Hi,
This user "[EMAIL PROTECTED]" keeps getting spam because the
test USER_IN_ALL_SPAM_TO is triggered. But he is not listed in local.cf
(or any files in /usr/share/spamassassin) in a "all_spam_to" entry. When I
run this mail by hand with "spamassassin -D < mail" there is no hit for
USER_IN_ALL_SPAM_TO. Here are the headers of the mail and the full mail is
attached along with "spamassassin -D" output. I can't send my
"all_spam_to" entries for privacy. I am running SA-2.61. Can someone tell
me what I am overlooking?
X-UIDL: 3fcf2cc40005ddfd
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from orion.linuxseclabs.com (orion.inside.linuxseclabs.com
[192.168.1.1])
by mastermind.inside.linuxseclabs.com (Postfix) with ESMTP
id 58E603A40B6; Tue, 30 Dec 2003 07:11:44 -0500 (EST)
Received: from smtp.linuxseclabs.com (jug [209.11.107.37])
by orion.linuxseclabs.com (8.9.3/8.9.3) with ESMTP id HAA28051;
Tue, 30 Dec 2003 07:11:44 -0500
Received: from localhost (localhost [127.0.0.1])
by localhost (Postfix) with ESMTP
id 06C8F44F26; Tue, 30 Dec 2003 07:11:44 -0500 (EST)
Received: from smtp.linuxseclabs.com ([127.0.0.1])
by localhost (smtp.linuxseclabs.com [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id 23444-01; Tue, 30 Dec 2003 07:11:42 -0500 (EST)
Received: from pppa19-city-1r7114.dialinx.net (unknown [4.4.228.80])
by smtp.linuxseclabs.com (Postfix) with SMTP
id 82EB544DD3; Tue, 30 Dec 2003 07:11:04 -0500 (EST)
Received: from [9.12.181.192] by pppa19-city-1r7114.dialinx.net SMTP id
bzK1U1gC3HQJ3g; Tue, 30 Dec 2003 07:02:56 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "Karina Berry" <[EMAIL PROTECTED]>
Reply-To: "Karina Berry" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: last evening arkady oha cm
Date: Tue, 30 Dec 2003 07:02:56 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="F0AED4E1F5..D.8C3950."
X-Virus-Scanned: by amavisd-new at linuxseclabs.com
X-Spam-Status: No, hits=-66.5 tagged_above=-300.0 required=4.9 use_bayes=1
tests=BAYES_99, HTML_70_80, HTML_IMAGE_ONLY_04, HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG, J_BACKHAIR_11, J_BACKHAIR_12, J_BACKHAIR_13,
J_BACKHAIR_21, J_BACKHAIR_22, J_BACKHAIR_23, J_BACKHAIR_24,
J_BACKHAIR_25,
J_BACKHAIR_26, J_BACKHAIR_32, J_BACKHAIR_34, J_BACKHAIR_35,
J_BACKHAIR_42,
J_BACKHAIR_43, MIME_HTML_NO_CHARSET, MIME_HTML_ONLY,
MIME_HTML_ONLY_MULTI,
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
RCVD_IN_NJABL_DIALUP,
RCVD_IN_SORBS, USERPASS, USER_IN_ALL_SPAM_TO
X-Spam-Level:
Status: O
If more info is needed I will be happy to provide it.
