There are bugtrack entries for the ALL_TRUSTED problem that you are describing. On my own network we were seeing all spam hit with -3.3 on ALL_TRUSTED. We are using SA on Postfix as a "man in the middle" relay from our AV to our main mail server.
MAIL <--> Postfix+SA <--> AV <--> Inernet The current theory is that the headers coming from the AV server are triggering the ALL_TRUSTED rule to fire. This may or may not be related to other bagtrack entries for ALL_TRUSTED. Maybe one of the developers could address this better. In the mean time it is easy to just leave the ALL_TRUSTED 0 in your local.cf Ray Dzek Network Operations Supervisor Specialized Bicycle Components -----Original Message----- From: Potato Chip [mailto:[EMAIL PROTECTED] Sent: Friday, October 15, 2004 9:31 AM To: users@spamassassin.apache.org Subject: SPF, ALL_TRUSTED Confusion was RE: Default SURBL scores low? Thank you everyone for your input and for directing me to the real problem -- SPF. For now, I have had to score ALL_TRUSTED -0.01 but would still like to get to the bottom of this SPF, TRUSTED issue. I have a spam which hits ALL_TRUSTED. I've attached the "spamassassin -D < spam" output below. I've excerpted some of the relevant SPF output: debug: metadata: X-Spam-Relays-Trusted: [ ip=80.110.248.122 rdns=chello080110248122.118.11.vie.surfer.at helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident= envfrom= intl=0 id=1CDRsz-0001DQ-LQ ] debug: metadata: X-Spam-Relays-Untrusted: debug: all '*From' addrs: [EMAIL PROTECTED] debug: SPF: message was delivered entirely via trusted relays, not required >>From my limited understanding of SPF, the relay should be an UNTRUSTED server. # dig frontier.net txt ==> ;; ANSWER SECTION: frontier.net. 26222 IN TXT "v=spf1 ip4:66.118.220.14 ip4:66.118.220.16 ip4:66.118.193.229 -all" However, the sending MTA is ip=80.110.248.122 rdns=chello080110248122.118.11.vie.surfer.at which is not listed in the SPF txt block. "-all" should make the SPF test fail. Does anyone with a better eye than I, see the problem? Jae # spamassassin -D < myspam debug: SpamAssassin version 3.0.0 debug: Score set 0 chosen. debug: running in taint mode? yes debug: Running in taint mode, removing unsafe env vars, and resetting PATH debug: PATH included '/home/BLOCK/bin', keeping. debug: PATH included '/usr/local/bin', keeping. debug: PATH included '/usr/bin', keeping. debug: PATH included '/bin', keeping. debug: PATH included '/usr/bin/X11', keeping. debug: PATH included '/usr/games', keeping. debug: Final PATH set to: /home/BLOCK/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games debug: using "/etc/spamassassin/init.pre" for site rules init.pre debug: config: read file /etc/spamassassin/init.pre debug: using "/usr/share/spamassassin" for default rules dir debug: config: read file /usr/share/spamassassin/10_misc.cf debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf debug: config: read file /usr/share/spamassassin/20_body_tests.cf debug: config: read file /usr/share/spamassassin/20_compensate.cf debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf debug: config: read file /usr/share/spamassassin/20_drugs.cf debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf debug: config: read file /usr/share/spamassassin/20_head_tests.cf debug: config: read file /usr/share/spamassassin/20_html_tests.cf debug: config: read file /usr/share/spamassassin/20_meta_tests.cf debug: config: read file /usr/share/spamassassin/20_phrases.cf debug: config: read file /usr/share/spamassassin/20_porn.cf debug: config: read file /usr/share/spamassassin/20_ratware.cf debug: config: read file /usr/share/spamassassin/20_uri_tests.cf debug: config: read file /usr/share/spamassassin/23_bayes.cf debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf debug: config: read file /usr/share/spamassassin/25_hashcash.cf debug: config: read file /usr/share/spamassassin/25_spf.cf debug: config: read file /usr/share/spamassassin/25_uribl.cf debug: config: read file /usr/share/spamassassin/30_text_de.cf debug: config: read file /usr/share/spamassassin/30_text_fr.cf debug: config: read file /usr/share/spamassassin/30_text_nl.cf debug: config: read file /usr/share/spamassassin/30_text_pl.cf debug: config: read file /usr/share/spamassassin/50_scores.cf debug: config: read file /usr/share/spamassassin/60_whitelist.cf debug: config: read file /usr/share/spamassassin/65_debian.cf debug: using "/etc/spamassassin" for site rules dir debug: config: read file /etc/spamassassin/local.cf debug: using "/home/BLOCK/.spamassassin" for user state dir debug: using "/home/BLOCK/.spamassassin/user_prefs" for user prefs file debug: config: read file /home/BLOCK/.spamassassin/user_prefs debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc) debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4) debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) implements 'parse_config' debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc) implements 'parse_config' debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) inhibited further callbacks debug: using "/home/BLOCK/.spamassassin" for user state dir debug: bayes: 24567 tie-ing to DB file R/O /home/BLOCK/.spamassassin/bayes_toks debug: bayes: 24567 tie-ing to DB file R/O /home/BLOCK/.spamassassin/bayes_seen debug: bayes: found bayes db version 3 debug: using "/home/BLOCK/.spamassassin" for user state dir debug: Score set 3 chosen. debug: received-header: parsed as [ ip=80.110.248.122 rdns=chello080110248122.118.11.vie.surfer.at helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident= envfrom= intl=0 id=1CDRsz-0001DQ-LQ ] debug: is Net::DNS::Resolver available? yes debug: Net::DNS version: 0.48 debug: trying (3) doubleclick.com... debug: looking up NS for 'doubleclick.com' debug: NS lookup of doubleclick.com succeeded => Dns available (set dns_available to hardcode) debug: is DNS available? 1 debug: looking up A records for 'dbox.jline.com' debug: A records for 'dbox.jline.com': 192.168.9.4 debug: looking up A records for 'dbox.jline.com' debug: A records for 'dbox.jline.com': 192.168.9.4 debug: received-header: 'by' dbox.jline.com has reserved IP 192.168.9.4 debug: received-header: 'by' dbox.jline.com has no public IPs debug: received-header: relay 80.110.248.122 trusted? yes internal? no debug: metadata: X-Spam-Relays-Trusted: [ ip=80.110.248.122 rdns=chello080110248122.118.11.vie.surfer.at helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident= envfrom= intl=0 id=1CDRsz-0001DQ-LQ ] debug: metadata: X-Spam-Relays-Untrusted: debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) implements 'parsed_metadata' debug: ---- MIME PARSER START ---- debug: main message type: multipart/alternative debug: parsing multipart, got boundary: --4671406479602045 debug: found part of type text/plain, boundary: --4671406479602045 debug: parsing normal part debug: added part, type: text/plain debug: found part of type text/html, boundary: --4671406479602045 debug: parsing normal part debug: added part, type: text/html debug: ---- MIME PARSER END ---- debug: decoding: other encoding type (8bit), ignoring debug: decoding: other encoding type (8bit), ignoring debug: uri found: http://www.accountrepetition.co.nz.zinkuq.com/0/p/ debug: uri found: http://www.hungrybeen.co.nz.zinkuq.com/0/c.html debug: URIDNSBL: domains to query: nz.zinkuq.com debug: is Net::DNS::Resolver available? yes debug: Net::DNS version: 0.48 debug: all '*From' addrs: [EMAIL PROTECTED] debug: Running tests for priority: 0 debug: running header regexp tests; score so far=0 