Different Scores - SpamAssassin


Thread: Different Scores

  1. Different Scores


    Can someone help me understand why a message can come through and get one
    score, then I can scan it again 1 minute later and get a much higher score?

    Here's the message.
    http://slexy.org/raw/s2JoVC8OlP

    The top copy of the message was how it was scanned coming in. Immediately, I
    rescanned the message with spamassassin -d -t (scroll down to see it). I
    snipped off the bottom of the long boring stuff.

    I'm just trying to understand what's going on here so I can maintain my
    sanity.

    TIA
    --
    View this message in context: http://www.nabble.com/Different-Scor...p19403311.html
    Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


  2. Re: Different Scores

    On Tue, 9 Sep 2008, PileOfMush wrote:

    > Can someone help me understand why a message can come through and get one score, then I can scan it again 1 minute later and get a
    > much higher score? Here's the message. http://slexy.org/raw/s2JoVC8OlP The top copy of the message was how it was scanned coming in.
    > Immediately, I rescanned the message with spamassassin -d -t (scroll down to see it). I snipped off the bottom of the long boring
    > stuff. I'm just trying to understand what's going on here so I can maintain my sanity. TIA


    Did you scan the message via 'spamassassin -d -t' as the same user the
    (I'm assuming) first mentioned was scanned via spamd?

    This is a common issue that arises quite often on this list.

    -d


  3. Re: Different Scores

    PileOfMush wrote:
    > Can someone help me understand why a message can come through and get
    > one score, then I can scan it again 1 minute later and get a much
    > higher score? Here's the message. http://slexy.org/raw/s2JoVC8OlP The
    > top copy of the message was how it was scanned coming in. Immediately,
    > I rescanned the message with spamassassin -d -t (scroll down to see
    > it). I snipped off the bottom of the long boring stuff. I'm just
    > trying to understand what's going on here so I can maintain my sanity.
    > TIA


    I see two big differences that jump out at me. As Duane suggested, were
    these run as the same user?

    The first thing that jumps out is that in the first run, URIBL_JP_SURBL
    scores 1.5 (default when bayes is enabled), but the second run it scores
    2.9 (default when bayes is disabled).

    Also, the first run hit BAYES_00 for -2.6 points, but the second run did
    not hit bayes at all.

    It looks like your second run is as a user that doesn't have a bayes DB,
    but your first run does have one, and that bayes DB strongly thinks the
    message is not spam (less than 1% probability it is spam..).

    You might want to review your bayes training.

    See also: man sa-learn


  4. Re: Different Scores


    No, I ran the spamassassin -d -t test as root. I'm not sure which user to
    run as. I'm using qmail on plesk. I have about 6 different users with
    the name "qmail" in them, plus a few "mail" related users as well as
    "popuser".

    Here is what's different between the two sets of headers. I threw the Bayes
    part out as well because it's understandable. Does running as a different
    user cause this part to be different as well? This message was manually run
    through literally 1 minute later.

    Automated:
    * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
    blocklist
    * [URIs: opaqbay.com]
    * 1.1 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
    * [URIs: wildberyl.com]

    Manually run as root:
    * 0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
    * 0.8 RCVD_IN_DOB RBL: Received via relay in new domain (Day Old
    Bread)
    * 0.9 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
    * [URIs: opaqbay.com]
    * 2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
    blocklist
    * [URIs: opaqbay.com]




    Matt Kettler-3 wrote:
    >
    > PileOfMush wrote:
    >> Can someone help me understand why a message can come through and get
    >> one score, then I can scan it again 1 minute later and get a much
    >> higher score? Here's the message. http://slexy.org/raw/s2JoVC8OlP The
    >> top copy of the message was how it was scanned coming in. Immediately,
    >> I rescanned the message with spamassassin -d -t (scroll down to see
    >> it). I snipped off the bottom of the long boring stuff. I'm just
    >> trying to understand what's going on here so I can maintain my sanity.
    >> TIA

    >
    > I see two big differences that jump out at me. As Duane suggested, were
    > these run as the same user?
    >
    > The first thing that jumps out is that in the first run, URIBL_JP_SURBL
    > scores 1.5 (default when bayes is enabled), but the second run it scores
    > 2.9 (default when bayes is disabled).
    >
    > Also, the first run hit BAYES_00 for -2.6 points, but the second run did
    > not hit bayes at all.
    >
    > It looks like your second run is as a user that doesn't have a bayes DB,
    > but your first run does have one, and that bayes DB strongly thinks the
    > message is not spam (less than 1% probability it is spam..).
    >
    > You might want to review your bayes training.
    >
    > See also: man sa-learn


    --
    View this message in context: http://www.nabble.com/Different-Scor...p19416161.html
    Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


  5. Re: Different Scores

    PileOfMush wrote:
    > No, I ran the spamassassin -d -t test as root.

    Well, if you use spamd, that's definitely not the right user. Spamd will
    never scan as root.


    > I'm not sure which user to
    > run as. I'm using qmail on plesk. I have about 6 different users with
    > the name "qmail" in them, plus a few "mail" related users as well as
    > "popuser".
    >

    Hmm, I'm unfamiliar with both qmail and plesk...

    As a general suggestion, as root run
    locate bayes_toks

    And see which home directories contain bayes DBs.. look for the one
    that's recently updated. run as that user.

    > Here is what's different between the two sets of headers. I threw the Bayes
    > part out as well because it's understandable. Does running as a different
    > user cause this part to be different as well?

    Bayes being enabled or not changes the score of *all* the rules. So
    that's quite normal. Generally the system puts a lot of trust in bayes,
    since it is generally hand-trained and hand corrected.


    The RCVD_IN_DOB is a little odd, but that could have timed out on the
    first run, but been cached for the second one. Regardless the two rules
    that hit that did not hit in the first run total to 1.1 points, and are
    much less of a difference than the bayes impact. (-2.6 for BAYES_00, and
    URIBL_JP_SURBL is reduced by 1.4 points, so bayes is directly involved
    in 4 points of difference).

    In a well trained scenario, this should have hit BAYES_99, for +3.5
    points, instead of -2.6 for BAYES_00, causing the bayes run to score
    much higher. That's a 6.1 point swing. Big difference.





    > This message was manually run
    > through literally 1 minute later.
    >
    > Automated:
    > * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
    > blocklist
    > * [URIs: opaqbay.com]
    > * 1.1 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
    > * [URIs: wildberyl.com]
    >
    > Manually run as root:
    > * 0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
    > * 0.8 RCVD_IN_DOB RBL: Received via relay in new domain (Day Old
    > Bread)
    > * 0.9 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
    > * [URIs: opaqbay.com]
    > * 2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
    > blocklist
    > * [URIs: opaqbay.com]
    >
    >



  6. Re: Different Scores

    On 10.09.08 11:24, PileOfMush wrote:
    > No, I ran the spamassassin -d -t test as root. I'm not sure which user to
    > run as. I'm using qmail on plesk. I have about 6 different users with
    > the name "qmail" in them, plus a few "mail" related users as well as
    > "popuser".
    >
    > Here is what's different between the two sets of headers. I threw the Bayes
    > part out as well because it's understandable. Does running as a different
    > user cause this part to be different as well? This message was manually run
    > through literally 1 minute later.
    >
    > Automated:
    > * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
    > blocklist
    > * [URIs: opaqbay.com]
    > * 1.1 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
    > * [URIs: wildberyl.com]
    >
    > Manually run as root:
    > * 0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
    > * 0.8 RCVD_IN_DOB RBL: Received via relay in new domain (Day Old
    > Bread)
    > * 0.9 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
    > * [URIs: opaqbay.com]
    > * 2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
    > blocklist
    > * [URIs: opaqbay.com]


    since URIBL_JP_SURBL and URIBL_RHS_DOB have different scores in those cases,
    it's clear that you run with different settings.

    % grep URIBL_JP_SURBL /var/lib/spamassassin/3.002003/updates_spamassassin_org/50_scores.cf
    score URIBL_JP_SURBL 0 2.857 0 1.501 # n=0 n=2

    the first was with, the latter without BAYES filter...
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    Honk if you love peace and quiet.
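
Added example, not part of any post in the thread and not SpamAssassin's own code: a four-value `score` line lists one score per score set (set 0: no Bayes, no network tests; set 1: network tests only; set 2: Bayes only; set 3: both), so the scores shown in a report reveal which set a run used. The sketch below applies that to the grep output and report excerpts quoted in the thread; the function names are hypothetical, and it assumes reports show scores rounded to one decimal place.

```python
import re

# Index = score set: (2 if Bayes is enabled) + (1 if network tests are enabled)
SCORE_SETS = ["no Bayes, no net", "no Bayes, net", "Bayes, no net", "Bayes, net"]
HIT_RE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")

# Copied from the thread: the grep output and parts of the two report excerpts.
SCORE_LINE = "score URIBL_JP_SURBL 0 2.857 0 1.501 # n=0 n=2"
AUTOMATED = """\
* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
blocklist
* [URIs: opaqbay.com]
* 1.1 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
"""
MANUAL = """\
* 0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
* 2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
blocklist
"""

def parse_score_line(line):
    """Parse 'score RULE a [b c d]' into (rule, [set0, set1, set2, set3])."""
    fields = line.split("#", 1)[0].split()  # drop the trailing comment
    if len(fields) not in (3, 6) or fields[0] != "score":
        raise ValueError(f"not a score line: {line!r}")
    values = [float(v) for v in fields[2:]]
    return fields[1], values * 4 if len(values) == 1 else values

def parse_hits(report):
    """Return {rule: displayed score}, skipping wrapped text and [URIs: ...] lines."""
    hits = {}
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def candidate_sets(score_table, hits, tol=0.05):
    """Score sets whose configured scores match every displayed score we can check."""
    candidates = set(range(4))
    for rule, shown in hits.items():
        if rule in score_table:  # rules without a known score line are ignored
            candidates &= {i for i, s in enumerate(score_table[rule])
                           if abs(s - shown) <= tol}
    return candidates

if __name__ == "__main__":
    table = dict([parse_score_line(SCORE_LINE)])
    for name, report in (("automated", AUTOMATED), ("manual", MANUAL)):
        sets = sorted(candidate_sets(table, parse_hits(report)))
        print(name, "->", [f"set {i}: {SCORE_SETS[i]}" for i in sets])
```

A run whose candidates narrow to set 1 while production traffic lands in set 3 points to a scan that found no usable Bayes database for the user it ran as.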

