You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Raphael Clifford <ra...@clifford.net> on 2005/05/21 11:57:50 UTC
randomly fluctuating scores
I have a spam message (attached below) which is causing all kinds of
problems. The first is that the score is
(command "spamassassin spam.txt")
X-Spam-Status: No, score=-4.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00
autolearn=unavailable version=3.0.3
I am not NAT'ed so I can see no reason why it is ALL_TRUSTED
The second is that the score fluctuates randomly if I rerun this command
despite the fact that autolearn is "unavailable" or "no" each time. For
example
(DCC seems to have started working since the first test but this doesn't
stop the scores fluctuating)
X-Spam-Status: No, score=-1.1 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_99,
DCC_CHECK autolearn=no version=3.0.3
and then
X-Spam-Status: No, score=0.0 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_99,
DCC_CHECK autolearn=no version=3.0.3
So I tried
"spamassassin -t probablyspam"
and I get
X-Spam-Status: No, score=2.4 required=5.0 tests=ALL_TRUSTED,BAYES_99,
DCC_CHECK autolearn=no version=3.0.3
So I tried it without -t
X-Spam-Status: No, score=0.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_99,
DCC_CHECK autolearn=no version=3.0.3
and then without -t again
X-Spam-Status: No, score=1.0 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_99,
DCC_CHECK autolearn=no version=3.0.3
etc. etc.
Any ideas what is going on? I can see that AWL seems to be turned off
for the -t tests. Why would that be? I don't see why AWL would be
increasing the score each time either?
Raphael
------------ offending email ------------------------
Return-Path: <kl...@mcrmail.com>
Delivered-To: 6-contact@sembacuttiaratchy.com
Received: (qmail 19588 invoked from network); 20 May 2005 22:45:07 +0100
Received: from 82-35-6-77.cable.ubr01.hari.blueyonder.co.uk (@82.35.6.77)
by secure.roshan.name with SMTP; 20 May 2005 22:45:07 +0100
Language: English
X-MIME-Autoconverted: Yes
Alternate-Recipient: Allowed
Resent-Reply-To: "Marylou" <kl...@mcrmail.com>
Reply-To: "Marylou" <kl...@mcrmail.com>
From: "Marylou" <kl...@mcrmail.com>
To: contact@sembacuttiaratchy.com
Subject: Easily earn $925, 879 this year
Date: Sat, 21 May 2005 01:39:52 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--142-39995-7611-328-538-423"
Earn $1000 in the next 24 hours!
Work from home - never drive to work again
No product to purchase
Unlimited income potential
You can earn $250,000 in the next 6 to 12 months.
Totally automated - No selling.
Copy and Paste this link into your browser to make money:
mfcpjs.mywealthbiz.info/appl_form_flower.html
thank you,
Marylou Farris
2816 Central Avenue
Richmond, VA
Re: randomly fluctuating scores
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Raphael Clifford wrote:
> Daryl C. W. O'Shea wrote:
>> Actually, SpamAssassin 3.0.3 can't parse the first received header
>> either, due to the @ in front of the IP. Even if you were to set
>> trusted_networks all trusted would fire and there'd be no RBL lookups
>> etc.
>>
>> Daryl
>>
>
> I think that is exactly right. If you remove the '@' everything is fixed
> and the spam gets a very high score!
>
> This parsing problem looks like something that would be fixable in
> spamassassin or does it classify as a mail server problem that shouldn't
> be worked around?
>
> Raphael
SpamAssassin 3.1 will correctly parse the received header (with the @ in
front of the IP). Until then, there may be a way to get qmail(?) to
stop adding the @... I don't know for sure though.
Daryl
Re: randomly fluctuating scores
Posted by Raphael Clifford <ra...@clifford.net>.
