Posted to users@spamassassin.apache.org by Craig <cc...@unitedwayqc.org> on 2006/12/01 17:47:10 UTC

How does some spam pass through?

Below are the results from a Spamassassin -D test of a message that was
previously delivered this morning.  How does something like this pass
through?  When I run the checks on the email after it is delivered, the
system clearly knows it's spam.
 
Thanks
Craig
 
 
 
X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report: 
 *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *      [score: 1.0000]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *      [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *      [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *      [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
 *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
 *  5.0 BOTNET Any Botnet rule hit

Re: How does some spam pass through?

Posted by Loren Wilton <lw...@earthlink.net>.
SA tags both spam and non-spam messages with the rules that hit.  A typical non-spam report looks like

X-Spam-Status: No, score=3.3 required=4.6 tests=BAYES_20,DK_POLICY_SIGNSOME,
 FORGED_RCVD_HELO,HELO_MISMATCH_COM,HOST_MISMATCH_NET,JD_LO_BAYES,
 JD_VLO_BAYES,LW_PRINTERS,MAILTO_TO_SPAM_ADDR autolearn=disabled 
 version=3.1.4

You should be seeing this on non-spam mails, IF you are running through spamd or the like.  If you are using amavisd-new and some of the other things, they throw the SA markup away on non-spam messages by default.  There are usually ways to get it back, depending on the tool you are using.  Not being sure what you are using (and not using any of them myself), I can't help much on what you might have to fiddle to get non-spam report info.  But someone here will know, just tell us what you are running.

The idea is you want to see what rules hit when it wasn't marked as spam, and compare it to what you get manually.  If the difference is the network tests, then probably you were just a lucky early winner on a new spam run.  OTOH, if there are NO network tests (and never are), then you have a config problem, since you see them when you run the spam manually.  Likewise, if you see bayes in debug and not in normal mail, you have a config problem.  Etc.

        Loren
  ----- Original Message ----- 
  From: Craig 
  To: users@spamassassin.apache.org 
  Sent: Friday, December 01, 2006 9:34 AM
  Subject: Re: How does some spam pass through?


  Thanks for your quick reply

  Ok, I am new to this, and I am sure it's a "no brainer", but "non-spam tagging" I do not understand. If you could explain, or if it's documented, feel free to scold me; I would appreciate it.

  Craig

Re: How does some spam pass through?

Posted by Craig <cc...@unitedwayqc.org>.
Thanks for your quick reply
 
Ok, I am new to this, and I am sure it's a "no brainer", but "non-spam
tagging" I do not understand. If you could explain, or if it's documented,
feel free to scold me; I would appreciate it.
 
Craig


>>> "Loren Wilton" <lw...@earthlink.net> 12/1/2006 11:05 AM >>>
Typical case is that you were one of the lucky early recipients before
the spam made it into all the blocklists, so it got a low score.
 
You should have got a pretty hefty score from the local tests, but
there is another 10+ points in net tests there too.
 
It looks like bayes should have caught it with your 4.0 limit.  This
makes me suspect bayes didn't run.  Look at the original mail tagging
and see if you have a setup where you have non-spam tagging.  (And if
not, fix things so you do; it makes this easier to debug.)
 
        Loren

Re: How does some spam pass through?

Posted by Loren Wilton <lw...@earthlink.net>.
Typical case is that you were one of the lucky early recipients before the spam made it into all the blocklists, so it got a low score.

You should have got a pretty hefty score from the local tests, but there is another 10+ points in net tests there too.

It looks like bayes should have caught it with your 4.0 limit.  This makes me suspect bayes didn't run.  Look at the original mail tagging and see if you have a setup where you have non-spam tagging.  (And if not, fix things so you do; it makes this easier to debug.)

        Loren
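Loren's advice in both of his replies (compare the rules that hit when the mail was delivered with the rules from the manual re-scan, then decide from the difference whether you were an early recipient or whether Bayes or the network tests were not running) can be mechanised. The Python below is an added example, not code from the thread or from SpamAssassin; the delivery-time header and the grouping of rule names by prefix are my assumptions.

```python
import re

# Constructed sample headers (not taken from the thread's mail system): what a
# site might have stamped at delivery time, and the X-Spam-Status from the
# later "spamassassin -D" re-scan, which is the one Craig posted.
DELIVERED = """X-Spam-Status: No, score=2.9 required=4.0 tests=HTML_IMAGE_ONLY_12,
 HTML_MESSAGE,SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.7"""
RESCANNED = """X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7"""

# Assumed prefixes of rules that need DNS lookups (SA 3.1 network tests).
NET_PREFIXES = ("RCVD_IN_", "DNS_FROM_", "URIBL_", "RAZOR2_", "DCC_", "PYZOR_")
STATUS_RE = re.compile(r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+"
                       r"required=(-?[\d.]+)\s+tests=(\S+)")

def parse_status(header):
    """Return (is_spam, score, required, rules) from a possibly folded header."""
    # SA folds the tests list after commas, so dropping the fold whitespace
    # (instead of replacing it with a space) keeps the list as one token.
    m = STATUS_RE.search(re.sub(r"\r?\n[ \t]+", "", header))
    if m is None:
        raise ValueError("no X-Spam-Status header found")
    rules = frozenset(m.group(4).split(","))
    return m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), rules

def classify(rule):
    if rule.startswith("BAYES_"):
        return "bayes"
    return "network" if rule.startswith(NET_PREFIXES) else "local"

def diagnose(delivered, rescanned):
    """Loren's heuristic: which rule classes hit only on the re-scan, and were they running at delivery?"""
    before = parse_status(delivered)[3]
    after = parse_status(rescanned)[3]
    only_on_rescan = {c: sorted(r for r in after - before if classify(r) == c)
                      for c in ("bayes", "network", "local")}
    was_running = {classify(r) for r in before}
    findings = []
    if only_on_rescan["bayes"] and "bayes" not in was_running:
        findings.append("bayes_did_not_run_at_delivery")   # config problem
    if only_on_rescan["network"] and "network" in was_running:
        findings.append("early_recipient")                 # listed after delivery
    elif only_on_rescan["network"]:
        # Config problem if delivered mail never shows network tests;
        # otherwise this can still just be an early recipient.
        findings.append("no_network_tests_at_delivery")
    if only_on_rescan["local"]:
        findings.append("local_rules_differ")              # rules/plugins changed
    return findings, only_on_rescan
```

Feed it the X-Spam-Status from the message as it sat in the mailbox and the one from the re-scan; if the delivered copy carries no X-Spam-Status at all, that is the "non-spam tagging" Loren says to enable first.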