You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Russell Jones <rj...@eggycrew.com> on 2008/02/26 18:56:39 UTC

Spamd and SpamAssassin scoring very different scores

For some reason spamd is not scoring email nearly as high as 
spamassassin scores if you run the message through manually. I do not 
understand this, and it is causing spam to get through that should have 
been blocked. As you can see when running spamassassin manually it 
scored it a 7.5, but spamd scored it only a 4.5 when it first came in.

Below is the message spamassassin shows when I run it through manually, 
and you can see the original email as well as the original score spamd 
gave it towards the bottom of the message.

What do I need to do to get spamd to give the same score spamassassin is 
giving? It looks to me like the rcvd_in_xbl rule did not fire for spamd, 
but did for spamassassin. What accounts for that?

Received: from localhost by server1.eggycrew.com
    with SpamAssassin (version 3.2.0);
    Tue, 26 Feb 2008 11:43:09 -0600
From: "Ahmad Mcfadden" <dw...@popula.com>
To: <pi...@pittershawn.com>
Subject: Is generic medication just as effective as the brand named 
products?
Date: Tue, 26 Feb 2008 19:43:00 +0800
Message-Id: <01...@dwpopulam>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on 
server1.eggycrew.com
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.5 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
    RCVD_IN_XBL,RDNS_NONE,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
    autolearn=disabled version=3.2.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_47C44FAD.87C8E643"

This is a multi-part message in MIME format.

------------=_47C44FAD.87C8E643
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

SpamAssassin, running on the system "mail.eggycrew.com", has identified
this incoming email as possible spam.  The original message has been
attached to this so you can view it (if it isn't spam).

You may update your SpamAssassin configuration at any time in your
DirectAdmin Control Panel under "Advanced Features".

If you have any questions, please contact the Helpdesk.


Content preview:  Is generic medication just as effective as the brand named
   products? Generic medication is just as safe and effective as their brand
   named competitors. Our generic products are produced in India by 
pharmaceutical
   manufacturers in the highest quality facilities that fully comply 
with the
   Good Manufacturing Practices (GMP), the stipulations laid down by the US
  FDA. [...]

Content analysis details:   (7.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- 
--------------------------------------------------
 0.1 RDNS_NONE              Delivered to trusted network by a host with 
no rDNS
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4419]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: bnorbovea.com]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: bnorbovea.com]
 0.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: bnorbovea.com]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [60.10.108.162 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL



------------=_47C44FAD.87C8E643
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Return-path: <dw...@popula.com>
Envelope-to: pittershawn@pittershawn.com
Delivery-date: Tue, 26 Feb 2008 06:00:44 -0600
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)
    (envelope-from <dw...@popula.com>)
    id 1JTyUF-0005OA-Ld
    for pittershawn@pittershawn.com; Tue, 26 Feb 2008 06:00:44 -0600
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on 
server1.eggycrew.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.5 required=5.0 
tests=BAYES_50,RCVD_IN_PBL,RDNS_NONE,
    URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled 
version=3.2.0
Received: from [60.10.108.162] (helo=0769d38b7bb44bd)
    by mail.eggycrew.com with esmtp (Exim 4.67)
    (envelope-from <dw...@popula.com>)
    id 1JTyUE-0005Nh-JK
    for pittershawn@pittershawn.com; Tue, 26 Feb 2008 06:00:43 -0600
Received: from [60.10.108.162] by yippee.popula.com; Tue, 26 Feb 2008 
19:43:00 +0800
From: "Ahmad Mcfadden" <dw...@popula.com>
To: <pi...@pittershawn.com>
Subject: Is generic medication just as effective as the brand named 
products?
Date: Tue, 26 Feb 2008 19:43:00 +0800
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QF5B2T0X0GZ6NQJKYUH3R6M37Y==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Message-ID: <01...@dwpopulam>
X-Antivirus-ClamAV-Scanner: This message was scanned for viruses and 
other harmful content on mail.eggycrew.com before being delivered.

 Is generic medication just as effective as the brand named products?

Generic medication is just as safe and effective as their brand named
 competitors.
 Our generic products are produced in India by pharmaceutical
 manufacturers in the highest quality facilities that fully comply with the
Good Manufacturing Practices (GMP), the stipulations laid down by the US 
FDA.

   http://bnorbovea.com


------------=_47C44FAD.87C8E643--

Re: Spamd and SpamAssassin scoring very different scores

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.

On 26.02.08 11:56, Russell Jones wrote:
> For some reason spamd is not scoring email nearly as high as 
> spamassassin scores if you run the message through manually. I do not 
> understand this, and it is causing spam to get through that should have 
> been blocked. As you can see when running spamassassin manually it 
> scored it a 7.5, but spamd scored it only a 4.5 when it first came in.
> 
> Below is the message spamassassin shows when I run it through manually, 
> and you can see the original email as well as the original score spamd 
> gave it towards the bottom of the message.
> 
> X-Spam-Status: Yes, score=7.5 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
>    RCVD_IN_XBL,RDNS_NONE,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
>    autolearn=disabled version=3.2.0

> 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL

> X-Spam-Status: No, score=4.5 required=5.0 
> tests=BAYES_50,RCVD_IN_PBL,RDNS_NONE,
>    URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled 
> version=3.2.0
> Received: from localhost by server1.eggycrew.com
>    with SpamAssassin (version 3.2.0);
>    Tue, 26 Feb 2008 11:43:09 -0600

the only difference is RCVD_IN_XBL, checking XBL reveals that the IP
(60.10.108.162) was listed in XBL after it appeared in CBL, which was at
2008-02-26 11:00 GMT (+/- 30 minutes) - 6 hours after the mail entered your
mailserver and was checked by SA.

When you manually checked it again, the address was in XBL, which meaned 3
points more. Many rules start hitting after some delay, mostly network tests.

You can delay receiving messages for some time (12 hours) if you want higher
scores ;-)
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.