sa-learn

[Chavdar Videff <ch...@mr-bricolage.bg>]

Hello List,

After fixing my spamassassin installation according to your recommendations, I 
started to receive reports from spamassassin and the original spam mails are 
encapsulated in these report mails.
Can I feed these report messages to sa-learn in order to teach bayes or I 
should change the configuration.

================================================================
mail1:/home/chavdar# cat /etc/mail/spamassassin/local.cf
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 10.50
# lock_method flock

required_hits 5
#rewrite_subject 1
#report_header 1
#use_terse_report 1
#defang_mime 0
#report_safe 0
use_bayes 1
use_bayes_rules 1
score BAYES_99 4
bayes_auto_learn 0
auto_learn 0
===================================================================================


The message sample:

===================================================================================

Received: from localhost by mail1.mr-bricolage.bg
        with SpamAssassin (version 3.0.3);
        Wed, 01 Jun 2005 10:43:13 +0300
 From: "Peaceful B. Speculating" <un...@benchmarkrings.com>
 To: Andrei <an...@doverie.bg>
 Subject: RE: cheapest Cialis delivered anonymously
 Date: Wed, 01 Jun 2005 00:43:59 -0700
 Message-Id: <11...@benchmarkrings.com>
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on 
        mail1.mr-bricolage.bg
 X-Spam-Level: *****
 X-Spam-Status: Yes, score=5.2 required=2.0 tests=DRUGS_ERECTILE,
        FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
        MPART_ALT_DIFF,SUBJECT_DRUG_GAP_C autolearn=disabled version=3.0.3
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
  boundary="----------=_429D6711.BCDD772C"
 Status: R
 X-Status: N
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 
 
Spam detection software, running on the system "mail1.mr-bricolage.bg", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Hiya! :) 
  
  
http://venkatramanfg.com/D3P9pFi3uxt4rXn1vpaf6PM2l/BwwKIQsOJwYJFAshBwJJAAE=.htm 
  The secret to creativity is knowing how to hide your sources. [...] 

Content analysis details:   (5.2 points, 2.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.9 SUBJECT_DRUG_GAP_C     Subject contains a gappy version of 'cialis'
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.5 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.2 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 DRUGS_ERECTILE         Refers to an erectile drug

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


Encapsulated message


Return-Path: <un...@benchmarkrings.com>
 Received: from fw.doverie.bg (doh-gw.customer.0rbitel.net [195.24.44.114])
        by mail1.mr-bricolage.bg (8.13.3/8.13.3/Debian-6) with SMTP id 
j517hA1v025021
        for <an...@mr-bricolage.bg>; Wed, 1 Jun 2005 10:43:12 +0300
 Received: (qmail 3438 invoked by uid 507); 1 Jun 2005 07:40:56 -0000
 Delivered-To: doverie.bg-andrei@doverie.bg
 Received: (qmail 3435 invoked by uid 503); 1 Jun 2005 07:40:56 -0000
 Received: from unlatch@benchmarkrings.com by fw.doverie.bg by uid 500 with 
qmail-scanner-1.15 
 (f-prot: 3.12.  Clear:. 
 Processed in 1.520528 secs); 01 Jun 2005 07:40:56 -0000
 Received: from unknown (HELO holistictech.com) (210.110.86.127)
  by 0 with SMTP; 1 Jun 2005 07:40:51 -0000
 Received: from benchmarkrings.com (mail.benchmarkrings.com [208.21.167.2])
        by holistictech.com with esmtp
        id 5BB70676FE for <an...@doverie.bg>; Wed, 01 Jun 2005 00:43:59 -0700
 Message-ID: <11...@benchmarkrings.com>
 From: "Peaceful B. Speculating" <un...@benchmarkrings.com>
 To: Andrei <an...@doverie.bg>
 Subject: RE: cheapest Cialis delivered anonymously
 Date: Wed, 01 Jun 2005 00:43:59 -0700
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0035_BD960E63.07248F6A"
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2800.1437
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
 X-AntiVirus: skaner antywirusowy poczty Wirtualnej Polski S. A.
 
Hiya! :)

http://venkatramanfg.com/D3P9pFi3uxt4rXn1vpaf6PM2l/BwwKIQsOJwYJFAshBwJJAAE=.htm

The secret to creativity is knowing how to hide your sources.

Adjuess

http://venkatramanfg.com/D3P9pFi3uxt4rXn1vpaf6PM2l/BwwKIQsOJwYJFAshBwJJAAE=.html


End of encapsulated message

Re: sa-learn

[Matt Kettler <mk...@comcast.net>]

At 04:09 AM 6/1/2005, Chavdar Videff wrote:
>After fixing my spamassassin installation according to your 
>recommendations, I
>started to receive reports from spamassassin and the original spam mails are
>encapsulated in these report mails.
>Can I feed these report messages to sa-learn in order to teach bayes or I
>should change the configuration.

sa-learn recognizes markups made by spamassassin, including encapsulation, 
and will correctly undo the encapsulation before learning the message.

However, if you use some other tool such as mimedefang to do your 
encapsulation, SA won't recognize that.