debug: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)) debug: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc)) debug: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4)) debug: SPF: message was delivered entirely via trusted relays, not required debug: registering glue method for check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc)) debug: all '*To' addrs: [EMAIL PROTECTED] debug: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4)) debug: SPF: message was delivered entirely via trusted relays, not required debug: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4)) debug: registering glue method for check_for_spf_helo_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4)) debug: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4)) debug: registering glue method for check_for_spf_helo_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4)) debug: running body-text per-line regexp tests; score so far=4.129 debug: running uri tests; score so far=4.129 debug: bayes corpus size: nspam = 13077, nham = 2556 debug: tokenize: header tokens for To = "U*BLOCK D*jline.com D*com" debug: tokenize: header tokens for *F = "U*vylcs60teqrr D*frontier.net D*net" debug: tokenize: header tokens for *R = "U*vylcs60teqrr D*frontier.net D*net" debug: tokenize: header tokens for *M = " 9l41c1igw74f6xpymv3s73vylcs60teqrr frontier net " debug: tokenize: header tokens for MIME-Version = " " debug: tokenize: header tokens for X-MimeOLE = " Produced By Microsoft MimeOLE V6.00.6488.4426" debug: tokenize: header tokens for *c = " multipart/alternative; -- HHHHHHHHHHHHHHHH" debug: tokenize: header tokens for *RT = " [ ip=80.110.248.122 rdns=chello080110248122.118.11.vie.surfer.at helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident= envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]" debug: tokenize: header tokens for *RU = " " debug: tokenize: header tokens for *r = " chello080110248122.118.11.vie.surfer.at ([80.110.248 ip*80.110.248.122 ]) by dbox.jline.com smtp (Exim 4.34) id 1CDRsz-0001DQ-LQ [EMAIL PROTECTED]; " debug: bayes token 'mins' => 0.998560747663551 debug: bayes token 'softwares' => 0.998514469453376 debug: bayes token 'SystemWorks' => 0.99841237113402 debug: bayes token 'Autodesk' => 0.998295202952029 debug: bayes token 'Softwares' => 0.998082987551867 debug: bayes token 'PowerQuest' => 0.998082987551867 debug: bayes token 'corel' => 0.997909502262443 debug: bayes token 'L0W' => 0.997909502262443 debug: bayes token 'Dreamweaver' => 0.997810426540284 debug: bayes token 'Multilanguage' => 0.997701492537313 debug: bayes token 'Cakewalk' => 0.997581151832461 debug: bayes token 'Wind0ws' => 0.997581151832461 debug: bayes token '299.00' => 0.997447513812155 debug: bayes token '0EM' => 0.997447513812155 debug: bayes token 'AutoCAD' => 0.997298245614035 debug: bayes token 'ware' => 0.997298245614035 debug: bayes token '7.01' => 0.997130434782609 debug: bayes token 'priice' => 0.997130434782609 debug: bayes token '50.00' => 0.996940397350993 debug: bayes token 'priicce' => 0.996473282442748 debug: bayes token 'Ulead' => 0.996181818181818 debug: bayes token 'ProCoder' => 0.996181818181818 debug: bayes token 'Winfax' => 0.996181818181818 debug: bayes token 'Sonar' => 0.996181818181818 debug: bayes token 'OmniPage' => 0.996181818181818 debug: bayes token 'Canopus' => 0.996181818181818 debug: bayes token 'PTC' => 0.996181818181818 debug: bayes token 'Impression' => 0.996181818181818 debug: bayes token 'Datecode' => 0.996181818181818 debug: bayes token 'Wavefront' => 0.996181818181818 debug: bayes token 'ce!' => 0.995837837837838 debug: bayes token 'WIND0WS' => 0.995425742574258 debug: bayes token 'Superfast' => 0.995425742574258 debug: bayes token '20.00' => 0.995425742574258 debug: bayes token '100mbits' => 0.995425742574258 debug: bayes token '25.00' => 0.995425742574258 