Munged spam report (revisited)

Jim Barry jim at SASHBOX.NET
Thu Feb 3 17:44:29 GMT 2005



Here is a perfect example of what I was trying to explain in the previous
post:

These are cut/pasted from the raw text of the email, so it is all intact:

Notice that the header includes the Bayes rule hit; the spam report in the
body of the message does not mention Bayes, but lists the 'bayes' score after
the Razor rule hit.  I believe the Razor 'cf' factor is supposed to be listed
there, not a Bayes 'score' value.

(mail 1 MS HEADER)
X-Sashbox-MailScanner-SpamCheck: spam, SpamAssassin (score=5.252, required 5,
     BAYES_40 -1.10, DCC_CHECK 1.55, DIGEST_MULTIPLE 0.10,
     RAZOR2_CF_RANGE_51_100 1.75, RAZOR2_CHECK 1.75,
     SPF_HELO_SOFTFAIL 1.20)

(mail 1 text REPORT)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
                            [SPF failed: Please see http://spf.pobox.com/why.html?sender=host4u.net&ip=209.150.128.153&receiver=kudzu.sashbox.net]
 1.8 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50
                            [score: 0.3415]
 1.6 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.8 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check



***
And in the following email, the problem was reversed:  The razor 'cf'
factor was listed in the report under the Bayes rule hit, and the Razor
score rule RAZOR2_CF_RANGE_51_100 was completely left off the report.

(mail 2 MS HEADER)
X-Sashbox-MailScanner-SpamCheck: spam, SpamAssassin (score=8.706, required 5,
     BAYES_60 1.20, FB_PRESSHERE 0.25, HTML_10_20 0.25, HTML_MESSAGE 0.00,
     MIME_HTML_ONLY 0.18, RAZOR2_CF_RANGE_51_100 1.75, RAZOR2_CHECK 1.75,
     SARE_HTML_HTML_QUOT 1.67, SARE_RECV_IP_218080 1.67)

(mail 2 text REPORT)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_RECV_IP_218080    Spam passed through possible spammer relay
 0.2 FB_PRESSHERE           BODY: FB_PRESSHERE
 0.2 HTML_10_20             BODY: Message is 10 HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 BAYES_60               BODY: Bayesian spam probability is 60 to 80
                            [cf: 90]
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.7 SARE_HTML_HTML_QUOT    FULL: Message body has very strange HTML sequence
 1.8 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
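
A consistency check for the mismatch described in this post, added here as an example (it is not part of the original message, nor MailScanner or SpamAssassin code): it lists header rules missing from the text report and bracketed notes attached to a rule of the wrong family. The name `compare`, the `OWNER` mapping (which encodes the post's view that `score` belongs to Bayes and `cf` to Razor) and the shortened sample text are assumptions.

```python
import re

# Constructed samples: the two header/report pairs from the post, URLs trimmed.
MAIL1_HEADER = ("spam, SpamAssassin (score=5.252, required 5, BAYES_40 -1.10, "
                "DCC_CHECK 1.55, DIGEST_MULTIPLE 0.10, RAZOR2_CF_RANGE_51_100 1.75, "
                "RAZOR2_CHECK 1.75, SPF_HELO_SOFTFAIL 1.20)")
MAIL1_REPORT = """\
 1.2 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
 1.8 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50
                            [score: 0.3415]
 1.6 DCC_CHECK              Listed in DCC
 1.8 RAZOR2_CHECK           Listed in Razor2
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
"""
MAIL2_HEADER = ("spam, SpamAssassin (score=8.706, required 5, BAYES_60 1.20, "
                "FB_PRESSHERE 0.25, HTML_10_20 0.25, HTML_MESSAGE 0.00, "
                "MIME_HTML_ONLY 0.18, RAZOR2_CF_RANGE_51_100 1.75, RAZOR2_CHECK 1.75, "
                "SARE_HTML_HTML_QUOT 1.67, SARE_RECV_IP_218080 1.67)")
MAIL2_REPORT = """\
1.7 SARE_RECV_IP_218080 Spam passed through possible spammer relay
0.2 FB_PRESSHERE BODY: FB_PRESSHERE
0.2 HTML_10_20 BODY: Message is 10 HTML
0.0 HTML_MESSAGE BODY: HTML included in message
1.2 BAYES_60 BODY: Bayesian spam probability is 60 to 80
[cf: 90]
0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.7 SARE_HTML_HTML_QUOT FULL: Message body has very strange HTML sequence
1.8 RAZOR2_CHECK Listed in Razor2
"""

RULE = r"[A-Z][A-Z0-9_]+"
# Assumption, following the post: "score" belongs to BAYES_*, "cf" to RAZOR2_CF_*.
OWNER = {"score": "BAYES_", "cf": "RAZOR2_CF_"}

def compare(header, report):
    """Return (header rules missing from the report, notes under the wrong rule)."""
    in_header = set(re.findall(rf"\b({RULE}) -?\d+\.\d+", header))
    listed, misplaced, last = set(), [], None
    for line in report.splitlines():
        row = re.match(rf"\s*-?\d+\.\d+\s+({RULE})\b", line)  # "pts rule name ..."
        if row:
            last = row.group(1)
            listed.add(last)
        note = re.search(r"\[(score|cf):\s*[\d.]+\]", line)  # bracketed detail line
        if note and last and not last.startswith(OWNER[note.group(1)]):
            misplaced.append((last, note.group(1)))
    return sorted(in_header - listed), misplaced

for hdr, rpt in ((MAIL1_HEADER, MAIL1_REPORT), (MAIL2_HEADER, MAIL2_REPORT)):
    print(compare(hdr, rpt))
```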
