You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Asif Iqbal <iq...@qwestip.net> on 2004/10/23 00:40:06 UTC

Spam score mismatch

Hi All

(I am also going to send this email to qmail-scanner's mailing list)

I get conflicting report in my spam score here. I am running
qmail-scanner-1.22+st

The spamd log shows

@4000000041797c9113d8cd8c 2004-10-22 21:32:55 [13829] i: checking message <04...@insite-europe.co.uk> for iqbala@qwestip.net:7794.
@4000000041797c921b8ffdfc 2004-10-22 21:32:56 [13829] i: clean message (1.6/5.0) for iqbala@qwestip.net:7794 in 1.1 seconds, 1227 bytes.  
@4000000041797c921b98ef0c 2004-10-22 21:32:56 [13829] i: result: .  1 - BAYES_00,MSGID_DOLLARS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK scantime=1.1,size=1227,mid=<04...@insite-europe.co.uk>,bayes=0.00449588856409078,autolearn=no

The spamassassin -t -D < /tmp/spam running as qmailq shows

X-Spam-Status: Yes, score=15.0 required=5.0 tests=BAYES_00,MSGID_DOLLARS,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_AB_SURBL,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=no
version=3.0.0

I am running spamd like this

#!/bin/sh
exec 2>&1
exec /usr/local/bin/spamd -m 20 -s stderr --syslog-socket=inet -u qmailq


Any idea why I am getting this conflicted score?
-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
"...it said: Install Windows XP or better...so I installed Solaris..."

Re: Spam score mismatch

Posted by Matt Kettler <mk...@comcast.net>.

At 06:40 PM 10/22/2004 -0400, Asif Iqbal wrote:
>@4000000041797c921b8ffdfc 2004-10-22 21:32:56 [13829] i: clean message 
>(1.6/5.0) for iqbala@qwestip.net:7794 in 1.1 seconds, 1227 bytes.
>@4000000041797c921b98ef0c 2004-10-22 21:32:56 [13829] i: result: .  1 - 
>BAYES_00,MSGID_DOLLARS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK 
>scantime=1.1,size=1227,mid=<04...@insite-europe.co.uk>,bayes=0.00449588856409078,autolearn=no
>
>The spamassassin -t -D < /tmp/spam running as qmailq shows
>
>X-Spam-Status: Yes, score=15.0 required=5.0 tests=BAYES_00,MSGID_DOLLARS,
>RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_AB_SURBL,URIBL_JP_SURBL,
>URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=no
>version=3.0.0
>
>I am running spamd like this
>
>#!/bin/sh
>exec 2>&1
>exec /usr/local/bin/spamd -m 20 -s stderr --syslog-socket=inet -u qmailq
>
>
>Any idea why I am getting this conflicted score?

 From the looks of it... Time.

The only difference between the two runs is the second one matched a whole 
bunch of SURBL rules. This leads me to belive that sometime between 
2004-10-22 21:32:56 and the time you ran spamassassin -t -D that one of the 
links in the mail got reported as spam to many of the SURBL lists.

SURBL lists are highly dynamic, as are most DNSBLs. You shouldn't be 
surprised when new spam gets added to them swiftly. However, if the spammer 
just bought a brand new domain name, there's no way for SURBL to have a 
listing before any spam gets sent. SURBL is good, but it's not psychic.

If the message really is spam, I'd be a bit concerned about your bayes 
training. You should never have a spam message hit BAYES_00 unless your 
bayes DB is not well trained.

My bayes DB is pretty stable, and I consider it a cause for alarm if a spam 
matches BAYES_10 or lower.

Check out the bayes tokens it's matching in spamassassin -t -D. Dump it 
into sa-learn --spam, then check the tokens again. From there, see if 
there's a particular kind of spam that would fit the low-scoring tokens 
that you might want to focus a little extra spam training on.