debug: bayes token 'cosst' => 0.994923076923077 debug: bayes token 'Plz' => 0.994923076923077 debug: bayes token 'wares' => 0.994923076923077 debug: bayes token 'bcos' => 0.994923076923077 debug: bayes token 'Visio' => 0.994923076923077 debug: bayes token 'W1ND0WS' => 0.994923076923077 debug: bayes token 'so0ftware' => 0.994296296296296 debug: bayes token 'Micros0ft' => 0.994296296296296 debug: bayes token '30.00' => 0.994296296296296 debug: bayes token 'Priice' => 0.994296296296296 debug: bayes token 'prricee' => 0.993492957746479 debug: bayes token '93.00' => 0.993492957746479 debug: bayes token 'nort0n' => 0.993492957746479 debug: bayes token '254.00' => 0.993492957746479 debug: bayes token 'Priicce' => 0.993492957746479 debug: bayes token '10.03' => 0.993492957746479 debug: bayes token 'prri' => 0.993492957746479 debug: bayes token 'savviing' => 0.993492957746479 debug: bayes token 'sofftwaree' => 0.993492957746479 debug: bayes token 'soffttwares' => 0.993492957746479 debug: bayes token 'PhotooShop' => 0.993492957746479 debug: bayes token 'adobbe' => 0.993492957746479 debug: bayes token 'Adobbe' => 0.993492957746479 debug: bayes token '32.00' => 0.993492957746479 debug: bayes token '36.00' => 0.993492957746479 debug: bayes token 'Nort0n' => 0.993492957746479 debug: bayes token 'buuyy' => 0.993492957746479 debug: bayes token 'sofftwaares' => 0.993492957746479 debug: bayes token '55.00' => 0.993492957746479 debug: bayes token '2003451' => 0.993492957746479 debug: bayes token 'H*RT:rdns' => 0.00754196168004105 debug: bayes token 'H*RT:intl' => 0.00754196168004105 debug: bayes token 'H*RT:ident' => 0.00754196168004105 debug: bayes token 'H*RT:envfrom' => 0.00754196168004105 debug: bayes token 'H*RT:helo' => 0.00754196168004105 debug: bayes token 'H*RT:dbox.jline.com' => 0.00754196168004105 debug: bayes token 'dragon' => 0.992426229508197 debug: bayes token '6.0' => 0.992426229508197 debug: bayes token 'deluxe' => 0.990941176470588 debug: bayes token 'off' => 0.990941176470588 debug: bayes token 'H*Ad:D*net' => 0.00907615784446917 debug: bayes token 'scissors' => 0.988731707317073 debug: bayes token '2500' => 0.988731707317073 debug: bayes token '60' => 0.988731707317073 debug: bayes token 'l0w' => 0.985096774193548 debug: bayes token '3200' => 0.020524722791767 debug: bayes token '2.2' => 0.978 debug: bayes token 'dreamweaver' => 0.978 debug: bayes token 'Interface' => 0.978 debug: bayes token 'Graphic' => 0.978 debug: bayes token 'pinnacle' => 0.978 debug: bayes token 'autodesk' => 0.978 debug: bayes token 'producer' => 0.978 debug: bayes token 'maya' => 0.978 debug: bayes token '5000' => 0.978 debug: bayes token 'naturally' => 0.978 debug: bayes token '4000' => 0.978 debug: bayes token 'Provide' => 0.978 debug: bayes token '22' => 0.978 debug: bayes token 'UD:zinkuq.com' => 0.978 debug: bayes token '25400' => 0.978 debug: bayes token 'autocad' => 0.978 debug: bayes token 'systemworks' => 0.958 debug: bayes token 'micros0ft' => 0.958 debug: bayes token 'UD:co.nz.zinkuq.com' => 0.958 debug: bayes token 'ptc' => 0.958 debug: bayes token '1003' => 0.958 debug: bayes token 'ulead' => 0.958 debug: bayes token '850' => 0.958 debug: bayes token '9300' => 0.958 debug: bayes token 'wind0ws' => 0.958 debug: bayes token 'canopus' => 0.958 debug: bayes token 'plz' => 0.958 debug: bayes token 'visio' => 0.958 debug: bayes token 'powerquest' => 0.958 debug: bayes token 'v70' => 0.958 debug: bayes token 'Architectural' => 0.958 debug: bayes token 'Engineer' => 0.958 debug: bayes token 'Multilingual' => 0.958 debug: bayes token 'UD:nz.zinkuq.com' => 0.958 debug: bayes token 'sp1' => 0.958 debug: bayes token 'ce' => 0.958 debug: bayes token 'photooshop' => 0.958 debug: bayes token 'w1nd0ws' => 0.958 debug: bayes token 'wavefront' => 0.958 debug: bayes