Posted to users@spamassassin.apache.org by Peter Marshall <pe...@caris.com> on 2005/02/03 14:36:18 UTC

spamassassin scoring message twice

I am not sure why it is doing this ... but every time I get a spam, it looks
like it does the spam rating twice.  And it gives different scores each
time.  Here is the new header from the last email I got.  Notice how it
looks like spamassassin ran twice.  Any ideas ???  (Yes, my threshold is
low ... I am just testing what happens when spam arrives).

------------------------------------------------------
Spam detection software, running on the system "mailtestlx.mydomain.com",
has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
postmaster@caris.com for details.

Content preview:  Spam detection software, running on the system
  "mailtestlx.mydomain.com", has identified this incoming email
  as possible spam. The original message has been attached to this so
  you can view it (if it isn't spam) or label similar future email. If
  you have any questions, see postmaster@caris.com for details. [...]

Content analysis details:   (8.6 points, 3.0 required)

 pts rule name              description
---- ---------------------- ------------------------------------------------
--
 0.5 FROM_ENDS_IN_NUMS      From: ends in numbers
 0.9 PLING_QUERY            Subject has exclamation mark and question mark
-2.8 ALL_TRUSTED            Did not pass through any untrusted hosts
 1.1 FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
 0.8 BODY_ENHANCEMENT2      BODY: Information on getting larger body parts
 0.2 HTML_TEXT_AFTER_HTML   BODY: HTML contains text after HTML close tag
 0.2 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 0.3 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_OBFUSCATE_05_10   BODY: Message is 5% to 10% HTML obfuscation
 1.5 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.2 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 HTML_TITLE_EMPTY       BODY: HTML title contains no text
 0.1 MIME_BASE64_TEXT       RAW: Message text disguised using base64
encoding
 0.8 MIME_BASE64_BLANKS     RAW: Extra blank lines in base64 encoding
 1.2 OBFUSCATING_COMMENT    HTML comments which obfuscate text
 3.1 PERCENT_RANDOM         PERCENT_RANDOM

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.




Subject:
???SPAM??? FW: Get it now!
From:
"Joe" <wi...@hotmail.com>
Date:
Wed, 02 Feb 2005 22:17:00 -0400
To:
pmarshall@mydomain.com

Spam detection software, running on the system "mailtestlx.mydomain.com",
has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
postmaster@mydomain.com for details.

Content preview:  >From: "Fastest Penis Growth Available" To:
  wizard10@hotmail.com Subject: >Get it now! >Date: Mon, 31 Jan 2005
  09:21:56 -0800 > Nah, it's not what i'm looking for. clickhere . .
  [...]

Content analysis details:   (9.6 points, 3.0 required)

 pts rule name              description
---- ---------------------- ------------------------------------------------
--
 0.5 FROM_ENDS_IN_NUMS      From: ends in numbers
 0.8 BODY_ENHANCEMENT2      BODY: Information on getting larger body parts
 0.2 HTML_TEXT_AFTER_HTML   BODY: HTML contains text after HTML close tag
 0.2 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 0.3 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_OBFUSCATE_05_10   BODY: Message is 5% to 10% HTML obfuscation
 1.5 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.2 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 HTML_TITLE_EMPTY       BODY: HTML title contains no text
 0.1 MIME_BASE64_TEXT       RAW: Message text disguised using base64
encoding
 0.8 MIME_BASE64_BLANKS     RAW: Extra blank lines in base64 encoding
 1.2 OBFUSCATING_COMMENT    HTML comments which obfuscate text
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 3.1 PERCENT_RANDOM         PERCENT_RANDOM
 0.1 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

-------------------------------------


RE: spamassassin scoring message twice

Posted by Peter Marshall <pe...@caris.com>.
Found it ... I had another procmailrc file in /etc ... I was trying
something else a little while ago and forgot about it.

Thanks for the help.

I have another question, but I will make a new post.

Peter



RE: spamassassin scoring message twice

Posted by Peter Marshall <pe...@caris.com>.
Here is my .procmailrc file

#Spamassassin start
:0fw
| /usr/bin/spamc
#Spamassassin end
~

And I run this from /etc/init.d/spamassassin

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Source spamd configuration.
if [ -f /etc/sysconfig/spamassassin ] ; then
        . /etc/sysconfig/spamassassin
else
        SPAMDOPTIONS="-d -c -m5 -H"
fi

[ -f /usr/bin/spamd -o -f /usr/local/bin/spamd ] || exit 0
PATH=$PATH:/usr/bin:/usr/local/bin

# See how we were called.
case "$1" in
  start)
        # Start daemon.
        echo -n "Starting spamd: "
        daemon spamd $SPAMDOPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/spamassassin
        ;;
stop)
        # Stop daemons.
        echo -n "Shutting down spamd: "
        killproc spamd
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f /var/lock/subsys/spamassassin
        ;;





Re: spamassassin scoring message twice

Posted by Matt Kettler <mk...@comcast.net>.
At 08:36 AM 2/3/2005, Peter Marshall wrote:
>I am not sure why it is doing this ... but every time I get a spam, it looks
>like it does the spam rating twice.  And it gives different scores each
>time.  Here is the new header from the last email I got.  Notice how it
>looks like spamassassin ran twice.  Any ideas ???  (Yes, my threshold is
>low ... I am just testing what happens when spam arrives).

From the looks of it, you are feeding the mail to SA twice. How do you
have SA set up? What tools do you use? Are you using both a milter and a
call in procmail?

Try to figure out where SA is being called, and pick one method.

As for the different scores, that's not surprising.  Since you're using 
encapsulation, the first time the message is scanned and marked as spam, 
it's encapsulated in a new message with new headers. This means the second 
time around the headers are different.


It also looks like you suffer from the ALL_TRUSTED mis-matches caused by
having a NATed mailserver. You might want to look at setting
trusted_networks manually to fix that. 
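
Added example, not part of any post in this thread: one way to find where SpamAssassin is being called from procmail, which is what turned out to be the cause here (a second procmailrc in /etc). It covers procmail rc files only, not a milter; the function names `sa_callers` and `sa_double_scan` are hypothetical and the demo rc files are constructed.

```shell
#!/bin/sh
# Added example: report which procmail rc files pipe mail into SpamAssassin.
# Pass every rc file that applies to the mailbox (system-wide and per-user).

# sa_callers FILE...
# Prints one line per readable file that contains an active (uncommented)
# procmail pipe action invoking spamc or spamassassin.
sa_callers() {
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        # Action line: optional whitespace, "|", optional path, then the command.
        if grep -Eq '^[[:space:]]*[|][[:space:]]*([^[:space:]]*/)?(spamc|spamassassin)([[:space:]]|$)' "$rc"; then
            printf '%s\n' "$rc"
        fi
    done
}

# sa_double_scan FILE...
# Succeeds (exit 0) when more than one rc file calls SpamAssassin, i.e. the
# message is scanned, encapsulated, and then the wrapper is scanned again.
sa_double_scan() {
    n=$(sa_callers "$@" | wc -l | tr -d ' ')
    [ "$n" -gt 1 ]
}

# Constructed demo input: a system-wide rc and a per-user rc, both calling spamc.
demo_dir=$(mktemp -d)
printf ':0fw\n| /usr/bin/spamc\n' > "$demo_dir/etc_procmailrc"
printf '#Spamassassin start\n:0fw\n| /usr/bin/spamc\n#Spamassassin end\n' \
    > "$demo_dir/user_procmailrc"

if sa_double_scan "$demo_dir/etc_procmailrc" "$demo_dir/user_procmailrc"; then
    echo "SpamAssassin is invoked from more than one rc file:"
    sa_callers "$demo_dir/etc_procmailrc" "$demo_dir/user_procmailrc"
fi
rm -rf "$demo_dir"
```

On a real host the arguments would be the system-wide rc file and the recipient's own rc file; keep the call in only one of them.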


RE: spamassassin scoring message twice

Posted by Sander Holthaus - Orange XL <in...@orangexl.com>.
What kind of setup are you using? What do you do if an email is tagged as
spam? SpamAssassin ran twice, but because of -2.8 ALL_TRUSTED, I would say
that it is some configuration issue on how you quarantine spam.

Kind Regards,
Sander Holthaus
