Spam not being flagged revisited

Darian Rafie darian at BEPINC.COM
Wed May 22 18:09:10 IST 2002


I should further detail ...

I have Always Include SpamAssassin Report = yes.  The vast vast majority
of mail that has a spam score exceeding the threshold has its subject
rewritten, as configured in mailscanner.conf.  However, there are a few
instances (four this morning) where messages are coming through and the
SpamAssassin report indicates the score exceeds the threshold, but the
subject line is not getting changed to indicate that the message is
spam.

That's the problem.  At first I thought this had to do with spammers
using my email address as the sender and thus tripping the whitelist
rules.  So I disabled those, but still saw a message or two getting
through.  So I commented out the Accept Spam From = lines, but I still
see a trickle of messages getting through.

It seems like a mailscanner issue where for some odd reason once in a
while the subject line doesn't get re-written as it should.  Is there
some way for me to pipe these messages back through mailscanner and see
if I can replicate the error?

D.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Wednesday, May 22, 2002 11:07 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Spam not being flagged revisited


At 16:42 22/05/2002, you wrote:
>I received four more messages, where the Spamscore was greater than the
>threshold but the message was not marked as spam.  I am including one
>header, as the rest are similar.  Everything in spam.whitelist is
>commented out and only my local IP address is specified in
>mailscanner.conf.   I don't see how this is a whitelist problem.  Any
>ideas?

I have just wiped my spam.whitelist.conf and commented out all
"Accept Spam From" lines in mailscanner.conf.
I then set
         Use SpamAssassin = yes
         Always Include SpamAssassin Report = yes
and restarted MailScanner.

Using the 2 SpamAssassin test messages sample-spam.txt and
sample-nonspam.txt that they supply for the purpose, I get these
results:
sample-spam.txt
>X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
>FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
>SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
>ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
>LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)

sample-nonspam.txt
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required 5,
>GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE)

I then set
         Use SpamAssassin = yes
         Always Include SpamAssassin Report = no
and restarted MailScanner.

Using the same pair of messages again, I get
sample-spam.txt
>X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
>FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
>SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
>ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
>LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)

sample-nonspam.txt
>(no SpamCheck header at all)

So either
         a) something weird is happening that is affecting your system
            and not mine
or      b) we are running different code.

(b) is the most likely. I've got 1 more little feature to test out (RBL
checks timeout setting), then I'll release the code again. Any of you
having problems can then upgrade to that version and we'll see if your
problems go away.

>Return-Path: <susanepapelej at jippii.fi>
>Received: from mail1.alluneedhosting.com ([208.46.132.87])
>         by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4M9DW103272
>         for <darian at bepinc.com>; Wed, 22 May 2002 04:13:32 -0500
>To: darian at bepinc.com
>Date: Wed, 22 May 2002 05:11:15 -0500
>Message-ID: <1022058675.2071 at localhost.localdomain>
>X-Mailer: Becky! ver. 2.00.03
>From: susanepapelej at jippii.fi
>Sender: <susanjqhnomac at jippii.fi>
>X-Sender: <susanqbiyhrhn at jippii.fi>
>Reply-To: <susanhhfnsjye at jippii.fi>
>Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid!
>X-VirusScan: Found to be clean
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required 5,
>         INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW, NORMAL_HTTP_TO_IP,
>         WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML)
>Status:
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Mike Wallis
>Sent: Tuesday, May 21, 2002 10:24 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Spam not being flagged
>
>
>I just upgraded to 3.15-3 and noticed something odd while testing.
>
>---begin---
>X-MailScanner: Found to be clean
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5,
>         SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW,
>         SUBJ_REMOVE)
>---end---
>
>In this particular instance, I forwarded myself some spam (the original
>generated a much higher score) and thought it rather odd that a score in
>excess of the required score would get a 'not spam' designation.
>
>Any ideas?
>
>--
>Mike Wallis
>mw at unixsecurity.org

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
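
Added example (not part of the original thread and not MailScanner code): a Python check that reads a message's X-MailScanner-SpamCheck header and reports when the "not spam" label disagrees with the score, which is the mismatch described in the posts above. The sample messages are constructed around the headers quoted in the thread, and the rule that score >= required means spam is an assumption.

```python
import email
import re

# Header layout as shown in this thread:
#   [not spam, ]SpamAssassin (score=N, required M, RULE, ...)
SPAMCHECK_RE = re.compile(
    r"^(?P<notspam>not spam,\s*)?SpamAssassin\s*\("
    r"score=(?P<score>-?\d+(?:\.\d+)?),\s*"
    r"required\s+(?P<required>-?\d+(?:\.\d+)?)",
    re.IGNORECASE,
)

def check_message(raw):
    """Classify one raw message by its X-MailScanner-SpamCheck header.

    Returns (verdict, score, required); verdict is one of
      'unflagged'   - labelled 'not spam' although score >= required
      'overflagged' - labelled spam although score < required
      'ok'          - label and score agree
      'no-header'   - header absent or not in the expected layout
    """
    value = email.message_from_string(raw).get("X-MailScanner-SpamCheck")
    if value is None:
        return ("no-header", None, None)
    m = SPAMCHECK_RE.match(" ".join(value.split()))  # unfold continuation lines
    if m is None:
        return ("no-header", None, None)
    score, required = float(m["score"]), float(m["required"])
    labelled_spam = m["notspam"] is None
    is_over = score >= required  # assumption: spam when score >= required
    if labelled_spam == is_over:
        return ("ok", score, required)
    return ("overflagged" if labelled_spam else "unflagged", score, required)

def unflagged(samples):
    """Names of the messages whose label says 'not spam' despite the score."""
    return sorted(n for n, raw in samples.items()
                  if check_message(raw)[0] == "unflagged")

H = "X-MailScanner-SpamCheck: "
# Constructed minimal messages; only the SpamCheck headers come from the thread.
SAMPLES = {
    "score-9.8": H + "not spam, SpamAssassin (score=9.8, required 5,\n"
                 "        INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW)\n\nbody\n",
    "score-7": H + "not spam, SpamAssassin (score=7, required 5,\n"
               "        SUBJ_HAS_Q_MARK, EXCUSE_3)\n\nbody\n",
    "sample-spam": H + "SpamAssassin (score=17, required 5,\n"
                   " FROM_HAS_MIXED_NUMS, INVALID_MSGID)\n\nbody\n",
    "sample-nonspam": H + "not spam, SpamAssassin (score=-2.8, required 5,\n"
                      " GAPPY_TEXT, PGP_SIGNATURE)\n\nbody\n",
    "no-report": "Subject: hello\n\nbody\n",
}
```

Running unflagged() over messages exported from an affected mailbox gives the set to re-test after an upgrade.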


