RE: Different scores - SpamAssassin

This is a discussion on RE: Different scores - SpamAssassin ; maillist wrote: > Hi guys, > > slackware 11.0 > spamassassin version 3.2.5 > running on Perl version 5.8.8 > mimedefang version 2.64 > sendmail 8.14 > > I am getting a lot of spam. I did some investigating, and ...

+ Reply to Thread
Results 1 to 6 of 6

Thread: RE: Different scores

  1. RE: Different scores

    maillist wrote:
    > Hi guys,
    >
    > slackware 11.0
    > spamassassin version 3.2.5
    > running on Perl version 5.8.8
    > mimedefang version 2.64
    > sendmail 8.14
    >
    > I am getting a lot of spam. I did some investigating, and it
    > looks like I have something set up incorrectly. If I get a spam
    > message, and run it through "spamassassin -t", then it shows that it
    > should be spam, but during the process when the mail actually comes
    > in, it is scoring much lower. I have been using spamassassin for 3
    > years now, and can't seem to figure this out.
    >
    > I ran spamassassin -D --lint, and see nothing usefull.
    >
    > When I start spamassassin, I start it like this:
    > /usr/bin/spamd -r /var/run/spamd.pid \
    > -d --username=defang --max-spare=8 --min-children=5 --max-children=25


    Run the message through spamc and see what you get.

    $ spamc < test.msg

    --
    Bowie


  2. Re: Different scores

    Bowie Bailey wrote:
    > maillist wrote:
    >
    >> Hi guys,
    >>
    >> slackware 11.0
    >> spamassassin version 3.2.5
    >> running on Perl version 5.8.8
    >> mimedefang version 2.64
    >> sendmail 8.14
    >>
    >> I am getting a lot of spam. I did some investigating, and it
    >> looks like I have something set up incorrectly. If I get a spam
    >> message, and run it through "spamassassin -t", then it shows that it
    >> should be spam, but during the process when the mail actually comes
    >> in, it is scoring much lower. I have been using spamassassin for 3
    >> years now, and can't seem to figure this out.
    >>
    >> I ran spamassassin -D --lint, and see nothing usefull.
    >>
    >> When I start spamassassin, I start it like this:
    >> /usr/bin/spamd -r /var/run/spamd.pid \
    >> -d --username=defang --max-spare=8 --min-children=5 --max-children=25
    >>

    >
    > Run the message through spamc and see what you get.
    >
    > $ spamc < test.msg
    >
    >


    I did, and no matter if I I use the -c flag or not, I get the same as if
    I ran it through spamassassin -t

    Another responded with a request for more info. I posted one small
    message here...

    http://emailacs.com/temp/J872209005Tq/7.txt

    The test score for that message was 6.269 ( 7 is required ) and the
    tests that it hit were:
    BAYES_80,DATE_IN_PAST_06_12,HS_BOBAX_MID_2,RDNS_NO NE


    ....however, when I manually run it through either spamc -c < 7.txt or
    spamassassin -t 7.txt, it scores the following...

    Content analysis details: (16.4 points, 7.0 required)

    pts rule name description
    ---- ----------------------
    --------------------------------------------------
    3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    [190.97.76.59 listed in zen.spamhaus.org]
    2.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
    address
    [190.97.76.59 listed in dnsbl.sorbs.net]
    8.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    [score: 0.9955]
    1.0 HS_BOBAX_MID_2 Bobax? Message-Id:
    <0IX000EJXVWDA000@example.com>
    1.1 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
    0.1 RDNS_DYNAMIC Delivered to trusted network by host with
    dynamic-looking rDNS

    ....sorry for the crappy page breaks.

    TIA
    -Aubrey


  3. Re: Different scores


    > Another responded with a request for more info. I posted one small
    > message here...


    That would have been me.

    > http://emailacs.com/temp/J872209005Tq/7.txt
    >
    > The test score for that message was 6.269 ( 7 is required ) and the
    > tests that it hit were:
    > BAYES_80,DATE_IN_PAST_06_12,HS_BOBAX_MID_2,RDNS_NO NE


    Note: No RBL hits.

    > ...however, when I manually run it through either spamc -c < 7.txt or
    > spamassassin -t 7.txt, it scores the following...


    How long after the initial check is that? If my quick timezone math is
    correct, according to the sample, it's about an hour.

    > Content analysis details: (16.4 points, 7.0 required)
    >
    > pts rule name description
    > ---- ---------------------- --------------------------------------------------
    > 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    > [190.97.76.59 listed in zen.spamhaus.org]
    > 2.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    > 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    > [190.97.76.59 listed in dnsbl.sorbs.net]

    
    RBL hits. They most likely have been updated since the original scan.
    Since you get this result with a subsequent spamc run, too, we pretty
    much can rule out permanent DNS failures or local tests option. Still, a
    (potentially local) temporary DNS issue might explain it.

    Do you see any RBL hits on your incoming mail stream?

    What strikes me as odd is the additional PBL hit. This one isn't updated
    that frequently, is it?

    > 8.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    > [score: 0.9955]


    This is insane.

    Also, on the original scan, it scored BAYES_80. This *is* a difference,
    especially, if you did not raise that score like you did with BAYES_99.

    Your original headers don't show, if this message has been auto-learned.
    Did you train it manually?

    > 1.0 HS_BOBAX_MID_2 Bobax? Message-Id: <0IX000EJXVWDA000@example.com>
    > 1.1 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
    > 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
    > dynamic-looking rDNS



    Please re-read my previous post with the generic explanation, carefully.
    The above pretty much confirms everything I mentioned there. With the
    sole exception of AWL.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  4. offsetting thresholds (was: Re: Different scores)


    > The test score for that message was 6.269 ( 7 is required ) and the

    ^^^^^^^^^^^^^
    > tests that it hit were:
    > BAYES_80,DATE_IN_PAST_06_12,HS_BOBAX_MID_2,RDNS_NO NE


    > ...however, when I manually run it through either spamc -c < 7.txt or
    > spamassassin -t 7.txt, it scores the following...


    >  2.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL

    ^^^^^^^^^^^^^^^
    > 8.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%

    ^^^^^^^^^^^^

    Why do you do that?

    Unless you have been tweaking almost *every* single rule (which you did
    not, all others shown are stock scores), raising the required_score
    threshold and raising a *few* rules like these *only* pretty much has a
    single effect:

    ALL other rules are worth LESS.

    The equivalent would have been, to divide the score for all rules by 1.4
    and raise a very few only -- while sticking to the default threshold of
    5. Are you really sure your desired effect is, to have almost any rule
    weight in less than they do with the default rule set?

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  5. Re: Different scores

    Karsten Bräckelmann wrote:
    >
    > RBL hits. They most likely have been updated since the original scan.
    > Since you get this result with a subsequent spamc run, too, we pretty
    > much can rule out permanent DNS failures or local tests option. Still, a
    > (potentially local) temporary DNS issue might explain it.



    I feel like a complete ass. After reading this, I remembered that once
    I suspected that the DNS queries were taking to long, and decided to do
    some testing, so I turned off the RBL checks, but I did this in
    mimedefang's config file. I re-enabled it, and will probably find that
    my problem is gone now.

    As always, many thanks for this group, and all it's help

    -Aubrey


  6. Re: Different scores

    On Mon, 2008-07-28 at 19:15 -0500, maillist wrote:
    > Karsten Bräckelmann wrote:
    > >
    > > RBL hits. They most likely have been updated since the original scan.
    > > Since you get this result with a subsequent spamc run, too, we pretty
    > > much can rule out permanent DNS failures or local tests option. Still, a
    > > (potentially local) temporary DNS issue might explain it.

    >
    > I feel like a complete ass. After reading this, I remembered that once
    > I suspected that the DNS queries were taking to long, and decided to do
    > some testing, so I turned off the RBL checks, but I did this in
    > mimedefang's config file. I re-enabled it, and will probably find that
    > my problem is gone now.


    Oh, right. Actually, my above judgment could have been more accurate,
    too. I noticed the headers are not inserted by SA, when I mentioned
    that auto-learn info is missing. That could have tipped me off to not
    rule out local test mode only.


    > As always, many thanks for this group, and all it's help


    Glad to see all my remarks made you spot the issue and see the problem,
    if not nail the problem right away myself.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


+ Reply to Thread