You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Mike Pepe <la...@doki-doki.net> on 2006/04/22 15:57:49 UTC

same message, different scores

Hi folks, I got two spams through today and I'm a little confused as to why.

Spam 1:

 From lamune@quadzilla  Sat Apr 22 01:28:34 2006
Return-Path: <Je...@fen.com>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on quadzilla
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=5.0 tests=BAYES_80 autolearn=no
         version=3.1.1
Received: from fen.com ([221.155.184.221])
         by quadzilla.doki-doki.net (8.13.1/8.13.1) with SMTP id 
k3M5SUHj028409
         for <la...@doki-doki.net>; Sat, 22 Apr 2006 01:28:32 -0400
Message-ID: <EC...@fen.com>
Date: Fri, 21 Apr 2006 23:11:16 -0700
From: "Lyle Grisham" <Je...@fen.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) 
Gecko/20030624 Sylera/1.2.4
MIME-Version: 1.0
To: <la...@doki-doki.net>
Subject: FWD: Cathy Caparula, Ref # QG3836-I34V
Content-Type: text/plain;
         charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV version 0.88, clamav-milter version 0.87 on 
localhost
X-Virus-Status: Clean
Status: R
Content-Length: 215
X-Keywords: 


ATTN: Cathy Caparula,

After a lookover of all your infomation, I'm delighted to inform you of
your acceptance.

http://5ag420.iscool.net

Just fill-out your details on our web site above.


God Bless,
Lyle Grisham

Now, I run it through sa manually, and the report looks like:

Content analysis details:   (10.0 points, 5.0 required)

  pts rule name              description
---- ---------------------- 
--------------------------------------------------
  4.0 CATHY_CAPARULA         BODY: Email addressed to Cathy Caparula
  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.0000]
  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see 
<http://www.spamcop.net/bl.shtml?221.155.184.221>]
  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                             [221.155.184.221 listed in 
sbl-xbl.spamhaus.org]
-2.9 AWL                    AWL: From: address is in the auto white-list

The second spam is almost identical to the first.

I guess the question is: why such radically different scores? is the 
auto-scanning not using my custom CATHY_CAPARULA rule?

Re: same message, different scores

Posted by Matt Kettler <mk...@evi-inc.com>.

Mike Pepe wrote:
> 
>> We need some background on your setup:
>>
>> How do you call SA to get your mail scanned at delivery time?
>> Do you use spamd to scan your mail?
>> If so, did you restart spamd after adding your rule?
>> Where is your CATHY_CAPARULA rule declared (ie: what file)?
> 
> Hi Matt,
> 
> The system is FC3, running SA 3.1.1
> 
> I use procmail piping the messages through spamd.
> 
> I'm not sure if I restarted spamd after I made that custom rule, but
> that rule lives in /etc/mail/spamassassin
> 
> If I don't restart spamd, and I modify rules, would that cause what I am
> seeing?

Yes.. spamd only reads the files in /etc/mail/spamassassin when it loads.

> Would running spamassassin directly evaluate the message
> differently than going through spamd?

Yes. The spamassassin script parses all the config files from scratch when it
starts. Also, unlike spamd, it will honor rules in user_prefs by default. Spamd
requires the allow_user_rules setting to do that.

Re: same message, different scores

Posted by Mike Pepe <la...@doki-doki.net>.

> We need some background on your setup:
> 
> How do you call SA to get your mail scanned at delivery time?
> Do you use spamd to scan your mail?
> If so, did you restart spamd after adding your rule?
> Where is your CATHY_CAPARULA rule declared (ie: what file)?

Hi Matt,

The system is FC3, running SA 3.1.1

I use procmail piping the messages through spamd.

I'm not sure if I restarted spamd after I made that custom rule, but 
that rule lives in /etc/mail/spamassassin

If I don't restart spamd, and I modify rules, would that cause what I am 
seeing? Would running spamassassin directly evaluate the message 
differently than going through spamd?

-Mike

Re: same message, different scores

Posted by Matt Kettler <mk...@comcast.net>.

Mike Pepe wrote:
> Hi folks, I got two spams through today and I'm a little confused as
> to why.
>
> Spam 1:
>
> From lamune@quadzilla  Sat Apr 22 01:28:34 2006
> Return-Path: <Je...@fen.com>
> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on quadzilla
> X-Spam-Level: **
> X-Spam-Status: No, score=2.0 required=5.0 tests=BAYES_80 autolearn=no
>         version=3.1.1
>
<snip>
> Now, I run it through sa manually, and the report looks like:
>
> Content analysis details:   (10.0 points, 5.0 required)
>
>  pts rule name              description
> ---- ----------------------
> --------------------------------------------------
>  4.0 CATHY_CAPARULA         BODY: Email addressed to Cathy Caparula
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>              [Blocked - see
> <http://www.spamcop.net/bl.shtml?221.155.184.221>]
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [221.155.184.221 listed in
> sbl-xbl.spamhaus.org]
> -2.9 AWL                    AWL: From: address is in the auto white-list
>
> The second spam is almost identical to the first.
>
> I guess the question is: why such radically different scores? is the
> auto-scanning not using my custom CATHY_CAPARULA rule?
We need some background on your setup:

How do you call SA to get your mail scanned at delivery time?
Do you use spamd to scan your mail?
If so, did you restart spamd after adding your rule?
Where is your CATHY_CAPARULA rule declared (ie: what file)?