Use this forum for discussions about SpamAssassin and anti-spam in general.
-
Nime
- Normal user
- Posts: 172
- Joined: 2009-03-12 11:50
-
Contact:
Post
by Nime » 2021-04-22 17:29
Hi
I'm maintaining SpamAssassin to make things better. I just discovered SA gets different scores from very same message file.
If I restart spamd output of the very first test gets score of 5.3
Received: from localhost by webserver
with SpamAssassin (version 3.4.1);
Thu, 22 Apr 2021 18:10:18 +0300
From: Tim Friedrichsen <
horeca@ade-germany.de>
To:
izsmmmo@izsmmmo.com
Subject: =?UTF-8?B?5Zue5aSNOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiAg?=izsmmmo.com
- ORDER 700198/ 1031757-22.04.2021
Date: 21 Apr 2021 21:29:16 -0700
Message-Id: <
20210421212915.6261CD680F3B43E9@ade-germany.de>
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,KHOP_HELO_FCRDNS,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,
MPART_ALT_DIFF,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
Consequent tests get score of -0.1
Return-Path:
horeca@ade-germany.de
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MPART_ALT_DIFF,
RCVD_IN_DNSWL_HI,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
And now I did more tests, results are random; -0.1 or 5.3
What's wrong with SA? Does it skip some tests?
Last edited by
Nime on 2021-04-22 17:51, edited 1 time in total.
-
Nime
- Normal user
- Posts: 172
- Joined: 2009-03-12 11:50
-
Contact:
Post
by Nime » 2021-04-22 17:47
I've examined different X-Spam-Status side by side; when
RCVD_IN_DNSWL_HI is missing the score was -4.9, when it is not missing the score was 0.1
X-Spam-Status: No, score=-4.9 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1
X-Spam-Status: No, score=0.1 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1
I'm tired of seeing the same trained spam messages with very low scores
-
SorenR
- Senior user
- Posts: 6315
- Joined: 2006-08-21 15:38
- Location: Denmark
Post
by SorenR » 2021-04-22 19:46
Nime wrote: ↑2021-04-22 17:47
I've examined different X-Spam-Status side by side; when
RCVD_IN_DNSWL_HI is missing the score was -4.9, when it is not missing the score was 0.1
X-Spam-Status: No, score=-4.9 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1
X-Spam-Status: No, score=0.1 required=3.2 tests=BAYES_00,FREEMAIL_FROM,HTML_MESSAGE,PDS_TONAME_EQ_TOLOCAL_SHORT, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=3.4.1
I'm tired of seeing the same trained spam messages with very low scores
It was a big issue back in 2013..
http://spamassassin.1065346.n5.nabble.c ... 03391.html
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
-
katip
- Senior user
- Posts: 1161
- Joined: 2006-12-22 07:58
- Location: Istanbul
Post
by katip » 2021-04-22 20:10
Code: Select all
# useless DNS WL
score RCVD_IN_DNSWL_NONE 0 0 0 0
score RCVD_IN_DNSWL_LOW 0 0 0 0
score RCVD_IN_DNSWL_MED 0 0 0 0
score RCVD_IN_DNSWL_HI 0 0 0 0
score RCVD_IN_DNSWL_BLOCKED 0 0 0 0
in my user_prefs since i was aware of this garbage.
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8
-
RvdH
- Senior user
- Posts: 3235
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2021-04-22 22:18
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
-
RvdH
- Senior user
- Posts: 3235
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2021-04-22 22:21
Nime wrote: ↑2021-04-22 17:29
Hi
I'm maintaining SpamAssassin to make things better. I just discovered SA gets different scores from very same message file.
If I restart spamd output of the very first test gets score of 5.3
Received: from localhost by webserver
with SpamAssassin (version 3.4.1);
Thu, 22 Apr 2021 18:10:18 +0300
From: Tim Friedrichsen <
horeca@ade-germany.de>
To:
izsmmmo@izsmmmo.com
Subject: =?UTF-8?B?5Zue5aSNOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiBBVzogQVc6IEFXOiAg?=izsmmmo.com
- ORDER 700198/ 1031757-22.04.2021
Date: 21 Apr 2021 21:29:16 -0700
Message-Id: <
20210421212915.6261CD680F3B43E9@ade-germany.de>
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,KHOP_HELO_FCRDNS,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,
MPART_ALT_DIFF,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
Consequent tests get score of -0.1
Return-Path:
horeca@ade-germany.de
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=3.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MPART_ALT_DIFF,
RCVD_IN_DNSWL_HI,SPF_FAIL,SPF_HELO_FAIL,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.1
And now I did more tests, results are random; -0.1 or 5.3
What's wrong with SA? Does it skip some tests?
Without seeing the exact ip addresses those mails originating from it's hard to tell what and if something is wrong.... if they are different then you have to ask yourself why they use multiple servers to send their mail, if not...well katip has a nice suggestion/solution above...although i would prefer to disable them checks completely (to reduce DNS lookups)
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
-
RvdH
- Senior user
- Posts: 3235
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2021-04-22 22:24
Whoops...
http://spamassassin.apache.org/full/3.4 ... _Conf.html
"Setting a rule's score to 0 will disable that rule from running."
score 0 is sufficient as it seems
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
-
Nime
- Normal user
- Posts: 172
- Joined: 2009-03-12 11:50
-
Contact:
Post
by Nime » 2021-04-22 22:38
I've just added what Katip mentioned above and I'll monitor it closely. Thanks guys!
-
RvdH
- Senior user
- Posts: 3235
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2021-04-22 22:43
Nime wrote: ↑2021-04-22 22:38
I've just added what Katip mentioned above and I'll monitor it closely. Thanks guys!
We learn something new every day
https://spamassassin.apache.org/full/3. ... _Conf.html
If no score is given for a test by the end of the configuration, a default score is assigned: a score of 1.0 is used for all tests, except those whose names begin with 'T_' (this is used to indicate a rule in testing) which receive 0.01.
Code: Select all
# Score on unauthenticated unsecure connections
describe T_LOCAL_UNAUTHUNSEC Score on unauthenticated unsecure connections
header T_LOCAL_UNAUTHUNSEC Received =~ /^.*\s(ESMTP)(?!ESMTPA|ESMTPS|ESMTPSA)\s.*$/i
score T_LOCAL_UNAUTHUNSEC 1.0
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup