You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Tim Alberts <ta...@msiscales.com> on 2008/02/13 18:45:44 UTC
False positive with scoring I don't understand
Greetings everyone. I'm new to the list because I need help
desperately. I've been using spamassassin for many years and it has
gone a long way to fixing spam, so first, thank you for the great product.
System is Fedora Linux 6 running sendmail. Mail is delivered for local
users with procmail which feeds the delivered mail to spamassassin. I'm
getting the following from some (very important) customers and it's
really a problem right now. Where is the score 244.3 coming from? The
sender is whitelisted for -100?
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on msi2.inside.msi
X-Spam-Level:**************************************************
X-Spam-Status: Yes, score=244.3 required=5.0 tests=AWL,BAYES_00,
USER_IN_WHITELIST autolearn=no version=3.1.9
X-Spam-Report: * -100 USER_IN_WHITELIST From: address is in the user's
white-list * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to
1% * [score: 0.0000] * 347 AWL AWL: From: address is in the
auto white-list
Re: False positive with scoring I don't understand
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2008-02-18 at 13:12 -0800, Tim Alberts wrote:
> Thank you again everyone for responding.
>
> I do have the per user settings and it prompts the question that I don't
> see an answer for yet. What happens with the command
> 'spamassassin --remove-addr-from-whitelist' with per user settings? I
> assumed running the command as root, it would filter down through each
> user AWL. Thinking more about it I guess it stands to reason that it
> doesn't because spamassassin doesn't know about all the users.
>
> So is the solution to log in as each user and issue the command to clear
> the marked address from each account? How should it be handled in this
> situation.
Yes. With per user conf and AWL DB, each user (affected) must fix their
own AWL. Just like you removed the corrupt AWL DBs for exactly these
users, you could have just removed the email address in question from
them.
> Note: For now, I have deleted the autowhitelist file from the selected
> users that are communicating with the marked email address.
> Unfortunately again, I won't know if it worked until the customer emails
> again.
Fortunately, this is not true. :)
As one of the affected users, just run any mail from that email address
through SA again:
spamassassin < saved-raw-mail | less
Check the resulting X-Spam headers. Instead of 'spamassassin', you can
use 'spamc' too, if you generally do that anyway. Just be sure to do
that as the affected users, with their correct environment [1]. If you
again re-run such mail through spamassassin, you will see a sane AWL
score, unless the overall score is identical to the previous one.
guenther
[1] 'su' vs 'su -' caveat if you su from root
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: False positive with scoring I don't understand
Posted by Tim Alberts <ta...@msiscales.com>.
René Berber wrote:
> Tim Alberts wrote:
> [snip]
>> OK, I ran the command and just received another email from the
>> customer today. The mail is still being marked as spam. I need to
>> fix this now or stop using spamassassin.
>>
>> To re-iterate the problem. I am receiving mail from a customer and
>> it is being marked as spam. The test report for the email shows:
>>
>> * -100 USER_IN_WHITELIST From: address is in the user's white-list
>> * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% *
>> [score: 0.0000] * 274 AWL AWL: From: address is in the auto
>> white-list
>>
>> How do I clear the AWL?
>
> Just remove the file, it looks like it is corrupted.
>
> To find where the file is, look for auto_whitelist_path in your
> settings. I have it configured in
> /etc/mail/spamassasin/mailscanner.cf to:
>
> auto_whitelist_path /var/spool/spamassassin/auto-whitelist
>
> Unless you have a more complicated configuration (per user settings).
Thank you again everyone for responding.
I do have the per user settings and it prompts the question that I don't
see an answer for yet. What happens with the command
'spamassassin --remove-addr-from-whitelist' with per user settings? I
assumed running the command as root, it would filter down through each
user AWL. Thinking more about it I guess it stands to reason that it
doesn't because spamassassin doesn't know about all the users.
So is the solution to log in as each user and issue the command to clear
the marked address from each account? How should it be handled in this
situation.
Note: For now, I have deleted the autowhitelist file from the selected
users that are communicating with the marked email address.
Unfortunately again, I won't know if it worked until the customer emails
again.
Re: False positive with scoring I don't understand
Posted by René Berber <r....@computer.org>.
Tim Alberts wrote:
[snip]
> OK, I ran the command and just received another email from the customer
> today. The mail is still being marked as spam. I need to fix this now
> or stop using spamassassin.
