You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by do...@bakerbotts.com on 2007/07/25 20:01:09 UTC
score-0 problem: SpamAssassin (not cached, score=0, required 5, autolearn=)
I have noticed that some spam has been creeping in. We have 4 inbound
MX servers, but only has is experiencing this problem.
SpamAssassin version 3.2.0
running on Perl version 5.8.3
This is MailScanner version 4.59.4
Here are the counts of 'is not spam' and 'is spam' with 'score=0,':
fgrep "score=0," /var/log/maillog | grep 'is not spam' | wc -l -- 649
fgrep "score=0," /var/log/maillog | grep 'is spam' | wc -l -- 311
Spamassasin is not showing any errors, and '/usr/bin/spamassassin -D -p
/etc/MailScanner/spam.assassin.prefs.conf --lint' does not show errors.
Here is an example of the headers from a spam message:
From: "Erick Page" <le...@amorymusic.com>
X-Mailer: The Bat! (v2.01) Personal
Reply-To: lehamorymusiccah@amorymusic.com
X-Priority: 3 (Normal)
Message-ID: <53...@amorymusic.com>
To: domianbilling@bakerbotts.com
Subject: Greatest artworks from top artists
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------F6EBF6EB821E4B82"
X-Null-Tag: fca71ee22f4011b5a8b9f02a21610260
X-BakerBotts-MailScanner-Information: Please contact the ISP for more
information
X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=0, required 5, autolearn=)
X-BakerBotts-MailScanner-From: lehamorymusiccah@amorymusic.com
X-Spam-Status: No
Return-Path: lehamorymusiccah@amorymusic.com
I would appreciate any help you can provide.
Thanks,
Donald
Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183
Re: score-0 problem: SpamAssassin (not cached, score=0,
required 5, autolearn=)
Posted by SM <sm...@resistor.net>.
At 11:01 25-07-2007, donald.dawson@bakerbotts.com wrote:
>I have noticed that some spam has been creeping in. We have 4
>inbound MX servers, but only has is experiencing this problem.
Are you using the same configuration on all MX servers?
>Here is an example of the headers from a spam message:
>
>From: "Erick Page" <le...@amorymusic.com>
>X-Mailer: The Bat! (v2.01) Personal
>Reply-To: lehamorymusiccah@amorymusic.com
>X-Priority: 3 (Normal)
>Message-ID: <53...@amorymusic.com>
>To: domianbilling@bakerbotts.com
>Subject: Greatest artworks from top artists
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----------F6EBF6EB821E4B82"
>X-Null-Tag: fca71ee22f4011b5a8b9f02a21610260
>X-BakerBotts-MailScanner-Information: Please contact the ISP for
>more information
>X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=0, required 5, autolearn=)
>X-BakerBotts-MailScanner-From: lehamorymusiccah@amorymusic.com
>X-Spam-Status: No
>Return-Path: lehamorymusiccah@amorymusic.com
The headers should also include the Received headers. SpamAssassin
performs tests on the entire headers and the body of the
message. The above headers alone is not enough to do a determination.
Regards,
-sm
RE: score-0 problem: SpamAssassin (not cached, score=0,
required 5, autolearn=)
Posted by SM <sm...@resistor.net>.
Hi Donald
At 14:56 25-07-2007, donald.dawson@bakerbotts.com wrote:
>No rules triggered at all for that piece of spam.
You should at least have hits for HELO_DYNAMIC_DHCP and
RDNS_DYNAMIC. The Received headers in your sample are odd. The
dsl85-102-24083.ttnet.net.tr should ahve been the topmost. I assume
that they might have been reordered after the message went through
SpamAssassin.
Regards,
-sm
RE: score-0 problem: SpamAssassin (not cached, score=0, required 5, autolearn=)
Posted by do...@bakerbotts.com.
No rules triggered at all for that piece of spam.
I'll check the MailScanner group to see if they have any experience with
this issue.
Thanks,
Donald
-----Original Message-----
From: SM [mailto:sm@resistor.net]
Sent: Wednesday, July 25, 2007 4:18 PM
To: Dawson, Donald; users@spamassassin.apache.org
Subject: RE: score-0 problem: SpamAssassin (not cached, score=0,
required 5, autolearn=)
At 13:41 25-07-2007, donald.dawson@bakerbotts.com wrote:
>sm - We have the same configuration on all our MX servers. Here are
>all of the headers for an example spam email:
The SpamAssassin scoring should be the same then.
