Weird SpamAssassin scores on same message

Use this forum for discussions about SpamAssassin and anti-spam in general.
Post Reply
User avatar
Nime
Normal user
Normal user
Posts: 169
Joined: 2009-03-12 11:50
Contact:

Weird SpamAssassin scores on same message

Post by Nime » 2021-04-22 17:29

Hi

I'm maintaining SpamAssassin to make things better. I just discovered SA gets different scores from very same message file.

If I restart spamd output of the very first test gets score of 5.3
Received: from localhost by webserver
with SpamAssassin (version 3.4.1);
Thu, 22 Apr 2021 18:10:18 +0300
From: Tim Friedrichsen <horeca@ade-germany.de>
To: izsmmmo@izsmmmo.com
Subject: =?UTF-8?B?5Zue5aSNOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiAg?=izsmmmo.com
- ORDER 700198/ 1031757-22.04.2021
Date: 21 Apr 2021 21:29:16 -0700
Message-Id: <20210421212915.6261CD680F3B43E9@ade-germany.de>
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,KHOP_HELO_FCRDNS,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,
MPART_ALT_DIFF,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
Consequent tests get score of -0.1
Return-Path: horeca@ade-germany.de
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MPART_ALT_DIFF,
RCVD_IN_DNSWL_HI,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
And now I did more tests, results are random; -0.1 or 5.3 :(

What's wrong with SA? Does it skip some tests?
Last edited by Nime on 2021-04-22 17:51, edited 1 time in total.

User avatar
Nime
Normal user
Normal user
Posts: 169
Joined: 2009-03-12 11:50
Contact:

Re: Weird SpamAssassin scores on same message

Post by Nime » 2021-04-22 17:47

I've examined different X-Spam-Status side by side; when RCVD_IN_DNSWL_HI is missing the score was -4.9, when it is not missing the score was 0.1
X-Spam-Status: No, score=-4.9 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1

X-Spam-Status: No, score=0.1 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1
I'm tired of seeing the same trained spam messages with very low scores :(

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: Weird SpamAssassin scores on same message

Post by SorenR » 2021-04-22 19:46

Nime wrote:
2021-04-22 17:47
I've examined different X-Spam-Status side by side; when RCVD_IN_DNSWL_HI is missing the score was -4.9, when it is not missing the score was 0.1
X-Spam-Status: No, score=-4.9 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1

X-Spam-Status: No, score=0.1 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1
I'm tired of seeing the same trained spam messages with very low scores :(
It was a big issue back in 2013..

http://spamassassin.1065346.n5.nabble.c ... 03391.html
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
katip
Senior user
Senior user
Posts: 1158
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Weird SpamAssassin scores on same message

Post by katip » 2021-04-22 20:10

Code: Select all

# useless DNS WL
score RCVD_IN_DNSWL_NONE 0 0 0 0
score RCVD_IN_DNSWL_LOW 0 0 0 0
score RCVD_IN_DNSWL_MED 0 0 0 0
score RCVD_IN_DNSWL_HI 0 0 0 0
score RCVD_IN_DNSWL_BLOCKED 0 0 0 0
in my user_prefs since i was aware of this garbage.
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8

User avatar
RvdH
Senior user
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Weird SpamAssassin scores on same message

Post by RvdH » 2021-04-22 22:18

CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
RvdH
Senior user
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Weird SpamAssassin scores on same message

Post by RvdH » 2021-04-22 22:21

Nime wrote:
2021-04-22 17:29
Hi

I'm maintaining SpamAssassin to make things better. I just discovered SA gets different scores from very same message file.

If I restart spamd output of the very first test gets score of 5.3
Received: from localhost by webserver
with SpamAssassin (version 3.4.1);
Thu, 22 Apr 2021 18:10:18 +0300
From: Tim Friedrichsen <horeca@ade-germany.de>
To: izsmmmo@izsmmmo.com
Subject: =?UTF-8?B?5Zue5aSNOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiAg?=izsmmmo.com
- ORDER 700198/ 1031757-22.04.2021
Date: 21 Apr 2021 21:29:16 -0700
Message-Id: <20210421212915.6261CD680F3B43E9@ade-germany.de>
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,KHOP_HELO_FCRDNS,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,
MPART_ALT_DIFF,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
Consequent tests get score of -0.1
Return-Path: horeca@ade-germany.de
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MPART_ALT_DIFF,
RCVD_IN_DNSWL_HI,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
And now I did more tests, results are random; -0.1 or 5.3 :(

What's wrong with SA? Does it skip some tests?
Without seeing the exact ip addresses those mails originating from it's hard to tell what and if something is wrong.... if they are different then you have to ask yourself why they use multiple servers to send their mail, if not...well katip has a nice suggestion/solution above...although i would prefer to disable them checks completely (to reduce DNS lookups)
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
RvdH
Senior user
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Weird SpamAssassin scores on same message

Post by RvdH » 2021-04-22 22:24

Whoops...http://spamassassin.apache.org/full/3.4 ... _Conf.html

"Setting a rule's score to 0 will disable that rule from running."

score 0 is sufficient as it seems :)
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
Nime
Normal user
Normal user
Posts: 169
Joined: 2009-03-12 11:50
Contact:

Re: Weird SpamAssassin scores on same message

Post by Nime » 2021-04-22 22:38

I've just added what Katip mentioned above and I'll monitor it closely. Thanks guys!

User avatar
RvdH
Senior user
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Weird SpamAssassin scores on same message

Post by RvdH » 2021-04-22 22:43

Nime wrote:
2021-04-22 22:38
I've just added what Katip mentioned above and I'll monitor it closely. Thanks guys!
We learn something new every day :lol:
https://spamassassin.apache.org/full/3. ... _Conf.html
If no score is given for a test by the end of the configuration, a default score is assigned: a score of 1.0 is used for all tests, except those whose names begin with 'T_' (this is used to indicate a rule in testing) which receive 0.01.

Code: Select all

# Score on unauthenticated unsecure connections
describe	T_LOCAL_UNAUTHUNSEC	Score on unauthenticated unsecure connections
header		T_LOCAL_UNAUTHUNSEC Received =~ /^.*\s(ESMTP)(?!ESMTPA|ESMTPS|ESMTPSA)\s.*$/i
score		T_LOCAL_UNAUTHUNSEC 1.0
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

Post Reply