>
> To re-iterate the problem. I am receiving mail from a customer and it
> is being marked as spam. The test report for the email shows:
>
> * -100 USER_IN_WHITELIST From: address is in the user's white-list *
> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% *
> [score: 0.0000] * 274 AWL AWL: From: address is in the auto white-list
>
> How do I clear the AWL?
Just remove the file, it looks like it is corrupted.
To find where the file is, look for auto_whitelist_path in your
settings. I have it configured in /etc/mail/spamassasin/mailscanner.cf to:
auto_whitelist_path /var/spool/spamassassin/auto-whitelist
Unless you have a more complicated configuration (per user settings).
--
René Berber
Re: False positive with scoring I don't understand
Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Feb 18, 2008 at 11:12:59AM -0800, Paul Douglas Franklin wrote:
> use_auto_whitelist 0
Alternately, and the better way, is to disable the AWL plugin. You'll find
the following line in v310.pre (in your site config directory):
loadplugin Mail::SpamAssassin::Plugin::AWL
comment it out and restart SA (if you use a daemon).
--
Randomly Selected Tagline:
Only in America... do drugstores make the sick walk all the way to the
back of the store to get their prescriptions while healthy people can
buy cigarettes at the front.
Re: False positive with scoring I don't understand
Posted by Paul Douglas Franklin <pd...@yugm.org>.
I have
use_auto_whitelist 0
in my local.cf.
awl was causing just too much trouble.
--Paul
Tim Alberts wrote:
> Tim Alberts wrote:
>> Rubin Bennett wrote:
>>>
>>> spamassassin --remove-addr-from-whitelist
>>>
>>> (Googled for SpamAssassin AWL remove entry)
>>> http://wiki.apache.org/spamassassin/AwlWrongWay
>>>
>>> Also man spamassassin should give you some more details about that
>>> command :)
>>>
>>> Rubin
>> yahoo'd - spamassassin auto white list clear
>>
>> Guess that MS/Yahoo deal is already causing problems?
>>
>> Thank you again Rubin
>>
>
>
> OK, I ran the command and just received another email from the
> customer today. The mail is still being marked as spam. I need to
> fix this now or stop using spamassassin.
>
> To re-iterate the problem. I am receiving mail from a customer and it
> is being marked as spam. The test report for the email shows:
>
> * -100 USER_IN_WHITELIST From: address is in the user's white-list
> * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% *
> [score: 0.0000] * 274 AWL AWL: From: address is in the auto
> white-list
>
> How do I clear the AWL?
>
--
Paul Douglas Franklin
Computer Manager, Union Gospel Mission of Yakima, Washington
Husband of Danette
Father of Laurene, Miriam, Tycko, Timothy, Sarabeth, Marie, Dawnita, Anna Leah, Alexander, and Caleb
Re: False positive with scoring I don't understand
Posted by Tim Alberts <ta...@msiscales.com>.
Tim Alberts wrote:
> Rubin Bennett wrote:
>>
>> spamassassin --remove-addr-from-whitelist
>>
>> (Googled for SpamAssassin AWL remove entry)
>> http://wiki.apache.org/spamassassin/AwlWrongWay
>>
>> Also man spamassassin should give you some more details about that
>> command :)
>>
>> Rubin
> yahoo'd - spamassassin auto white list clear
>
> Guess that MS/Yahoo deal is already causing problems?
>
> Thank you again Rubin
>
OK, I ran the command and just received another email from the customer
today. The mail is still being marked as spam. I need to fix this now
or stop using spamassassin.
To re-iterate the problem. I am receiving mail from a customer and it
is being marked as spam. The test report for the email shows:
* -100 USER_IN_WHITELIST From: address is in the user's white-list *
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% *
[score: 0.0000] * 274 AWL AWL: From: address is in the auto white-list
How do I clear the AWL?
Re: False positive with scoring I don't understand
Posted by Tim Alberts <ta...@msiscales.com>.
Rubin Bennett wrote:
>
> spamassassin --remove-addr-from-whitelist
>
> (Googled for SpamAssassin AWL remove entry)
> http://wiki.apache.org/spamassassin/AwlWrongWay
>
> Also man spamassassin should give you some more details about that
> command :)
>
> Rubin
yahoo'd - spamassassin auto white list clear
Guess that MS/Yahoo deal is already causing problems?
Thank you again Rubin
Re: False positive with scoring I don't understand
Posted by Rubin Bennett <rb...@thatitguy.com>.
