Some Spam still not being marked as Spam
Michael Keightley
mk at quadstone.com
Thu Mar 13 10:29:48 GMT 2003
On Thu, Mar 13, 2003 at 10:50:50AM +0100, Jan-Peter Koopmann wrote:
>
> Hi Michael,
>
> > I'm using MailScanner-4.13-3 with SpamAssassin-2.50 (no AWL)
> > on Solaris 9.
> > About 5% of Spam we receive isn't marked as Spam. If I save
> > these messages and run "spamassassin -t" on these messages
> > they get a much higer score (e.g. 9 instead of 4). Why is
> > the score lower when they are processed by MailScanner? Is
> > this a bug?
>
> Not necessarily. I am troubled with the same problem btw. The scoring
> depends a lot on your settings and whether or not
> MailScanner/SpamAssassin is using the same set of configuration files
> than SA alone started by your user. Are you using Exim btw? Please post
> the SCORES that a suspicious message gets via MS/SA and via spamassassin
> -t.
I'm using sendmail-8.12.8.
Attached is a Spam message, MS.txt is the message that got delivered, SA.txt is
the output of "spamassassin -t".
The only change I've made spam.assassin.prefs.conf is to uncomment
skip_rbl_checks 1
Michael
>
> Regards,
> JP
--
Michael Keightley <Michael.Keightley at quadstone.com> Tel: +44 131 220 4491
Systems Manager, Quadstone Limited, Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com
-------------- next part --------------
>From Yaelijy at private.21cn.com Wed Mar 12 22:59:30 2003
Return-Path: <Yaelijy at private.21cn.com>
Received: from quadstone.com (postie.quadstone.co.uk [194.80.190.3])
by edinburgh.quadstone.com (8.12.8/8.12.8) with ESMTP id h2CMxQ77011882
for <hostmaster at edinburgh.quadstone.com>; Wed, 12 Mar 2003 22:59:30 GMT
Received: from sxrqwew (ns.htu.or.jp [61.127.212.66])
by quadstone.com (8.12.8/8.12.8) with SMTP id h2CMxLaJ023684
for <hostmaster at quadstone.com>; Wed, 12 Mar 2003 22:59:23 GMT
Message-Id: <200303122259.h2CMxLaJ023684 at quadstone.com>
From: Tracee Scatena <Yaelijy at private.21cn.com>
Subject:
Date: Wed, 12 Mar 2003 17:15:50 -0500
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: base64
X-MailScanner: Found to be clean
X-MailScanner-SpamScore: ssss
Status: RO
Content-Length: 410
Lines: 6
PGh0bWw+DQo8Ym9keQ0KPGJyPg0KSGksIGhvc3RtYXN0ZXIgLDxicj4NCjxicj4NCjxhIGhy
ZWY9Imh0dHA6Ly93d3cubXlydXNzaWFubG92ZXIuY29tLz9vYz0yMzkwIj5BIG5pY2UgbGFk
eSB3YW50cyB0byBjb3JyZXNwb25kIHdpdGggeW91Ljxicj4NCjxicj4NCjxhIGhyZWY9Imh0
dHA6Ly93d3cubXlydXNzaWFubG92ZXIuY29tL3JlbW92ZS8/b2M9MjM5MCI+TGV0IG1lIGtu
b3cgYW5kIEkgd29uJ3Qgd3JpdGUgeW91IGFnYWluLjxicj4NCjxicj4NCjwvYT48L2Rpdj48
L2JvZHk+PC9odG1sPg0KPC9ib2R5Pg0KPC9odG1sPg==
-------------- next part --------------
>From Yaelijy at private.21cn.com Wed Mar 12 22:59:30 2003
Received: from localhost [127.0.0.1] by gromit.quadstone.co.uk
with SpamAssassin (2.50 1.173-2003-02-20-exp);
Thu, 13 Mar 2003 09:38:39 %z
From: Tracee Scatena <Yaelijy at private.21cn.com>
Subject:
Date: Wed, 12 Mar 2003 17:15:50 -0500
Message-Id: <200303122259.h2CMxLaJ023684 at quadstone.com>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=9.1 required=5.0
tests=BASE64_ENC_TEXT,HTML_50_60,HTML_MESSAGE,
HTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,MISSING_HEADERS,
MSG_ID_ADDED_BY_MTA_3,RCVD_IN_NJABL,RCVD_IN_OPM,
RCVD_IN_OSIRUSOFT_COM,REMOVE_PAGE
version=2.50
X-Spam-Level: *********
X-Spam-Checker-Version: SpamAssassin 2.50 1.173-2003-02-20-exp
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3E70519F.B453720D"
This is a multi-part message in MIME format.
------------=_3E70519F.B453720D
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
This mail is probably spam. The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future. See http://spamassassin.org/tag/ for more details.
Content preview: Hi, hostmaster ,
URI:http://www.myrussianlover.com/?oc#90 A nice lady wants to
correspond with you. URI:http://www.myrussianlover.com/remove/?oc#90
Let me know and I won't write you again. [...]
