We have been very happily running spamassassin 3.0.4 under amavisd-new
milter on Suse 9.2 for a couple of years, using the standard
configuration recommended by the Italian GARR network.

Please avoid comments on "old version" or the like; we are planning an overall
update following an OS update in the coming months. I am asking a
VERY SPECIFIC question here.

We are trying to debug a funny case of a false positive (extremely rare
otherwise) which happened to us (the issue has been solved "by chance", but
we do not understand why).

A colleague of ours working remotely has set up (on a machine outside of our
domain) a system which requires a registration and then sends a
confirmation e-mail.

All such confirmation messages were blocked by our spamassassin with a
score of about 8. This is an example of the info in the header.

X-Spam-Status: Yes, hits=8.087 tag=-999 tag2=4.5 kill=4.5 tests=AWL,
BAYES_05,
DNS_FROM_SECURITYSAGE, FORGED_RCVD_HELO, HTML_10_20, HTML_EXTRA_CLOSE,
HTML_MESSAGE, HTML_SHORT_LENGTH, NO_REAL_NAME, UPPERCASE_25_50

As far as I understand, none of the above rules has a score above 0.38
(usually much lower and marginal, 0.007 or 0.001), except AWL, which has 1
(in fact the address is recorded in the awlst with a score of 8).

The message itself looked sort of funny to me:

1) had in the header
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0024_01C93372.1920FB50"

2) but it did not consist of attachments, and the boundary itself
did not appear anywhere in the message;

3) the message itself consisted of two lines interspersed with a few
HTML tags. This is an example:

We confirm your registration to the CRIS of the XYZT of abcde

The
access credentials are:

userid: XXXXXXXXX
password: YYYYYYY

We suggested that our colleague arrange for everything to be sent
in plain text. He did so (now there is no Content-Type in the header
and no HTML tags in the body), and now the messages are getting through.

But even if they were malformed, why should spamassassin assign such a
huge score?

I should add that when I did the experiments yesterday, I found that the awlst
on the main MX contained 33 hits (with the registration address and the
first two bytes of the IP address), with an average score of 8, while the
secondary MX contained one hit with a score of 9.1.

They were all recent since the registration address had just been created.

Yesterday I did a remove-address on both awlsts and re-ran a single test,
and that was immediately blocked with a score of 8 (so it did not depend
on the previous history of the address).

Then, when my colleague did his change, I did another remove-address and
then things went through without any record in awlst.


--
Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
-----------------------------------------------------------------------
"Nature" on government cuts to research http://snipurl.com/4erid
"Nature" on government cuts to research (Italian version) http://snipurl.com/4erko
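An added example (not part of the post above, nor SpamAssassin's own code) illustrating the two things the post describes: how a MIME parser treats a message whose Content-Type declares multipart/alternative but whose boundary never appears in the body, and how SpamAssassin's AutoWhitelist arithmetic derives the AWL contribution from the stored history (mean of previously seen scores minus the current pre-AWL score, times auto_whitelist_factor, default 0.5), keyed by address plus the first two octets of the sending IP. The sample message is constructed to resemble the description; the key format and the factor are assumptions about the 3.x AutoWhitelist, not taken from the post.

```python
"""Added example for the post above: a malformed multipart, and AWL arithmetic.

Assumptions (not from the original message):
  - SAMPLE is a constructed message mimicking the description: multipart
    header, boundary never used, two text lines with a few HTML tags;
  - the AWL formula and key format follow SpamAssassin 3.x AutoWhitelist:
    delta = (mean of stored scores - current score) * auto_whitelist_factor
    with the default factor 0.5, keyed as "address|ip=<first two octets>".
"""
from email import message_from_string

# Constructed sample: the header promises MIME parts, the body has none.
SAMPLE = """From: cris@example.org
To: user@example.org
Subject: registration
Content-Type: multipart/alternative;
\tboundary="----=_NextPart_000_0024_01C93372.1920FB50"

<html><body>We confirm your registration to the CRIS of the XYZT of abcde<br>
<p>The</p>
access credentials are:<br>
userid: XXXXXXXXX<br>
password: YYYYYYY</body></html>
"""


def parse_report(raw):
    """Parse a message and report how the stdlib MIME parser treats it.

    When the declared boundary is never found, the parser records a
    StartBoundaryNotFoundDefect, keeps the whole body as the preamble
    (a plain string), and the message ends up with no parts at all.
    """
    msg = message_from_string(raw)
    return {
        "declared_type": msg.get_content_type(),
        "boundary": msg.get_boundary(),
        "is_multipart": msg.is_multipart(),   # False: no parts were found
        "defects": [type(d).__name__ for d in msg.defects],
        "body": msg.get_payload(),            # entire body, as a string
    }


AWL_FACTOR = 0.5  # SpamAssassin default auto_whitelist_factor (assumed)


def awl_key(address, ip):
    """AWL database key: sender address plus the first two octets of the IP
    (matching the "first two bytes of the IP address" seen in the awlst)."""
    octets = ip.split(".")
    return "%s|ip=%s.%s" % (address.lower(), octets[0], octets[1])


def awl_delta(stored_total, stored_count, current_score, factor=AWL_FACTOR):
    """Score adjustment AWL adds to the current message.

    stored_total / stored_count is the mean of the pre-AWL scores previously
    recorded for this key.  A key with no history contributes nothing, and
    a history whose mean equals the current score contributes nothing either.
    """
    if stored_count == 0:
        return 0.0
    mean = stored_total / stored_count
    return (mean - current_score) * factor


def awl_update(stored_total, stored_count, current_score):
    """Return the (total, count) stored after scoring this message."""
    return stored_total + current_score, stored_count + 1


if __name__ == "__main__":
    report = parse_report(SAMPLE)
    print("declared:", report["declared_type"], "multipart:", report["is_multipart"])
    print("defects:", report["defects"])
    # The post's numbers: 33 hits averaging 8, current message also about 8.
    key = awl_key("cris@example.org", "192.0.2.10")
    print(key, "delta:", awl_delta(33 * 8.0, 33, 8.0))
    print("fresh key delta:", awl_delta(0.0, 0, 8.0))
```

Run it directly to see that the constructed message parses as a defective, part-less multipart, and that with a 33-entry history averaging 8 and a current pre-AWL score of 8 the AWL adjustment is 0 (as it is for a key with no history at all); AWL only moves the score when the current message scores differently from the sender's recorded average.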