Spam not being flagged revisited

Darian Rafie darian at BEPINC.COM
Fri May 24 20:07:42 IST 2002 

Julian,

Okay having captured three different spam messages that scored above the
threshold but didn't have their subjects rewritten -- I dropped one back
into mqueue.in as you suggested.

4/5 times the scores were above threshold and still the subject was not
re-written.  Apparently a consistent and persistent bug rearing its head
when this particular message crosses its path.

Now the plot thickens, but let me begin by saying I have not been
drinking.

Each of the 5 times I dropped the dfg/qfg combo into mqueue.in it came
to me with different spam scores.  Once registering -4.4.  I'll throw
that one away as an anomaly.  Each of the other times the scores
exceeded the threshold but differed by as many as 15 points.

I pieced the dfg/qfg back together and piped them through spamassassin
using "spamassassin -t < test-spam > spam.out" and each time it
registered 8.5 hits.

So is it possible we are looking at two different problems or the same
problem manifesting itself in different ways?  I've attached the dfg/qfg
to this email.

Thanks,
D.


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Wednesday, May 22, 2002 12:25 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Spam not being flagged revisited


At 18:09 22/05/2002, you wrote:
>It seems like a mailscanner issue where for some odd reason once in a
>while the subject line doesn't get re-written as it should.  Is there
>some way for me to pipe these messages back through mailscanner and see
>if I can replicate the error?

If you set the Archive Mail options, then it will save the qf and df
files
out of the queue for you. Then you can later drop them back into
mqueue.in
to see what happens if it has a second go at them.

What's interesting is your report that it only does this sometimes, not
always. Stinks of being a Perl bug, but I would like to prove it or work
out how to avoid it.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Wednesday, May 22, 2002 11:07 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Spam not being flagged revisited
>
>
>At 16:42 22/05/2002, you wrote:
> >I received four more messages, where the Spamscore was greater than
the
> >threshold but the message was not marked as spam.  I am including one
> >header, as the rest are similar  Everthing in spam.whitelist is
> >commented out and only my local IP address is specified in
> >mailscanner.conf.   I don't see how this is a whitelist problem.  Any
> >ideas?
>
>I have just wiped my spam.whitelist.conf and commented out all "Accept
>Spam
>From" lines in mailscanner.conf.
>I then set
>          Use SpamAssassin = yes
>          Always Include SpamAssassin Report = yes
>and restarted MailScanner.
>
>Using the 2 SpamAssassin test messages sample-spam.txt and
>sample-nonspam.txt that they supply for the purpose, I get these
>results:
>sample-spam.txt
> >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
> >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
> >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
> >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
> >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)
>
>sample-nonspam.txt
> >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required
>5,
> >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE)
>
>I then set
>          Use SpamAssassin = yes
>          Always Include SpamAssassin Report = no
>and restarted MailScanner.
>
>Using the same pair of messages again, I get
>sample-spam.txt
> >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
> >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
> >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
> >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
> >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)
>
>sample-nonspam.txt
> >(no SpamCheck header at all)
>
>So either
>          a) something weird is happening that is affecting your system
>and
>not mine
>or      b) we are running different code.
>
>(b) is the most likely. I've got 1 more little feature to test out (RBL
>checks timeout setting), then I'll release the code again. Any of you
>having problems can then upgrade to that version and we'll see if your
>problems go away.
>
> >Return-Path: <susanepapelej at jippii.fi>
> >Received: from mail1.alluneedhosting.com ([208.46.132.87])
> >         by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id
g4M9DW103272
> >         for <darian at bepinc.com>; Wed, 22 May 2002 04:13:32 -0500
> >To: darian at bepinc.com
> >Date: Wed, 22 May 2002 05:11:15 -0500
> >Message-ID: <1022058675.2071 at localhost.localdomain>
> >X-Mailer: Becky! ver. 2.00.03
> >From: susanepapelej at jippii.fi
> >Sender: <susanjqhnomac at jippii.fi>
> >X-Sender: <susanqbiyhrhn at jippii.fi>
> >Reply-To: <susanhhfnsjye at jippii.fi>
> >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid!
> >X-VirusScan: Found to be clean
> >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required
5,
> >         INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW,
NORMAL_HTTP_TO_IP,
> >         WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML)
> >Status:
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >Behalf Of Mike Wallis
> >Sent: Tuesday, May 21, 2002 10:24 AM
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Spam not being flagged
> >
> >
> >I just upgraded to 3.15-3 and noticed something odd while testing.
> >
> >---begin---
> >X-MailScanner: Found to be clean
> >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5,
> >         SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW,
> >         SUBJ_REMOVE)
> >---end---
> >
> >In this particular instance, I forwarded myself some spam (the
original
> >generated a much higher score) and thought it rather odd that a score
>in
> >excess of the required score would get a 'not spam' designation.
> >
> >Any ideas?
> >
> >--
> >Mike Wallis
> >mw at unixsecurity.org
>
>--
>Julian Field                Teaching Systems Manager
>jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
-------------- next part --------------
<html>
<head>
<title>I Pay Debt - Lower your debt and WIN $1000</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#CCCCCC" text="#000000" background="http://www.ipaydebt.com/creatives/popunders/panic/1pixel.gif" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table border="0" cellspacing="0" cellpadding="5">
<tr>
<td><!-- #BeginLibraryItem "/Library/topmail.lbi" --><font face="Arial, Helvetica, sans-serif" size="2">You are receiving this because you are on  the special offers list of Bestcheapstuff.com. If you would no longer like to receive special offers from Bestcheapstuff.com, go to  <a href="http://unsubscribe.bestcheapstuff.com" target="_blank">http://unsubscribe.bestcheapstuff.com</a> and you will be promptly unsubscribed.
</font>

