Spam not being flagged revisited

Julian Field jkf at ecs.soton.ac.uk
Sat May 25 15:41:12 IST 2002


At 15:36 25/05/2002, you wrote:
>Yes, a dramatically different list of tests.
>Is there some information I can pass on to the SpamAssassin developers to
>give them insight into the bug?

The message (including all the headers) and the 2 lists of results,
together with an explanation of how it happened, should be enough for them
I would hope.

>----- Original Message -----
>From: "Julian Field" <jkf at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Saturday, May 25, 2002 2:38 AM
>Subject: Re: Spam not being flagged revisited
>
>
> > This looks like a variation of the SpamAssassin bug that caused me to stop
> > calling the "compile_now" method, which did speed up the SA analysis a
>bit,
> > but caused it to produce random output results. I'm pretty sure this is a
> > combination of a possible SA bug, and a possible Perl bug. I've checked
>the
> > MailScanner code pretty carefully, and it's doing everything correctly
> > according to the docs.
> >
> > As well as getting a different score, do you get a different list of
> > successful tests as well?
> >
> > At 20:07 24/05/2002, you wrote:
> > >Julian,
> > >
> > >Okay having captured three different spam messages that scored above the
> > >threshold but didn't have their subjects rewritten -- I dropped one back
> > >into mqueue.in as you suggested.
> > >
> > >4/5 times the scores were above threshold and still the subject was not
> > >re-written.  Apparently a consistent and persistent bug rearing its head
> > >when this particular message crosses its path.
> > >
> > >Now the plot thickens, but let me begin by saying I have not been
> > >drinking.
> > >
> > >Each of the 5 times I dropped the dfg/qfg combo into mqueue.in it came
> > >to me with different spam scores.  Once registering -4.4.  I'll throw
> > >that one away as an anomaly.  Each of the other times the scores
> > >exceeded the threshold but differed by as many as 15 points.
> > >
> > >I pieced the dfg/qfg back together and piped them through spamassassin
> > >using "spamassassin -t < test-spam > spam.out" and each time it
> > >registered 8.5 hits.
> > >
> > >So is it possible we are looking at two different problems or the same
> > >problem manifesting itself in different ways?  I've attached the dfg/qfg
> > >to this email.
> > >
> > >Thanks,
> > >D.
> > >
> > >
> > >-----Original Message-----
> > >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > >Behalf Of Julian Field
> > >Sent: Wednesday, May 22, 2002 12:25 PM
> > >To: MAILSCANNER at JISCMAIL.AC.UK
> > >Subject: Re: Spam not being flagged revisited
> > >
> > >
> > >At 18:09 22/05/2002, you wrote:
> > > >It seems like a mailscanner issue where for some odd reason once in a
> > > >while the subject line doesn't get re-written as it should.  Is there
> > > >some way for me to pipe these messages back through mailscanner and see
> > > >if I can replicate the error?
> > >
> > >If you set the Archive Mail options, then it will save the qf and df
> > >files
> > >out of the queue for you. Then you can later drop them back into
> > >mqueue.in
> > >to see what happens if it has a second go at them.
> > >
> > >What's interesting is your report that it only does this sometimes, not
> > >always. Stinks of being a Perl bug, but I would like to prove it or work
> > >out how to avoid it.
> > >
> > > >-----Original Message-----
> > > >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > > >Behalf Of Julian Field
> > > >Sent: Wednesday, May 22, 2002 11:07 AM
> > > >To: MAILSCANNER at JISCMAIL.AC.UK
> > > >Subject: Re: Spam not being flagged revisited
> > > >
> > > >
> > > >At 16:42 22/05/2002, you wrote:
> > > > >I received four more messages, where the Spamscore was greater than
> > >the
> > > > >threshold but the message was not marked as spam.  I am including one
> > > > >header, as the rest are similar  Everthing in spam.whitelist is
> > > > >commented out and only my local IP address is specified in
> > > > >mailscanner.conf.   I don't see how this is a whitelist problem.  Any
> > > > >ideas?
> > > >
> > > >I have just wiped my spam.whitelist.conf and commented out all "Accept
> > > >Spam
> > > >From" lines in mailscanner.conf.
> > > >I then set
> > > >          Use SpamAssassin = yes
> > > >          Always Include SpamAssassin Report = yes
> > > >and restarted MailScanner.
> > > >
> > > >Using the 2 SpamAssassin test messages sample-spam.txt and
