You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Henry Kwan <sp...@designmedia.com> on 2006/12/18 20:01:30 UTC

Negative AWL on a spam & received from localhost?

Hi,

Running SA 3.17 on a CentOS 4.4 install with sendmail.  Am getting some spams
that score negative AWL and was wondering why this was.  This particular spam
also seems to have been received via localhost?  How can this be?  Is something
on my install misconfigured so that spams can cloak themselves as localhost?  I
checked and it's not an open relay.

Thanks.

Here are the headers:

>From theokiya@amurzon.ru  Fri Dec 15 12:25:42 2006
Received: from localhost by mail.designmedia.com
        with SpamAssassin (version 3.1.7);
        Fri, 15 Dec 2006 12:25:46 -0800
From: "ossie russell" <th...@amurzon.ru> 
To: "Lane Crawford" <va...@designmedia.com>
Subject: *****SPAM***** CreditCardDebtFree Overnight                   
Date: Fri, 15 Dec 2006 13:36:01 +0000
Message-Id: <c3...@theokiya>

Later on, in the expanded scoring section, this is what I get:

 1.1 SARE_SUB_POOR_CREDIT   Spammer subject - credit or money
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 4.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [122.4.2.26 listed in sbl-xbl.spamhaus.org]
 0.5 RCVD_IN_CBL            RBL: DNSBL: sender has sent spam to spamtraps
                            [122.4.2.26 listed in cbl.abuseat.org]
-1.9 AWL                    AWL: From: address is in the auto white-list

Re: Negative AWL on a spam & received from localhost?

Posted by Henry Kwan <sp...@designmedia.com>.

Matt Kettler <mkettler_sa <at> verizon.net> writes:

> In this case, the past average for the sender was approximately 7.7
> (spam), this message came in at 11.5 (also spam), so the AWL split the
> difference and took off 1.9 points to make it 9.6 (still spam). That's
> 100% normal.
> 
> See also:
> 
> http://wiki.apache.org/spamassassin/AwlWrongWay
> 
> http://wiki.apache.org/spamassassin/AutoWhitelist

Hi Matt,

Thanks much for the explanation.  It's yet another case of "I should have 
searched harder in the wiki".  I'll search more next time before posting 
a question.  :embarrassed:

Thanks again.

Re: Negative AWL on a spam & received from localhost?

Posted by Matt Kettler <mk...@verizon.net>.

Henry Kwan wrote:
> Hi,
>
> Running SA 3.17 on a CentOS 4.4 install with sendmail.  Am getting some spams
> that score negative AWL and was wondering why this was.  
Rule 1) just because the AWL scores negative, does NOT mean the AWL
thinks it is nonspam. The AWL is fundamentally a score averager, and the
only way for it to always assign positive scores to spam is if your
pre-awl scores are constantly decreasing. .that's a BAD thing.

In this case, the past average for the sender was approximately 7.7
(spam), this message came in at 11.5 (also spam), so the AWL split the
difference and took off 1.9 points to make it 9.6 (still spam). That's
100% normal.

See also:

http://wiki.apache.org/spamassassin/AwlWrongWay

http://wiki.apache.org/spamassassin/AutoWhitelist