Posted to users@spamassassin.apache.org by Alan Munday <sp...@brightheadtechnology.com> on 2006/11/30 02:23:14 UTC
Score=x+5
I've just seen a mail marked as spammy (amavisd-new) where the score header had Score=x+5 where x was the sum of the SA tests.
X-Spam-Status: Yes, score=0.917+5 tagged_above=0 required=5 tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001, SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, SPF_PASS=-0.001]
I'm curious as to where the 5 came from as the mail report does not look like spam:
Content analysis details:   (0.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 P0F_UNIX               OS fingerprint BSD/Solaris/HP-UX/Tru64
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 SARE_UNA               RAW: SARE_UNA
 0.9 SARE_HTML_TD_BR        FULL: Multiple line breaks in spammer pattern
 0.5 SARE_HTML_MANY_BR05    Tooo many <br>'s!
 0.7 AWL                    AWL: From: address is in the auto white-list
I've not seen this before (in over 4 years) and could not see an answer from a quick search.
Thanks
Alan
Re: Score=x+5
Posted by Matt Kettler <mk...@verizon.net>.
Alan Munday wrote:
> I've just seen a mail marked as spammy (amavisd-new) where the score
> header had Score=x+5 where x was the sum of the SA tests.
>
> X-Spam-Status: Yes, score=0.917+5 tagged_above=0 required=5
> tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01,
> FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001,
> SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231,
> SPF_PASS=-0.001]
>
> I'm curious as to where the 5 came from as the mail report does
> not look like spam:
My guess would be amavis's soft-blacklist feature.
Re: Score counting error
Posted by Kelson <ke...@speed.net>.
Andrew Hearn (AAISP) wrote:
> X-Spam-Status: No, score=4.3 required=4.4 tests=BAYES_99,NO_RELAYS
> autolearn=disabled version=3.1.7
> X-Spam-Report:
> * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
> * 4.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> * [score: 1.0000]
It's just differences in rounding. The scores actually have three
digits past the decimal point, but the report only shows one.
NO_RELAYS is actually -0.001, so the final score, assuming BAYES_99 is
4.400 in your setup, is 4.399. IIRC the final score is always rounded
down in the report to avoid confusion when people see things like this:
X-Spam-Status: No, score=4.4 required=4.4
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
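
An added worked example (not part of any poster's message) covering both score puzzles in this thread: it parses the amavisd-new X-Spam-Status value from the first message, separates the SpamAssassin sum from the +5 term, and shows that the one-decimal report lines do not add up to the three-decimal total. Reading the second term as points added outside SpamAssassin follows Matt's guess above; the function names are illustrative.

```python
import re
from decimal import Decimal

# X-Spam-Status value copied from the first message in this thread.
STATUS = ("Yes, score=0.917+5 tagged_above=0 required=5 tests=[AWL=0.727,"
          "BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, FORGED_RCVD_HELO=0.135,"
          "HTML_MESSAGE=0.001, P0F_UNIX=-0.001, SARE_HTML_MANY_BR05=0.5,"
          "SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, SPF_PASS=-0.001]")

U = r"\d+(?:\.\d+)?"  # unsigned decimal number

def parse_status(value):
    """Split the header into SA score, added term, threshold and per-test scores."""
    score = re.search(rf"\bscore=(-?{U})([+-]{U})?", value)
    required = re.search(rf"\brequired=(-?{U})", value)
    if not score or not required:
        raise ValueError("not an X-Spam-Status value")
    # Per-test scores only appear in the bracketed amavisd-new form.
    listed = re.search(r"tests=\[([^\]]*)\]", value)
    tests = {name: Decimal(pts) for name, pts in
             re.findall(rf"([A-Z][A-Z0-9_]*)=(-?{U})",
                        listed.group(1) if listed else "")}
    return {"sa": Decimal(score.group(1)),
            "added": Decimal(score.group(2) or "0"),  # assumed: non-SA points
            "required": Decimal(required.group(1)),
            "tests": tests}

def explain(value):
    """Show where the verdict comes from and what display rounding hides."""
    p = parse_status(value)
    tenth = Decimal("0.1")
    return {
        # Exact sum of the three-decimal scores in tests=[...]
        "tests_sum": sum(p["tests"].values()),
        # Sum a reader gets by adding the one-decimal report lines
        "report_lines_sum": sum(s.quantize(tenth) for s in p["tests"].values()),
        "spam_on_sa_alone": p["sa"] >= p["required"],
        "spam_with_added": p["sa"] + p["added"] >= p["required"],
    }

if __name__ == "__main__":
    for key, val in explain(STATUS).items():
        print(f"{key:18} {val}")
```

The tests sum to exactly the 0.917 in the header, while the rounded report lines add up to 0.8, so only the +5 term pushes this message over the threshold.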
Score counting error
Posted by "Andrew Hearn (AAISP)" <an...@aaisp.net.uk>.
Hi,
In my headers I see:
X-Spam-Status: No, score=4.3 required=4.4 tests=BAYES_99,NO_RELAYS
autolearn=disabled version=3.1.7
X-Spam-Report:
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
* 4.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
Seems odd that score doesn't add up? (4.4 + 0.0 = 4.3!!)
--
Andrew Hearn
Re: Score=x+5
Posted by Mark Martinec <Ma...@ijs.si>.
On Thursday December 7 2006 18:21, Fred T wrote:
> > -0.0 P0F_UNIX OS fingerprint BSD/Solaris/HP-UX/Tru64
> I'm curious about P0F_UNIX; could you share this rule with me? And any
> similar fingerprint rules? Thanks!
The rules are quite straightforward (see below) - just matching
on an inserted header field, which can be inserted by amavisd-new
(or some other sw component like milter or policy daemon or SA plugin),
based on results from p0f ( http://lcamtuf.coredump.cx/p0f.shtml ).
See release notes, p0f support was introduced with version 2.4.0:
http://www.ijs.si/software/amavisd/release-notes.txt
Here is my current set:
header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score L_P0F_WXP 3.0
header L_P0F_W X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score L_P0F_W 1.7
header L_P0F_UNKN X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
score L_P0F_UNKN 0.8
header L_P0F_Unix X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)/
score L_P0F_Unix -1.0
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score L_P0F_Linux -0.1
plus a couple to slightly favour network proximity,
which works well in my environment, but may not work
so well elsewhere:
header L_P0F_D1234 X-Amavis-OS-Fingerprint =~ /\bdistance [1-4](?![0-9])/
header L_P0F_D5 X-Amavis-OS-Fingerprint =~ /\bdistance 5(?![0-9])/
header L_P0F_D6 X-Amavis-OS-Fingerprint =~ /\bdistance 6(?![0-9])/
header L_P0F_D7 X-Amavis-OS-Fingerprint =~ /\bdistance 7(?![0-9])/
header L_P0F_D8 X-Amavis-OS-Fingerprint =~ /\bdistance 8(?![0-9])/
header L_P0F_D9 X-Amavis-OS-Fingerprint =~ /\bdistance 9(?![0-9])/
header L_P0F_D10 X-Amavis-OS-Fingerprint =~ /\bdistance 10(?![0-9])/
header L_P0F_D11 X-Amavis-OS-Fingerprint =~ /\bdistance 11(?![0-9])/
score L_P0F_D1234 -0.5
score L_P0F_D5 -0.5
score L_P0F_D6 -0.5
score L_P0F_D7 -0.5
score L_P0F_D8 -0.5
score L_P0F_D9 -0.5
score L_P0F_D10 -0.3
score L_P0F_D11 -0.3
Mark
Re: Score=x+5
Posted by Fred T <sp...@freddyt.com>.
Hello Alan,
Wednesday, November 29, 2006, 8:23:14 PM, you wrote:
> -0.0 P0F_UNIX OS fingerprint BSD/Solaris/HP-UX/Tru64
I'm curious about P0F_UNIX; could you share this rule with me? And any
similar fingerprint rules? Thanks!
--
Best regards,
Fred mailto:spamassassin@freddyt.com