> > > >sample-nonspam.txt that they supply for the purpose, I get these
> > > >results:
> > > >sample-spam.txt
> > > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
> > > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
> > > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
> > > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
> > > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)
> > > >
> > > >sample-nonspam.txt
> > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.8, required
> > > >5,
> > > > >GAPPY_TEXT, LINES_OF_YELLING, PGP_SIGNATURE)
> > > >
> > > >I then set
> > > >          Use SpamAssassin = yes
> > > >          Always Include SpamAssassin Report = no
> > > >and restarted MailScanner.
> > > >
> > > >Using the same pair of messages again, I get
> > > >sample-spam.txt
> > > > >X-MailScanner-SpamCheck: SpamAssassin (score=17, required 5,
> > > > >FROM_HAS_MIXED_NUMS, INVALID_MSGID, INVALID_DATE, MSGID_HAS_NO_AT,
> > > > >SMTPD_IN_RCVD, UNDISC_RECIPS, NO_REAL_NAME, HOME_EMPLOYMENT,
> > > > >ONCE_IN_LIFETIME, CALL_FREE, REMOVE_SUBJ, LINES_OF_YELLING,
> > > > >LINES_OF_YELLING_2, LINES_OF_YELLING_3, RCVD_IN_OSIRUSOFT_COM)
> > > >
> > > >sample-nonspam.txt
> > > > >(no SpamCheck header at all)
> > > >
> > > >So either
> > > >          a) something weird is happening that is affecting your system
> > > >and
> > > >not mine
> > > >or      b) we are running different code.
> > > >
> > > >(b) is the most likely. I've got 1 more little feature to test out (RBL
> > > >checks timeout setting), then I'll release the code again. Any of you
> > > >having problems can then upgrade to that version and we'll see if your
> > > >problems go away.
> > > >
> > > > >Return-Path: <susanepapelej at jippii.fi>
> > > > >Received: from mail1.alluneedhosting.com ([208.46.132.87])
> > > > >         by vulcan.bepinc.com (8.11.6/8.11.6) with SMTP id
> > >g4M9DW103272
> > > > >         for <darian at bepinc.com>; Wed, 22 May 2002 04:13:32 -0500
> > > > >To: darian at bepinc.com
> > > > >Date: Wed, 22 May 2002 05:11:15 -0500
> > > > >Message-ID: <1022058675.2071 at localhost.localdomain>
> > > > >X-Mailer: Becky! ver. 2.00.03
> > > > >From: susanepapelej at jippii.fi
> > > > >Sender: <susanjqhnomac at jippii.fi>
> > > > >X-Sender: <susanqbiyhrhn at jippii.fi>
> > > > >Reply-To: <susanhhfnsjye at jippii.fi>
> > > > >Subject: INC 500 Co. Seeks Mgrs. / High $$ Paid!
> > > > >X-VirusScan: Found to be clean
> > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=9.8, required
> > >5,
> > > > >         INVALID_DATE_ODD_MONTH, PLING, CLICK_BELOW,
> > >NORMAL_HTTP_TO_IP,
> > > > >         WEB_BUGS, CLICK_HERE_LINK, CTYPE_JUST_HTML)
> > > > >Status:
> > > > >
> > > > >-----Original Message-----
> > > > >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> > > > >Behalf Of Mike Wallis
> > > > >Sent: Tuesday, May 21, 2002 10:24 AM
> > > > >To: MAILSCANNER at JISCMAIL.AC.UK
> > > > >Subject: Spam not being flagged
> > > > >
> > > > >
> > > > >I just upgraded to 3.15-3 and noticed something odd while testing.
> > > > >
> > > > >---begin---
> > > > >X-MailScanner: Found to be clean
> > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=7, required 5,
> > > > >         SUBJ_HAS_Q_MARK, EXCUSE_3, EXCUSE_7, OPT_IN, CLICK_BELOW,
> > > > >         SUBJ_REMOVE)
> > > > >---end---
> > > > >
> > > > >In this particular instance, I forwarded myself some spam (the
> > >original
> > > > >generated a much higher score) and thought it rather odd that a score
> > > >in
> > > > >excess of the required score would get a 'not spam' designation.
> > > > >
> > > > >Any ideas?
> > > > >
> > > > >--
> > > > >Mike Wallis
> > > > >mw at unixsecurity.org
> > > >
> > > >--
> > > >Julian Field                Teaching Systems Manager
> > > >jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > > >Tel. 023 8059 2817          University of Southampton
> > > >                              Southampton SO17 1BJ
> > >
> > >--
> > >Julian Field                Teaching Systems Manager
> > >jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > >Tel. 023 8059 2817          University of Southampton
> > >                              Southampton SO17 1BJ
> > >
> >
> > --
> > Julian Field                Teaching Systems Manager
> > jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
> > Tel. 023 8059 2817          University of Southampton
> >                              Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ



More information about the MailScanner mailing list