Spamassassin works but not with MS

Fri Oct 18 18:41:15 IST 2002

Ok, SpamAssassin's AWL is not a "whitelist" per se.. it's a "average score
bias"... It tries to push the scores of an email towards the average for
that from/originating IP combination. So if a given from/ip combination has
sent a lot of nonspam emails, any emails which get a high score will be
pushed down towards the low-scoring average.

I'm taking a wild guess that you ran SpamAssassin 2.42 for a while, then
upgraded to 2.43.

Unfortunately 2.42 contained a severe bug which caused it to pollute the
AWL database with very high negative scores for mass-spammers. This was a
side-effect of a feature intended to help the average fall off faster for
people who sent one high-scoring mail, followed by several low-scoring
ones. Unfortunately it had the side effect that if you have a global AWL
for your entire site (ie: like mailscanner does) any spammer sending the
same email to a large number of users on your system would have a HUGE
negative score.

Upgrading to 2.43 fixes the bug, but does not delete the existing database.

If you EVER ran SA 2.42 via MailScanner you MUST delete your AWL database
(auto-whitelist.db probably in /root/.spamassassin).

Personally, I've never had the problem, because I don't like the AWL
concept or it's behavior so I always turn it off. I have yet to see a
version of SA where the AWL gets it "right". Even if 2.43 does get it
"right" it will have the collateral-damage side effect of blacklisting
users who forward you a copy of a joke-file email containing a lot of terms
that rack up a high score by matching a lot of porn/V*agra rules. It's not
a feature I want on my system.

>No, but I might be ;-) My understanding of white lists is that they
>contain real addresses which should not be considered as spam. The
>message of the header above is clearly spam but is not marked as such.
>Some how I am confusing the purpose of AWL.
>
>The other issue I have is that I'm forwarding spam from another server
>which has almost the identical setup as the problem server (same version
>of MS, SA, Perl and OS). The mailscanner.conf files for both machines
>are identical. The "good" machine tagged the above message as spam and
>had the following header portion:
>
>X-Spam-Flag: YES
>X-Spam-Level: Spam-Level SSSSS
>X-Spam-Checker-Version: SpamAssassin 2.42 (1.115.2.14-2002-10-04-exp)
>X-Spam-Report: 5.80 hits, 5 required; * 0.9 -- From: ends in numbers *
>-0.1 -- BODY: Free money! * 3.2 -- BODY: Free Investment * 0.4 -- BODY:
>Nigerian scam key phrase ($NN,NNN,NNN.NN) * 1.1 -- BODY: Spam phrases
>score is 03 to 05 (medium) [score: 4] * 0.3 -- RAW: Message contains a
>lot of ^M characters
>X-MailScanner: Found to be clean
>X-MailScanner-SpamCheck: SpamAssassin (score=5.5, required 4,
>FREE_INVESTMENT, FREE_MONEY, FROM_ENDS_IN_NUMS, SPAM_PHRASE_03_05,
>US_DOLLARS_3)
>
>The only thing that I can think of is that once I forwarded the spam to
>the "problem" machine, I messed-up the header so that it wasn't detected
>as spam anymore. Am I out in left field?
>
>Thanks,
>Stephen