Certain Spamassassin rules do not seem to be firing all of the time

Duncan, Brian M. brian.duncan at kattenlaw.com
Wed Jun 12 22:05:37 IST 2013 

spamassassin-3.3.1-3.el5.rf
mailscanner-4.83.5-1

Looking for some help here, it looks like sometimes Mailscanner is causing SpamAssassin to not use some rules. (Not exactly sure on this I assume it is Mailscanner based on the behavior I am seeing)

I receive the message and it is not tagged as Spam and winds up in my inbox.  The headers show on this example:

X-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.8,required 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00,RP_MATCHES_RCVD -0.00)

I then take that message and drag it into a separate mailbox I had setup on our Exchange server, then pull it down to my Sendmail/Mailscanner/SpamAssassin box through imap in rfc822 format.

I then run the same message through Spamassassin with -test-mode locally from my mail server I get different scoring on, it looks like I am missing some of the checks because now it defiantly shows as Spam:

Content analysis details:   (17.3 hits, 6.5 required)
 5.0 URIBL_DBL_SPAM         Contains an URL listed in the DBL blocklist
                            [URIs: eelefs.net]
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5050]
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 8.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 LOTS_OF_MONEY          Huge... sums of money

------ End of SpamAssassin results, Original message follows --------

So I was wondering if it had to with my MailScanner.conf having this line: SpamAssassin Local State Dir = # /var/lib/spamassassin

But based on my debug of MailScanner, it does not matter if the # is present or not, MailScanner seems to think it knows where all the rules are.  The below output is with SpamAssassin Local State Dir = /var/lib/spamassassin

In Debugging mode, not forking...
Trying to setlogsock(unix)
15:54:01 Jun 12 15:54:01.475 [32352] dbg: logger: adding facilities: all
15:54:01 Jun 12 15:54:01.475 [32352] dbg: logger: logging level is DBG
15:54:01 Jun 12 15:54:01.475 [32352] dbg: generic: SpamAssassin version 3.3.1
15:54:01 Jun 12 15:54:01.475 [32352] dbg: generic: Perl 5.008008, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spam
assassin
15:54:01 Jun 12 15:54:01.475 [32352] dbg: config: timing enabled
15:54:01 Jun 12 15:54:01.475 [32352] dbg: config: score set 0 chosen.
15:54:01 Jun 12 15:54:01.477 [32352] dbg: util: running in taint mode? no
15:54:01 Jun 12 15:54:01.480 [32352] dbg: dns: is Net::DNS::Resolver available? yes
15:54:01 Jun 12 15:54:01.480 [32352] dbg: dns: Net::DNS version: 0.65
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/init.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v310.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v312.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v320.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: read file /etc/mail/spamassassin/v330.pre
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/var/lib/spamassassin/3.003001" for sys rules pre files
15:54:01 Jun 12 15:54:01.481 [32352] dbg: config: using "/var/lib/spamassassin/3.003001" for default rules dir
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /var/lib/spamassassin/3.003001/updates_spamassassin_org.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: using "/etc/mail/spamassassin" for site rules dir
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum1.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/70_sare_unsub.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/chickenpox.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/local.cf
15:54:01 Jun 12 15:54:01.482 [32352] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
15:54:01 Jun 12 15:54:01.483 [32352] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
15:54:01 Jun 12 15:54:01.483 [32352] dbg: config: read file /root/.spamassassin/user_prefs
15:54:01 Jun 12 15:54:01.484 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
15:54:01 Jun 12 15:54:01.488 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
15:54:01 Jun 12 15:54:01.491 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
15:54:01 Jun 12 15:54:01.494 [32352] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
15:54:01 Jun 12 15:54:01.496 [32352] dbg: pyzor: network tests on, attempting Pyzor

The odd thing here to me, is if I search my maillog for some of the hits from above, Like URIBL_DBL_SPAM, I am seeing many hits on this..  It just seems to be skipping some of the rules for a certain messages.  I looked through

Anyone have any ideas where I can start to figure this one out?  I checked my rules, but since some of the rules are firing I assumed it can't have anything to do with that..

Here is the complete output from the message I give as an example from above: (minus the spammy body)

Received: from CHI-US-HT-01.us.kmz.com (10.18.17.28) by
 CHI-US-CAS-1B.us.kmz.com (10.125.15.2) with Microsoft SMTP Server (TLS) id
 14.3.123.3; Wed, 12 Jun 2013 15:44:04 -0500
Received: from chi-us-vwall-01.us.kmz.com (10.18.16.181) by
 CHI-US-HT-01.us.kmz.com (10.18.17.28) with Microsoft SMTP Server id
 14.3.123.3; Wed, 12 Jun 2013 15:44:03 -0500
Received: from venus.kattenlaw.com ([10.18.3.33]) by us.kmz.com
 ([10.18.16.181]) with ESMTP (TREND IMSS SMTP Service 7.1) id 844d8c4f001d4ac4
 ; Wed, 12 Jun 2013 15:44:01 -0500
Received: from smtp1.eelefs.net (smtp1.eelefs.net [66.197.143.105])     by
 venus.kattenlaw.com (8.13.8/8.13.4) with ESMTP id r5CKi0H8028960       for
 <brian.duncan at kmzr.com>; Wed, 12 Jun 2013 15:44:03 -0500
From: 2013 Models <Jorge.Mendoza at eelefs.net>
To: "Duncan, Brian M." <brian.duncan at kattenlaw.com>
Subject: *Reduction Information* 2013's for thousands less
Thread-Topic: *Reduction Information* 2013's for thousands less
Thread-Index: AQHOZ62T+0z+e2LgwkiBidggfWeC0A==
Date: Wed, 12 Jun 2013 15:43:58 -0500
Message-ID: <29295056e3e7741908e644022e5f0220 at smtp1.eelefs.net>
Reply-To: "Jorge.Mendoza at eelefs.net" <Jorge.Mendoza at eelefs.net>
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: CHI-US-HT-01.us.kmz.com
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailscanner-from: jorgemendoza at smtp1.eelefs.net
x-mailscanner-spamcheck: not spam, SpamAssassin (cached, score=0.8,     required
 6.5, BAYES_50 0.80, LOTS_OF_MONEY 0.00,        RP_MATCHES_RCVD -0.00)
x-kattenlaw-mailscanner-information:
x-mailscanner-spam: no
x-kattenlaw-mailscanner-id: r5CKi0H8028960
x-tm-imss-message-id: <844d8c4f001d4ac4 at us.kmz.com>
x-kattenlaw: NS
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8737EB66163E6F4DA060748F2D862AD0 at kattenlaw.com>
MIME-Version: 1.0

Thanks for any help.


===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue
Service, any tax advice contained herein is not intended or written to be used and cannot be used
by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE:
This electronic mail message and any attached files contain information intended for the exclusive
use of the individual or entity to whom it is addressed and may contain information that is
proprietary, privileged, confidential and/or exempt from disclosure under applicable law.  If you
are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or 
distribution of this information may be subject to legal restriction or sanction.  Please notify
the sender, by electronic mail or telephone, of any unintended recipients and delete the original 
message without making any copies.
===========================================================
NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has
elected to be governed by the Illinois Uniform Partnership Act (1997).
===========================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130612/690ca823/attachment.html

More information about the MailScanner mailing list