You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by David Goldsmith <dg...@sans.org> on 2006/06/05 21:34:11 UTC

Message Scores Changing?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A messages that just made it through to my mailbox had the following SA
headers:

X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
X-Spam-Level: ****
X-Spam-Status: No, score=4.5 required=7.0 tests=BAYES_50,HTML_40_50,
	HTML_MESSAGE,URIBL_SBL autolearn=no version=3.1.0

I bounced it to our 'spam' address and ran 'spamc' against the message
and came back with:

X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
X-Spam-Level:
X-Spam-Status: No, score=0.5 required=7.0 tests=BAYES_40,HTML_40_50,
        HTML_MESSAGE,URIBL_SBL autolearn=no version=3.1.0


I've seen this often where email bounced by one of our users to out spam
box appears to have a lower score when tested manually but in this case,
I ran spamc within minutes of receiving the message.

Any ideas on what may have changed in the Bayesian database in the short
interval that would lower the confidence that the message is spam?

Thanks,
Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEhIcz417vU8/9QfkRAr1TAKCe0qLIzJrTcAYkSgnDOASqpPNl6wCgthUy
OTdz/o1ODhgLyHJTGsazeKo=
=Pabv
-----END PGP SIGNATURE-----

Re: Message Scores Changing?

Posted by David Goldsmith <dg...@sans.org>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Kettler wrote:
> David Goldsmith wrote:
>> A messages that just made it through to my mailbox had the following SA
>> headers:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
>> X-Spam-Level: ****
>> X-Spam-Status: No, score=4.5 required=7.0 tests=BAYES_50,HTML_40_50,
>>     HTML_MESSAGE,URIBL_SBL autolearn=no version=3.1.0
>>
>> I bounced it to our 'spam' address and ran 'spamc' against the message
>> and came back with:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
>> X-Spam-Level:
>> X-Spam-Status: No, score=0.5 required=7.0 tests=BAYES_40,HTML_40_50,
>>         HTML_MESSAGE,URIBL_SBL autolearn=no version=3.1.0
>>
>>
>> I've seen this often where email bounced by one of our users to out spam
>> box appears to have a lower score when tested manually but in this case,
>> I ran spamc within minutes of receiving the message.
>>
>> Any ideas on what may have changed in the Bayesian database in the short
>> interval that would lower the confidence that the message is spam?
> 
> Define "bounced it to our 'spam' address"..  What exact mechanism did
> you use here?

Using Thunderbird, I used the 'Redirect' option to pass it to an address
that our users can submit spam to that made it through.  We then
manually review / test those messages with spamc / sa-learn by hand.

> I ask because Auto-processing learners are a dangerous minefield, SA's
> bayes system is very sensitive to changes in:
> 
>     From and To: headers
>     Body encoding
> 
> Both of which will be changed dramatically if you use "forward" on a
> message.

Dave


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEhPn4417vU8/9QfkRAr9pAJ9TzupLQJcOU3T/vMF/zNn6R1o7CgCff+YE
xkWWjiBF7WQ/bFcKAqmvxP0=
=A0Ru
-----END PGP SIGNATURE-----

Re: Message Scores Changing?

Posted by Matt Kettler <mk...@comcast.net>.

David Goldsmith wrote:
> A messages that just made it through to my mailbox had the following SA
> headers:
>
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
> X-Spam-Level: ****
> X-Spam-Status: No, score=4.5 required=7.0 tests=BAYES_50,HTML_40_50,
>     HTML_MESSAGE,URIBL_SBL autolearn=no version=3.1.0
>
> I bounced it to our 'spam' address and ran 'spamc' against the message
> and came back with:
>
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
> X-Spam-Level:
> X-Spam-Status: No, score=0.5 required=7.0 tests=BAYES_40,HTML_40_50,
>         HTML_MESSAGE,URIBL_SBL autolearn=no version=3.1.0
>
>
> I've seen this often where email bounced by one of our users to out spam
> box appears to have a lower score when tested manually but in this case,
> I ran spamc within minutes of receiving the message.
>
> Any ideas on what may have changed in the Bayesian database in the short
> interval that would lower the confidence that the message is spam?

Define "bounced it to our 'spam' address"..  What exact mechanism did
you use here?

I ask because Auto-processing learners are a dangerous minefield, SA's
bayes system is very sensitive to changes in:

    From and To: headers
    Body encoding

Both of which will be changed dramatically if you use "forward" on a
message.

Mysql SA question

Posted by Alan Fullmer <li...@xnote.com>.

What would keep SA from looking up entries in the mysql db for some
addresses, then successfully do it to others?

There are certain addresses the system does not want to whitelist because it
isn't looking it up in the database.

But I know it is working because it will pull other addresses out.  This
specifically is a Comcast.net address.  I have no idea if that has anything
to do with it or not.

Does anyone have any sort of idea why it would ignore looking up certain
emails in the mysql db?