Problems qmail + spamassassin + simscan (score 0/0)

[Rejaine Monteiro <re...@bhz.jamef.com.br>]

Hi,

Sometimes I get spam that has been classified correctly in spamaassin as 
spam, but simscan classifies it with a score different from that 
processed by the spamd process. Sorry for my English, but I'll try to 
explain .. :)

   Here's an example:

spamd.log --> Here we see an email that was classified by the spamd 
process as suspect (score 14)

2017-03-13 18:10:48.998753500 Mon Mar 13 18:10:48 2017 [23159] info: 
spamd: processing message 
<20...@vmi108295.contaboserver.net> for qscand:1001
2017-03-13 18:10:51.668508500 Mon Mar 13 18:10:51 2017 [23159] info: 
spamd: identified spam (14.5/5.0) for qscand:1001 in 2.7 seconds, 64622 
bytes.
2017-03-13 18:10:51.668685500 [23159] info: spamd: result: Y 14 - 
BAYES_99,DCC_CHECK,HTML_MIME_NO_HTML_TAG,JAMEF_SUBJ_BOLETO_FATURA,JAMEF_ZIP_ATTACHED,MIME_HTML_ONLY,RDNS_NONE,TROJAN_JAMEF_ZIP,TVD_SPACE_RATIO 
scantime=2.7,size=64622,user=qscand,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57553,mid=<20...@vmi108295.contaboserver.net>,bayes=0.999667,autolearn=spam

simscan.log --> However, here we see that the same email, in the simscan 
log, received 0/0

2017-03-13 18:10:51.677616500 simscan:[25948]:CLEAN 
(0.00/0.00):3.8362s::213.136.86.230:financeiro@admconsultoria.com.br:user@mydomain.com

So I saved the email and executed the command simscam manually (at 
command line,  as below)  with  DEBUG option. Note that it also ranked 
the same as spam, as it should be:

# env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=2 
/var/qmail/bin/qmail-inject user@mydomain.com < savedspam.txt

<cut>
simscan: calling /usr/bin/spamc  spamc -s 1500000
simscan:[16216]:SPAM DROPPED (14.50/5.00):2.8341s:2.via 
Boleto:(null):user@server.mydomain.com:user@mydomain.com
simscan: check_spam detected spam refuse message
simscan: Putting the message in quarantine: 
/var/qmail/quarantine/msg.1489441975.579680.16217
simscan: Message recorded in quarantine successful
simscan: droping the message
simscan: exit error code: 0
<cut>

So I do not know where else to check for why simscan running 
automatically sometimes can not classify a spam, and manually, running 
the same command  manually, works fine... Strange...

I've enabled the DEBUG option in qmail-smtp.rules (SIMSCAN_DEBUG = "2"), 
but I saw nothing abnormal, no error or things like ... I'm going crazy 
here ...

Any tips? I really appreciate any hint!!

More information:

simscan version 1.4.0
compile options:
./configure --enable-user=abc  --enable-spam=y --enable-spam-hits=5 
--enable-clamav=y --enable-clamdscan=/usr/bin/clamdscan 
--enable-clamavdb-path=/var/lib/clamav 
--enable-workdir=/var/qmail/simscan/work/ 
--enable-quarantinedir=/var/qmail/simscan/quarantine/ --enable-dropmsg=y 
--enable-spamc-args="-s 1500000" --enable-ripmime=/usr/bin/ripmime 
--enable-attach=y --enable-per-domain=y

Re: Problems qmail + spamassassin + simscan (score 0/0)

[Rejaine Monteiro <re...@bhz.jamef.com.br>]

The problem was the sa_quarantine_over parameter .. I think I was
interpreting it incorrectly .. as in my case I want for everything that
spam classifies above 5 in quarantine, then the value should be 0.1 and
not 5, as was before.
because this line:

   if ($sa_quarantine_over > 0 && ($sa_score - $sa_required_hits) >=
$sa_quarantine_over) {
     &debug("SA: seriously spammy - quarantine and don't deliver");

thanks!!


