<div dir="ltr">Looks like you've set the 'is defintely not spam" for the address or domain to me. Thsi will override what SA says about the email, indeed of the spam is coming from your local 10.0 domain you may want to look deeper at what addersses you whitelist..<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">-- <br>Martin Hepworth, CISSP<br>Oxford, UK</div></div>
<br><div class="gmail_quote">On 9 December 2015 at 15:06, Oliver Kutscher <span dir="ltr"><<a href="mailto:ok@addix.net" target="_blank">ok@addix.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">To give you an overview:<br>
<br>
the <a href="http://company.net" rel="noreferrer" target="_blank">company.net</a> rule has been hit for 1381 time where 4 of them have the strange "required 3.5" value and / or score > required score problem. An example for an expected log:<br>
<br>
Dec 9 15:52:52 mailscan1.mydomain.campus MailScanner[11325]: Message 1a6g6g-0004SR-Bx from 10.0.0.3 (<a href="mailto:mail@somedomain.net" target="_blank">mail@somedomain.net</a>) to <a href="http://company.net" rel="noreferrer" target="_blank">company.net</a> is not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY 1.00, TVD_SPACE_RATIO 0.10)<br>
<br>
The required score is ok in this case.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Tabs? Are you using tabs in your rules?<br>
</blockquote>
<br></span>
Yes. Tabs are used. I think if the rules file is messed up the rules will never take effect.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Any whitelists for say … the server it came from?<br>
</blockquote>
<br></span>
If there are any whitelist entries present (ip, domain, full address) a "(whitelisted)" is passed to the log. 2 of the 4 strange mails were virus infected spam mails from an unknown ip (definitely not wl).<br>
<br>
Mit freundlichen Grüßen,<br>
i.A.<br>
Oliver Kutscher<br>
<br>
-- <br>
<br>
Postanschrift:<br>
<br>
ADDIX Internet Services GmbH<br>
Postfach 1225<br>
D-24011 Kiel<br>
<br>
Tel: <a href="tel:%2B49%20431%207755%20140" value="+494317755140" target="_blank">+49 431 7755 140</a><br>
Fax: <a href="tel:%2B49%20431%207755%20105" value="+494317755105" target="_blank">+49 431 7755 105</a><br>
<br>
<a href="mailto:ok@addix.net" target="_blank">ok@addix.net</a><br>
<a href="http://www.addix.net" rel="noreferrer" target="_blank">www.addix.net</a><div class="HOEnZb"><div class="h5"><br>
<br>
Am 09.12.2015 um 15:51 schrieb Jerry Benton:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
And I am still sitting here blinking …. trying to remember what would cause a “is not spam” marking when the score exceeds the threshold. (Besides whitelisting)<br>
<br>
Any whitelists for say … the server it came from?<br>
<br>
-<br>
Jerry Benton<br>
<a href="http://www.mailborder.com" rel="noreferrer" target="_blank">www.mailborder.com</a><br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Dec 9, 2015, at 9:26 AM, Oliver Kutscher <<a href="mailto:ok@addix.net" target="_blank">ok@addix.net</a>> wrote:<br>
<br>
Hi,<br>
<br>
we are experiencing a lot of spam mails since some days and some of the mails are allowed and passed to the recepient. Let's have a look into a log entry I found in my logs:<br>
<br>
Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (<a href="mailto:spammer@spam.com" target="_blank">spammer@spam.com</a>) to <a href="http://mydomain.net" rel="noreferrer" target="_blank">mydomain.net</a> is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)<br>