token 'chtml' => 0.958 debug: bayes token 'omnipage' => 0.958 debug: bayes token '0em' => 0.958 debug: bayes token 'winfax' => 0.958 debug: bayes token '29900' => 0.958 debug: bayes token 'datecode' => 0.958 debug: bayes token 'superfast' => 0.958 debug: bayes token 'Pinnacle' => 0.958 debug: bayes token 'Naturally' => 0.958 debug: bayes token 'expired' => 0.958 debug: bayes token '701' => 0.958 debug: bayes token '3600' => 0.958 debug: bayes token 'Architects' => 0.958 debug: bayes token 'Genuine' => 0.958 debug: bayes token 'cakewalk' => 0.958 debug: bayes token 'UD:c.html' => 0.958 debug: bayes token 'So0ftware' => 0.958 debug: bayes token 'procoder' => 0.958 debug: bayes token '70' => 0.958 debug: bayes token 'antivirus' => 0.958 debug: bayes token 'Dragon' => 0.958 debug: bayes token 'Corel' => 0.953146548200845 debug: bayes token 'Draw' => 0.95228037031145 debug: bayes token 'Original' => 0.051052271385826 debug: bayes token 'multilanguage' => 0.0562234573619474 debug: bayes token '2.0' => 0.0592724126378686 debug: bayes token 'multilingual' => 0.0727974133628909 debug: bayes token 'seize' => 0.0727974133628909 debug: bayes token '5.0' => 0.0739317899952465 debug: bayes token 'Antivirus' => 0.92538090034033 debug: bayes: score = 1 debug: bayes: 24567 untie-ing debug: bayes: 24567 untie-ing db_toks debug: bayes: 24567 untie-ing db_seen debug: madiff: left: 242, orig: 242, max-difference: 100.00% debug: Razor2 is not available debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) implements 'check_tick' debug: URIDNSBL: query for nz.zinkuq.com took 0 seconds to look up (multi.surbl.org.:nz.zinkuq.com) debug: URIDNSBL: queries completed: 2 started: 0 debug: URIDNSBL: queries active: at Fri Oct 15 09:05:09 2004 debug: running raw-body-text per-line regexp tests; score so far=6.254 debug: running full-text regexp tests; score so far=6.254 debug: Razor2 is not available debug: Current PATH is: /home/BLOCK/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games debug: Pyzor is not available: pyzor not found debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is not available: no executable dccproc found. debug: Running tests for priority: 500 debug: RBL: success for 6 of 6 queries debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648) implements 'check_post_dnsbl' debug: running meta tests; score so far=15.21 debug: running header regexp tests; score so far=15.21 debug: running body-text per-line regexp tests; score so far=15.21 debug: running uri tests; score so far=15.21 debug: running raw-body-text per-line regexp tests; score so far=15.21 debug: running full-text regexp tests; score so far=15.21 debug: Running tests for priority: 1000 debug: running meta tests; score so far=15.21 debug: running header regexp tests; score so far=15.21 debug: using "/home/BLOCK/.spamassassin" for user state dir debug: lock: 24567 created /home/BLOCK/.spamassassin/auto-whitelist.lock.dbox.jline.com.24567 debug: lock: 24567 trying to get lock on /home/BLOCK/.spamassassin/auto-whitelist with 0 retries debug: lock: 24567 link to /home/BLOCK/.spamassassin/auto-whitelist.lock: link ok debug: Tie-ing to DB file R/W in /home/BLOCK/.spamassassin/auto-whitelist debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=80.110 scores 1/12.108 debug: AWL active, pre-score: 15.21, autolearn score: 15.21, mean: 12.108, IP: 80.110.248.122 debug: add_score: New count: 2, new totscore: 27.318 debug: DB addr list: untie-ing and unlocking. debug: DB addr list: file locked, breaking lock. debug: unlock: 24567 unlink /home/BLOCK/.spamassassin/auto-whitelist.lock debug: Post AWL score: 13.659 debug: running body-text per-line regexp tests; score so far=13.659 debug: running uri tests; score so far=13.659 debug: running raw-body-text per-line regexp tests; score so