Em 13-03-2017 19:15, Rejaine Monteiro escreveu:
> Hi,
>
> Sometimes I get spam that has been classified correctly in spamaassin
> as spam, but simscan classifies it with a score different from that
> processed by the spamd process. Sorry for my English, but I'll try to
> explain .. :)
>
>   Here's an example:
>
> spamd.log --> Here we see an email that was classified by the spamd
> process as suspect (score 14)
>
> 2017-03-13 18:10:48.998753500 Mon Mar 13 18:10:48 2017 [23159] info:
> spamd: processing message
> <20...@vmi108295.contaboserver.net> for qscand:1001
> 2017-03-13 18:10:51.668508500 Mon Mar 13 18:10:51 2017 [23159] info:
> spamd: identified spam (14.5/5.0) for qscand:1001 in 2.7 seconds,
> 64622 bytes.
> 2017-03-13 18:10:51.668685500 [23159] info: spamd: result: Y 14 -
> BAYES_99,DCC_CHECK,HTML_MIME_NO_HTML_TAG,JAMEF_SUBJ_BOLETO_FATURA,JAMEF_ZIP_ATTACHED,MIME_HTML_ONLY,RDNS_NONE,TROJAN_JAMEF_ZIP,TVD_SPACE_RATIO
> scantime=2.7,size=64622,user=qscand,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57553,mid=<20...@vmi108295.contaboserver.net>,bayes=0.999667,autolearn=spam
>
>
> simscan.log --> However, here we see that the same email, in the
> simscan log, received 0/0
>
> 2017-03-13 18:10:51.677616500 simscan:[25948]:CLEAN
> (0.00/0.00):3.8362s::213.136.86.230:financeiro@admconsultoria.com.br:user@mydomain.com
>
> So I saved the email and executed the command simscam manually (at
> command line,  as below)  with  DEBUG option. Note that it also ranked
> the same as spam, as it should be:
>
> # env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=2
> /var/qmail/bin/qmail-inject user@mydomain.com < savedspam.txt
>
> <cut>
> simscan: calling /usr/bin/spamc  spamc -s 1500000
> simscan:[16216]:SPAM DROPPED (14.50/5.00):2.8341s:2.via
> Boleto:(null):user@server.mydomain.com:user@mydomain.com
> simscan: check_spam detected spam refuse message
> simscan: Putting the message in quarantine:
> /var/qmail/quarantine/msg.1489441975.579680.16217
> simscan: Message recorded in quarantine successful
> simscan: droping the message
> simscan: exit error code: 0
> <cut>
>
> So I do not know where else to check for why simscan running
> automatically sometimes can not classify a spam, and manually, running
> the same command  manually, works fine... Strange...
>
> I've enabled the DEBUG option in qmail-smtp.rules (SIMSCAN_DEBUG =
> "2"), but I saw nothing abnormal, no error or things like ... I'm
> going crazy here ...
>
> Any tips? I really appreciate any hint!!
>
> More information:
>
> simscan version 1.4.0
> compile options:
> ./configure --enable-user=abc  --enable-spam=y --enable-spam-hits=5
> --enable-clamav=y --enable-clamdscan=/usr/bin/clamdscan
> --enable-clamavdb-path=/var/lib/clamav
> --enable-workdir=/var/qmail/simscan/work/
> --enable-quarantinedir=/var/qmail/simscan/quarantine/
> --enable-dropmsg=y --enable-spamc-args="-s 1500000"
> --enable-ripmime=/usr/bin/ripmime --enable-attach=y --enable-per-domain=y
>
>

--
Rejaine da Silveira Monteiro
Suporte-TI
Tel: (31) 2102-8854
Jamef Encomendas Urgentes - Matriz - Belo Horizonte/MG
www.jamef.com.br

Re: Problems qmail + spamassassin + simscan (score 0/0)

[Rejaine Monteiro <re...@bhz.jamef.com.br>]

The problem was the sa_quarantine_over parameter .. I think I was 
interpreting it incorrectly .. as in my case I want for everything that 
spam classifies above 5 in quarantine, then the value should be 0.1 and 
not 5, as was before.
because this line:

   if ($sa_quarantine_over > 0 && ($sa_score - $sa_required_hits) >= 
$sa_quarantine_over) {
     &debug("SA: seriously spammy - quarantine and don't deliver");

thanks!!