<br>
This mail passes the mail system an reached the recepient. I'm curious about two things:<br>
<br>
Why was the mail ranked as "is not spam" (score > required score)?<br>
<br>
Why has the required score a value of 3.5? I set per domain scores within /etc/MailScanner/rules/spam.score.rules:<br>
<br>
To: *@<a href="http://mycompany.com" rel="noreferrer" target="_blank">mycompany.com</a> 4<br>
To: *@<a href="http://mycompany.net" rel="noreferrer" target="_blank">mycompany.net</a> 8<br>
FromOrTo: default 3.5<br>
<br>
To make it more complicated: Most time the required score for <a href="http://mycompany.net" rel="noreferrer" target="_blank">mycompany.net</a> is shown as 8 which is the required score that I'm expecting.<br>
<br>
I would be very appreciated for any suggestions.<br>
<br>
==============<br>
Versions / OS<br>
==============<br>
Running on<br>
Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux<br>
This is CentOS Linux release 7.1.1503 (Core)<br>
This is Perl version 5.016003 (5.16.3)<br>
<br>
This is MailScanner version 4.85.2<br>
Module versions are:<br>
1.01 AnyDBM_File<br>
1.30 Archive::Zip<br>
0.29 bignum<br>
1.26 Carp<br>
2.061 Compress::Zlib<br>
1.119 Convert::BinHex<br>
0.18 Convert::TNEF<br>
2.145 Data::Dumper<br>
2.30 Date::Parse<br>
1.04 DirHandle<br>
1.11 Fcntl<br>
2.84 File::Basename<br>
2.23 File::Copy<br>
2.02 FileHandle<br>
2.09 File::Path<br>
0.2301 File::Temp<br>
0.92 Filesys::Df<br>
3.69 HTML::Entities<br>
3.71 HTML::Parser<br>
3.69 HTML::TokeParser<br>
1.25_06 IO<br>
1.16 IO::File<br>
1.15 IO::Pipe<br>
2.12 Mail::Header<br>
1.998 Math::BigInt<br>
0.2603 Math::BigRat<br>
3.13 MIME::Base64<br>
5.505 MIME::Decoder<br>
5.505 MIME::Decoder::UU<br>
5.505 MIME::Head<br>
5.505 MIME::Parser<br>
3.13 MIME::QuotedPrint<br>
5.505 MIME::Tools<br>
0.17 Net::CIDR<br>
1.26 Net::IP<br>
0.19 OLE::Storage_Lite<br>
1.04 Pod::Escapes<br>
3.28 Pod::Simple<br>
1.30 POSIX<br>
1.27 Scalar::Util<br>
2.010 Socket<br>
2.45 Storable<br>
1.5 Sys::Hostname::Long<br>
0.33 Sys::Syslog<br>
1.48 Test::Pod<br>
0.98 Test::Simple<br>
1.9725 Time::HiRes<br>
1.02 Time::localtime<br>
<br>
Optional module versions are:<br>
1.92 Archive::Tar<br>
0.29 bignum<br>
2.06 Business::ISBN<br>
20120719.001 Business::ISBN::Data<br>
missing Data::Dump<br>
1.83 DB_File<br>
1.39 DBD::SQLite<br>
1.627 DBI<br>
1.17 Digest<br>
1.03 Digest::HMAC<br>
2.52 Digest::MD5<br>
missing Digest::SHA1<br>
1.01 Encode::Detect<br>
0.17020 Error<br>
missing ExtUtils::CBuilder<br>
3.18 ExtUtils::ParseXS<br>
2.4 Getopt::Long<br>
missing Inline<br>
missing IO::String<br>
1.10 IO::Zlib<br>
2.28 IP::Country<br>
missing Mail::ClamAV<br>
3.004000 Mail::SpamAssassin<br>
v2.008 Mail::SPF<br>
missing Mail::SPF::Query<br>
missing Module::Build<br>
missing Net::CIDR::Lite<br>
0.72 Net::DNS<br>
missing Net::DNS::Resolver::Programmable<br>
missing Net::LDAP<br>
4.069 NetAddr::IP<br>
missing Parse::RecDescent<br>
missing SAVI<br>
3.28 Test::Harness<br>
missing Test::Manifest<br>
2.02 Text::Balanced<br>
1.60 URI<br>
0.9907 version<br>
missing YAML<br>
<br>
<br>
Kind Regards,<br>
i.A.<br>
Oliver Kutscher<br>
<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/listinfo/mailscanner</a><br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
<br>
-- <br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/listinfo/mailscanner</a><br>
<br>
</div></div></blockquote></div><br></div>