far=13.659 debug: running full-text regexp tests; score so far=13.659 debug: auto-learn: currently using scoreset 3, recomputing score based on scoreset 1. debug: auto-learn: message score: 13.659, computed score for autolearn: 13.036 debug: auto-learn? ham=0.1, spam=12, body-points=8.816, head-points=11.288, learned-points=1.886 debug: auto-learn? yes, spam (13.036 > 12) debug: Learning Spam debug: all '*From' addrs: [EMAIL PROTECTED] debug: all '*To' addrs: [EMAIL PROTECTED] debug: uri found: http://www.accountrepetition.co.nz.zinkuq.com/0/p/ debug: uri found: http://www.hungrybeen.co.nz.zinkuq.com/0/c.html debug: lock: 24567 created /home/BLOCK/.spamassassin/bayes.lock.dbox.jline.com.24567 debug: lock: 24567 trying to get lock on /home/BLOCK/.spamassassin/bayes with 0 retries debug: lock: 24567 link to /home/BLOCK/.spamassassin/bayes.lock: link ok debug: bayes: 24567 tie-ing to DB file R/W /home/BLOCK/.spamassassin/bayes_toks debug: bayes: 24567 tie-ing to DB file R/W /home/BLOCK/.spamassassin/bayes_seen debug: bayes: found bayes db version 3 debug: tokenize: header tokens for To = "U*BLOCK D*jline.com D*com" debug: tokenize: header tokens for *F = "U*vylcs60teqrr D*frontier.net D*net" debug: tokenize: header tokens for *R = "U*vylcs60teqrr D*frontier.net D*net" debug: tokenize: header tokens for *M = " 9l41c1igw74f6xpymv3s73vylcs60teqrr frontier net " debug: tokenize: header tokens for MIME-Version = " " debug: tokenize: header tokens for X-MimeOLE = " Produced By Microsoft MimeOLE V6.00.6488.4426" debug: tokenize: header tokens for *c = " multipart/alternative; -- HHHHHHHHHHHHHHHH" debug: tokenize: header tokens for *RT = " [ ip=80.110.248.122 rdns=chello080110248122.118.11.vie.surfer.at helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident= envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]" debug: tokenize: header tokens for *RU = " " debug: tokenize: header tokens for *r = " chello080110248122.118.11.vie.surfer.at ([80.110.248 ip*80.110.248.122 ]) by dbox.jline.com smtp (Exim 4.34) id 1CDRsz-0001DQ-LQ [EMAIL PROTECTED]; " debug: bayes: Learned '[EMAIL PROTECTED]', atime: 1096654329 debug: bayes: 24567 untie-ing debug: bayes: 24567 untie-ing db_toks debug: bayes: 24567 untie-ing db_seen debug: bayes: files locked, now unlocking lock debug: unlock: 24567 unlink /home/BLOCK/.spamassassin/bayes.lock debug: is spam? score=13.659 required=5 debug: tests=ALL_TRUSTED,AWL,BAYES_99,HTML_30_40,HTML_FONT_BIG,HTML_MESSAGE,HTM L_NONELEMENT_00_10,HTML_SHOUTING3,MIME_BOUND_DD_DIGITS,MPART_ALT_DIFF,RC VD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL debug: subtests=__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ALT,__HAS_MIMEOLE,_ _HAS_MSGID,__HAS_SUBJECT,__MIME_HTML,__MIME_VERSION,__MSGID_OK_HOST,__SA NE_MSGID,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_E XISTS_HTML,__TAG_EXISTS_META >>From [EMAIL PROTECTED] Fri Oct 01 11:12:32 2004 Received: from localhost by dbox.jline.com with SpamAssassin (version 3.0.0); Fri, 15 Oct 2004 09:05:10 -0700 From: "Risa Ignacia" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: *SPAM(13.7)* We Provide 96% Off Retail Priice For Softwares years Date: Fri, 01 Oct 2004 14:13:38 -0500 Message-Id: <[EMAIL PROTECTED]> X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on dbox.jline.com X-Spam-Level: ************* X-Spam-Status: Yes, score=13.7 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_99, HTML_30_40,HTML_FONT_BIG,HTML_MESSAGE,HTML_NONELEMENT_00_10, HTML_SHOUTING3,MIME_BOUND_DD_DIGITS,MPART_ALT_DIFF,RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL autolearn=spam version=3.0.0 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_416FF536.26643AE7" This is a multi-part message in MIME format. ------------=_416FF536.26643AE7 Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit Spam detection software, running on the system "dbox.jline.