False positives

Kevin Miller Kevin_Miller at CI.JUNEAU.AK.US
Tue Dec 2 22:13:11 GMT 2003


Last week I upgraded SA to 2.6, and am catching a lot more spam, but I'm
also getting a number of false positives, and what's just as weird, spam is
being caught that doesn't add up to 5.  The false positives are often
negative numbers, the low scoring (but still caught) true positives are
usually in the 3 - 4.99 range.  At least the ones I've looked at.

Spam Actions are:
        Spam Actions = forward Alphonse_Spamdog at mx.ci.juneau.ak.us delete
        High Scoring Spam Actions = forward Alphonse_Spamdog at mx.ci.juneau.ak.us delete

I've also noticed that some, but not all, of the notices to postmaster are
being rerouted as spam too.  I'm running Exchange on the inside.  Anybody
have any clues as to why/how a low scoring message would still be getting
zapped?  Here's the headers from one - as you can see, it scored a -19.9:

Received: from mis-mxg-lnx.ci.juneau.ak.us (mail.ci.juneau.ak.us
[199.58.55.24]) by city-exch-nts.ci.juneau.ak.us with SMTP (Microsoft
Exchange Internet Mail Service Version 5.5.2653.13)
        id YBVH5H42; Tue, 2 Dec 2003 00:34:00 -0900
Received: from abv-sfo1-acmta3.cnet.com (abv-sfo1-acmta3.cnet.com
[206.16.1.138])
        by mis-mxg-lnx.ci.juneau.ak.us (8.12.3/8.12.3/SuSE Linux 0.6) with
SMTP id hB29Xtch004167
        for <kevin_miller at ci.juneau.ak.us>; Tue, 2 Dec 2003 00:33:56 -0900
Received: by abv-sfo1-acmta3.cnet.com (PowerMTA(TM) v2.0r1) id hphe88042i03;
Tue, 2 Dec 2003 04:33:55 -0500 (envelope-from
<CNET_Networks_#3.110928.3330383834393234.b at newsletters.online.com>)
Message-ID: <2723353.1070357635567.JavaMail.accucast at 206.16.1.138>
Date: Tue, 2 Dec 2003 01:33:55 -0800 (PST)
From: "Linux Tips at TechRepublic.com"
<CNET_Networks_Member_Services at newsletter.online.com>
Reply-To: CNET_Networks_#3.110928.3330383834353230 at newsletters.online.com
To: kevin_miller at ci.juneau.ak.us
Subject: {Spam?} [TechRepublic] Find system holes with chkrootkit
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailer-Version: 3.5.3 build 710
X-Mailer: Accucast
X-Accutrak: CNET_Networks_#3.110928.3330383834353230 at newsletters.online.com
X-MailScanner-Information: For more information see www . mailscanner . info
X-CBJ-MailScanner: Found to be clean
X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9,
        required 5, BAYES_00, USER_IN_DEF_WHITELIST)


Thanks...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
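
Added example (not part of the original post, and not MailScanner's own code): a parser for the X-CBJ-MailScanner-SpamCheck value shown in the headers above that separates the overall verdict from the SpamAssassin score, so messages flagged while scoring below `required` can be listed with the other checks the header names. It assumes the header layout seen in this one message; the function names and the second sample line are constructed for illustration.

```python
import re

# Header value copied from the message above, including the folded line.
SAMPLE = """spam, spamcop.net, SpamAssassin (score=-19.9,
        required 5, BAYES_00, USER_IN_DEF_WHITELIST)"""
# Constructed sample of a message that was not flagged (assumed layout).
SAMPLE_CLEAN = "not spam, SpamAssassin (score=1.2, required 5, HTML_MESSAGE)"

SA_RE = re.compile(
    r"SpamAssassin \(score=(-?\d+(?:\.\d+)?),\s*"
    r"required (-?\d+(?:\.\d+)?)(?:,\s*(.*?))?\)"
)

def parse_spamcheck(value):
    """Split a SpamCheck header value into verdict, other checks and SA data."""
    value = " ".join(value.split())          # unfold continuation lines
    m = SA_RE.search(value)
    head = value[:m.start()] if m else value
    tokens = [t.strip() for t in head.split(",") if t.strip()]
    result = {
        "verdict": tokens[0] if tokens else "",
        "other_checks": tokens[1:],          # names listed before SpamAssassin
        "sa_score": None,
        "sa_required": None,
        "sa_rules": [],
    }
    if m:
        result["sa_score"] = float(m.group(1))
        result["sa_required"] = float(m.group(2))
        rules = m.group(3) or ""
        result["sa_rules"] = [r.strip() for r in rules.split(",") if r.strip()]
    return result

def explain(value):
    """Say whether the spam verdict is backed by the SpamAssassin score."""
    r = parse_spamcheck(value)
    flagged = r["verdict"] == "spam"
    sa_hit = r["sa_score"] is not None and r["sa_score"] >= r["sa_required"]
    if flagged and not sa_hit:
        # Verdict did not come from the SA threshold: look at the other checks.
        return "flagged-without-sa-threshold", r["other_checks"]
    if flagged:
        return "flagged-by-sa-score", r["other_checks"]
    return "not-flagged", r["other_checks"]

if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_CLEAN):
        print(explain(sample), parse_spamcheck(sample))
```
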


