You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by SA <sp...@linkcheck.co.uk> on 2016/12/06 17:43:26 UTC

Unexpected TVD_SPACE_RATIO and strange action of X-Originating-IP

One of my web sites sends me a minimal email to indicate its status. 
There is no body, just a subject and the usual headers. It is sent 
several times a day.

The sending domain is in the trusted_networks list so the SA report 
includes ALL_TRUSTED - full X-Spam-Status is (and should be)...

No, score=-28.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,PFSA_OURSERVER_VALID
         autolearn=ham version=3.3.2

BUT sometimes I get...

No, score=-25.5 required=5.0 tests=ALL_TRUSTED,BAYES_00,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,PFSA_OURSERVER_VALID,TVD_SPACE_RATIO,
	TVD_SPACE_RATIO_MINFP autolearn=ham version=3.3.2

PFSA_OURSERVER_VALID is my own addition and is set to -25 if it's from 
the web site. DKIM is set by the mail receiver not the sender, which is 
a very simple smtp service.

What puzzles me is why SA reports TVD_SPACE_RATIO and 
TVD_SPACE_RATIO_MINFP when there is no body at all - just a single blank 
line with not even a single space and no signature or MIME. And why it 
does so only sometimes (about 1 in four or five times).

For reference the ENTIRE email (with obfuscations) for the TVD case, as 
received by me is...

Delivered-To: <(me)@(recip)>
Received: from (my mail server)
	by (my mail server) (Dovecot) with LMTP id KLhdFWzRRliENgAAu8yh1g
	for <(me)@(recip)>; Tue, 06 Dec 2016 14:57:46 +0000
Received: from (my mail server) (localhost [127.0.0.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by (my mail server) (Postfix) with ESMTPS id 6D8201E06F0
	for <(me)@(recip)>; Tue,  6 Dec 2016 14:57:46 +0000 (GMT)
Received: by (my mail server) (Postfix, from userid 5001)
	id 41C391E0668; Tue,  6 Dec 2016 14:57:46 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= (etc)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on MYPOSTFIX
X-Spam-Level:
X-Spam-Status: No, score=-25.5 required=5.0 tests=ALL_TRUSTED,BAYES_00,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,PFSA_OURSERVER_VALID,TVD_SPACE_RATIO,
	TVD_SPACE_RATIO_MINFP autolearn=ham version=3.3.2
X-Spam-RelaysUntrusted:
Received: from (webserver) ((webserver) [(webserver IP)])
	by (my mail server (Postfix) with SMTP id DA6541E06F0
	for <(me)@(recip)>; Tue,  6 Dec 2016 14:57:35 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= (etc)
From: "FormTest" <(form)@(webserver)>
To: "(me)" <(me)@(recip)>
Reply-To: (sender)@(webserver)
Subject: Form Check
Date: Tue, 06 Dec 2016 14:57:35 -0000
Message-ID: <20161206-14573592-10bc@(webserver)>
X-Envelope-From: (sender)@(webserver)
X-Original-IP: (web customer's IP) (SEE BELOW)
MIME-Version: 1.0

There is another oddity in this scenario. I have set up a tracing 
header, shown above as...

X-Original-IP: (web visitor's IP)

This is recent. Previously I had...

X-Originating-IP: (web visitor's IP)

... but this resulted in losing ALL_TRUSTED (all other tags in 
X-Spam-Status remained). Spamassassin seemed to think this was the 
envelope-from or something of that kind and filled in...

X-Spam-RelaysUntrusted: [ ip=(visitor's IP) rdns= helo= by= ident= envfrom=

If anyone could help with either of these I would be grateful.


-- 
Dave Stiles

Re: Unexpected TVD_SPACE_RATIO and strange action of X-Originating-IP

Posted by SA <sp...@linkcheck.co.uk>.

Thank you for the reply.

 > No, ALL_TRUSTED means that the email only passed through trusted
 > IP addresses or was authenticated into the trusted network.

Yes. Sorry, I phrased it badly.

My main point here was the TVD tags. Why sometimes and not others in 
virtually identical emails with no bodies? There is sufficient leeway on 
the scoring that it does not really matter but it's still incorrect as 
far as I can tell.

 > In webmail the client IP address is often put in X-Originating-IP;
 > SpamAssassin treats this as the first relay just as if it were from an
 > smtp submission received header.

Hmm. I suspected as much. Thanks. :)

-- 
Dave Stiles

Re: Unexpected TVD_SPACE_RATIO and strange action of X-Originating-IP

Posted by RW <rw...@googlemail.com>.

On Tue, 6 Dec 2016 17:43:26 +0000
SA wrote:

> One of my web sites sends me a minimal email to indicate its status. 
> There is no body, just a subject and the usual headers. It is sent 
> several times a day.
> 
> The sending domain is in the trusted_networks list so the SA report 
> includes ALL_TRUSTED 

No, ALL_TRUSTED means that the email only passed through trusted IP
addresses or was authenticated into the trusted network. 

...

> There is another oddity in this scenario. I have set up a tracing 
> header, shown above as...
> 
> X-Original-IP: (web visitor's IP)
> 
> This is recent. Previously I had...
> 
> X-Originating-IP: (web visitor's IP)
> 
> ... but this resulted in losing ALL_TRUSTED (all other tags in 
> X-Spam-Status remained). Spamassassin seemed to think this was the 
> envelope-from or something of that kind and filled in...
> 
> X-Spam-RelaysUntrusted: [ ip=(visitor's IP) rdns= helo= by= ident=
> envfrom=

In webmail the client IP address is often put in X-Originating-IP;
SpamAssassin treats this as the first relay just as if it were from an
smtp submission received header.