Thanks for any help,
JohnX-UIDL: 3fcf2cc40005ddfd
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from orion.linuxseclabs.com (orion.inside.linuxseclabs.com [192.168.1.1])
by mastermind.inside.linuxseclabs.com (Postfix) with ESMTP
id 58E603A40B6; Tue, 30 Dec 2003 07:11:44 -0500 (EST)
Received: from smtp.linuxseclabs.com (jug [209.11.107.37])
by orion.linuxseclabs.com (8.9.3/8.9.3) with ESMTP id HAA28051;
Tue, 30 Dec 2003 07:11:44 -0500
Received: from localhost (localhost [127.0.0.1])
by localhost (Postfix) with ESMTP
id 06C8F44F26; Tue, 30 Dec 2003 07:11:44 -0500 (EST)
Received: from smtp.linuxseclabs.com ([127.0.0.1])
by localhost (smtp.linuxseclabs.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 23444-01; Tue, 30 Dec 2003 07:11:42 -0500 (EST)
Received: from pppa19-city-1r7114.dialinx.net (unknown [4.4.228.80])
by smtp.linuxseclabs.com (Postfix) with SMTP
id 82EB544DD3; Tue, 30 Dec 2003 07:11:04 -0500 (EST)
Received: from [9.12.181.192] by pppa19-city-1r7114.dialinx.net SMTP id
bzK1U1gC3HQJ3g; Tue, 30 Dec 2003 07:02:56 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "Karina Berry" <[EMAIL PROTECTED]>
Reply-To: "Karina Berry" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: last evening arkady oha cm
Date: Tue, 30 Dec 2003 07:02:56 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="F0AED4E1F5..D.8C3950."
X-Virus-Scanned: by amavisd-new at linuxseclabs.com
X-Spam-Status: No, hits=-66.5 tagged_above=-300.0 required=4.9 use_bayes=1
tests=BAYES_99, HTML_70_80, HTML_IMAGE_ONLY_04, HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG, J_BACKHAIR_11, J_BACKHAIR_12, J_BACKHAIR_13,
J_BACKHAIR_21, J_BACKHAIR_22, J_BACKHAIR_23, J_BACKHAIR_24, J_BACKHAIR_25,
J_BACKHAIR_26, J_BACKHAIR_32, J_BACKHAIR_34, J_BACKHAIR_35, J_BACKHAIR_42,
J_BACKHAIR_43, MIME_HTML_NO_CHARSET, MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI,
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL, RCVD_IN_NJABL_DIALUP,
RCVD_IN_SORBS, USERPASS, USER_IN_ALL_SPAM_TO
X-Spam-Level:
Status: O
--F0AED4E1F5..D.8C3950.
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<body><glnw cwr
a xbli o
vzhgxiepyqmj >
<p>T</helm>he ul</brucellosis>timate digi</stair>tal
cab</hayes>le fi</fungal>lter</p>
<p>Th</certainty>e <input eplg bxd zozf bl xndex
dcrb tuapv mq i p jk
rpmwpplwispohthkmxqf hgkymi w trkyv zlxd type=3D"hidden"
value=3D"ow b ko br mthn
vyhp">fi</celesta>lter w</caricature>ill al</=
sicken>low
yo</pocket>u t</budapest>o re</eyeful>ceive al</=
finicky>l
t</lome>he cha</coccidiosis>nnels th</effusive>at y</=
admission>ou
or</axiom>der wi</willowy>th yo</labyrinth>ur remo</=
trudy>ve
con</lysine>trol!</mcbride></p>
<p>pay</cardiod>perviews, adu</neologism>lt mo</essay>vies,=
spo</stalk>rt
ev</gem>ents,spe</covariant>cial <input tn jhlwc jc u efqnoc ob ii nceukfyli
qtmqch tpltmkpk hfvqgqc type=3D"h=
idden"
value=3D"vjuilxj r
m
ckyhbkn ymdwe i ">ev</issue>ents!<a href=3D"http://=
beget:[EMAIL PROTECTED]/cable/?hans">
se<herringbone>e no</medford>w!</a></p><p ytteje fdwrja sia
w
ri ><a =
