MS and SA diuffer

Duncan, Brian M. brian.duncan at kattenlaw.com
Fri Oct 6 19:17:52 IST 2006


If you figure this out, please post back to the list to why it is
happening.

When I use either Imageinfo.pm or Fuzzyocr.pm with a .cf in the
/etc/mail/spamassassin dir MailScanner seems to cause Spam Assasin to
ignore these??

I JUST finished installing FuzzyOCR and all the accompanying tools to
make it work on 2 different relays here.  I never see any hits from test
Spam messages I send from outside. 

For the heck of it I also installed Imageinfo.pm and installed
imageinfo.cf into my /etc/mail/spamassassin directory and the same
results occurred. (more later on this)

Both servers are running:

spamassassin-3.1.4
mailscanner-4.54.6-1

A stock spam with inline gif processed through Mailscanner:

X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
	required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
	SARE_GIF_ATTACH 4.25)
X-MailScanner-SpamScore: sssss

Saved and processed locally on the SAME mail sever with - cat test.txt |
spamassassin -t

Content analysis details:   (12.6 hits, 6.5 required)
 0.8 HTML_00_10             BODY: Message is 0% to 10% HTML
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.2 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in
abuse.rfc-ignorant.org
  10 FUZZY_OCR              BODY: Mail contains an image with common
spam text inside
                            Words found:
                            "target" in 1 lines
                            "symbol" in 1 lines
                            "stock" in 1 lines
                            "price" in 1 lines
                            "company" in 1 lines
                            "breaking" in 1 lines
                            "banking" in 1 lines
                            "news" in 1 lines
                            (8 word occurrences found)


Appropriate output regarding Fuzzy_OCR from spamassassin -D --lint:

[30731] dbg: plugin: fixed relative path:
/etc/mail/spamassassin/FuzzyOcr.pm
[30731] dbg: plugin: loading FuzzyOcr from
/etc/mail/spamassassin/FuzzyOcr.pm
[30731] dbg: plugin: registered FuzzyOcr=HASH(0xa4200b4)
[30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements 'parse_config'
[30731] dbg: FuzzyOcr: Found scan: $gocr -i $pfile
[30731] dbg: FuzzyOcr: Found scan: $gocr -l 180 -d 2 -i $pfile
[30731] dbg: FuzzyOcr: Found scan: $gocr -l 140 -d 2 -i $pfile
[30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements
'finish_parsing_end'
[30731] dbg: FuzzyOcr: Using giffix => /usr/bin/giffix
[30731] dbg: FuzzyOcr: Using giftext => /usr/bin/giftext
[30731] dbg: FuzzyOcr: Using gifinter => /usr/bin/gifinter
[30731] dbg: FuzzyOcr: Using giftopnm => /usr/bin/giftopnm
[30731] dbg: FuzzyOcr: Using jpegtopnm => /usr/bin/jpegtopnm
[30731] dbg: FuzzyOcr: Using pngtopnm => /usr/bin/pngtopnm
[30731] dbg: FuzzyOcr: Using bmptopnm => /usr/bin/bmptopnm
[30731] dbg: FuzzyOcr: Using ppmhist => /usr/bin/ppmhist
[30731] dbg: FuzzyOcr: Using gocr => /usr/bin/gocr
[30731] dbg: FuzzyOcr: Loaded <43> words from
"/etc/mail/spamassassin/FuzzyOcr.words"
[30731] dbg: FuzzyOcr: Using scan: $gocr -i $pfile
[30731] dbg: FuzzyOcr: Using scan: $gocr -l 180 -d 2 -i $pfile
[30731] dbg: FuzzyOcr: Using scan: $gocr -l 140 -d 2 -i $pfile

I do NOT have anything set in Mailscanner.conf specific to SpamAssassin
aside from site rules dir.  Should I?

SpamAssassin Install Prefix =

SpamAssassin Site Rules Dir = /etc/mail/spamassassin

SpamAssassin Local Rules Dir =

SpamAssassin Local State Dir = # /var/lib

SpamAssassin Default Rules Dir =


Now with a different plugin loaded, ImageInfo.pm -

[2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from
/etc/mail/spamassassin/ImageInfo.pm
[2013] dbg: plugin: registered
Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)

[2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from
/etc/mail/spamassassin/ImageInfo.pm
[2013] dbg: plugin: registered
Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)


A stock spam with inline gif processed through Mailscanner:

X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
	required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
	SARE_GIF_ATTACH 4.25)
X-MailScanner-SpamScore: sssss

Saved and processed locally on the SAME mail sever with - cat test.txt |
spamassassin -t

Content analysis details:   (11.1 hits, 6.5 required)
 0.8 HTML_00_10             BODY: Message is 0% to 10% HTML
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 5.5 DC_IMAGE001_GIF        BODY: Contains image named image001.gif
 4.2 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in
abuse.rfc-ignorant.org
 3.0 DC_GIF_UNO_LARGO       Message contains a single large inline gif

(imageinfo.cf had this specific rule I added JUST for the spam because I
already knew the inline GIF was named DDT.gif)
# you can match by image name
body            DC_IMAGE001_GIF         eval:image_named('DDT.gif')
describe        DC_IMAGE001_GIF         Contains image named
image001.gif
score           DC_IMAGE001_GIF         5.50



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Garry
Glendown
Sent: Thursday, October 05, 2006 11:54 PM
To: MailScanner discussion
Subject: MS and SA diuffer

Hi,

I've just set up FuzzyOCR to take care of the Image spam that has
increased recently ... after still receiving untagged stock spam, I've
checked into the scores and stuff and noticed on a test message, that MS
has a lot less rule hits (and therefore less score points) than when
calling spamassassin directly ...

Here's what I got originally from MS:

X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905,
	benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05,
	HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50)

whereas the -t run from SA resulted in:

X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99,
FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE,
        MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no

MailScanner.conf points to the right SA directory
(/etc/mail/spamassassin), there ARE image spams that get tagged with the
OCR-tags, so I don't really get it why the scoring differs this much ...
also with the Bayes score ... none on MS, 99 on SA ... !?

I'm still running MS 4.50, SA is 3.1.5 ...

Any idea where I could look for the cause of this?

Tnx!
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE:
This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law.  If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction.  Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies.
===========================================================
NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997).
===========================================================


More information about the MailScanner mailing list