Posted to users@spamassassin.apache.org by rsmits-l <rs...@tudelft.nl> on 2014/07/23 10:19:14 UTC

High score for email but no rules are being triggered

Hello,

We have an incoming email which was discarded because of the high spam 
score. In the logging we see no rules being triggered. What could be the 
cause of this?
I have never seen this before.

Thank you for any help offered.

Greetings, Richard.

Logging below:
----
Jul 23 03:56:08 mx3 amavis[23021]: (23021-14) ESMTP::10026 
/data1/tmp/amavis-20140723T030805-23021-wnWVJInl: <xx...@xxxxxx.com> 
-> <xx...@mail.xxx> SIZE=39241 Received: from mail.xxxx.nl 
([130.161.131.74]) by localhost (xxxxxxxx.nl [127.0.0.1]) (amavisd-new, 
port 10026) with ESMTP for <xx...@mail.xxx>; Wed, 23 Jul 2014 
03:56:08 +0200 (CEST)
Jul 23 03:56:08 mx3 amavis[23021]: (23021-14) Checking: hAn9gito5pOy 
[209.85.220.54] <we...@xxxxxx.com> -> <xx...@xxxxxx.xxxxxx.net>
Jul 23 03:56:08 mx3 amavis[23021]: (23021-14) p003 1 Content-Type: 
multipart/alternative
Jul 23 03:56:08 mx3 amavis[23021]: (23021-14) p001 1/1 Content-Type: 
text/plain, size: 2378 B, name:
Jul 23 03:56:08 mx3 amavis[23021]: (23021-14) p002 1/2 Content-Type: 
text/html, size: 28368 B, name:
Jul 23 03:56:09 mx3 amavis[23021]: (23021-14) do_notify_and_quarantine: 
spam level exceeds quarantine cutoff level 20
Jul 23 03:56:09 mx3 amavis[23021]: (23021-14) Blocked SPAM 
{DiscardedInbound}, [209.85.220.54]:51315 [58.216.164.98] 
<we...@xxxxxx.com> -> <xx...@xxxxxx.xxxxxx.net>, Message-ID: 
<00...@xxxxxx.com>, mail_id: hAn9gito5pOy, 
Hits: 41.149, size: 39241, 1024 ms
Jul 23 03:56:09 mx3 amavis[23021]: (23021-14) TIMING-SA total 932 ms - 
parse: 6 (0.6%), extract_message_metadata: 32 (3.5%), 
get_uri_detail_list: 3 (0.3%), tests_pri_-1000: 6 (0.6%), 
tests_pri_-950: 0.89 (0.1%), tests_pri_-900: 10 (1.1%), tests_pri_-400: 
28 (3.0%), check_bayes: 27 (2.9%), tests_pri_0: 826 (88.6%), 
check_dkim_signature: 9 (1.0%), check_spf: 55 (5.9%), poll_dns_idle: 38 
(4.1%), check_razor2: 327 (35.1%), check_pyzor: 0.03 (0.0%), 
tests_pri_500: 8 (0.9%), get_report: 0.87 (0.1%)
Jul 23 03:56:09 mx3 postfix/smtp[24645]: CBA4E660079: 
to=<xx...@xxxxxx.xxxxxx.net>, orig_to=<xx...@xxxxxx.nl>, 
relay=127.0.0.1[127.0.0.1]:10026, delay=1.8, delays=0.77/0/0/1, 
dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23021-14 - spam)
Jul 23 03:56:09 mx3 amavis[23021]: (23021-14) size: 39241, TIMING [total 
1025 ms] - SMTP greeting: 1 (0%)0, SMTP EHLO: 0 (0%)0, SMTP pre-MAIL: 1 
(0%)0, SMTP pre-DATA-flush: 1 (0%)0, SMTP DATA: 39 (4%)4, check_init: 0 
(0%)4, digest_hdr: 1 (0%)4, digest_body: 1 (0%)4, custom-new: 1 (0%)4, 
mime_decode: 14 (1%)6, get-file-type2: 11 (1%)7, parts_decode: 0 (0%)7, 
check_header: 1 (0%)7, AV-scan-1: 12 (1%)8, AV-scan-2: 2 (0%)8, 
spam-wb-list: 1 (0%)8, SA msg read: 0 (0%)8, SA parse: 6 (1%)9, SA 
check: 921 (90%)99, custom-checks: 6 (1%)99, decide_mail_destiny: 1 
(0%)100, notif-quar: 0 (0%)100, custom-before_send: 0 (0%)100, 
custom-after_send: 0 (0%)100, prepare-dsn: 0 (0%)100, main_log_entry: 3 
(0%)100, custom-mail_done: 0 (0%)100, SMTP pre-response: 0 (0%)100, SMTP 
response: 0 (0%)100, unlink-2-files: 0 (0%)100, rundown: 0 (0%)100

Re: High score for email but no rules are being triggered

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2014-07-23 at 10:19 +0200, rsmits-l wrote:
> We have an incoming email which was discarded because of the high spam 
> score. In the logging we see no rules being triggered. What could be the 
> cause of this?

This is an amavis question. SA does not reject (or discard) mail.

(Speaking of "discarding", you don't actually mean simply throwing an
already accepted message into the great bit-bucket after SMTP stage, do
you?)

The logs do not show any list of rules at all. This does not mean no
rules being triggered. It does mean that important information is
missing from your logs. Seems to be a mis-configuration to me, given
those extensive timings being logged.

Add logging of SA rules (tests) to your Amavis configuration.


> Jul 23 03:56:09 mx3 amavis[23021]: (23021-14) do_notify_and_quarantine: 
> spam level exceeds quarantine cutoff level 20
> Jul 23 03:56:09 mx3 amavis[23021]: (23021-14) Blocked SPAM 
> {DiscardedInbound}, [209.85.220.54]:51315 [58.216.164.98] 
> <we...@xxxxxx.com> -> <xx...@xxxxxx.xxxxxx.net>, Message-ID: 
> <00...@xxxxxx.com>, mail_id: hAn9gito5pOy, 
> Hits: 41.149, size: 39241, 1024 ms

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
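
A log check following the point made in the reply above, added here as an example and not part of the original thread or of amavisd-new: it parses amavis verdict entries and lists blocked messages whose score has no per-rule breakdown in the log. The sample lines are constructed, and the `Tests: [NAME=score,...]` field layout is an assumption about how a log template that includes SA tests renders them.

```python
import re

# Constructed sample entries, one syslog line each. The first has the shape of
# the "Blocked SPAM" entry in the post (no rule list); the second carries a
# "Tests: [...]" field, whose exact layout is an assumption.
SAMPLE_LOG = """\
Jul 23 03:56:09 mx3 amavis[23021]: (23021-14) Blocked SPAM {DiscardedInbound}, [192.0.2.10]:51315 <a@example.com> -> <b@example.net>, Message-ID: <1@example.com>, mail_id: AAAAAAAAAAAA, Hits: 41.149, size: 39241, 1024 ms
Jul 23 04:01:12 mx3 amavis[23021]: (23021-15) Blocked SPAM {DiscardedInbound}, [192.0.2.11]:40022 <c@example.com> -> <d@example.net>, Message-ID: <2@example.com>, mail_id: BBBBBBBBBBBB, Hits: 22.5, size: 1200, 800 ms, Tests: [BAYES_99=3.5,URIBL_BLACK=1.7,RAZOR2_CHECK=0.9]
Jul 23 04:02:30 mx3 amavis[23021]: (23021-16) Passed CLEAN {RelayedInbound}, [192.0.2.12]:40100 <e@example.com> -> <f@example.net>, Message-ID: <3@example.com>, mail_id: CCCCCCCCCCCC, Hits: -1.9, size: 900, 300 ms
"""

# Final verdict entry: action, content category, destiny, mail_id and score.
VERDICT = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<action>Blocked|Passed) "
    r"(?P<cat>[A-Z-]+) \{(?P<dest>\w+)\}"
    r".*?mail_id: (?P<mail_id>\S+?),.*?Hits: (?P<hits>-?[\d.]+)"
)
TESTS = re.compile(r"Tests: \[(?P<tests>[^\]]*)\]")


def parse_verdicts(log_text):
    """Return one dict per amavis verdict entry, with rule scores if logged."""
    entries = []
    for line in log_text.splitlines():
        m = VERDICT.search(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["hits"] = float(entry["hits"])
        entry["tests"] = None  # None means the log carries no rule list
        t = TESTS.search(line)
        if t:
            pairs = (p.split("=", 1) for p in t.group("tests").split(",") if p)
            entry["tests"] = {name: float(score) for name, score in pairs}
        entries.append(entry)
    return entries


def unexplained_blocks(log_text):
    """mail_ids of blocked messages whose score cannot be traced to rules."""
    return [e["mail_id"] for e in parse_verdicts(log_text)
            if e["action"] == "Blocked" and e["tests"] is None]
```
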