dwcssf a gkmquxe dnvgtcwvzizsrunyausazf
zdrclv ikrysshaer
href=3D"http://trisyllable:[EMAIL PROTECTED]/cable/?=
nonagenarian"><input cyl yteoy il hsj thurw
vuil nxzd
type=3D"hidden" value=3D"vntrfdagcthrttkvorycve
lvi n clo zrqcj vuiuax
w
ojhizazr hq
yxgk orqvk qcgvcei"><img m eyvzqid pvdkmwj yltzmm mhxa fzeusw
egdpk h
zuopgryej border=3D"0"
src=3D"http://www.2004hosting.net/fiter1.jpg";></a></p>
</oc wntbv dwmog
zd gdpknzj
smtozidjgzvxrl agslsrjgxkxdejnt
vv></body>saypu b
vvpf jikqi pfxrhjtmbpylokfzcm
znary
kbatw
lo
--F0AED4E1F5..D.8C3950.--
X-UIDL: 3fcf2cc40005ddfd
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from orion.inside.linuxseclabs.com (orion.inside.linuxseclabs.com
[192.168.1.1])
by mastermind.inside.linuxseclabs.com (Postfix) with ESMTP
id 58E603A40B6; Tue, 30 Dec 2003 07:11:44 -0500 (EST)
Received: from juggernaut.linuxseclabs.com (jug [209.11.107.37])
by orion.inside.linuxseclabs.com (8.9.3/8.9.3) with ESMTP id HAA28051;
Tue, 30 Dec 2003 07:11:44 -0500
Received: from localhost (localhost [127.0.0.1])
by localhost (Postfix) with ESMTP
id 06C8F44F26; Tue, 30 Dec 2003 07:11:44 -0500 (EST)
Received: from juggernaut.linuxseclabs.com ([127.0.0.1])
by localhost (juggernaut.linuxseclabs.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 23444-01; Tue, 30 Dec 2003 07:11:42 -0500 (EST)
Received: from pppa19-city-1r7114.dialinx.net (unknown [4.4.228.80])
by juggernaut.linuxseclabs.com (Postfix) with SMTP
id 82EB544DD3; Tue, 30 Dec 2003 07:11:04 -0500 (EST)
Received: from [9.12.181.192] by pppa19-city-1r7114.dialinx.net SMTP id
bzK1U1gC3HQJ3g; Tue, 30 Dec 2003 07:02:56 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "Karina Berry" <[EMAIL PROTECTED]>
Reply-To: "Karina Berry" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: last evening arkady oha cm
Date: Tue, 30 Dec 2003 07:02:56 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="F0AED4E1F5..D.8C3950."
X-Virus-Scanned: by amavisd-new at linuxseclabs.com
Status: O
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on
juggernaut.linuxseclabs.com
X-Spam-Report:
* 0.1 HTML_70_80 BODY: Message is 70% to 80% HTML
* 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.5 HTML_IMAGE_ONLY_04 BODY: HTML: images with 200-400 bytes of words
* 0.7 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
* 3.1 USERPASS URI: URL contains username and (optional) password
* 1.0 J_BACKHAIR_32 BODY: 3 letters - Unsightly html tag - 2 letters
* 1.0 J_BACKHAIR_34 BODY: 3 letters - Unsightly html tag - 4 letters
* 1.0 J_BACKHAIR_35 BODY: 3 letters - Unsightly html tag - 5 letters
* 1.0 J_BACKHAIR_42 BODY: 4 letters - Unsightly html tag - 2 letters
* 1.0 J_BACKHAIR_43 BODY: 4 letters - Unsightly html tag - 3 letters
* 1.0 J_BACKHAIR_11 BODY: 1 letters - Unsightly html tag - 1 letters
* 1.0 J_BACKHAIR_12 BODY: 1 letters - Unsightly html tag - 2 letters
* 1.0 J_BACKHAIR_13 BODY: 1 letters - Unsightly html tag - 3 letters
* 1.0 J_BACKHAIR_21 BODY: 2 letters - Unsightly html tag - 1 letters
* 1.0 J_BACKHAIR_22 BODY: 2 letters - Unsightly html tag - 2 letters