<!-- #EndLibraryItem --></td>
</tr>
<tr>
<td><a href="http://www.bestcheapstuff.com/cgi-bin/ipaydebt_sub.cgi?name=darian@bepinc.com"><img src="http://www.ipaydebt.com/creatives/popunders/panic/Panic.jpg" width="720" height="300" alt="Lower your debt by up to 50% and Win $1,000 - iPayDebt.Com" border=0></a>
<img src="http://www.bestcheapstuff.com/images/pixels/ipaydebt.gif" width="1" height="1">
</td>
</tr>
<tr>
<td><!-- #BeginLibraryItem "/Library/botmail.lbi" --><font face="Arial, Helvetica, sans-serif" size="2">REMOVAL NOTICE: If you would no longer like to receive special offers from Bestcheapstuff.com, go to <a href="http://unsubscribe.bestcheapstuff.com" target="_blank">http://unsubscribe.bestcheapstuff.com</a> and you will be promptly unsubscribed. For additional information or comments <a href="mailto:info at bestcheapstuff.com">contact us</a> at  info at bestcheapstuff.com .</font><!-- #EndLibraryItem --></td>
</tr>
</table>
</body>
</html>
-------------- next part --------------
V4
T1022200121
K0
N0
P32043
I3/2/375816
Fb
$_sdsl-64-7-14-13.dsl.bos.megapath.net [64.7.14.13]
$rSMTP
$sAster59
${daemon_flags}
${if_addr}209.219.201.11
S<Offers at allbestcheapstuff.com>
RPFD:<darian at bepinc.com>
H?P?Return-Path: <g>
H??Received: from Aster59 (sdsl-64-7-14-13.dsl.bos.megapath.net [64.7.14.13])
        by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id g4O0SQA08654
        for <darian at bepinc.com>; Thu, 23 May 2002 19:28:41 -0500
H?M?Message-Id: <200205240028.g4O0SQA08654 at vulcan.bepinc.com>
H??From: "Offers" <Offers at allbestcheapstuff.com>
H??To: <darian at bepinc.com>
H??Subject: Lower your debt and win 1000 dollars
H??Sender: "Offers" <Offers at allbestcheapstuff.com>
H??Mime-Version: 1.0
H??Content-Type: text/html; charset="iso-8859-1"
H??Date: Thu, 23 May 2002 20:39:00 -0400
.

More information about the MailScanner mailing list