Posted to users@spamassassin.apache.org by Dave <mo...@insensible.net> on 2005/04/10 20:30:27 UTC

False Positives

Hi, I just recently upgraded to version 3.0.2 and now appear to be
receiving quite a few false positives where my previous installation of
2.6.4 didn't have this problem. I am also having a problem getting the test
results to display within the headers so I can determine what tests are
being hit in these false positives. A clear example of the false positives
is as follows:

Delivered-To: anotheraddy@insensible.net
X-Spam-Status: Yes, hits=5.3 required=5.0
X-Spam-Level: +++++
X-Antivirus-soundillusions-Mail-From: morbiddk@insensible.net via server1
X-Antivirus-soundillusions: 1.24-st-qms 
(Clear:RC:0(68.230.240.31):SA:1(5.3/5.0):. Processed in 6.255823 secs 
Process 8768)
X-Mailer: QUALCOMM Windows Eudora Version 6.2.1.2
Date: Sun, 10 Apr 2005 14:23:43 -0400
To: anotheraddy@insensible.net
From: Dave <mo...@insensible.net>
Subject: [SPAM] this is a test
testing the new SA system, lemme know how it looks.

This was a plain text email and was caught with 5.3 points, but it doesn't 
show me what the points were from. Here is a copy of my cf.

required_hits 5.0
rewrite_header Subject [SPAM]
dns_available yes
fold_headers 1
use_terse_report 1
report_safe 0
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ 
tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_

use_dcc 1
use_pyzor 1
use_razor2 1

use_bayes 1
bayes_path /etc/mail/spamassassin/bayes
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 7.0
bayes_learn_during_report 1
bayes_min_ham_num 250
bayes_min_spam_num 250

ok_languages            en
ok_locales              en
rbl_timeout 3

score RCVD_IN_BL_SPAMCOP_NET    3
score HTML_FONT_INVISIBLE       3.5
score HTML_90_100               3.5
score HTML_WEB_BUGS             2.0
score HTML_IMAGE_ONLY_04        3.5
score USER_IN_WHITELIST_TO      -50
score SUBJECT_DRUG_GAP_C        3.5
score SUBJECT_DRUG_GAP_L        3.5
score SUBJECT_DRUG_GAP_VIA      3.5
score VIA_GAP_GRA               3.5

score BAYES_00 0 0 -4.901 -4.900
score BAYES_05 0 0 -0.925 -2.599
score BAYES_20 0 0 -0.730 -1.951
score BAYES_40 0 0 -0.276 -1.096
score BAYES_50 0 0  1.567  0.001
score BAYES_60 0 0  3.515  1.592
score BAYES_80 0 0  3.608  2.087
score BAYES_95 0 0  3.514  3.514
score BAYES_99 0 0  4.070  5.400

# Whitelist stuffs
use_auto_whitelist 1
auto_whitelist_factor 0.5

Any and all help would be appreciated.



Re: False Positives

Posted by David Earp <mo...@insensible.net>.
> How are you calling spamassassin? Are you calling it from procmail, or
> are you using something like amavis?

I didn't even think about how it was being called. After I read this I
realized that it's most likely my qmail-scanner causing it as it rewrites
the header itself.

I've removed the fast_spamassassin option and now I have a modified
but functioning X-Spam-Status which shows the tests, autolearn and
version output. Thanks for the help, now I can begin debugging the false
positive issue.
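
Added example, not part of the original thread or of SpamAssassin: a small parser for the X-Spam-Status value that lists which rules pushed a message over the threshold. It assumes the add_header template discussed in this thread (tests=_TESTSSCORES(,)_) and also accepts the rewritten "hits=" header from the original post, which has no tests field; the sample header values and the function names are constructed for illustration.

```python
import re

# Constructed samples: FULL imitates the header produced by the add_header
# template in this thread (folded after a comma); TERSE is the rewritten
# header from the original post, which carries no tests= field.
FULL = ("Yes, score=5.3 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET=3,\n"
        "\tBAYES_60=1.592,AWL=0.708 autolearn=no version=3.0.2")
TERSE = "Yes, hits=5.3 required=5.0"

def parse_spam_status(value):
    """Return verdict, score, threshold and per-rule scores from a header value."""
    flat = re.sub(r"\r?\n[ \t]+", " ", value.strip())      # unfold continuation lines
    m = re.match(r"(Yes|No),\s*(.*)$", flat, re.I | re.S)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    rest = re.sub(r",\s+", ",", m.group(2))                 # rejoin a folded tests list
    fields = dict(tok.partition("=")[::2] for tok in rest.split())
    tests = None                                            # None: tests field absent
    if "tests" in fields:
        tests = {}
        for item in filter(None, fields["tests"].split(",")):
            if item.lower() == "none":                      # no rules hit
                continue
            rule, _, score = item.partition("=")
            tests[rule] = float(score) if score else None   # plain _TESTS_ has no scores
    score = fields.get("score", fields.get("hits"))         # "hits=" as in the original post
    return {"is_spam": m.group(1).lower() == "yes",
            "score": float(score) if score is not None else None,
            "required": float(fields["required"]) if "required" in fields else None,
            "tests": tests, "autolearn": fields.get("autolearn")}

def top_contributors(parsed, n=3):
    """Rules with the largest positive scores, i.e. what tipped the message to spam."""
    scored = [(r, s) for r, s in (parsed["tests"] or {}).items() if s and s > 0]
    return sorted(scored, key=lambda rs: rs[1], reverse=True)[:n]

if __name__ == "__main__":
    for sample in (FULL, TERSE):
        p = parse_spam_status(sample)
        print(p["is_spam"], p["score"], p["required"],
              top_contributors(p) or "no tests field in header")
```

A result with "tests" set to None means the header reached the mailbox without a tests field at all, which is the symptom described in this thread, rather than a message that hit no rules.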


Re: False Positives

Posted by Matt Kettler <mk...@evi-inc.com>.
David Earp wrote:

>> Try this add_header command instead. Note carefully the addition of
>> quotation marks.
>>
>> add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_
>> tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_"
>
> Added the quotes, no difference. I should note that my add_header is all
> on one line.

Yeah, the line wrap is a side effect of RFC requirements for mail. Mine
was written as one line, but Thunderbird wrapped it automatically.

Question:

How are you calling spamassassin? Are you calling it from procmail, or
are you using something like amavis?


Re: False Positives

Posted by David Earp <mo...@insensible.net>.
> Try this add_header command instead. Note carefully the addition of
> quotation marks.
> 
> add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_
> tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_"

Added the quotes, no difference. I should note that my add_header is all
on one line.

> I assume your intent was to replace TESTS with TESTSSCORES.

Yes, I changed it to TESTSSCORES shortly after sending my original
email.

> Alternatively, just comment out the add_header command for now, and work
> with the defaults until you've got your problems sorted.

Tried both commented and uncommented, neither spam nor ham messages show
more than the YESNO, SCORE and REQD.

> Also, run spamassassin --lint and fix the errors.

I ran this and made sure it returned clear before completing all of my
initial tests and emailing the list.

> Right off the bat I can spot that use_terse_report has been deprecated
> since 2.60, and is now an error in 3.x

Oops, forgot about that one, removed it, no change.


Re: False Positives

Posted by Matt Kettler <mk...@evi-inc.com>.
Dave wrote:

> Hi, I just recently upgraded to version 3.0.2 and now appear to be
> receiving quite a few false positives where my previous installation
> of 2.6.4 didn't have this problem. I am also having a problem getting
> the test results to display within the headers so I can determine what
> tests are being hit in these false positives. A clear example of the
> false positives is as follows:
>
<snip>

You missed the important part of your example... without a list of hits,
nobody will be able to give you any advice on a FP or a FN.

Really, that *should* be in your X-Spam-Status header, but your modified
status header doesn't seem to include this vital information. It appears
that in your add_header command you forgot to put quotes in, and
spamassassin is barfing on the (,).

Try this add_header command instead. Note carefully the addition of
quotation marks.

add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_"

This is more in-line with the defaults, which look like this:
add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_"

I assume your intent was to replace TESTS with TESTSSCORES.

Alternatively, just comment out the add_header command for now, and work
with the defaults until you've got your problems sorted.

Also, run spamassassin --lint and fix the errors.

Right off the bat I can spot that use_terse_report has been deprecated
since 2.60, and is now an error in 3.x