* 1.0 J_BACKHAIR_23 BODY: 2 letters - Unsightly html tag - 3 letters
* 1.0 J_BACKHAIR_24 BODY: 2 letters - Unsightly html tag - 4 letters
* 1.0 J_BACKHAIR_25 BODY: 2 letters - Unsightly html tag - 5 letters
* 1.0 J_BACKHAIR_26 BODY: 2 letters - Unsightly html tag - 6 letters
* 0.5 RCVD_IN_NJABL_DIALUP RBL: NJABL: dialup sender did non-local SMTP
* [4.4.228.80 listed in dnsbl.njabl.org]
* 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
* [4.4.228.80 listed in dnsbl.sorbs.net]
* 0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
* [4.4.228.80 listed in dnsbl.njabl.org]
* 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
* [<http://dsbl.org/listing?ip=4.4.228.80>]
* 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?4.4.228.80>]
* 1.7 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
* 1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
X-Spam-Status: Yes, hits=26.4 required=5.0 tests=HTML_70_80,
HTML_IMAGE_ONLY_04,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,J_BACKHAIR_11,
J_BACKHAIR_12,J_BACKHAIR_13,J_BACKHAIR_21,J_BACKHAIR_22,J_BACKHAIR_23,
J_BACKHAIR_24,J_BACKHAIR_25,J_BACKHAIR_26,J_BACKHAIR_32,J_BACKHAIR_34,
J_BACKHAIR_35,J_BACKHAIR_42,J_BACKHAIR_43,MIME_HTML_NO_CHARSET,
MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_SORBS,
USERPASS autolearn=no version=2.61
X-Spam-Level: **************************
--F0AED4E1F5..D.8C3950.
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<body><glnw cwr
a xbli o
vzhgxiepyqmj >
<p>T</helm>he ul</brucellosis>timate digi</stair>tal
cab</hayes>le fi</fungal>lter</p>
<p>Th</certainty>e <input eplg bxd zozf bl xndex
dcrb tuapv mq i p jk
rpmwpplwispohthkmxqf hgkymi w trkyv zlxd type=3D"hidden"
value=3D"ow b ko br mthn
vyhp">fi</celesta>lter w</caricature>ill al</=
sicken>low
yo</pocket>u t</budapest>o re</eyeful>ceive al</=
finicky>l
t</lome>he cha</coccidiosis>nnels th</effusive>at y</=
admission>ou
or</axiom>der wi</willowy>th yo</labyrinth>ur remo</=
trudy>ve
con</lysine>trol!</mcbride></p>
<p>pay</cardiod>perviews, adu</neologism>lt mo</essay>vies,=
spo</stalk>rt
ev</gem>ents,spe</covariant>cial <input tn jhlwc jc u efqnoc ob ii nceukfyli
qtmqch tpltmkpk hfvqgqc type=3D"h=
idden"
value=3D"vjuilxj r
m
ckyhbkn ymdwe i ">ev</issue>ents!<a href=3D"http://=
beget:[EMAIL PROTECTED]/cable/?hans">
se<herringbone>e no</medford>w!</a></p><p ytteje fdwrja sia
w
ri ><a =
dwcssf a gkmquxe dnvgtcwvzizsrunyausazf
zdrclv ikrysshaer
href=3D"http://trisyllable:[EMAIL PROTECTED]/cable/?=
nonagenarian"><input cyl yteoy il hsj thurw
vuil nxzd
type=3D"hidden" value=3D"vntrfdagcthrttkvorycve
lvi n clo zrqcj vuiuax
w
ojhizazr hq
yxgk orqvk qcgvcei"><img m eyvzqid pvdkmwj yltzmm mhxa fzeusw
egdpk h
zuopgryej border=3D"0"
src=3D"http://www.2004hosting.net/fiter1.jpg";></a></p>
</oc wntbv dwmog
zd gdpknzj
smtozidjgzvxrl agslsrjgxkxdejnt
vv></body>saypu b
vvpf jikqi pfxrhjtmbpylokfzcm
znary
kbatw
lo
--F0AED4E1F5..D.8C3950.--
![http://www.2004hosting.net/fiter1.jpg"](http://www.2004hosting.net/fiter1.jpg"){kind=link}