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: committee concentrate seize scissors national every according away maam wrong parallel hat means favorite however share Your needed soffttwares at Rock Bottom prri ce! - What you bought previously was go to shop & buuyy a WIND0WS XP Pro that comes with a BOX & serial number & the manual cosst 299.00 [...] Content analysis details: (13.7 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary -0.0 ALL_TRUSTED Did not pass through any untrusted hosts 0.0 HTML_30_40 BODY: Message is 30% to 40% HTML 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 HTML_FONT_BIG BODY: HTML tag for a big font size 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different 0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup 0.0 HTML_NONELEMENT_00_10 BODY: 0% to 10% of HTML elements are non-standard 1.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000] 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [80.110.248.122 listed in dnsbl.sorbs.net] 3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org [<http://dsbl.org/listing?80.110.248.122>] 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [80.110.248.122 listed in sbl-xbl.spamhaus.org] 0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [80.110.248.122 listed in combined.njabl.org] -1.6 AWL AWL: From: address is in the auto white-list The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. ------------=_416FF536.26643AE7 Content-Type: message/rfc822; x-spam-type=original Content-Description: original message before SpamAssassin Content-Disposition: attachment Content-Transfer-Encoding: 8bit Received: from chello080110248122.118.11.vie.surfer.at ([80.110.248.122]) by dbox.jline.com with smtp (Exim 4.34) id 1CDRsz-0001DQ-LQ for [EMAIL PROTECTED]; Fri, 01 Oct 2004 11:12:09 -0700 To: [EMAIL PROTECTED] From: "Risa Ignacia" <[EMAIL PROTECTED]> Reply-To: "Risa Ignacia" <[EMAIL PROTECTED]> Date: Fri, 01 Oct 2004 14:13:38 -0500 Subject: We Provide 96% Off Retail Priice For Softwares years Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.6488.4426 Content-Type: multipart/alternative; boundary="--4671406479602045" ----4671406479602045 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit committee concentrate seize scissors national every according away maam wrong parallel hat means favorite however share ----4671406479602045 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 8bit <html> <head> <meta http-equiv="Content-Type" content="text; charset=us-ascii"> </head> <body> <center> <table border=0 cellspacing=0 cellpadding=10 width=640><swimming respect goodbye delight led ninety key > <tr><td> <font color=D90000 size=5 face=arial><b>Your needed soffttwares at Rock Bottom prri ce! </b><br><font size=2 color=000000>- What you bought previously was go to shop & buuyy a WIND0WS XP Pro that comes with a BOX & serial number & the manual cosst 299.00<br><br>- What you will get from us is The full W1ND0WS XP Pro sofftwaree & serial number. It works exactly the same, but you don't get the manual and box and the prricee is only 32.00 . That is a savviing of 254.00</font></font><br><br> <table border=1 cellspacing=1 cellpadding=2 width=550 bordercolor=8080C0> <tr><td width=400> <font size=2 face=arial color=FF80C0><b> So0ftware title </b></font> </td><td width=150> <font size=2 face=arial color=FF80C0><b> Our L0W Priicce </td></tr> </b></font> <tr><td width=400> <font size=2 face=arial> Adobbe Creative Suite (5 cds)<br> Adobbe PhotooShop CS 8.0 (1 cd)<br> 3D Studio Max 6.0 (3 cds)<br> Adobbe Premiere Pro 7.0 (1 cd)<br> Alias Wavefront Maya 5.0 Unlimited<br> AutoCAD 2005<br> Autodesk Architectural Desktop 2005<br> Cakewalk Sonar 3 Producer Edition (3 cds)<br> Canopus