>Note, it may be system/config-related - the /dev/shm directory is
>used by spamassassin, but it is not getting cleaned out consistently.
It might be Mailscanner leaving these files there.
>Received: from dsl85-102-24083.ttnet.net.tr
>(dsl85-102-24083.ttnet.net.tr [85.102.94.19] (may be forged))
This should trigger a rule at least. Can you verify your logs to see
which tests were hit for that particular email?
Regards,
-sm
RE: score-0 problem: SpamAssassin (not cached, score=0,
required 5, autolearn=)
Posted by SM <sm...@resistor.net>.
At 13:41 25-07-2007, donald.dawson@bakerbotts.com wrote:
>sm - We have the same configuration on all our MX servers. Here are
>all of the headers for an example spam email:
The SpamAssassin scoring should be the same then.
>Note, it may be system/config-related - the /dev/shm directory is
>used by spamassassin, but it is not getting cleaned out consistently.
It might be Mailscanner leaving these files there.
>Received: from dsl85-102-24083.ttnet.net.tr
>(dsl85-102-24083.ttnet.net.tr [85.102.94.19] (may be forged))
This should trigger a rule at least. Can you verify your logs to see
which tests were hit for that particular email?
Regards,
-sm
RE: score-0 problem: SpamAssassin (not cached, score=0, required 5, autolearn=)
Posted by do...@bakerbotts.com.
sm - We have the same configuration on all our MX servers. Here are all
of the headers for an example spam email:
Note, it may be system/config-related - the /dev/shm directory is used
by spamassassin, but it is not getting cleaned out consistently.
Microsoft Mail Internet Headers Version 2.0
Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
Wed, 25 Jul 2007 06:28:25 -0500
Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
Wed, 25 Jul 2007 06:28:25 -0500
Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
[10.20.254.236]) by housweep03.bakerbotts.net
(Content Technologies SMTPRS 4.3.20) with ESMTP id
<T8...@housweep03.bakerbotts.net>;
Wed, 25 Jul 2007 06:28:24 -0500
Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by
housweep01.bakerbotts.net
(Content Technologies SMTPRS 4.3.20) with ESMTP id
<T8...@housweep01.bakerbotts.net>;
Wed, 25 Jul 2007 06:28:23 -0500
X-Envelope-From: lehamorymusiccah@amorymusic.com
Received: from dsl85-102-24083.ttnet.net.tr
(dsl85-102-24083.ttnet.net.tr [85.102.94.19] (may be forged))
by houmx05.bakerbotts.com (8.13.8/8.13.5) with ESMTP id l6PBRJSh012871;
Wed, 25 Jul 2007 06:27:27 -0500
Received: from [85.102.94.19] by mail.amorymusic.com; Wed, 25 Jul 2007
11:27:32 -0200
Date: Wed, 25 Jul 2007 11:27:32 -0200
From: "Erick Page" <le...@amorymusic.com>
X-Mailer: The Bat! (v2.01) Personal
Reply-To: lehamorymusiccah@amorymusic.com
X-Priority: 3 (Normal)
Message-ID: <53...@amorymusic.com>
To: domianbilling@bakerbotts.com
Subject: Greatest artworks from top artists
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------F6EBF6EB821E4B82"
X-Null-Tag: fca71ee22f4011b5a8b9f02a21610260
X-BakerBotts-MailScanner-Information: Please contact the ISP for more
information
X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=0, required 5, autolearn=)
X-BakerBotts-MailScanner-From: lehamorymusiccah@amorymusic.com
X-Spam-Status: No
Return-Path: lehamorymusiccah@amorymusic.com
X-OriginalArrivalTime: 25 Jul 2007 11:28:25.0570 (UTC)
FILETIME=[EA688C20:01C7CEAE]
------------F6EBF6EB821E4B82
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
------------F6EBF6EB821E4B82
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
------------F6EBF6EB821E4B82--
-----Original Message-----
From: donald.dawson@bakerbotts.com
[mailto:donald.dawson@bakerbotts.com]
Sent: Wednesday, July 25, 2007 3:11 PM
To: users@spamassassin.apache.org
Subject: RE: score-0 problem: SpamAssassin (not cached, score=0,
required 5, autolearn=)