Daryl C. W. O'Shea wrote:
> Loren Wilton wrote:
>
>>> I am not NAT'ed so I can see no reason why it is ALL_TRUSTED
>>
>>
>> I think I can:
>>
>>> Delivered-To: 6-contact@sembacuttiaratchy.com
>>> Received: (qmail 19588 invoked from network); 20 May 2005 22:45:07 +0100
>>> Received: from 82-35-6-77.cable.ubr01.hari.blueyonder.co.uk
>>> (@82.35.6.77)
>>> by secure.roshan.name with SMTP; 20 May 2005 22:45:07 +0100
>>> Language: English
>>
>>
>> I suspect the qmail header either isn't parsable by SA or doesn't contain
>> enough information to be interesting, or is considered local
>> delivery. This
>> means that the next and only header would be from your gateway and
>> would be
>> trusted, I assume. Since it is directly from the spammer with no
>> indication
>> of a local gateway, SA makes the wrong guess.
>>
>> I *think* that normally SA expects to see a received header from your
>> local
>> MTA in the mail, and in this case there isn't one. You might be able
>> to get
>> around this by setting trusted_networks to local only, but I suspect the
>> right fix is to get a received header for your MTA in there.
>
>
> Actually, SpamAssassin 3.0.3 can't parse the first received header
> either, due to the @ in front of the IP. Even if you were to set
> trusted_networks all trusted would fire and there'd be no RBL lookups etc.
>
> Daryl
>
I think that is exactly right. If you remove the '@' everything is fixed
and the spam gets a very high score!
This parsing problem looks like something that would be fixable in
spamassassin or does it classify as a mail server problem that shouldn't
be worked around?
Raphael
Re: randomly fluctuating scores
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Loren Wilton wrote:
>>I am not NAT'ed so I can see no reason why it is ALL_TRUSTED
>
> I think I can:
>
>>Delivered-To: 6-contact@sembacuttiaratchy.com
>>Received: (qmail 19588 invoked from network); 20 May 2005 22:45:07 +0100
>>Received: from 82-35-6-77.cable.ubr01.hari.blueyonder.co.uk (@82.35.6.77)
>> by secure.roshan.name with SMTP; 20 May 2005 22:45:07 +0100
>>Language: English
>
> I suspect the qmail header either isn't parsable by SA or doesn't contain
> enough information to be interesting, or is considered local delivery. This
> means that the next and only header would be from your gateway and would be
> trusted, I assume. Since it is directly from the spammer with no indication
> of a local gateway, SA makes the wrong guess.
>
> I *think* that normally SA expects to see a received header from your local
> MTA in the mail, and in this case there isn't one. You might be able to get
> around this by setting trusted_networks to local only, but I suspect the
> right fix is to get a received header for your MTA in there.
Actually, SpamAssassin 3.0.3 can't parse the first received header
either, due to the @ in front of the IP. Even if you were to set
trusted_networks all trusted would fire and there'd be no RBL lookups etc.
Daryl
Re: randomly fluctuating scores
Posted by Loren Wilton <lw...@earthlink.net>.
I'm not sure why your score is changing, since the list of hit tests seems
to be the same. Two points though:
> (command "spamassassin spam.txt")
I had always thought it was "spamassassin <spam.txt". I suppose maybe SA
will pick up an unrecognized parameter as a file name to parse though.
> I am not NAT'ed so I can see no reason why it is ALL_TRUSTED
I think I can:
> Delivered-To: 6-contact@sembacuttiaratchy.com
> Received: (qmail 19588 invoked from network); 20 May 2005 22:45:07 +0100
> Received: from 82-35-6-77.cable.ubr01.hari.blueyonder.co.uk (@82.35.6.77)
> by secure.roshan.name with SMTP; 20 May 2005 22:45:07 +0100
> Language: English
I suspect the qmail header either isn't parsable by SA or doesn't contain
enough information to be interesting, or is considered local delivery. This
means that the next and only header would be from your gateway and would be
trusted, I assume. Since it is directly from the spammer with no indication
of a local gateway, SA makes the wrong guess.
I *think* that normally SA expects to see a received header from your local
MTA in the mail, and in this case there isn't one. You might be able to get
around this by setting trusted_networks to local only, but I suspect the
right fix is to get a received header for your MTA in there.
Loren