Posted to users@spamassassin.apache.org by Andy Howell <an...@gamubaru.com> on 2018/01/18 19:52:10 UTC

Mail flagged as spam on command line getting passed through as ham

I've been getting annoying spams for "Shark Tank". I added a simple rule in local.cf to check the subject line:

header SHARK_TANK	Subject =~ /\bshark tank\b/i
score SHARK_TANK 7 7 7 7

The mail still gets through. In my inbox:

X-Spam-Flag: NO
X-Spam-Score: 4.148
X-Spam-Level: ****
X-Spam-Status: No, score=4.148 required=6.2 tests=[BAYES_80=2, DIET_1=0.001,
	HTML_IMAGE_RATIO_02=0.437, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001,
	T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01, T_SPF_TEMPERROR=0.01,
	URIBL_BLACK=1.7] autolearn=no autolearn_force=no

If I pass the mail through spamassassin on the command line, it gets flagged as spam:

spamassassin -D < spam-mail-shark-tank.txt >out.txt 2>&1

In out.txt:

X-Spam-Flag: YES
X-Spam-Level: ********************
X-Spam-Status: Yes, score=20.5 required=5.0 tests=BAYES_60,DIET_1,
        HTML_IMAGE_RATIO_02,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
        RCVD_IN_SBL_CSS,SHARK_TANK,SPF_HELO_PASS,T_REMOTE_IMAGE,URIBL_ABUSE_SURBL,
        URIBL_BLACK,URIBL_DBL_SPAM autolearn=spam autolearn_force=no version=3.4.1
X-Spam-Report:
        *  7.0 SHARK_TANK No description available.
        *  1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
        *      blocklist
        *      [URIs: coloringkidsus.com]
        *  3.3 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
        *      [107.175.23.4 listed in zen.spamhaus.org]
        *  2.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
        *      [URIs: coloringkidsus.com]
        *  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        *      [URIs: coloringkidsus.com]
        * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
        *  0.0 DIET_1 BODY: Lose Weight Spam
        *  0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
        *  1.5 BAYES_60 BODY: Bayes spam probability is 60 to 80%
        *      [score: 0.7650]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        *      [cf: 100]
        *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/
        *  0.0 T_REMOTE_IMAGE Message contains an external image
X-Spam-Bayes: bayes=0.7650, N=176(88-0+3), ham=(), spam=(shark, Pill, craze)

Any ideas what I'm doing wrong?

Thanks,

Andy


Re: Mail flagged as spam on command line getting passed through as ham

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 18 Jan 2018, at 14:52 (-0500), Andy Howell wrote:

> Any ideas what I'm doing wrong?

Your server and command line invocations are using different 
configurations.

WHY that is happening is impossible to know without more information 
about how you're using SpamAssassin in your mail server. Some "glue" 
software uses its own configuration, some is run in a chroot "jail" with 
its own full set of config files, some is run under a non-root user with 
its own user-specific rules.

The most common tools for connecting SA and a MTA are Amavis, 
MIMEDefang, spamass-milter, and a menagerie of scripts that pipe 
messages into spamc for checking by spamd. How to troubleshoot your 
problem is dependent on what mechanism you use.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Mail flagged as spam on command line getting passed through as ham

Posted by "@lbutlr" <kr...@kreme.com>.
On 18 Jan 2018, at 12:52, Andy Howell <an...@gamubaru.com> wrote:
> Any ideas what I'm doing wrong?

The headers for your original message will show you, most likely, how Spamassassin was called, which is not the same way that it is called on your command line test.

Probably you are using something like amavisd or a milter to invoke SA and that is using a different configuration location or is set to load a different configuration (that ignores local.cf, perhaps).

I’d start by checking your headers for received lines that contain 127.0.0.1. For example, I see the following on my incoming mail:

Received: from mail.covisp.net (localhost [127.0.0.1])
	by mail.covisp.net (Postfix) with ESMTP id 3zMvkL61dHzxbCl;
	Thu, 18 Jan 2018 12:52:26 -0700 (MST)
Received: from mail.covisp.net ([127.0.0.1])
	by mail.covisp.net (mail.covisp.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id bwx-NVnJBvTg; Thu, 18 Jan 2018 12:52:25 -0700 (MST)


-- 
Bishops move diagonally. That's why they often turn up where the kings
don't expect them to be.
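
Added example, not part of the thread: a small Python comparison of the two X-Spam-Status headers Andy posted, showing what the header evidence says about the two scanning paths (different `required` threshold, and which rules fired only on the command line). The function names and the `local_rules` parameter are illustrative; rules backed by network blocklists can also differ simply because the scans ran at different times, so the content-only local rule and the threshold are the configuration signals.

```python
import re

# The two X-Spam-Status headers quoted in the thread, folded as posted.
INBOX = """X-Spam-Status: No, score=4.148 required=6.2 tests=[BAYES_80=2, DIET_1=0.001,
    HTML_IMAGE_RATIO_02=0.437, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001,
    T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01, T_SPF_TEMPERROR=0.01,
    URIBL_BLACK=1.7] autolearn=no autolearn_force=no"""
CLI = """X-Spam-Status: Yes, score=20.5 required=5.0 tests=BAYES_60,DIET_1,
    HTML_IMAGE_RATIO_02,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
    RCVD_IN_SBL_CSS,SHARK_TANK,SPF_HELO_PASS,T_REMOTE_IMAGE,URIBL_ABUSE_SURBL,
    URIBL_BLACK,URIBL_DBL_SPAM autolearn=spam autolearn_force=no version=3.4.1"""


def parse_status(header):
    """Parse one X-Spam-Status header into verdict, score, threshold and rule names."""
    value = " ".join(header.split(":", 1)[1].split())  # unfold continuation lines
    m = re.match(r"(Yes|No), score=(-?[\d.]+) required=(-?[\d.]+) tests=(.*)", value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status header")
    verdict, score, required, rest = m.groups()
    if rest.startswith("["):
        raw = rest[1:rest.index("]")]          # bracketed NAME=score list
    else:
        raw = re.split(r"\s+\w+=", rest, maxsplit=1)[0]  # list ends at next key=
    rules = {item.strip().split("=")[0] for item in raw.split(",") if item.strip()}
    rules.discard("none")                      # "tests=none" means no rule hit
    return {"spam": verdict == "Yes", "score": float(score),
            "required": float(required), "rules": rules}


def compare(server_hdr, cli_hdr, local_rules=()):
    """Summarise how the server-side scan differs from the command-line scan."""
    server, cli = parse_status(server_hdr), parse_status(cli_hdr)
    return {
        "only_cli": sorted(cli["rules"] - server["rules"]),
        "only_server": sorted(server["rules"] - cli["rules"]),
        "required": (server["required"], cli["required"]),
        "threshold_differs": server["required"] != cli["required"],
        # Content-only rules from local.cf that the server path never applied.
        "local_rules_missing": sorted(
            r for r in local_rules
            if r in cli["rules"] and r not in server["rules"]),
    }


if __name__ == "__main__":
    for key, value in compare(INBOX, CLI, local_rules={"SHARK_TANK"}).items():
        print(f"{key}: {value}")
```
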


Re: Mail flagged as spam on command line getting passed through as ham

Posted by Andy Howell <an...@gamubaru.com>.
Shanew,

Checked my logs and modification time on the local.cf. I had restarted
it. I initially had a single 7 in there, but that was not working so I
added all 4.

Thanks,

Andy


On 01/18/2018 02:24 PM, shanew@shanew.net wrote:
> Most likely you've forgotten to restart spamd or maybe whatever glue
> calls SpamAssassin (amavisd, for example).
>
> As a side note, if you want it to score 7 regardless of network/bayes
> tests (which is what your score line indicates), you can just use
> "score SHARK_TANK 7"


Re: Mail flagged as spam on command line getting passed through as ham

Posted by sh...@shanew.net.
Most likely you've forgotten to restart spamd or maybe whatever glue
calls SpamAssassin (amavisd, for example).

As a side note, if you want it to score 7 regardless of network/bayes
tests (which is what your score line indicates), you can just use
"score SHARK_TANK 7"


-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew