You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Mário Gamito <ga...@gmail.com> on 2007/04/13 19:54:53 UTC
Marking HAM as good mail
Hi,
My boss is getting HAM mails from two addresses which are always marked
as SPAM.
I've seen that lowering the sa-learn threshold is not an option.
Is there a way to configure SA to stop marking those two specific
addresses as SPAM ?
Any help would be appreciated.
Warm Regards
--
:wq! Mário Gamito
Re: Marking HAM as good mail
Posted by Matthias Häker <mh...@its-h.de>.
Mário Gamito schrieb:
> Hi,
>
> My boss is getting HAM mails from two addresses which are always marked
> as SPAM.
>
> I've seen that lowering the sa-learn threshold is not an option.
>
> Is there a way to configure SA to stop marking those two specific
> addresses as SPAM ?
>
> Any help would be appreciated.
>
> Warm Regards
>
how do you call sa
i call it from procmail and i use my own whitelist system with procmail
, maybe this is a option for you
Matthias
Re: Marking HAM as good mail
Posted by John Rudd <jr...@ucsc.edu>.
Are you using the Botnet plugin?
If so, I'd add an exemption for their IP address to your Botnet.cf file.
It looks like what you'd need, if you are using Botnet, is either:
botnet_skip_ip ^81\.92\.203\.3$
and/or
botnet_skip_ip ^84\.18\.242\.136$
Depending on whether your scanning machine is the
mx1.netcanvas.com/gauguin.netcanvas.com machine. If it is, then use the
2nd config line I gave, if it's not, then use the first one.
If you're not using Botnet, then ignore this message :-)
Mário Gamito wrote:
> Hi,
>
> Thank you for your answers.
>
>> Look at the config documentation for the whitelist_from_rcvd and
>> whitelist_from_spf options.
> Humm... where are they ? Couldn't find it :(
>
>> Can you post the list of rules that these mails are hitting (the
>> X-Spam_Status header)?
> Here it is:
> X-Spam-Status: Yes, score=5.6 required=5.0
> X-Spam-Level: +++++
> Received: from unknown (HELO mx1.netcanvas.com) ([81.92.203.3])
> (envelope-sender <ad...@burocratik.com>)
> by 0 (qmail-ldap-1.03) with SMTP
> for <mg...@telbit.pt>; 13 Mar 2007 18:43:32 -0000
> Received: (qmail 18227 invoked by uid 205); 13 Mar 2007 18:43:32 -0000
> Received: from 84.18.242.136 by mx1.netcanvas.com (envelope-from
> <ad...@burocratik.com>, uid 202) with qmail-scanner-1.24st
> (clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
> Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.
> Processed in 2.395852 secs); 13 Mar 2007 18:43:32 -0000
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=-0.3 required=5.0
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> gauguin.netcanvas.com
> X-Qmail-Scanner-MOVED-X-Spam-Level:
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
> tests=AWL,BAYES_00,
> HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0
>
>
> Warm Regards
Re: Marking HAM as good mail
Posted by mouss <mo...@netoyen.net>.
Mário Gamito wrote:
> Hi,
>
>
>> now, take one of the messages and run "spamassassin -t" on it and show
>> these tests (at the end of the report).
>>
> Strange, it has only 4.1 points, but is marked as SPAM!
>
not now, but it was marked as spam when it was delivered. maybe
dcc/razor (or spamcops?) was hit at that time. Unfortunately, it's too
late to know (unless the infos are in your logs).
you'll need to modify your filter as I said before (add the list of
rules to the X-Spam-Status header, so that you know what matched at the
filtering time).
> # spamassassin -t
> 1173748887.M111529P3626V0000000000000901I0172197A_86.mail.telbit.pt\,S\=28719\:2\,
>
> Content analysis details: (4.1 points, 5.0 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 1.0 MIME_BOUND_EQ_REL MIME_BOUND_EQ_REL
> 0.3 FROM_STARTS_WITH_NUMS From: starts with many numbers
> 0.8 EXTRA_MPART_TYPE Header has extraneous Content-type:...type=
> entry
> 1.3 FROM_LOCAL_HEX From: localpart has long hexadecimal sequence
> 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
> lines
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.6 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
>
>
> Warm Regards
>
Re: Marking HAM as good mail
Posted by Mário Gamito <ga...@gmail.com>.
Hi,
> now, take one of the messages and run "spamassassin -t" on it and show
> these tests (at the end of the report).
Strange, it has only 4.1 points, but is marked as SPAM!
# spamassassin -t
1173748887.M111529P3626V0000000000000901I0172197A_86.mail.telbit.pt\,S\=28719\:2\,
Content analysis details: (4.1 points, 5.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
1.0 MIME_BOUND_EQ_REL MIME_BOUND_EQ_REL
0.3 FROM_STARTS_WITH_NUMS From: starts with many numbers
0.8 EXTRA_MPART_TYPE Header has extraneous Content-type:...type=
entry
1.3 FROM_LOCAL_HEX From: localpart has long hexadecimal sequence
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
lines
0.0 HTML_MESSAGE BODY: HTML included in message
0.6 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
Warm Regards
--
:wq! Mário Gamito
Re: Marking HAM as good mail
Posted by mouss <mo...@netoyen.net>.
Mário Gamito wrote:
> Hi,
>
> Thank you for your answers.
>
>
>> Look at the config documentation for the whitelist_from_rcvd and
>> whitelist_from_spf options.
>>
> Humm... where are they ? Couldn't find it :(
>
>
>> Can you post the list of rules that these mails are hitting (the
>> X-Spam_Status header)?
>>
> Here it is:
> X-Spam-Status: Yes, score=5.6 required=5.0
>
you should configure your filter so that the X-Spam-Status header shows
the tests that were hit.
now, take one of the messages and run "spamassassin -t" on it and show
these tests (at the end of the report).
> X-Spam-Level: +++++
> Received: from unknown (HELO mx1.netcanvas.com) ([81.92.203.3])
> (envelope-sender <ad...@burocratik.com>)
> by 0 (qmail-ldap-1.03) with SMTP
> for <mg...@telbit.pt>; 13 Mar 2007 18:43:32 -0000
> Received: (qmail 18227 invoked by uid 205); 13 Mar 2007 18:43:32 -0000
> Received: from 84.18.242.136 by mx1.netcanvas.com (envelope-from
> <ad...@burocratik.com>, uid 202) with qmail-scanner-1.24st
> (clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
> Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.
> Processed in 2.395852 secs); 13 Mar 2007 18:43:32 -0000
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=-0.3 required=5.0
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> gauguin.netcanvas.com
> X-Qmail-Scanner-MOVED-X-Spam-Level:
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
> tests=AWL,BAYES_00,
> HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0
>
you may want to disable AWL.
Re: Marking HAM as good mail
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 13 Apr 2007, Mário Gamito wrote:
> > Look at the config documentation for the whitelist_from_rcvd and
> > whitelist_from_spf options.
> Humm... where are they ? Couldn't find it :(
perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::SPF
or
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_SPF.html
> > Can you post the list of rules that these mails are hitting (the
> > X-Spam_Status header)?
> Here it is:
> X-Spam-Status: Yes, score=5.6 required=5.0
> ... qmail-scanner-1.24st
> (clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
> Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.
> X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
> tests=AWL,BAYES_00,
> HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0
...oookay, someone better-versed in qmail-scanner will have to
interpret this. I can't. It sure looks to me like it shouldn't be
classified as spam.
Also: you may want to upgrade your SpamAssassin install to 3.1.8,
3.1.0 is rather old and is subject to DoS attack.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The difference between ignorance and stupidity is that the stupid
desire to remain ignorant. -- Jim Bacon
-----------------------------------------------------------------------
Today: Thomas Jefferson's 264th Birthday
Re: Marking HAM as good mail
Posted by Mário Gamito <ga...@gmail.com>.
Hi,
Thank you for your answers.
> Look at the config documentation for the whitelist_from_rcvd and
> whitelist_from_spf options.
Humm... where are they ? Couldn't find it :(
> Can you post the list of rules that these mails are hitting (the
> X-Spam_Status header)?
Here it is:
X-Spam-Status: Yes, score=5.6 required=5.0
X-Spam-Level: +++++
Received: from unknown (HELO mx1.netcanvas.com) ([81.92.203.3])
(envelope-sender <ad...@burocratik.com>)
by 0 (qmail-ldap-1.03) with SMTP
for <mg...@telbit.pt>; 13 Mar 2007 18:43:32 -0000
Received: (qmail 18227 invoked by uid 205); 13 Mar 2007 18:43:32 -0000
Received: from 84.18.242.136 by mx1.netcanvas.com (envelope-from
<ad...@burocratik.com>, uid 202) with qmail-scanner-1.24st
(clamdscan: 0.88.7/2828. spamassassin: 3.1.0. perlscan: 1.24st.
Clear:RC:0(84.18.242.136):SA:0(-0.3/5.0):.
Processed in 2.395852 secs); 13 Mar 2007 18:43:32 -0000
X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=-0.3 required=5.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
gauguin.netcanvas.com
X-Qmail-Scanner-MOVED-X-Spam-Level:
X-Qmail-Scanner-MOVED-X-Spam-Status: No, score=-0.3 required=5.0
tests=AWL,BAYES_00,
HTML_IMAGE_ONLY_08,HTML_MESSAGE autolearn=no version=3.1.0
Warm Regards
--
:wq! Mário Gamito
Re: Marking HAM as good mail
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 13 Apr 2007, Mário Gamito wrote:
> My boss is getting HAM mails from two addresses which are always
> marked as SPAM.
>
> Is there a way to configure SA to stop marking those two specific
> addresses as SPAM ?
Look at the config documentation for the whitelist_from_rcvd and
whitelist_from_spf options.
Can you post the list of rules that these mails are hitting (the
X-Spam_Status header)?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Warning Labels we'd like to see #1: "If you are a stupid idiot while
using this product you may hurt yourself. And it won't be our fault."
-----------------------------------------------------------------------
Today: Thomas Jefferson's 264th Birthday