Hello,
Here is a complete sample without a link (because apache.org bounced
the message due to the "spam" content) with logs relevant to the
message. I have tar.gz/tgz'd the message to hopefully pass the spam
filter.

Here is the message:
Return-Path:
Delivered-To: fchan@molsci.org
X-Spam-Status: No, hits=? required=?
Message-ID: 20a13601c86ff1$64a2c710$6400a8c0@acerdac357703e
From: "Rita Gore"
To:
Cc: ,
,
,

Subject: Size Genetics Warning
Date: Fri, 15 Feb 2008 17:39:26 -0100
Content-Type: text/plain;
format=flowed;
reply-type=original
Content-Transfer-Encoding: 7bit

Gain 3.5+ Inches In Length.... 100% Safe To Take, With NO Side Effects.



Here is the qmail-queue.log:
Fri, 15 Feb 2008 08:39:54 PST:21158: SA: finished scan in 50.013946 secs - hits=?/?
Fri, 15 Feb 2008 08:39:54 PST:21158: p_s: finished scan in 0.007968 secs
Fri, 15 Feb 2008 08:39:54 PST:21158: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309354376421158"...
Fri, 15 Feb 2008 08:39:54 PST:21158: ------ Process 21158 finished. Total of 50.174236 secs
Fri, 15 Feb 2008 08:39:55 PST:21298: +++ starting debugging for process 21298 (ppid=21271) by uid=509
Fri, 15 Feb 2008 08:39:55 PST:21298: c_a_g: found URL in message - maybe phishy - better scan it
Fri, 15 Feb 2008 08:39:55 PST:21298: w_c: Total time between DATA command and "." was 0.000196 secs
Fri, 15 Feb 2008 08:39:55 PST:21298: w_c: elapsed time from start 0.000177 secs
Fri, 15 Feb 2008 08:39:55 PST:21298: g_e_h: return-path='PeggylawfulMcginnis@analogzone.com', recips='ftp@molsci.org,fchan@molsci.org,dawn@molsci.org,ftp-fprot@molsci.org,dkinney@molsci.org'
Fri, 15 Feb 2008 08:39:55 PST:21298: from='"Rita Gore" ', subj='Size Genetics Warning', via SMTP from 79.26.135.208
Fri, 15 Feb 2008 08:39:55 PST:21298: clamdscan: finished scan in 0.014551 secs
Fri, 15 Feb 2008 08:40:45 PST:21298: SA: finished scan in 50.020665 secs - hits=?/?
Fri, 15 Feb 2008 08:40:46 PST:21298: p_s: finished scan in 0.00844500000000004 secs
Fri, 15 Feb 2008 08:40:46 PST:21298: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309359576421298"...
Fri, 15 Feb 2008 08:40:46 PST:21298: ------ Process 21298 finished. Total of 50.133095 secs

But I noticed these also right after this message:
Fri, 15 Feb 2008 08:40:45 PST:21298: SA: finished scan in 50.020665 secs - hits=?/?
Fri, 15 Feb 2008 08:40:46 PST:21298: p_s: finished scan in 0.00844500000000004 secs
Fri, 15 Feb 2008 08:40:46 PST:21298: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309359576421298"...
Fri, 15 Feb 2008 08:40:46 PST:21298: ------ Process 21298 finished. Total of 50.133095 secs
Fri, 15 Feb 2008 08:40:46 PST:21299: SA: finished scan in 50.01334 secs - hits=?/?
Fri, 15 Feb 2008 08:40:46 PST:21299: p_s: finished scan in 0.009365 secs
Fri, 15 Feb 2008 08:40:46 PST:21299: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309359676421299"...
Fri, 15 Feb 2008 08:40:46 PST:21299: ------ Process 21299 finished. Total of 50.215451 secs
Fri, 15 Feb 2008 08:41:01 PST:21376: SA: finished scan in 50.061759 secs - hits=?/?
Fri, 15 Feb 2008 08:41:01 PST:21376: p_s: finished scan in 0.102243 secs
Fri, 15 Feb 2008 08:41:01 PST:21376: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361076421376"...
Fri, 15 Feb 2008 08:41:02 PST:21376: ------ Process 21376 finished. Total of 50.796067 secs
Fri, 15 Feb 2008 08:41:02 PST:21395: SA: finished scan in 50.014535 secs - hits=?/?
Fri, 15 Feb 2008 08:41:02 PST:21395: p_s: finished scan in 0.008081 secs
Fri, 15 Feb 2008 08:41:02 PST:21395: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361276421395"...
Fri, 15 Feb 2008 08:41:02 PST:21391: SA: finished scan in 50.102585 secs - hits=?/?
Fri, 15 Feb 2008 08:41:02 PST:21391: p_s: finished scan in 0.012847 secs
Fri, 15 Feb 2008 08:41:03 PST:21391: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361276421391"...
Fri, 15 Feb 2008 08:41:03 PST:21395: ------ Process 21395 finished. Total of 50.430792 secs
Fri, 15 Feb 2008 08:41:03 PST:21391: ------ Process 21391 finished. Total of 50.258332 secs
Fri, 15 Feb 2008 08:41:03 PST:21538: +++ starting debugging for process 21538 (ppid=21529) by uid=509
Fri, 15 Feb 2008 08:41:06 PST:21406: SA: finished scan in 50.016036 secs - hits=?/?
Fri, 15 Feb 2008 08:41:06 PST:21406: p_s: finished scan in 0.008182 secs
Fri, 15 Feb 2008 08:41:06 PST:21406: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361376421406"...
Fri, 15 Feb 2008 08:41:07 PST:21406: ------ Process 21406 finished. Total of 50.81682 secs


Here is the maillog for that period of time:
Feb 15 08:38:39 s1 spamd[19278]: spamd: checking message <000701c87009$012e9d45$3295f986@arwld> for qscand:510
Feb 15 08:40:47 s1 spamd[19278]: spamd: identified spam (44.9/8.5) for qscand:510 in 127.6 seconds, 2091 bytes.
Feb 15 08:40:47 s1 spamd[19278]: spamd: result: Y 44 - BAYES_99,BOTNET,DOS_OE_TO_MX,DRUGS_ERECTILE,DRUGS_ERECTILE_OBFU,FB_CIALIS_LEO3,FB_P1LL,FH_HELO_EQ_D_D_D_D,FUZZY_CPILL,FUZZY_PRICES,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_DYNAMIC,SUBJECT_DRUG_GAP_C,TVD_RCVD_IP,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=127.6,size=2091,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54630,mid=<000701c87009$012e9d45$3295f986@arwld>,bayes=1.000000,autolearn=spam
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BB
Feb 15 08:40:47 s1 spamd[30645]: spamd: server successfully spawned child process, pid 21505
Feb 15 08:40:47 s1 spamd[19278]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54631
Feb 15 08:40:47 s1 spamd[21505]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54632
Feb 15 08:40:47 s1 spamd[19278]: spamd: checking message <000501c86ff1$04c27ff7$560b6dac@hmteb> for qscand:510
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BBB
Feb 15 08:40:47 s1 spamd[30645]: spamd: server successfully spawned child process, pid 21506
Feb 15 08:40:47 s1 spamd[21505]: spamd: checking message <000401c86ff1$052d8315$cfeea49e@dlbwdqwt> for qscand:510
Feb 15 08:40:47 s1 spamd[21506]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54633
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BBBB
Feb 15 08:40:47 s1 spamd[30645]: spamd: server successfully spawned child process, pid 21507
Feb 15 08:40:47 s1 spamd[21506]: spamd: checking message <47B5C019.2040002@groupe-afd.com> for qscand:510
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BBBBB
Feb 15 08:40:47 s1 spamd[30645]: prefork: server reached --max-children setting, consider raising it
Feb 15 08:40:47 s1 spamd[21507]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54634
Feb 15 08:40:48 s1 spamd[21507]: spamd: checking message <47B5C02F.3080700@abnamro.com> for qscand:510
Feb 15 08:40:50 s1 spamd[19278]: spamd: identified spam (32.7/8.5) for qscand:510 in 3.2 seconds, 828 bytes.
Feb 15 08:40:50 s1 spamd[19278]: spamd: result: Y 32 - BAYES_99,BOTNET,DOS_OE_TO_MX,FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,NO_DNS_FOR_FROM,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_RCVD_IP,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_WS_SURBL scantime=3.2,size=828,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54631,mid=<000501c86ff1$04c27ff7$560b6dac@hmteb>,bayes=1.000000,autolearn=spam
Feb 15 08:40:50 s1 spamd[30645]: prefork: child states: BBBBB
Feb 15 08:40:50 s1 spamd[30645]: prefork: server reached --max-children setting, consider raising it
Feb 15 08:40:50 s1 spamd[19278]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54635
Feb 15 08:40:50 s1 spamd[19278]: spamd: checking message <20080215160339.4011D566A0@mx1.e.genomeweb.com> for qscand:510
Feb 15 08:40:51 s1 spamd[21505]: spamd: identified spam (26.2/8.5) for qscand:510 in 4.3 seconds, 863 bytes.
Feb 15 08:40:51 s1 spamd[21505]: spamd: result: Y 26 - BAYES_99,BOTNET,DOS_OE_TO_MX,FH_HELO_ALMOST_IP,HELO_DYNAMIC_DHCP,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,SPF_FAIL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_WS_SURBL scantime=4.3,size=863,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54632,mid=<000401c86ff1$052d8315$cfeea49e@dlbwdqwt>,bayes=1.000000,autolearn=spam
Feb 15 08:40:52 s1 spamd[30645]: prefork: child states: BBBBB
Feb 15 08:40:52 s1 spamd[30645]: prefork: server reached --max-children setting, consider raising it
Feb 15 08:40:52 s1 spamd[21505]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54636
Feb 15 08:40:52 s1 spamd[21505]: spamd: checking message <000c01c87194$04a29446$a4747e99@dcwbdbb> for qscand:510
Feb 15 08:40:53 s1 spamd[21506]: spamd: identified spam (35.1/8.5) for qscand:510 in 6.0 seconds, 772 bytes.
Feb 15 08:40:53 s1 spamd[21506]: spamd: result: Y 35 - BAYES_99,BOTNET,DIGEST_MULTIPLE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,RDNS_NONE,SUBJ_PILL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=6.0,size=772,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54633,mid=<47B5C019.2040002@groupe-afd.com>,bayes=1.000000,autolearn=spam
Feb 15 08:40:53 s1 spamd[30645]: prefork: child states: BBBBB


I noticed that the --max-children setting has been reached. This is my
spamd option setting:
# Set default spamd configuration.
SPAMDOPTIONS="-d -c --max-children=20 -H"
SPAMD_PID=/var/run/spamd.pid

What --max-children setting should I set it at?
My server is fairly powerful (Two 3GHz 4GB RAM) running RedHat Linux 5.
Is there more information you need since I'm keeping this message until
I solve this strange and annoying issue. This occurs to about 20-50 out
of the 8000-10000 messages I get each day.

Thank you,
Frank
>Hello,
>This sample message that I got had no link in the message but I got
>the same ? for the spam score also. It appears for some messages with
>links or without links I get that ? score. However it appears after
>investigating that most of them have links.
>
>Thank you,
>Frank
>
>>Return-Path:
>>Delivered-To: fchan@molsci.org
>>X-Spam-Status: No, hits=-104.0 required=8.5
>>Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
>>list-help:
>>list-unsubscribe:
>>List-Post:
>>List-Id:
>>Delivered-To: mailing list users@spamassassin.apache.org
>>X-ASF-Spam-Status: No, hits=1.2 required=10.0
>> tests=SPF_NEUTRAL
>>X-Spam-Check-By: apache.org
>>Subject: Re: Getting ? in spam scores.
>>From: Karsten Bräckelmann
>>To: users@spamassassin.apache.org
>>Content-Type: text/plain
>>Date: Sat, 09 Feb 2008 04:14:40 +0100
>>Message-Id: <1202526880.9434.38.camel@monkey.loc>
>>Content-Transfer-Encoding: 7bit
>>X-Virus-Checked: Checked by ClamAV on apache.org
>>
>>Please, resist the urge to top post and include unnecessary full
>>quotes. This also makes answering questions much easier...
>>
>>
>>On Fri, 2008-02-08 at 16:45 -0800, fchan wrote:
>>> Thank you. I have checked my DNS and it appears to resolve the link
>>> correctly.
>>
>>What link? The spample does not show any. Also, the DNS queries relevant
>>for SA are those to the various blacklists. By default including URI as
>>well as IP blacklists.
>>
>>Anyway, you can't prove the non-existence of a DNS issue, by one
>>successful query. So we now know that it works at least sometimes. Good,
>>we pretty much knew that before.
>>
>>> It is just annoying, I think less than 1% of all messages,
>>> are getting this and I'm checking if there is something I can do to
>>> solve this.
>>> Here is a sample message that is causing this:
>>
>>The sample is incomplete...
>>
>>> Received: (qmail 7689 invoked by uid 501); 8 Feb 2008 01:58:00 -0800
>>> Received: from 87.18.202.233 by s1.molsci.org (envelope-from
>>> , uid 509) with
>>> qmail-scanner-2.01st
>>> (clamdscan: 0.92/5545. spamassassin: 3.2.4. perlscan: 2.01st.
>>> Clear:RC:0(87.18.202.233):SA:0(?/?):.
>>> Processed in 50.059824 secs); 08 Feb 2008 09:58:00 -0000
>>> X-Spam-Status: No, hits=? required=?
>>
>>Did you try asking qmail-scanner folks already? That is not the default
>>SA header.
>>
>>
>>[ snip ]
>>> Another thing is when I do a sa-learn --spam of this message I get
>>> this message "Learned tokens from 0 message(s) (1 message(s)
>>> examined)". Why I cannot get sa-learn to learn from this message also.
>>
>>Because it has been (auto?) learned before?
>>
>>> > > Wed, 06 Feb 2008 09:16:41 PST:18972: clamdscan: finished scan in 0.011407 secs
>>> > > Wed, 06 Feb 2008 09:17:26 PST:18972: SA: finished scan in 45.026522
>>> > > secs - hits=?/?
>>> >
>>> >Does that mean qmail-scanner forced further processing due to the
>>> >timeout, without actually waiting for SA to finish? (Despite the success
>>> >suggesting phrase...)
>>
>>So? Hey, I'm not a qmail-scanner guy, that was not meant as a
>>rhetorical question.
>>
>>> >> Wed, 06 Feb 2008 09:17:26 PST:18972: p_s: finished scan in 0.020737 secs
>>> >> Wed, 06 Feb 2008 09:17:26 PST:18972: ini_sc: finished scan of
>>> >> "/var/spool/qmailscan/tmp/s1.molsci.org120231820076418972"
>>> >>
>>> >> I have set timeout on qmailscanner for spamc to 45 seconds. Why are,
>>> >> what I guess, links causing this.
>>> >
>>> >Are you positive this is related to links? SA queries URI blacklists.
>>> >Is it possible you have a DNS issue by any chance?
>>
>>Now, are you really positive about that, or not?
>>
>> guenther
>>
>>
>>--
>>char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
>>main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i
>>(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
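
An added example (not part of the original message, nor qmail-scanner or SpamAssassin code) that correlates the two logs quoted above: it lists the qmail-scanner SA scans logged with hits=?/?, checks whether each ran to the client timeout, and whether spamd logged its --max-children warning while that scan was waiting. The 50-second timeout, the year argument, both logs sharing one clock, and reading hits=?/? as "no score returned" are assumptions; the sample lines are taken from the logs above except the scored 21601 line, which is constructed.

```python
import re
from datetime import datetime, timedelta

# Sample lines from the logs quoted above; the scored 21601 line is constructed.
QLOG = """\
Fri, 15 Feb 2008 08:40:45 PST:21298: SA: finished scan in 50.020665 secs - hits=?/?
Fri, 15 Feb 2008 08:41:01 PST:21376: SA: finished scan in 50.061759 secs - hits=?/?
Fri, 15 Feb 2008 08:42:10 PST:21601: SA: finished scan in 3.412 secs - hits=32.7/8.5
"""
MAILLOG = """\
Feb 15 08:40:47 s1 spamd[19278]: spamd: identified spam (44.9/8.5) for qscand:510 in 127.6 seconds, 2091 bytes.
Feb 15 08:40:47 s1 spamd[30645]: prefork: server reached --max-children setting, consider raising it
Feb 15 08:40:50 s1 spamd[19278]: spamd: identified spam (32.7/8.5) for qscand:510 in 3.2 seconds, 828 bytes.
"""
SA_LINE = re.compile(r"^\w{3}, (\d{2} \w{3} \d{4} [\d:]{8}) \w+:(\d+): "
                     r"SA: finished scan in ([\d.]+) secs - hits=(\S+)$", re.M)
SYSLOG = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ spamd\[(\d+)\]: (.*)$", re.M)
DONE = re.compile(r"spamd: (?:identified spam|clean message) \(\S+\) for \S+ in ([\d.]+) seconds")

def unscored_scans(qlog):
    """qmail-scanner SA scans logged with hits=?/? as (pid, end_time, seconds)."""
    out = []
    for stamp, pid, secs, hits in SA_LINE.findall(qlog):
        if hits == "?/?":
            end = datetime.strptime(stamp, "%d %b %Y %H:%M:%S")
            out.append((int(pid), end, float(secs)))
    return out

def spamd_events(maillog, year):
    """Times of --max-children warnings, and (pid, seconds) of completed spamd scans."""
    saturated, finished = [], []
    for stamp, pid, msg in SYSLOG.findall(maillog):
        done = DONE.search(msg)
        if "reached --max-children" in msg:
            saturated.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
        elif done:
            finished.append((int(pid), float(done.group(1))))
    return saturated, finished

def correlate(qlog, maillog, year, client_timeout):
    """Per unscored scan: (pid, ran to the timeout?, spamd saturated meanwhile?)."""
    saturated, finished = spamd_events(maillog, year)
    report = []
    for pid, end, secs in unscored_scans(qlog):
        start = end - timedelta(seconds=secs)
        busy = any(start <= t <= end for t in saturated)
        report.append((pid, secs >= client_timeout, busy))
    overlong = [pid for pid, secs in finished if secs > client_timeout]
    return report, overlong
```

Run `correlate()` over the full qmail-queue.log and maillog for the same day; the second return value lists spamd children whose scans outlasted the client timeout, which are the scans a waiting client would already have abandoned.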
