Spam not being flagged revisited

Darian Rafie darian at BEPINC.COM
Sat May 25 15:36:04 IST 2002


Yes, a dramatically different list of tests.

Is there some information I can pass on to the SpamAssassin developers to
give them insight into the bug?

Thanks,
d.

----- Original Message -----
From: "Julian Field" <jkf at ECS.SOTON.AC.UK>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Saturday, May 25, 2002 2:38 AM
Subject: Re: Spam not being flagged revisited


> This looks like a variation of the SpamAssassin bug that caused me to stop
> calling the "compile_now" method, which did speed up the SA analysis a
bit,
> but caused it to produce random output results. I'm pretty sure this is a
> combination of a possible SA bug, and a possible Perl bug. I've checked
the
> MailScanner code pretty carefully, and it's doing everything correctly
> according to the docs.
>
> As well as getting a different score, do you get a different list of
> successful tests as well?
>
> At 20:07 24/05/2002, you wrote:
> >Julian,
> >
> >Okay having captured three different spam messages that scored above the
> >threshold but didn't have their subjects rewritten -- I dropped one back
> >into mqueue.in as you suggested.
> >
> >4/5 times the scores were above threshold and still the subject was not
> >re-written.  Apparently a consistent and persistent bug rearing its head
> >when this particular message crosses its path.
> >
> >Now the plot thickens, but let me begin by saying I have not been
> >drinking.
> >
> >Each of the 5 times I dropped the dfg/qfg combo into mqueue.in it came
> >to me with different spam scores.  Once registering -4.4.  I'll throw
> >that one away as an anomaly.  Each of the other times the scores
> >exceeded the threshold but differed by as many as 15 points.
> >
> >I pieced the dfg/qfg back together and piped them through spamassassin
> >using "spamassassin -t < test-spam > spam.out" and each time it
> >registered 8.5 hits.
> >
> >So is it possible we are looking at two different problems or the same
> >problem manifesting itself in different ways?  I've attached the dfg/qfg
> >to this email.
> >
> >Thanks,
> >D.
> >
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >Behalf Of Julian Field
> >Sent: Wednesday, May 22, 2002 12:25 PM
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Re: Spam not being flagged revisited
> >
> >
> >At 18:09 22/05/2002, you wrote:
> > >It seems like a mailscanner issue where for some odd reason once in a
> > >while the subject line doesn't get re-written as it should.  Is there
> > >some way for me to pipe these messages back through mailscanner and see
> > >if I can replicate the error?
> >
> >If you set the Archive Mail options, then it will save the qf and df
> >files
> >out of the queue for you. Then you can later drop them back into
> >mqueue.in
> >to see what happens if it has a second go at them.
> >
> >What's interesting is your report that it only does this sometimes, not
> >always. Stinks of being a Perl bug, but I would like to prove it or work
> >out how to avoid it.
> >
> > >-----Original Message-----
> > >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > >Behalf Of Julian Field
> > >Sent: Wednesday, May 22, 2002 11:07 AM
> > >To: MAILSCANNER at JISCMAIL.AC.UK
> > >Subject: Re: Spam not being flagged revisited
> > >
> > >
> > >At 16:42 22/05/2002, you wrote:
> > > >I received four more messages, where the Spamscore was greater than
> >the
> > > >threshold but the message was not marked as spam.  I am including one
> > > >header, as the rest are similar  Everthing in spam.whitelist is
> > > >commented out and only my local IP address is specified in
> > > >mailscanner.conf.   I don't see how this is a whitelist problem.  Any
> > > >ideas?
> > >
> > >I have just wiped my spam.whitelist.conf and commented out all "Accept
> > >Spam
> > >From" lines in mailscanner.conf.
> > >I then set
> > >          Use SpamAssassin = yes
> > >          Always Include SpamAssassin Report = yes
> > >and restarted MailScanner.
> > >
> > >Using the 2 SpamAssassin test messages sample-spam.txt and
> > >sample-nonspam.txt that they supply for the purpose, I get these
> > >results:
> > >sample-spam.txt
> > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
> > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
> > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
> > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
> > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)
> > >
> > >sample-nonspam.txt
> > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required
> > >5,
> > > >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE)
> > >
> > >I then set
> > >          Use SpamAssassin = yes
> > >          Always Include SpamAssassin Report = no
> > >and restarted MailScanner.
> > >
> > >Using the same pair of messages again, I get
> > >sample-spam.txt
> > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
> > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
> > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
> > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
> > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)
> > >
> > >sample-nonspam.txt
> > > >(no SpamCheck header at all)
> > >
> > >So either
> > >          a) something weird is happening that is affecting your system
> > >and
> > >not mine
> > >or      b) we are running different code.
> > >
> > >(b) is the most likely. I've got 1 more little feature to test out (RBL
> > >checks timeout setting), then I'll release the code again. Any of you
> > >having problems can then upgrade to that version and we'll see if your
> > >problems go away.
> > >
> > > >Return-Path: <susanepapelej at jippii.fi>
> > > >Received: from mail1.alluneedhosting.com ([208.46.132.87])
> > > >         by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id
> >g4M9DW103272
> > > >         for <darian at bepinc.com>; Wed, 22 May 2002 04:13:32 -0500
> > > >To: darian at bepinc.com
> > > >Date: Wed, 22 May 2002 05:11:15 -0500
> > > >Message-ID: <1022058675.2071 at localhost.localdomain>
> > > >X-Mailer: Becky! ver. 2.00.03
> > > >From: susanepapelej at jippii.fi
> > > >Sender: <susanjqhnomac at jippii.fi>
> > > >X-Sender: <susanqbiyhrhn at jippii.fi>
> > > >Reply-To: <susanhhfnsjye at jippii.fi>
> > > >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid!
> > > >X-VirusScan: Found to be clean
> > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required
> >5,
> > > >         INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW,
> >NORMAL_HTTP_TO_IP,
> > > >         WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML)
> > > >Status:
> > > >
> > > >-----Original Message-----
> > > >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > > >Behalf Of Mike Wallis
> > > >Sent: Tuesday, May 21, 2002 10:24 AM
> > > >To: MAILSCANNER at JISCMAIL.AC.UK
> > > >Subject: Spam not being flagged
> > > >
> > > >
> > > >I just upgraded to 3.15-3 and noticed something odd while testing.
> > > >
> > > >---begin---
> > > >X-MailScanner: Found to be clean
> > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5,
> > > >         SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW,
> > > >         SUBJ_REMOVE)
> > > >---end---
> > > >
> > > >In this particular instance, I forwarded myself some spam (the
> >original
> > > >generated a much higher score) and thought it rather odd that a score
> > >in
> > > >excess of the required score would get a 'not spam' designation.
> > > >
> > > >Any ideas?
> > > >
> > > >--
> > > >Mike Wallis
> > > >mw at unixsecurity.org
> > >
> > >--
> > >Julian Field                Teaching Systems Manager
> > >jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > >Tel. 023 8059 2817          University of Southampton
> > >                              Southampton SO17 1BJ
> >
> >--
> >Julian Field                Teaching Systems Manager
> >jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> >Tel. 023 8059 2817          University of Southampton
> >                              Southampton SO17 1BJ
> >
>
> --
> Julian Field                Teaching Systems Manager
> jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ



More information about the MailScanner mailing list