Posted to users@spamassassin.apache.org by server <se...@wecanhost4u.com> on 2012/07/02 01:17:45 UTC
Tagging Spam
I am getting this
-39.4 points, 5.2 required
and it is tagging as spam.
Why?
Re: Tagging Spam
Posted by Benny Pedersen <me...@junc.org>.
On 2012-07-02 01:17, server wrote:
> I am getting this
>
> -39.4 points, 5.2 required
>
> and it is tagging as spam.
>
> Why?
Next week's lotto numbers are ?, 42?
It pays off to show more info: paste the full content of the email on
pastebin.com and give a link to that paste here, otherwise contact your
mail admin.
Re: Tagging Spam
Posted by Dave Funk <db...@engineering.uiowa.edu>.
On Sun, 1 Jul 2012, server wrote:
> On 7/1/2012 7:29 PM, John Hardin wrote:
>> On Sun, 1 Jul 2012, server wrote:
>>
>>> I am getting this
>>>
>>> -39.4 points, 5.2 required
>>>
>>> and it is tagging as spam.
>>>
>>> Why?
>>
>> We can't possibly do more than guess without seeing the actual headers on
>> such a message, as well as having some information about what your MTA is
>> and how you have SA glued onto it.
>>
> Sorry I thought it was something simple that I have overlooked.
>
> Exim 4.77
> spamd_address = 127.0.0.1 783
> # put headers in all messages (no matter if spam or not)
> warn  message = X-Spam-Score: $spam_score ($spam_bar)
>       spam = BOGUS:true
>
> warn  message = X-Spam-Report: $spam_report
>       spam = BOGUS:true
>
> # add second subject line with *SPAM* marker when message
> # is over threshold
> warn  message = Subject: *THIS IS SPAM* $h_Subject:
>       spam = BOGUS
>
> # reject spam at high scores (> 5.2)
> deny  message = This message scored $spam_score spam points.
>       spam = BOGUS:true
>       condition = ${if >{$spam_score_int}{52}{1}{0}}
>
> What part of the header should I post?
>
>
> This is a C/P from my log (exact with a couple of edits where you see blah
> blah blah and my tld info)
> ****************************
>
> X-HELO-Warning: Remote host xx.xx.xx.xx incorrectly presented itself as
> [192.168.1.100]
> X-Spam-Score: -39.4 (---------------------------------------)
> X-Spam-Report: Spam detection software, running on the system "my tld", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email. If you have any questions, see
> postmaster for details.
> Content preview: -------- Original Message -------- Subject: Maxine's
> Memorial
> Date: Sat, 30 Jun 2012 16:49:59 -0400 (EDT) From: blah blah blah
> Content analysis details: (-39.4 points, 5.2 required)
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  -48 ALL_TRUSTED            Passed through trusted hosts only via SMTP
> -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
>                             domain
>  1.8 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
>  0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.4309]
>  2.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
>  2.5 LOTS_OF_MONEY          Huge... sums of money
> X-Spam-Score: 8.7 (++++++++)
> X-Spam-Report: Spam detection software, running on the system
> "server.edschooler.com", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email. If you have any questions, see
> postmaster for details.
> Content preview: -------- Original Message -------- Subject: Maxine's
> Memorial
> Date: Sat, 30 Jun 2012 16:49:59 -0400 (EDT) From: same blah blah blah
>
>
> Content analysis details: (8.7 points, 5.2 required)
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
>                             domain
>  1.8 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
>  0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5000]
>  2.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
>                             necessarily valid
>  2.5 LOTS_OF_MONEY          Huge... sums of money
>  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
> Subject: *THIS IS SPAM* Fwd: Maxine's Memorial
>
> *****************************************************
There are at least a couple of things wrong here.
1) where did that -48 points score for ALL_TRUSTED come from? That's not a
standard SA score for that rule.
2) it appears that this message has been passed thru SA at least twice.
That's tricky to do correctly and get valid scores, even with the best of
configurations. Given this message has two different spam-score headers
with wildly differing values, your setup is broken.
3) a proper SA installation should always add a Checker-Version header,
regardless of whether the message is spam or ham. In what you've posted
it's missing, so either you've left out that part or your kit is broken
in a way that it doesn't get added.
As I've never used Exim, I cannot comment on your mail server config.
Can you capture a copy of a message as it enters your system -before-
you feed it to SA to see what headers the message already has?
There may be some up-stream system that is doing SA processing on your
mail. If so, you either need to get them to not do that, not run your own
SA & be willing to accept their scoring, or find some other way to get
unfiltered mail service.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
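The three checks from the reply above (a rule score large enough to swamp the threshold, more than one score header, a missing Checker-Version header), as an added example that is not part of the original thread. The header text is a constructed sample cut down from the posted log, `audit` is a hypothetical helper, and "a single rule outweighs the required score" is an assumed heuristic, not a SpamAssassin feature.

```python
import re
from email import message_from_string

# Constructed sample, cut down from the headers quoted in the thread.
SAMPLE = (
    "X-Spam-Score: -39.4 (---------------------------------------)\n"
    "X-Spam-Report: Content analysis details: (-39.4 points, 5.2 required)\n"
    "  -48 ALL_TRUSTED Passed through trusted hosts only via SMTP\n"
    "  1.8 US_DOLLARS_3 BODY: Mentions millions of $\n"
    "  2.5 LOTS_OF_MONEY Huge... sums of money\n"
    "X-Spam-Score: 8.7 (++++++++)\n"
    "X-Spam-Report: Content analysis details: (8.7 points, 5.2 required)\n"
    "  1.8 US_DOLLARS_3 BODY: Mentions millions of $\n"
    "Subject: *THIS IS SPAM* Fwd: constructed sample\n"
    "\n"
    "body\n"
)

# One "pts RULE_NAME description" report line, and the "N required" threshold.
RULE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b", re.M)
REQUIRED = re.compile(r"points, (\d+(?:\.\d+)?) required")

def audit(raw):
    """Return findings for the three problems named in the reply above."""
    msg = message_from_string(raw)
    findings = []
    # 2) more than one score header: the message was scanned more than once
    scores = [float(v.split()[0]) for v in msg.get_all("X-Spam-Score", [])]
    if len(scores) > 1:
        findings.append(f"scanned {len(scores)} times, scores {scores}")
    # 3) the version header SpamAssassin itself adds is absent
    if msg.get("X-Spam-Checker-Version") is None:
        findings.append("no X-Spam-Checker-Version header")
    # 1) heuristic (assumption): one rule that alone outweighs the threshold
    for report in msg.get_all("X-Spam-Report", []):
        m = REQUIRED.search(report)
        if m is None:
            continue
        required = float(m.group(1))
        for pts, rule in RULE.findall(report):
            if abs(float(pts)) > required:
                findings.append(f"{rule} scores {pts}, threshold {required}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Running it on a copy of the message captured before local scanning and again after, as the reply suggests, shows which hop added each header.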
Re: Tagging Spam
Posted by server <se...@wecanhost4u.com>.
On 7/2/2012 6:09 AM, Benny Pedersen wrote:
> On 2012-07-02 14:56, server wrote:
>
>> What I posted was the exact post to my log file without breaks.
>> As what Dave posted it is double scanning for whatever reason.
>> At this point I am not sure if it is Exim or Spamassassin or both.
>
> if both is same mail, then it's rescanning on return from spamc ?, here
> i am using postfix and amavisd and have no problem with spamassassin
> at all, but real men use exim ? :=)
>
This is not happening on every email; I have only noticed it on maybe 2
emails in the last 30 days or so.
Re: Tagging Spam
Posted by Benny Pedersen <me...@junc.org>.
On 2012-07-02 14:56, server wrote:
> What I posted was the exact post to my log file without breaks.
> As what Dave posted it is double scanning for whatever reason.
> At this point I am not sure if it is Exim or Spamassassin or both.
if both is same mail, then it's rescanning on return from spamc ?, here
i am using postfix and amavisd and have no problem with spamassassin at
all, but real men use exim ? :=)
Re: Tagging Spam
Posted by server <se...@wecanhost4u.com>.
On 7/2/2012 3:28 AM, Benny Pedersen wrote:
> On 2012-07-02 05:44, server wrote:
>
>> What part of the header should I post?
>
> does not help since problem is the above is done before spamd is called
>
> and you pasted one ham, and one spam, check exim config, it's not a
> spamassassin issue
>
What I posted was the exact post to my log file without breaks. As
what Dave posted it is double scanning for whatever reason.
At this point I am not sure if it is Exim or Spamassassin or both.
Thanks
Re: Tagging Spam
Posted by Benny Pedersen <me...@junc.org>.
On 2012-07-02 05:44, server wrote:
> What part of the header should I post?
does not help since problem is the above is done before spamd is called
and you pasted one ham, and one spam, check exim config, it's not a
spamassassin issue
Re: Tagging Spam
Posted by server <se...@wecanhost4u.com>.
On 7/1/2012 7:29 PM, John Hardin wrote:
> On Sun, 1 Jul 2012, server wrote:
>
>> I am getting this
>>
>> -39.4 points, 5.2 required
>>
>> and it is tagging as spam.
>>
>> Why?
>
> We can't possibly do more than guess without seeing the actual headers
> on such a message, as well as having some information about what your
> MTA is and how you have SA glued onto it.
>
Sorry I thought it was something simple that I have overlooked.
Exim 4.77
spamd_address = 127.0.0.1 783
# put headers in all messages (no matter if spam or not)
warn  message = X-Spam-Score: $spam_score ($spam_bar)
      spam = BOGUS:true
warn  message = X-Spam-Report: $spam_report
      spam = BOGUS:true
# add second subject line with *SPAM* marker when message
# is over threshold
warn  message = Subject: *THIS IS SPAM* $h_Subject:
      spam = BOGUS
# reject spam at high scores (> 5.2)
deny  message = This message scored $spam_score spam points.
      spam = BOGUS:true
      condition = ${if >{$spam_score_int}{52}{1}{0}}
What part of the header should I post?
This is a C/P from my log (exact with a couple of edits where you see
blah blah blah and my tld info)
****************************
X-HELO-Warning: Remote host xx.xx.xx.xx incorrectly presented itself as [192.168.1.100]
X-Spam-Score: -39.4 (---------------------------------------)
X-Spam-Report: Spam detection software, running on the system "my tld", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
postmaster for details.
Content preview: -------- Original Message -------- Subject: Maxine's Memorial
Date: Sat, 30 Jun 2012 16:49:59 -0400 (EDT) From: blah blah blah
Content analysis details: (-39.4 points, 5.2 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 -48 ALL_TRUSTED            Passed through trusted hosts only via SMTP
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
 1.8 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
 0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4309]
 2.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
 2.5 LOTS_OF_MONEY          Huge... sums of money
X-Spam-Score: 8.7 (++++++++)
X-Spam-Report: Spam detection software, running on the system "server.edschooler.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
postmaster for details.
Content preview: -------- Original Message -------- Subject: Maxine's Memorial
Date: Sat, 30 Jun 2012 16:49:59 -0400 (EDT) From: same blah blah blah
Content analysis details: (8.7 points, 5.2 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
 1.8 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
 0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 2.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 2.5 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
Subject: *THIS IS SPAM* Fwd: Maxine's Memorial
*****************************************************
Re: Tagging Spam
Posted by John Hardin <jh...@impsec.org>.
On Sun, 1 Jul 2012, server wrote:
> I am getting this
>
> -39.4 points, 5.2 required
>
> and it is tagging as spam.
>
> Why?
We can't possibly do more than guess without seeing the actual headers on
such a message, as well as having some information about what your MTA is
and how you have SA glued onto it.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Justice is justice, whereas "social justice" is code for one set
of rules for the rich, another for the poor; one set for whites,
another set for minorities; one set for straight men, another for
women and gays. In short, it's the opposite of actual justice.
-- Burt Prelutsky
-----------------------------------------------------------------------
3 days until the 236th anniversary of the Declaration of Independence