SA+MS miss spam, scored with 0.00.

Steve Barnes pumzika at gmail.com
Sat Jun 6 01:51:28 IST 2009


Hi

MS 4.77.7
SA 3.2.5
Postfix 2.6.0
FreeBSD 7.2

I'm trying to understand why MS and SA missed a spam the first time
round (scored with 0.00). Resubmitting from quarantine as root with:

spamassassin -x -D < /var/spool/MailScanner/quarantine/20090605/nonspam/8F54D11485.A3CE1

it was scored at 11.2. I don't believe it's a case of online checks
"catching up" since the majority of rules that matched 2nd time round
aren't time-related:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.8 SUBJ_ALL_CAPS          Subject is all capitals
 1.6 MISSING_HEADERS        Missing To: header
 1.4 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.5 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.7 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
 4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

Even without DCC_CHECK, it should have scored 9.8. The SA report contains:

not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)

I keep seeing this "autolearn=)" truncation in cases where spam is
missed. Can anyone else confirm seeing it in their maillog? Otherwise,
MS + SA are catching 99% of the other spams coming in. I've included
the corresponding maillog entry at the bottom of this message.

Thanks

Steve

-------------

Jun  5 21:45:57 mail postfix/smtpd[17839]: connect from proxy1.bredband.net[195.54.101.71]
Jun  5 21:45:58 mail postfix/smtpd[17839]: 8F54D11485: client=proxy1.bredband.net[195.54.101.71]
Jun  5 21:45:59 mail postfix/cleanup[17849]: 8F54D11485: hold: header Received: from proxy1.bredband.net (proxy1.bredband.net [195.54.101.71])??by mail.domain.com (Postfix) with ESMTP id 8F54D11485??for <mail at domain.com>; Fri,  5 Jun 2009 21:45:58 +0300 (EAT) from proxy1.bredband.net[195.54.101.71]; from=<ahlstrom.carola at bredband.net> to=<mail at domain.com> proto=ESMTP helo=<proxy1.bredband.net>
Jun  5 21:45:59 mail postfix/cleanup[17849]: 8F54D11485:message-id=<70dols$ft7kqn at ironport1.bredband.com>
Jun  5 21:46:45 mail postfix/smtpd[17839]: disconnect from proxy1.bredband.net[195.54.101.71]
Jun  5 21:46:49 mail MailScanner[17743]: New Batch: Scanning 1 messages, 1977 bytes
Jun  5 21:46:49 mail MailScanner[17743]: Expired 3 records from the SpamAssassin cache
Jun  5 21:47:09 mail MailScanner[17743]: Virus and Content Scanning: Starting
Jun  5 21:47:09 mail MailScanner[17743]: Requeue: 8F54D11485.A3CE1 to 855B7116D3
Jun  5 21:47:09 mail postfix/qmgr[772]: 855B7116D3: from=<ahlstrom.carola at bredband.net>, size=1299, nrcpt=1 (queue active)
Jun  5 21:47:09 mail MailScanner[17743]: Uninfected: Delivered 1 messages
Jun  5 21:47:09 mail MailScanner[17743]: Deleted 1 messages from processing-database
Jun  5 21:47:09 mail MailScanner[17743]: Logging message 8F54D11485.A3CE1 to SQL
Jun  5 21:47:09 mail MailScanner[17745]: 8F54D11485.A3CE1: Logged to MailWatch SQL
Jun  5 21:47:09 mail postfix/smtp[17856]: 855B7116D3:to=<mail at domain.com>, relay=192.168.0.15[192.168.0.15]:30025, delay=71,delays=71/0.02/0.11/0.12, dsn=2.0.0, status=sent (250 Ok, message saved <Message-ID: 70dols$ft7kqn at ironport1.bredband.com>)
Jun  5 21:47:09 mail postfix/qmgr[772]: 855B7116D3: removed
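
One way to search a maillog for the report string quoted in the message above (score=0 with an empty "autolearn=" and no rule hits), as an added example that is not part of the original post. The "Message <queue id>" layout around the report string is an assumption, and the sample lines are constructed.

```python
import re

# The SpamAssassin part of a MailScanner spam report, as quoted in the post:
#   SpamAssassin (not cached, score=0, required 6, autolearn=)
REPORT_RE = re.compile(
    r"SpamAssassin \((?:not cached|cached), score=(?P<score>-?[\d.]+), "
    r"required (?P<required>-?[\d.]+)(?P<rest>[^)]*)\)")
# Assumed layout: the report line carries "Message <queue id>" before the verdict.
MSGID_RE = re.compile(r"Message (\S+)")

def parse_report(line):
    """Return score, autolearn value and rule hits, or None if the line has no report."""
    m = REPORT_RE.search(line)
    if m is None:
        return None
    autolearn, rules = None, []
    for field in (f.strip() for f in m.group("rest").split(",")):
        if field.startswith("autolearn="):
            autolearn = field[len("autolearn="):]
        elif field:
            rules.append(field)  # e.g. "SUBJ_ALL_CAPS 1.80"
    return {"score": float(m.group("score")), "autolearn": autolearn, "rules": rules}

def empty_reports(lines):
    """Queue ids whose report has score 0, an empty or absent autolearn and no rule hits."""
    hits = []
    for line in lines:
        rep = parse_report(line)
        if rep and rep["score"] == 0 and not rep["autolearn"] and not rep["rules"]:
            m = MSGID_RE.search(line)
            hits.append(m.group(1) if m else "?")
    return hits

# Constructed sample lines (not taken from the post's maillog).
P = "Jun  5 21:47:09 mail MailScanner[17743]: "
SAMPLE = [
    P + "New Batch: Scanning 1 messages, 1977 bytes",
    P + "Message 1A2B3C4D5E.A1B2C from 192.0.2.10 (a@example.net) to example.com is not spam, "
        "SpamAssassin (not cached, score=0, required 6, autolearn=)",
    P + "Message 2B3C4D5E6F.B2C3D from 192.0.2.11 (b@example.net) to example.com is not spam, "
        "SpamAssassin (not cached, score=-2.6, required 6, autolearn=not spam, BAYES_00 -2.60)",
    P + "Message 3C4D5E6F7A.C3D4E from 192.0.2.12 (c@example.net) to example.com is not spam, "
        "SpamAssassin (cached, score=0, required 6, autolearn=no, HTML_MESSAGE 0.00)",
    P + "Message 4D5E6F7A8B.D4E5F from 192.0.2.13 (d@example.net) to example.com is spam, "
        "SpamAssassin (not cached, score=9.8, required 6, autolearn=disabled, "
        "FORGED_MUA_OUTLOOK 4.20, MISSING_HEADERS 1.60, SUBJ_ALL_CAPS 1.80, "
        "MSGID_FROM_MTA_HEADER 1.50, MSOE_MID_WRONG_CASE 0.70)",
]

if __name__ == "__main__":
    for qid in empty_reports(SAMPLE):
        print("empty SpamAssassin report:", qid)
```

A zero score that still lists rule hits or a non-empty autolearn value is treated as a real result and not flagged.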

