Posted to users@spamassassin.apache.org by Mike Pepe <la...@doki-doki.net> on 2005/06/24 02:34:35 UTC

not whitelist, but why are spams getting through?

OK, so it's not the autowhitelist doing it, but over the last couple of 
weeks an extraordinary amount of spam is getting through and I don't 
know why.

A particular message just came into my inbox, with the following headers:

X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on quadzilla
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_60,
         RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO autolearn=no version=3.0.4

yet, when I run spamassassin < message , I get this result:

X-Spam-Prev-Subject: Hi funstuff..,,.beryllium
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on quadzilla
X-Spam-Level: ************
X-Spam-Status: Yes, score=13.0 required=5.0 tests=AWL,BAYES_60,
         RCVD_HELO_IP_MISMATCH,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
         RCVD_NUMERIC_HELO,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
         URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam version=3.0.4

Looks like the automatic scanning via spamd is running different tests 
than when I run the message through manually.

Why would this be?

System is fairly stock fedora core 3.


Re: not whitelist, but why are spams getting through?

Posted by Matt Kettler <mk...@evi-inc.com>.
Mike Pepe wrote:
> OK, so it's not the autowhitelist doing it, but over the last couple of
> weeks an extraordinary amount of spam is getting through and I don't
> know why.
> 
> A particular message just came into my inbox, with the following headers:
> 
> X-Spam-Checker-Version:
> SpamAssassin 3.0.4 (2005-06-05) on quadzilla
> X-Spam-Level: ****
> X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_60,
> RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO autolearn=no version=3.0.4
> 

<snip>
> 
> Looks like the automatic scanning via spamd is running different tests
> than when I run the message through manually.
> 
> Why would this be?

Any chance you're starting spamd with the -L parameter?


Re: not whitelist, but why are spams getting through?

Posted by Mike Pepe <la...@doki-doki.net>.
> 
> There are two fairly obvious possibilities here:
> 
> 1.    Your server isn't normally running with net tests enabled, but they
> were for the manual test.

Why would that be?

> 2.    You ran the manual test > 1/2hr after the automatic scan, and by then
> the domain had made it into all of the blacklists.

There was a delay between the manual test and the email's arrival, so 
that may be possible.

> Since awl kicked in on the manual test and didn't on the automatic test, you
> may have configuration differences.  I'd look for some configuration
> difference that may be keeping net tests from running normally.
> 
> Also feed this to bayes.  Assuming it really is spam, it should be getting a
> lot higher than a 60.
> 
>         Loren

I did feed it in.

Oddly enough, this morning when I went to check email there were no 
spurious spams in the inbox. Seems like it decided it wants to work now.

Mysterious.


Re: not whitelist, but why are spams getting through?

Posted by Loren Wilton <lw...@earthlink.net>.
> A particular message just came into my inbox, with the following headers:
>
> RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO autolearn=no version=3.0.4
>
> yet, when I run spamassassin < message , I get this result:
>
> X-Spam-Status: Yes, score=13.0 required=5.0 tests=AWL,BAYES_60,
>          RCVD_HELO_IP_MISMATCH,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
>          RCVD_NUMERIC_HELO,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
>          URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam
>
> Looks like the automatic scanning via spamd is running different tests
> than when I run the message through manually.
>
> Why would this be?

There are two fairly obvious possibilities here:

1.    Your server isn't normally running with net tests enabled, but they
were for the manual test.

2.    You ran the manual test > 1/2hr after the automatic scan, and by then
the domain had made it into all of the blacklists.

Since awl kicked in on the manual test and didn't on the automatic test, you
may have configuration differences.  I'd look for some configuration
difference that may be keeping net tests from running normally.

Also feed this to bayes.  Assuming it really is spam, it should be getting a
lot higher than a 60.

        Loren
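
Added example, not part of the original thread: a small Python script that diffs the two X-Spam-Status headers posted above and separates the rules that only fired on the manual rescan into network lookups and local rules. The function names and the prefix-based classification of network rules (RCVD_IN_*, URIBL_*) are assumptions made for this example.

```python
import re

# Prefixes of rules that need DNS lookups (DNSBL and URI blocklist rules).
# Assumption for this example: prefix matching covers the rules seen in this thread.
NET_PREFIXES = ("RCVD_IN_", "URIBL_")

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"\s+tests=(.*?)\s+autolearn=(\S+)")

def parse_status(header):
    """Parse a (possibly folded) X-Spam-Status header into a dict."""
    m = STATUS_RE.search(re.sub(r"\s+", " ", header))  # unfold first
    if not m:
        raise ValueError("no X-Spam-Status header found")
    tests = {t.strip() for t in m.group(4).split(",") if t.strip()}
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests,
            "autolearn": m.group(5)}

def is_net(rule):
    return rule.startswith(NET_PREFIXES)

def compare(daemon_hdr, manual_hdr):
    """Diff the rules hit by the spamd scan and by the manual rescan."""
    d, m = parse_status(daemon_hdr), parse_status(manual_hdr)
    extra = m["tests"] - d["tests"]
    return {
        "score_gap": round(m["score"] - d["score"], 1),
        "manual_only_net": sorted(t for t in extra if is_net(t)),
        "manual_only_local": sorted(t for t in extra if not is_net(t)),
        # No network rule at all in the daemon result: consistent with a
        # local-only scan (spamd -L) or with blocklists not yet listing the
        # sender at delivery time; the headers alone cannot tell which.
        "daemon_hit_no_net_rules": not any(is_net(t) for t in d["tests"]),
    }

# Headers as posted in this thread.
DAEMON = """X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_60,
 RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO autolearn=no version=3.0.4"""
MANUAL = """X-Spam-Status: Yes, score=13.0 required=5.0 tests=AWL,BAYES_60,
 RCVD_HELO_IP_MISMATCH,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
 RCVD_NUMERIC_HELO,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
 URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam version=3.0.4"""

if __name__ == "__main__":
    for key, value in compare(DAEMON, MANUAL).items():
        print(f"{key}: {value}")
```

Running the same comparison on a message rescanned immediately after delivery helps separate the two causes named in the thread, since a blocklist is less likely to have changed in that interval.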