Mailscanner not catching SPAM but manual run via SA catches it

René Berber r.berber at computer.org
Mon Nov 13 20:46:44 GMT 2006 

Dan Carl wrote:

> I dont understand whats going on.
> Here's a header that was marked as spam.
> X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.897,
>  required 6, BAYES_99 3.50, FORGED_RCVD_HELO 0.14, HTML_40_50 0.50,
>  HTML_IMAGE_ONLY_12 1.87, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00,
>  RCVD_IN_XBL 3.90)
> Doesn't this tell me that mailscanner is using Spamassassin?

Yes.

> If it is, why when I manually run spam that doesn't get marked through
> spamassassin I get an output like this?
> 
> Content analysis details:   (9.0 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- ------------------------------------------------
> --
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
>                             [score: 0.7092]
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
> address
>                             [151.41.202.96 listed in dnsbl.sorbs.net]
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [151.41.202.96 listed in sbl-xbl.spamhaus.org]
>  1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [151.41.202.96 listed in combined.njabl.org]

7.9 / 9.0 is from RBLs, perhaps you have configured MS to use its own RBL checks
(or none at all) and they are different from what SA uses by default.  That
would mean that you didn't configure SA as recommended (link MS's
etc/spam.assassin.prefs.conf to /etc/mail/spamassassin/mailscanner.cf or to
local.cf, so they use the same configuration).

> The header shows:
> X-Bluestar-SpamScore: sssss
> X-Spam-Status: No
[snip]

About 5 (for the same message?), this could also be caused by AWL.  If you are
running SA as a different user, this happens all the time, I prefer to run
`spamassassin -x ...` to avoid this (but not cache hits or image hits, which are
more difficult to avoid) and erase the email address from the whitelist (i.e.
`spamassassin --remove-addr-from-whitelist=...`).

You need to analyze just one message in detail, what scores differ, what rules
match or don't match.  Then look at what is causing the differences.
-- 
René Berber

More information about the MailScanner mailing list