There are files in /dev/shm/ (.spamassassin*) that are being
created, and some are being left in that directory. Here is an example
of a file that has been left on this ramdisk fs:
# grep l6PJ1iYV029369 /var/log/maillog
Jul 25 14:01:51 houmx05 milter-greylist: l6PJ1iYV029369:
skipping greylist because this is the default action,
(from==kimharrison2@srs.bis.na.blackberry.com>,
rcpt=<tr...@bakerbotts.com>,
addr=smtp02.bis.na.blackberry.com[216.9.248.49])
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369:
from=<SRS0=R44+k6=MX=tmo.blackberry.net=kimharrison2@srs.bis.na.blackber
ry.com>, size=654, class=0, nrcpts=1,
msgid=<2074773001-1185390040-cardhu_decombobulator_blackberry.rim.net-11
01465393-@bxe017.bisx.prod.on.blac, proto=ESMTP, daemon=MTA,
relay=smtp02.bis.na.blackberry.com [216.9.248.49]
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter
add: header: X-Null-Tag: 3a576a56bd3b913802bbc7fd4c9f07ad
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter
add: header: X-Greylist: Default is to whitelist mail, not delayed by
milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Wed, 25
Jul 2007 14:01:51 -0500 (CDT)
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369:
to=<tr...@bakerbotts.com>, delay=00:00:00, mailer=esmtp,
pri=30654, stat=queued
Jul 25 14:01:53 houmx05 MailScanner[6850]: Message
l6PJ1iYV029369 from 216.9.248.49
(srs0=r44+k6=mx=tmo.blackberry.net=kimharrison2@srs.bis.na.blackberry.co
m) to bakerbotts.com is not spam, SpamAssassin (not cached, score=0,
required 5, autolearn=)
Jul 25 14:01:56 houmx05 sendmail[29452]: l6PJ1iYV029369:
to=<tr...@bakerbotts.com>, delay=00:00:05, xdelay=00:00:00,
mailer=esmtp, pri=120654, relay=housweep01.bakerbotts.net.
[10.20.254.236], dsn=2.0.0, stat=Sent (Message received OK)
# l .spamassassin29421Mvfyimtmp
-rw------- 1 root root 1307 Jul 25 14:01
.spamassassin29421Mvfyimtmp
Wed Jul 25 14:12:06 CDT 2007
I'm wondering if it is a possible problem with the /dev/shm ram
disk. Can spamassassin be pointed to use another directory?
Thanks,
Donald
-----Original Message-----
From: Dawson, Donald
Sent: Wednesday, July 25, 2007 1:01 PM
To: users@spamassassin.apache.org
Subject: score-0 problem: SpamAssassin (not
cached, score=0, required 5, autolearn=)
I have noticed that some spam has been creeping in. We
have 4 inbound MX servers, but only has is experiencing this problem.
SpamAssassin version 3.2.0
running on Perl version 5.8.3
This is MailScanner version 4.59.4
Here are the counts of 'is not spam' and 'is spam' with
'score=0,':
fgrep "score=0," /var/log/maillog | grep 'is not spam' |
wc -l -- 649
fgrep "score=0," /var/log/maillog | grep 'is spam' | wc
-l -- 311
Spamassasin is not showing any errors, and
'/usr/bin/spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf
--lint' does not show errors.
Here is an example of the headers from a spam message:
From: "Erick Page" <le...@amorymusic.com>
X-Mailer: The Bat! (v2.01) Personal
Reply-To: lehamorymusiccah@amorymusic.com
X-Priority: 3 (Normal)
Message-ID: <53...@amorymusic.com>
To: domianbilling@bakerbotts.com
Subject: Greatest artworks from top artists
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------F6EBF6EB821E4B82"
X-Null-Tag: fca71ee22f4011b5a8b9f02a21610260
X-BakerBotts-MailScanner-Information: Please contact the
ISP for more information
X-BakerBotts-MailScanner-SpamCheck: not spam,
SpamAssassin (not cached,
score=0, required 5, autolearn=)
X-BakerBotts-MailScanner-From:
lehamorymusiccah@amorymusic.com
X-Spam-Status: No
Return-Path: lehamorymusiccah@amorymusic.com
I would appreciate any help you can provide.
Thanks,
Donald
Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183
RE: score-0 problem: SpamAssassin (not cached, score=0, required 5, autolearn=)
Posted by do...@bakerbotts.com.