Content analysis details: (9.10 points, 5 required)
HTML_50_60 (0.2 points) BODY: Message is 50% to 60% HTML
HTML_MESSAGE (0.1 points) BODY: HTML included in message
HTML_TAG_BALANCE_BODY (0.6 points) BODY: HTML has unbalanced "body" tags
BASE64_ENC_TEXT (1.7 points) RAW: Message text disguised using base-64 encoding
REMOVE_PAGE (0.1 points) URI: URL of page called "remove"
MSG_ID_ADDED_BY_MTA_3 (0.3 points) 'Message-Id' was added by a relay (3)
MISSING_HEADERS (0.1 points) Missing To: header
RCVD_IN_NJABL (1.0 points) RBL: Received via a relay in dnsbl.njabl.org
[RBL check: found 66.212.127.61.dnsbl.njabl.org.,]
[type: 127.0.0.9]
RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com
[RBL check: found 66.212.127.61.relays.osirusoft.com., type: 127.0.0.9]
RCVD_IN_OPM (4.3 points) RBL: Received via a relay in opm.blitzed.org
[RBL check: found 66.212.127.61.opm.blitzed.org.,]
[type: 127.1.0.16]
MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts
The original message did not contain plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_3E70519F.B453720D
Content-Type: message/rfc822
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path: <Yaelijy at private.21cn.com>
Received: from quadstone.com (postie.quadstone.co.uk [194.80.190.3])
by edinburgh.quadstone.com (8.12.8/8.12.8) with ESMTP id h2CMxQ77011882
for <hostmaster at edinburgh.quadstone.com>; Wed, 12 Mar 2003 22:59:30 GMT
Received: from sxrqwew (ns.htu.or.jp [61.127.212.66])
by quadstone.com (8.12.8/8.12.8) with SMTP id h2CMxLaJ023684
for <hostmaster at quadstone.com>; Wed, 12 Mar 2003 22:59:23 GMT
Message-Id: <200303122259.h2CMxLaJ023684 at quadstone.com>
From: Tracee Scatena <Yaelijy at private.21cn.com>
Subject:
Date: Wed, 12 Mar 2003 17:15:50 -0500
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: base64
X-MailScanner: Found to be clean
X-MailScanner-SpamScore: ssss
Status: RO
Content-Length: 410
Lines: 6
PGh0bWw+DQo8Ym9keQ0KPGJyPg0KSGksIGhvc3RtYXN0ZXIgLDxicj4NCjxicj4NCjxhIGhy
ZWY9Imh0dHA6Ly93d3cubXlydXNzaWFubG92ZXIuY29tLz9vYz0yMzkwIj5BIG5pY2UgbGFk
eSB3YW50cyB0byBjb3JyZXNwb25kIHdpdGggeW91Ljxicj4NCjxicj4NCjxhIGhyZWY9Imh0
dHA6Ly93d3cubXlydXNzaWFubG92ZXIuY29tL3JlbW92ZS8/b2M9MjM5MCI+TGV0IG1lIGtu
b3cgYW5kIEkgd29uJ3Qgd3JpdGUgeW91IGFnYWluLjxicj4NCjxicj4NCjwvYT48L2Rpdj48
L2JvZHk+PC9odG1sPg0KPC9ib2R5Pg0KPC9odG1sPg==
------------=_3E70519F.B453720D--
This mail is probably spam. The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future. See http://spamassassin.org/tag/ for more details.
Content preview: Hi, hostmaster ,
URI:http://www.myrussianlover.com/?oc#90 A nice lady wants to
correspond with you. URI:http://www.myrussianlover.com/remove/?oc#90
Let me know and I won't write you again. [...]
Content analysis details: (9.10 points, 5 required)
HTML_50_60 (0.2 points) BODY: Message is 50% to 60% HTML
HTML_MESSAGE (0.1 points) BODY: HTML included in message
HTML_TAG_BALANCE_BODY (0.6 points) BODY: HTML has unbalanced "body" tags
BASE64_ENC_TEXT (1.7 points) RAW: Message text disguised using base-64 encoding
REMOVE_PAGE (0.1 points) URI: URL of page called "remove"
MSG_ID_ADDED_BY_MTA_3 (0.3 points) 'Message-Id' was added by a relay (3)
MISSING_HEADERS (0.1 points) Missing To: header
RCVD_IN_NJABL (1.0 points) RBL: Received via a relay in dnsbl.njabl.org
[RBL check: found 66.212.127.61.dnsbl.njabl.org.,]
[type: 127.0.0.9]
RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com
[RBL check: found 66.212.127.61.relays.osirusoft.com., type: 127.0.0.9]
RCVD_IN_OPM (4.3 points) RBL: Received via a relay in opm.blitzed.org
[RBL check: found 66.212.127.61.opm.blitzed.org.,]
[type: 127.1.0.16]
MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts
More information about the MailScanner
mailing list