On Wed, 2008-02-13 at 10:15 -0800, Tim Alberts wrote:
> Rubin Bennett wrote:
> > On Wed, 2008-02-13 at 09:45 -0800, Tim Alberts wrote:
> >
> >> Greetings everyone. I'm new to the list because I need help
> >> desperately. I've been using spamassassin for many years and it has
> >> gone a long way to fixing spam, so first, thank you for the great product.
> >>
> >> System is Fedora Linux 6 running sendmail. Mail is delivered for local
> >> users with procmail which feeds the delivered mail to spamassassin. I'm
> >> getting the following from some (very important) customers and it's
> >> really a problem right now. Where is the score 244.3 coming from? The
> >> sender is whitelisted for -100?
> >>
> >> X-Spam-Flag: YES
> >>
> >> X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on msi2.inside.msi
> >>
> >> X-Spam-Level:**************************************************
> >>
> >> X-Spam-Status: Yes, score=244.3 required=5.0 tests=AWL,BAYES_00,
> >> USER_IN_WHITELIST autolearn=no version=3.1.9
> >>
> >> X-Spam-Report: * -100 USER_IN_WHITELIST From: address is in the user's
> >> white-list * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to
> >> 1% * [score: 0.0000] * 347 AWL AWL: From: address is in the
> >> auto white-list
> >>
> >>
> > The From: address is in the auto whitelist. Turn it off and see where
> > you get, then determine why they were added to the AWL in the first
> > place.
> >
> > Rubin
> >
> Thank you for responding Rubin. I disable the AWL with main
> spamassassin local.cf config file and the line 'auto_learn 0' correct?
> However I'm not sure how to determine why they were added in the first
> place. I'm looking through the awl docs, and I think it would be easier
> (and much quicker with less downtime) to just remove the address from
> the awl. I don't see how to do this though, can it be done, and if so, how?
>
>
spamassassin --remove-addr-from-whitelist
(Googled for SpamAssassin AWL remove entry)
http://wiki.apache.org/spamassassin/AwlWrongWay
Also man spamassassin should give you some more details about that
command :)
Rubin
> >
> >>
>
--
Rubin Bennett
RB Technologies
http://thatitguy.com
rbennett@thatitguy.com
(802)223-4448
"They that can give up essential liberty to obtain a little
temporary security deserve neither liberty nor safety"
--Benjamin Franklin, Historical Review of Pennsylvania, 1759
Re: False positive with scoring I don't understand
Posted by Jari Fredriksson <ja...@iki.fi>.
> At 09:45 13-02-2008, Tim Alberts wrote:
>> some (very important) customers and it's really a
>> problem right now. Where is the score 244.3 coming
>> from? The sender is whitelisted for -100?
>> [snip]
>> X-Spam-Status: Yes, score=244.3 required=5.0
>> tests=AWL,BAYES_00, USER_IN_WHITELIST autolearn=no
>> version=3.1.9
>>
>> X-Spam-Report: * -100 USER_IN_WHITELIST From: address is
>> in the user's white-list * -2.6 BAYES_00 BODY:
>> Bayesian spam probability is 0 to 1% * [score:
>> 0.0000] * 347 AWL AWL: From: address is in the auto
>> white-list
>
> The AWL score is 347. A user_in_whitelist score of -100
> is not enough to offset such a large positive score.
> Verify the auto whitelist and your configuration.
>
AWL should be renamed ABL, if it can produce such scores. Must be pain.
Re: False positive with scoring I don't understand
Posted by SM <sm...@resistor.net>.
At 09:45 13-02-2008, Tim Alberts wrote:
>some (very important) customers and it's really a problem right
>now. Where is the score 244.3 coming from? The sender is
>whitelisted for -100?
>[snip]
>X-Spam-Status: Yes, score=244.3 required=5.0 tests=AWL,BAYES_00,
>USER_IN_WHITELIST autolearn=no version=3.1.9
>
>X-Spam-Report: * -100 USER_IN_WHITELIST From: address is in the
>user's white-list * -2.6 BAYES_00 BODY: Bayesian spam probability
>is 0 to 1% * [score: 0.0000] * 347 AWL AWL: From:
>address is in the auto white-list
The AWL score is 347. A user_in_whitelist score of -100 is not
enough to offset such a large positive score. Verify the auto
whitelist and your configuration.
Regards,
-sm
Re: False positive with scoring I don't understand
Posted by Kris Deugau <kd...@vianet.ca>.
Tim Alberts wrote:
> Thank you for responding Rubin. I disable the AWL with main
> spamassassin local.cf config file and the line 'auto_learn 0' correct?