Em 13-03-2017 19:15, Rejaine Monteiro escreveu:
> Hi,
>
> Sometimes I get spam that has been classified correctly in spamaassin 
> as spam, but simscan classifies it with a score different from that 
> processed by the spamd process. Sorry for my English, but I'll try to 
> explain .. :)
>
>   Here's an example:
>
> spamd.log --> Here we see an email that was classified by the spamd 
> process as suspect (score 14)
>
> 2017-03-13 18:10:48.998753500 Mon Mar 13 18:10:48 2017 [23159] info: 
> spamd: processing message 
> <20...@vmi108295.contaboserver.net> for qscand:1001
> 2017-03-13 18:10:51.668508500 Mon Mar 13 18:10:51 2017 [23159] info: 
> spamd: identified spam (14.5/5.0) for qscand:1001 in 2.7 seconds, 
> 64622 bytes.
> 2017-03-13 18:10:51.668685500 [23159] info: spamd: result: Y 14 - 
> BAYES_99,DCC_CHECK,HTML_MIME_NO_HTML_TAG,JAMEF_SUBJ_BOLETO_FATURA,JAMEF_ZIP_ATTACHED,MIME_HTML_ONLY,RDNS_NONE,TROJAN_JAMEF_ZIP,TVD_SPACE_RATIO 
> scantime=2.7,size=64622,user=qscand,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57553,mid=<20...@vmi108295.contaboserver.net>,bayes=0.999667,autolearn=spam 
>
>
> simscan.log --> However, here we see that the same email, in the 
> simscan log, received 0/0
>
> 2017-03-13 18:10:51.677616500 simscan:[25948]:CLEAN 
> (0.00/0.00):3.8362s::213.136.86.230:financeiro@admconsultoria.com.br:user@mydomain.com
>
> So I saved the email and executed the command simscam manually (at 
> command line,  as below)  with  DEBUG option. Note that it also ranked 
> the same as spam, as it should be:
>
> # env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=2 
> /var/qmail/bin/qmail-inject user@mydomain.com < savedspam.txt
>
> <cut>
> simscan: calling /usr/bin/spamc  spamc -s 1500000
> simscan:[16216]:SPAM DROPPED (14.50/5.00):2.8341s:2.via 
> Boleto:(null):user@server.mydomain.com:user@mydomain.com
> simscan: check_spam detected spam refuse message
> simscan: Putting the message in quarantine: 
> /var/qmail/quarantine/msg.1489441975.579680.16217
> simscan: Message recorded in quarantine successful
> simscan: droping the message
> simscan: exit error code: 0
> <cut>
>
> So I do not know where else to check for why simscan running 
> automatically sometimes can not classify a spam, and manually, running 
> the same command  manually, works fine... Strange...
>
> I've enabled the DEBUG option in qmail-smtp.rules (SIMSCAN_DEBUG = 
> "2"), but I saw nothing abnormal, no error or things like ... I'm 
> going crazy here ...
>
> Any tips? I really appreciate any hint!!
>
> More information:
>
> simscan version 1.4.0
> compile options:
> ./configure --enable-user=abc  --enable-spam=y --enable-spam-hits=5 
> --enable-clamav=y --enable-clamdscan=/usr/bin/clamdscan 
> --enable-clamavdb-path=/var/lib/clamav 
> --enable-workdir=/var/qmail/simscan/work/ 
> --enable-quarantinedir=/var/qmail/simscan/quarantine/ 
> --enable-dropmsg=y --enable-spamc-args="-s 1500000" 
> --enable-ripmime=/usr/bin/ripmime --enable-attach=y --enable-per-domain=y
>
>

-- 
Rejaine da Silveira Monteiro
Suporte-TI
Tel: (31) 2102-8854
Jamef Encomendas Urgentes - Matriz - Belo Horizonte/MG
www.jamef.com.br