Stops after RCVD_IN_BL_SPAMCOP_NET

Joe Garvey garvey at pushormitchell.com
Fri Jan 9 23:03:33 GMT 2009 

Here are the top 15 results from the spamassassin hits.

RCVD_IN_BL_SPAMCOP_NET is sitting at 74,756. There are a few other rules that hit over 45,000 but it drops dramatically after that with most rules only being hit with an average of 5,000. With RCVD_IN_BL_SPAMCOP_NET having such as high hit count compared to everything else it really makes me wonder why no other rules are getting hit as much as it is.

required  	 	112,503  	8,110  	7.2  	104,393  	92.8
DCC_CHECK 	Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 	86,708 	1,066 	1.2 	85,642 	98.8
autolearn=spam 		84,906 	0 	0 	84,906 	100
RCVD_IN_BL_SPAMCOP_NET 	Received via a relay in bl.spamcop.net 	74,756 	256 	0.3 	74,500 	99.7
BAYES_99 	Bayesian spam probability is 99 to 100% 	73,555 	87 	0.1 	73,468 	99.9
URIBL_JP_SURBL 	Contains an URL listed in the JP SURBL blocklist 	66,847 	40 	0.1 	66,807 	99.9
URIBL_SBL 	Contains an URL listed in the SBL blocklist 	64,011 	15 	0 	63,996 	100
URIBL_SBLXBL 	Contains a URL listed in the SBL/XBL blocklist 	59,950 	13 	0 	59,937 	100
URIBL_AB_SURBL 	Contains an URL listed in the AB SURBL blocklist 	57,969 	72 	0.1 	57,897 	99.9
HTML_MESSAGE 	HTML included in message 	57,796 	5,932 	10.3 	51,864 	89.7
URIBL_OB_SURBL 	Contains an URL listed in the OB SURBL blocklist 	54,305 	28 	0.1 	54,277 	99.9
URIBL_WS_SURBL 	Contains an URL listed in the WS SURBL blocklist 	46,946 	18 	0 	46,928 	100
RAZOR2_CHECK 	Listed in Razor2 (http://razor.sf.net/) 	46,385 	227 	0.5 	46,158 	99.5
RAZOR2_CF_RANGE_51_100 	Razor2 gives confidence level above 50% 	45,793 	188 	0.4 	45,605 	99.6
RCVD_IN_XBL 	Received via a relay in Spamhaus XBL 	44,779 	2 	0 	44,777 	100
DIGEST_MULTIPLE 	Message hits more than one network digest check 	40,121 	50 	0.1 	40,071 	99.9


Here is the values from sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       6493          0  non-token data: nspam
0.000          0        847          0  non-token data: nham
0.000          0     207718          0  non-token data: ntokens
0.000          0 1231449300          0  non-token data: oldest atime
0.000          0 1231541795          0  non-token data: newest atime
0.000          0 1231541368          0  non-token data: last journal sync atime
0.000          0 1231519200          0  non-token data: last expiry atime
0.000          0      86400          0  non-token data: last expire atime delta
0.000          0       1792          0  non-token data: last expire reduction count 

Thanks

Joe


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kai Schaetzl
Sent: Friday, January 09, 2009 2:31 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Stops after RCVD_IN_BL_SPAMCOP_NET

Joe Garvey wrote on Fri, 9 Jan 2009 11:32:49 -0800:

> My /etc/mail/spamassassin/spam.assassin.prefs.conf is a link to /etc/MailScanner/spam.assassin.prefs.conf

right, yes, that's fine then. I sometimes think we are two years ago ;-)


> I find it very confusing and lacking confidence in the system when
> the system provides a score for bl.spamcop.net and don't see any other
> results from any other rules. 

Use Mailwatch to checks the Rule Hits. Go to Reports/Spamassassin Rule Hits.
I can't see a reason that the spamcop RBL rule stop all processing. Unless you use
short-circuiting and use this rule as short-circuit rule.

> I also converted my bayes database to MySQL. After reviewing the conversion
> I noticed that I have no ham messages in the database. I am loading
> up some from various users to see if this will also make a difference
> as I find the Bayesian score usually shows a negative even for the
> most obvious spam.

Well, I suppose you didn't do "sa-learn --dump magic" before this. It would have
shown you that you have no ham. That symptom would be normal for a freshly started
Bayes DB that gets trained only with autolearning, but you seem to have it running
much longer? This would then indicate that your autolearning for ham is non-existent
because your ham isn't scoring low enough - which should not happen.
What's the dump magic output now?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list