There are files in /dev/shm/ (.spamassassin*) that are being created,
and some are being left in that directory. Here is an example of a file
that has been left on this ramdisk fs:
# grep l6PJ1iYV029369 /var/log/maillog
Jul 25 14:01:51 houmx05 milter-greylist: l6PJ1iYV029369: skipping
greylist because this is the default action,
(from==kimharrison2@srs.bis.na.blackberry.com>,
rcpt=<tr...@bakerbotts.com>,
addr=smtp02.bis.na.blackberry.com[216.9.248.49])
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369:
from=<SRS0=R44+k6=MX=tmo.blackberry.net=kimharrison2@srs.bis.na.blackber
ry.com>, size=654, class=0, nrcpts=1,
msgid=<2074773001-1185390040-cardhu_decombobulator_blackberry.rim.net-11
01465393-@bxe017.bisx.prod.on.blac, proto=ESMTP, daemon=MTA,
relay=smtp02.bis.na.blackberry.com [216.9.248.49]
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter add:
header: X-Null-Tag: 3a576a56bd3b913802bbc7fd4c9f07ad
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter add:
header: X-Greylist: Default is to whitelist mail, not delayed by
milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Wed, 25
Jul 2007 14:01:51 -0500 (CDT)
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369:
to=<tr...@bakerbotts.com>, delay=00:00:00, mailer=esmtp,
pri=30654, stat=queued
Jul 25 14:01:53 houmx05 MailScanner[6850]: Message l6PJ1iYV029369 from
216.9.248.49
(srs0=r44+k6=mx=tmo.blackberry.net=kimharrison2@srs.bis.na.blackberry.co
m) to bakerbotts.com is not spam, SpamAssassin (not cached, score=0,
required 5, autolearn=)
Jul 25 14:01:56 houmx05 sendmail[29452]: l6PJ1iYV029369:
to=<tr...@bakerbotts.com>, delay=00:00:05, xdelay=00:00:00,
mailer=esmtp, pri=120654, relay=housweep01.bakerbotts.net.
[10.20.254.236], dsn=2.0.0, stat=Sent (Message received OK)
# l .spamassassin29421Mvfyimtmp
-rw------- 1 root root 1307 Jul 25 14:01 .spamassassin29421Mvfyimtmp
Wed Jul 25 14:12:06 CDT 2007
I'm wondering if it is a possible problem with the /dev/shm ram disk.
Can spamassassin be pointed to use another directory?
Thanks,
Donald
> -----Original Message-----
> From: Dawson, Donald
> Sent: Wednesday, July 25, 2007 1:01 PM
> To: users@spamassassin.apache.org
> Subject: score-0 problem: SpamAssassin (not cached, score=0,
> required 5, autolearn=)
>
> I have noticed that some spam has been creeping in. We have 4 inbound
> MX servers, but only has is experiencing this problem.
>
> SpamAssassin version 3.2.0
> running on Perl version 5.8.3
> This is MailScanner version 4.59.4
>
> Here are the counts of 'is not spam' and 'is spam' with 'score=0,':
>
> fgrep "score=0," /var/log/maillog | grep 'is not spam' | wc -l -- 649
> fgrep "score=0," /var/log/maillog | grep 'is spam' | wc -l -- 311
>
> Spamassasin is not showing any errors, and '/usr/bin/spamassassin -D
> -p /etc/MailScanner/spam.assassin.prefs.conf --lint' does not show
> errors.
>
> Here is an example of the headers from a spam message:
>
> From: "Erick Page" <le...@amorymusic.com>
> X-Mailer: The Bat! (v2.01) Personal
> Reply-To: lehamorymusiccah@amorymusic.com
> X-Priority: 3 (Normal)
> Message-ID: <53...@amorymusic.com>
> To: domianbilling@bakerbotts.com
> Subject: Greatest artworks from top artists
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----------F6EBF6EB821E4B82"
> X-Null-Tag: fca71ee22f4011b5a8b9f02a21610260
> X-BakerBotts-MailScanner-Information: Please contact the ISP for more
> information
> X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not
> cached,
> score=0, required 5, autolearn=)
> X-BakerBotts-MailScanner-From: lehamorymusiccah@amorymusic.com
> X-Spam-Status: No
> Return-Path: lehamorymusiccah@amorymusic.com
>
> I would appreciate any help you can provide.
>
> Thanks,
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>