Posted to users@spamassassin.apache.org by Patrick Baldwin <Pa...@studsvik.com> on 2008/03/26 19:01:39 UTC

{SPAM?} Many False Positives

Hi, I have an issue where much of my site's incoming
mail is being tagged as {SPAM?} when it's not.

The mail server here is Sendmail 8.12.5 on SunOS 5.8,
and it's happening with a variety of mail clients.

I'm looking to figure out where this {$SPAM} tag is coming
from. I've gone through the docs on the site and the archive,
and it seems like this should be in my local.cf, but I don't see
what entry I have that's doing this.

I'd also like to figure out how to get this to stop, as it's making
for unhappy users.

As far as I know, nothing has changed on my systems with regard
to SpamAssassin, but this just started up today.

I've been trying Google for answers for the past few hours, but no
luck; I suspect I may not even know the right question to ask.

Any help much appreciated.


My main.rc file:

$ more main.rc
:0
* ^To: <postmaster
| /usr/local/bin/dmail +Postmaster

:0
* ^X-yoursite-MailScanner-SpamCheck: spam
| /usr/local/bin/dmail +spamassassin

:0
* ^X-yoursite-MailScanner: Found to be infected
| /usr/local/bin/dmail +spamassassin


:0
| /usr/local/bin/dmail



My spamassassin.procmail.rc:

$ more spamassassin.procmail.rc
:0fw
| /usr/local/bin/spamassassin -P

:0
* ^X-Spam-Status: Yes
| /usr/local/bin/dmail +spamassassin



The part of my local.cf file that isn't a whitelist:

blacklist_from *@*mailsubs.com
blacklist_from *@*cheetahmail.com
blacklist_from *@*chtah.com
blacklist_from *@*shinbiro.com
blacklist_from *@*azoogle.com
blacklist_from *@*whatsnew-mail.com
blacklist_from *@*ventrikulumspectoum.com
blacklist_from *@*globalgreat-deals.com
blacklist_from *@*trackingclicks.com
blacklist_from *@*lesbianseagulls.net
blacklist_from *@*home.nl
blacklist_from *@*ew01.com
blacklist_from *@virtumundo.com
blacklist_from *@vm-mail.com
blacklist_from *@abbasiapacific.com.sg


score           FORGED_HOTMAIL_RCVD     2.5
score           CTYPE_JUST_HTML         0.3


body            FORTRAN_100     / INTEGER/
describe        FORTRAN_100     looking for FORTRAN source
score           FORTRAN_100     -15.0

body            FORTRAN_101     / SUBROUTINE/
describe        FORTRAN_101     looking for FORTRAN source
score           FORTRAN_101     -15.0

score           HTTP_EXCESSIVE_ESCAPES  105
score ALL_TRUSTED  0.000  0.000  0.000  0.000
score URIBL_AB_SURBL 0 4.000 0 4.000
score URIBL_OB_SURBL 0 4.000 0 4.000
score URIBL_PH_SURBL 0 4.000 0 4.000
score URIBL_SBL 0 4.000 0 4.000
score URIBL_SC_SURBL 0 4.000 0 4.000
score URIBL_WS_SURBL 0 4.000 0 4.000
score RCVD_ILLEGAL_IP 4.000 4.000 4.000 4.000
score RCVD_IN_BL_SPAMCOP_NET 0 4.000 0 4.000
score RCVD_IN_NJABL_DUL 0 2.000 0 2.000
score RCVD_IN_SORBS_DUL 0 2.000 0 2.000

-- 
Patrick Baldwin
Systems Administrator
Studsvik Scandpower
617-965-7455


Re: {SPAM?} Re: {SPAM?} Many False Positives

Posted by Patrick Baldwin <Pa...@studsvik.com>.
Mike Jackson wrote:
>> Hi, I have an issue where much of my site's incoming
>> mail is being tagged as {SPAM?} when it's not.
> 
> You're using MailScanner. It's probably in there. Look if you're still 
> using ORDB.  :-)
> 
> 

That was it, thanks.

-- 
Patrick Baldwin
Systems Administrator
Studsvik Scandpower
617-965-7455


Re: {SPAM?} Many False Positives

Posted by Mike Jackson <mj...@barking-dog.net>.
> Hi, I have an issue where much of my site's incoming
> mail is being tagged as {SPAM?} when it's not.

You're using MailScanner. It's probably in there. Look if you're still 
using ORDB.  :-)
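
A sanity check related to the ORDB pointer above, as an added example that is not part of the original thread: a DNS blocklist that has been shut down can start answering positively for every address, which gets all mail tagged. The sketch below uses the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be); the zone name bl.example.test and the fake resolvers are constructed so the example runs offline.

```python
import socket

def query_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")

def system_lookup(name):
    """Return the A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # includes socket.gaierror (NXDOMAIN, resolver failure)
        return None

def check_dnsbl(zone, lookup=system_lookup):
    """Classify a DNSBL zone using the RFC 5782 test entries."""
    listed = lookup(query_name("127.0.0.2", zone))      # must be listed
    not_listed = lookup(query_name("127.0.0.1", zone))  # must NOT be listed
    if not_listed is not None:
        # The zone answers for an address it must never list, so every
        # sender will look "listed" to a filter that consults it.
        return "lists-everything"
    if listed is None:
        # The mandatory test entry is missing: zone is gone or unreachable.
        return "dead-or-unreachable"
    if not listed.startswith("127."):
        # DNSBL answers live in 127.0.0.0/8; anything else is suspect.
        return "unexpected-answer"
    return "ok"

# Constructed resolvers standing in for real DNS (hypothetical zone name).
def fake_resolver(records, wildcard=None):
    return lambda name: records.get(name, wildcard)

HEALTHY = fake_resolver({"2.0.0.127.bl.example.test": "127.0.0.2"})
WILDCARD = fake_resolver({}, wildcard="127.0.0.2")  # answers every query
GONE = fake_resolver({})                            # answers nothing

if __name__ == "__main__":
    for label, resolver in (("healthy", HEALTHY),
                            ("wildcard", WILDCARD),
                            ("gone", GONE)):
        print(label, check_dnsbl("bl.example.test", resolver))
```

Calling check_dnsbl(zone) without a second argument queries the zone through the system resolver; any zone a mail filter still consults that comes back as anything other than "ok" is a candidate for removal from the filter's list configuration.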

Re: {SPAM?} Many False Positives

Posted by John Hardin <jh...@impsec.org>.
On Wed, 26 Mar 2008, Patrick Baldwin wrote:

> Hi, I have an issue where much of my site's incoming
> mail is being tagged as {SPAM?} when it's not.
>
> I'm looking to figure out where this {$SPAM} tag is coming
> from.

Please post the full message headers from a false positive so that we can 
get an idea which rules are hitting.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Microsoft is not a standards body.
-----------------------------------------------------------------------
  18 days until Thomas Jefferson's 265th Birthday