Not quite. If you run "spamassassin --lint" with that directive in
place, you should get an error reported.
Add "use_auto_whitelist 0" to local.cf instead. Make sure to restart
spamd if you're using it.
> However I'm not sure how to determine why they were added in the first
> place. I'm looking through the awl docs, and I think it would be easier
> (and much quicker with less downtime) to just remove the address from
> the awl. I don't see how to do this though, can it be done, and if so,
> how?
From man spamassassin-run:
-R, --remove-from-whitelist Remove all addresses found in mail from
persistent address list
Personally, I'm baffled by all the trouble people seem to have with the
AWL; the only issue I've run into is users pushing their mail quota due
to large AWL files caused by stale one-hit-wonder entries. (Which I
solved by adapting a utility from the SA distribution to trim out said
stale entries.)
(I've been finding the SA man page(s) much more difficult to find
certain information from in recent versions; I understand the divisions
but they're not all that easy to find. The major "standard" plugins
should probably have mention in the "see also" section of
Mail::SpamAssassin::Conf's man page - which is where *everything* used
to be documented.)
-kgd
Re: False positive with scoring I don't understand
Posted by Tim Alberts <ta...@msiscales.com>.
Rubin Bennett wrote:
> On Wed, 2008-02-13 at 09:45 -0800, Tim Alberts wrote:
>
>> Greetings everyone. I'm new to the list because I need help
>> desperately. I've been using spamassassin for many years and it has
>> gone a long way to fixing spam, so first, thank you for the great product.
>>
>> System is Fedora Linux 6 running sendmail. Mail is delivered for local
>> users with procmail which feeds the delivered mail to spamassassin. I'm
>> getting the following from some (very important) customers and it's
>> really a problem right now. Where is the score 244.3 coming from? The
>> sender is whitelisted for -100?
>>
>> X-Spam-Flag: YES
>>
>> X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on msi2.inside.msi
>>
>> X-Spam-Level:**************************************************
>>
>> X-Spam-Status: Yes, score=244.3 required=5.0 tests=AWL,BAYES_00,
>> USER_IN_WHITELIST autolearn=no version=3.1.9
>>
>> X-Spam-Report: * -100 USER_IN_WHITELIST From: address is in the user's
>> white-list * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to
>> 1% * [score: 0.0000] * 347 AWL AWL: From: address is in the
>> auto white-list
>>
>>
> The From: address is in the auto whitelist. Turn it off and see where
> you get, then determine why they were added to the AWL in the first
> place.
>
> Rubin
>
Thank you for responding Rubin. I disable the AWL with main
spamassassin local.cf config file and the line 'auto_learn 0' correct?
However I'm not sure how to determine why they were added in the first
place. I'm looking through the awl docs, and I think it would be easier
(and much quicker with less downtime) to just remove the address from
the awl. I don't see how to do this though, can it be done, and if so, how?
>
>>
Re: False positive with scoring I don't understand
Posted by Rubin Bennett <rb...@thatitguy.com>.
On Wed, 2008-02-13 at 09:45 -0800, Tim Alberts wrote:
> Greetings everyone. I'm new to the list because I need help
> desperately. I've been using spamassassin for many years and it has
> gone a long way to fixing spam, so first, thank you for the great product.
>
> System is Fedora Linux 6 running sendmail. Mail is delivered for local
> users with procmail which feeds the delivered mail to spamassassin. I'm
> getting the following from some (very important) customers and it's
> really a problem right now. Where is the score 244.3 coming from? The
> sender is whitelisted for -100?
>
> X-Spam-Flag: YES
>
> X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on msi2.inside.msi
>
> X-Spam-Level:**************************************************
>
> X-Spam-Status: Yes, score=244.3 required=5.0 tests=AWL,BAYES_00,
> USER_IN_WHITELIST autolearn=no version=3.1.9
>
> X-Spam-Report: * -100 USER_IN_WHITELIST From: address is in the user's
> white-list * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to
> 1% * [score: 0.0000] * 347 AWL AWL: From: address is in the
> auto white-list
>
The From: address is in the auto whitelist. Turn it off and see where
you get, then determine why they were added to the AWL in the first
place.
Rubin
>
>
--
Rubin Bennett
RB Technologies
http://thatitguy.com
rbennett@thatitguy.com
(802)223-4448
"They that can give up essential liberty to obtain a little
temporary security deserve neither liberty nor safety"
--Benjamin Franklin, Historical Review of Pennsylvania, 1759