ProCoder 1.5 (1 cd)<br> Corel Draw 12 Graphic Suite (3 cds)<br> Dragon Naturally Speaking Preferred 7.0<br> Macromedia Dreamweaver MX 2004 v7.0<br> Macromedia Fireworks MX 2004 v7.0<br> Macromedia Flash MX 2004 v7.0 Professional<br> Macromedia Studio MX 2004 (1 cd)<br> Micros0ft Money 2004 Deluxe (1 cd)<br> Micros0ft Office 2003 System Professional (5 cds)<br> Micros0ft Office 2003 Multilingual User Interface Pack (2 cds)<br> Micros0ft Project 2002 Pro<br> Micros0ft Publisher XP 2002<br> Micros0ft Visio for Enterprise Architects 2003<br> Micros0ft Wind0ws XP Corporate Edition with SP1<br> Micros0ft Wind0ws XP Professional<br> Nort0n Antivirus 2004 Pro<br> Nort0n SystemWorks Pro 2004 (1 cd)<br> OmniPage 14 Office (1 cd)<br> Pinnacle Impression DVD Pro 2.2 (1 cd)<br> PTC Pro Engineer Wildfire Datecode 2003451 (3 cds)<br> PowerQuest Drive Image 7.01 Multilanguage (1 cd)<br> Ulead DVD Workshop 2.0<br> Micros0ft Visual Studio .NET 2003 Enterprise Architect (8 cds)<br> Winfax PRO 10.03<br> <font color=BF0000>and MORE soft wares - have <b>850 soft ware titles</b> on our site for u</font> </b></font> </td><td width=150 align=center valign=top> <font size=2 face=arial><b> 55.00<br> 32.00<br> 50.00<br> 32.00<br> 40.00<br> 32.00<br> 32.00<br> 36.00<br> 25.00<br> 32.00<br> 25.00<br> 25.00<br> 32.00<br> 30.00<br> 50.00<br> 20.00<br> 40.00<br> 25.00<br> 32.00<br> 20.00<br> 25.00<br> 40.00<br> 32.00<br> 20.00<br> 20.00<br> 25.00<br> 25.00<br> 40.00<br> 20.00<br> 20.00<br> 93.00<br> 20.00<br> </td></tr> </b></font> </td></tr></table> <font color=000000 size=2 face=arial> Download your sofftwaares from our Superfast (100mbits connection) site & you will be given your own exclusive registration key to register the sofftwaares you bought from us, and now you have your own registered copy of sofftwaares (will never expired again)<br><br> It's <b>0EM version</b> of sofftwaares which is an <b>Original/Genuine sofftwaares</b>, strictly no piracy sofftwaares </font> <center> <b><a href=http://www.accountrepetition.co.nz.zinkuq.com/0/p/ target=_blank><font color=0000FF size=5 face=arial><u>Over 850 popular titles for you to choose from<br><br>Act quick now before all sold<br><br>Start using your needed sofftwaares now<br>== C L I C K - H E R E ==</b><br><font size=2>(Plz give 2-3 mins to complete the page loading bcos the page has 850 titles on it)</font><br><br></u></a> <a href=http://www.hungrybeen.co.nz.zinkuq.com/0/c.html target=_blank><font size=1>take me down</font></a> </font> </center> </td></tr></table> </center> </body> </html> ----4671406479602045-- ------------=_416FF536.26643AE7-- -----Original Message----- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Thursday, October 14, 2004 8:45 AM To: users@spamassassin.apache.org Subject: Re: Default SURBL scores low? On Thu, Oct 14, 2004 at 08:27:02AM -0700, Potato Chip wrote: > -3.3 ALL_TRUSTED Most of these unmarked spams hit ALL_TRUSTED with a > default score of -3.3. It almost completely discounts the SURBL score > hits. If you're getting ALL_TRUSTED hits on messages that came from the outside through a non-trusted server, then something it up there. The reports I've seen about it so far are related to something like an anti-virus gateway not adding in proper Received headers, passing the mail to SpamAssassin. > Have most people changed the default SURBL scores to something more > meaningful, higher? It seems worthy of a higher score given the great > reviews that SURBL has been getting? SURBL is great, but it does get FPs. If you don't mind that (and the possibility of having SA FP the mail into the "spam" category), go ahead and up the score. :) -- Randomly Generated Tagline: Q. Why is this so clumsy? A. The trick is to use Perl's strengths rather than its weaknesses. -- Larry Wall in <[EMAIL PROTECTED]>
