I run the email through on the command line with:
>     cat {mailfile} | spamassassin -D -t
>     The results are:
>     Content analysis details:   (7.5 points, 4.0 required)
>      pts rule name              description
>     ---- ---------------------- --------------------------------------------------
>      5.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
>                                 [URIs: jodiariastrial.com]
>     -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
>      0.0 HTML_MESSAGE           BODY: HTML included in message
>      0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
>                                 background
>      2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>      0.0 T_REMOTE_IMAGE         Message contains an external image
>
>     I am running:
>     Ubuntu 14.04.5
>     Postfix mail_version = 2.11.0 milter_macro_v = $mail_name $mail_version
>     amavisd-new-2.7.1 (20120429)
>     ClamAV 0.99.2/24255/Thu Jan 25 11:22:47 2018
>     Anti-Virus scanner version: 13.0.3114
>     SpamAssassin version 3.4.0
>        running on Perl version 5.18.2
>
