Hi-scoring spam delivered

Jethro R Binks jethro.binks at strath.ac.uk
Tue Jan 19 10:04:46 GMT 2010


I have just had my attention drawn to a case where a spam was identified:

2010-01-18T19:32:50+00:00 MailScanner[7837]: Message 1NWxLB-0008IA-8E from 
87.248.114.81 (badspammer at example.com) to strath.ac.uk is spam, 
SpamAssassin (cached, score=10.098, required 6.5, autolearn=disabled, 
ADVANCE_FEE_2 2.05, ADVANCE_FEE_3 1.44, ADVANCE_FEE_4 1.50, DKIM_SIGNED 
0.00, DKIM_VERIFIED -0.00, HTML_MESSAGE 0.00, MILLION_USD 1.78, 
SARE_FRAUD_X3 1.67, SARE_FRAUD_X4 1.67)

The score was 10.098.  My "high scoring" threshold is 11, so I would 
normally expect this message to have been delivered with the inline 
warning added, and "{spam?}" added to the Subject.  This is how it has 
operated successfully for years.

In this case, the message was delivered to the end user with the inline 
warning, but "{spam?}" was not added to the Subject.

I have examples of the same spam at about the same time being delivered to 
the end user with "{spam?}" successfully added.

The only thing that may be different here is that the one without 
"{spam?}" was scored as a result of the SA cache.  But I've never seen 
this lack of "{spam?}" happen before.  (Not to say that it hasn't done, of 
course!).  It seems unlikely to me that whether it is cached has any 
bearing on the actions taken.

Spam Modify Subject = yes
Spam Subject Text = {spam?}
High Scoring Spam Modify Subject = yes
High Scoring Spam Subject Text = {SPAM?}

spam.actions.rules:
...
To:     default                         deliver striphtml attachment

Anyone have any ideas?  I am running FreeBSD dev port from a while ago, 
4.78.15_1.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
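
Added example, not part of the original post: a small Python parser for the "is spam" log entry quoted above. It extracts the score, the required score, the cached flag and the per-rule scores, and reports which Subject tag the posted configuration should have produced, so cache-scored messages can be listed and checked by hand. The function names are hypothetical, and treating a score at or above the threshold of 11 as high scoring is an assumption.

```python
import re

# Constructed sample: the log entry quoted in the post, joined onto one line.
SAMPLE = ("2010-01-18T19:32:50+00:00 MailScanner[7837]: Message 1NWxLB-0008IA-8E "
          "from 87.248.114.81 (badspammer at example.com) to strath.ac.uk is spam, "
          "SpamAssassin (cached, score=10.098, required 6.5, autolearn=disabled, "
          "ADVANCE_FEE_2 2.05, ADVANCE_FEE_3 1.44, ADVANCE_FEE_4 1.50, DKIM_SIGNED "
          "0.00, DKIM_VERIFIED -0.00, HTML_MESSAGE 0.00, MILLION_USD 1.78, "
          "SARE_FRAUD_X3 1.67, SARE_FRAUD_X4 1.67)")

HIGH_SCORE = 11.0  # the poster's "high scoring" threshold

LINE_RE = re.compile(r"Message (?P<id>\S+) from (?P<ip>\S+) .*? is spam, "
                     r"SpamAssassin \((?P<detail>.*)\)")
RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse_spam_line(line, high_score=HIGH_SCORE):
    """Return a dict describing one 'is spam' log entry, or None if no match."""
    m = LINE_RE.search(" ".join(line.split()))  # undo mail/syslog line wrapping
    if not m:
        return None
    fields = [f.strip() for f in m.group("detail").split(",")]
    info = {"id": m.group("id"), "ip": m.group("ip"),
            "cached": "cached" in fields, "rules": {}}
    for f in fields:
        if f.startswith("score="):
            info["score"] = float(f[len("score="):])
        elif f.startswith("required "):
            info["required"] = float(f[len("required "):])
        elif RULE_RE.match(f):
            name, value = RULE_RE.match(f).groups()
            info["rules"][name] = float(value)
    if "score" not in info or "required" not in info:
        return None
    # Assumption: a score at or above a threshold falls into that tier.
    if info["score"] >= high_score:
        info["expected_tag"] = "{SPAM?}"
    elif info["score"] >= info["required"]:
        info["expected_tag"] = "{spam?}"
    else:
        info["expected_tag"] = None
    return info


def cached_hits(lines):
    """Entries whose score came from the SpamAssassin cache, for manual review."""
    return [e for e in map(parse_spam_line, lines) if e and e["cached"]]
```

The rule scores in the log are rounded to two decimals, so their sum (10.11) differs slightly from the logged score of 10.098; both fall in the same tier.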


