Posted to users@spamassassin.apache.org by "Gary W. Smith" <ga...@primeexalia.com> on 2004/11/09 05:28:27 UTC

3.0x v 2.6x side by side comparison q?

I have all email hitting the production 2.6x spamd and at the same time
logging it against the 3.x spamd.  I diff the output from the original
email for both spamds.  Anyways, I keep noticing that ALL_TRUSTED is
hit for each and every 3.x email.

Obviously from the header it started from an external source which isn't
trusted.  In local.cf I have clear_trusted_networks and do not have any
additional trusted networks listed.

Why?  Each email that is passing through the system seems to be
automatically starting off with a -3.3.  BTW, the 3.0 server we are
testing against is on the private network.

Here is the test call.  10.27.0.10 is the address for the server that is
spooling the mail coming in from the net (NAT'd).

daemon spamd -D -i -A 10.27.0.10,127.0.0.1 -d -r /var/run/spamd.pid -m 20


Return-Path: <1-...@atr.dedicated-marketing1.com>
Received: from atr.dedicated-marketing1.com
(atr.dedicated-marketing1.com [206.71.53.105])
        by server.xxxx.com (Postfix) with SMTP id 8EFA516A02C
        for <xx...@xxxx.com>; Mon,  8 Nov 2004 20:14:34 -0800 (PST)
From: Rapid Cash Provider <Ra...@dedicated-marketing1.com>
Subject: Get 5OO USD by tomorrow. Only takes 2 minutes 
To: xxxx@xxxx.com
MIME-Version: 1.0
Date: Mon, 8 Nov 2004 23:21:58 EST
Message-ID:
<q7...@atr.dedicated-marketing1.com>
X-Mailer: 3.2.1-1 [Oct  8 2004, 19:42:14]
Content-Type: text/html; charset=us-ascii;
class-id=1:1KmbbFzHY0JozDuFF7LYDL4Zru:318084
Content-Transfer-Encoding: 7bit



6c6
< Subject: Get 5OO USD by tomorrow. Only takes 2 minutes 
---
> Subject: [Suspected SPAM] Get 5OO USD by tomorrow. Only takes 2
minutes 
13a14,34
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on 
>       xxxx.xxxx.com
> X-Spam-Level: **************
> X-Spam-Status: Yes, hits=14.4 required=5.0 tests=BAYES_99,HTML_90_100,
>       HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_02,HTML_MESSAGE,
>
HTTP_WITH_EMAIL_IN_URL,MIME_HTML_ONLY,SARE_MSGID_DBL_AT,WS_URI_RBL 
>       autolearn=no version=2.63
> X-Spam-Report: 
>       *  1.0 SARE_MSGID_DBL_AT Message ID has two at signs
>       *  0.1 HTML_MESSAGE BODY: HTML included in message
>       *  5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>       *      [score: 1.0000]
>       *  0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME
parts
>       *  0.6 HTML_FONT_INVISIBLE BODY: HTML font color is same as
background
>       *  1.2 HTML_90_100 BODY: Message is 90% to 100% HTML
>       *  1.2 HTML_IMAGE_ONLY_02 BODY: HTML: images with 0-200 bytes of
words
>       *  4.4 WS_URI_RBL URI's domain appears in sa-blacklist
>       *      [dedicated-marketing1.com is blacklisted in URI]
>       [RBL at ws.surbl.org]
>       *  0.2 HTTP_WITH_EMAIL_IN_URL URI: 'remove' URL contains an
email address
**********************************************************************
6c6
< Subject: Get 5OO USD by tomorrow. Only takes 2 minutes 
---
> Subject: [Suspected SPAM] Get 5OO USD by tomorrow. Only takes 2
minutes 
13a14,46
> X-Spam-Prev-Subject: Get 5OO USD by tomorrow. Only takes 2 minutes 
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on 
>       xxxx.xxxx.com
> X-Spam-Level: ***********************
> X-Spam-Status: Yes, score=24.0 required=5.0
tests=ALL_TRUSTED,BAYES_99,
>       DOMAIN_RATIO,HTML_90_100,HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_20,
>       HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHOUTING3,MIME_HTML_ONLY,
>       SARE_MSGID_DBL_AT,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
>       URIBL_SBL,URIBL_WS_SURBL autolearn=no version=3.0.1
> X-Spam-Report: 
>       *  1.0 SARE_MSGID_DBL_AT Message ID has two at signs
>       * -3.3 ALL_TRUSTED Did not pass through any untrusted hosts
>       *  3.2 DOMAIN_RATIO BODY: Message body mentions many internet
domains
>       *  0.4 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000
bytes of words
>       *  0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting"
markup
>       *  0.0 HTML_FONT_INVISIBLE BODY: HTML font color is same as
background
>       *  0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to
image area
>       *  0.0 HTML_90_100 BODY: Message is 90% to 100% HTML
>       *  0.0 HTML_MESSAGE BODY: HTML included in message
>       *  5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>       *      [score: 1.0000]
>       *  0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME
parts
>       *  1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
>       *      [URIs: imgehost.com dedicated-marketing1.com]
>       *  4.0 URIBL_AB_SURBL Has URI in AB at
http://www.surbl.org/lists.html
>       *      [URIs: imgehost.com]
>       *  4.0 URIBL_JP_SURBL Has URI in JP at
http://www.surbl.org/lists.html
>       *      [URIs: imgehost.com dedicated-marketing1.com]
>       *  4.0 URIBL_WS_SURBL Has URI in WS at
http://www.surbl.org/lists.html
>       *      [URIs: dedicated-marketing1.com]
>       *  4.0 URIBL_OB_SURBL Has URI in OB at
http://www.surbl.org/lists.html
>       *      [URIs: imagesbyaz.com]
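
The side-by-side comparison described in the post, as an added example that is not part of the original message: a Python script that parses the X-Spam-Status header from each spamd result (2.6x writes hits=, 3.x writes score=), lists the tests that differ, and reports when ALL_TRUSTED fired although a Received header names a public relay address. The function names parse_status and compare are hypothetical, and the sample headers are constructed by trimming the two results quoted above.

```python
import ipaddress
import re
from email import message_from_string

# Constructed samples: headers trimmed from the two results quoted in the post.
RECEIVED = ("Received: from atr.dedicated-marketing1.com\n"
            " (atr.dedicated-marketing1.com [206.71.53.105])\n"
            " by server.xxxx.com (Postfix) with SMTP id 8EFA516A02C\n")
SAMPLE_26 = RECEIVED + (
    "X-Spam-Status: Yes, hits=14.4 required=5.0 tests=BAYES_99,HTML_90_100,\n"
    " HTML_MESSAGE,MIME_HTML_ONLY,SARE_MSGID_DBL_AT,WS_URI_RBL\n"
    " autolearn=no version=2.63\n\n")
SAMPLE_30 = RECEIVED + (
    "X-Spam-Status: Yes, score=24.0 required=5.0\n"
    " tests=ALL_TRUSTED,BAYES_99,\n"
    " HTML_90_100,HTML_MESSAGE,MIME_HTML_ONLY,SARE_MSGID_DBL_AT,\n"
    " URIBL_WS_SURBL autolearn=no version=3.0.1\n\n")


def parse_status(raw):
    """Return (score, set of test names, relay IPs) for one scanned message."""
    msg = message_from_string(raw)
    # Unfold the header, then close the gaps folding leaves after commas.
    status = re.sub(r",\s+", ",", " ".join(msg["X-Spam-Status"].split()))
    score = float(re.search(r"(?:hits|score)=(-?[\d.]+)", status).group(1))
    tests = set(re.search(r"tests=(\S+)", status).group(1).split(","))
    relays = [ipaddress.ip_address(ip)
              for hdr in msg.get_all("Received", [])
              for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)]
    return score, tests, relays


def compare(old_raw, new_raw):
    """Diff the rule hits of the 2.6x result against the 3.x result."""
    old_score, old_tests, _ = parse_status(old_raw)
    new_score, new_tests, relays = parse_status(new_raw)
    public = [str(ip) for ip in relays if ip.is_global]
    return {
        "score_delta": round(new_score - old_score, 1),
        "only_old": sorted(old_tests - new_tests),
        "only_new": sorted(new_tests - old_tests),
        # Public relay addresses seen on a message that still hit ALL_TRUSTED.
        "all_trusted_with_public_relay":
            public if "ALL_TRUSTED" in new_tests else [],
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_26, SAMPLE_30).items():
        print(f"{key}: {value}")
```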