Ray writes:
> There are bugtrack entries for the ALL_TRUSTED problem that you are
> describing. On my own network we were seeing all spam hit with -3.3 on
> ALL_TRUSTED. We are using SA on Postfix as a "man in the middle" relay from
> our AV to our main mail server.
>
> MAIL <--> Postfix+SA <--> AV <--> Internet
>
> The current theory is that the headers coming from the AV server are
> triggering the ALL_TRUSTED rule to fire. This may or may not be related to
> other bugtrack entries for ALL_TRUSTED. Maybe one of the developers could
> address this better.

More correctly, if the external relay doesn't record the Received header in
a parseable format, or if a relay between the internet and the
SpamAssassin-scanning host removes those relays, then it'll fire.

--j.

> In the mean time it is easy to just leave the ALL_TRUSTED 0 in your local.cf
>
> Ray Dzek
> Network Operations Supervisor
> Specialized Bicycle Components
>
> -----Original Message-----
> From: Potato Chip [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 9:31 AM
> To: users@spamassassin.apache.org
> Subject: SPF, ALL_TRUSTED Confusion was RE: Default SURBL scores low?
>
> Thank you everyone for your input and for directing me to the real problem
> -- SPF. For now, I have had to score ALL_TRUSTED -0.01 but would still like
> to get to the bottom of this SPF, TRUSTED issue.
>
> I have a spam which hits ALL_TRUSTED. I've attached the "spamassassin -D <
> spam" output below. I've excerpted some of the relevant SPF output:
> debug: metadata: X-Spam-Relays-Trusted: [ ip=80.110.248.122
> rdns=chello080110248122.118.11.vie.surfer.at
> helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident=
> envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]
> debug: metadata: X-Spam-Relays-Untrusted:
> debug: all '*From' addrs: [EMAIL PROTECTED]
> debug: SPF: message was delivered entirely via trusted relays, not
> required
>
> From my limited understanding of SPF, the relay should be an UNTRUSTED
> server.
> # dig frontier.net txt
> ==>
> ;; ANSWER SECTION:
> frontier.net. 26222 IN TXT "v=spf1
> ip4:66.118.220.14 ip4:66.118.220.16 ip4:66.118.193.229 -all"
>
> However, the sending MTA is ip=80.110.248.122
> rdns=chello080110248122.118.11.vie.surfer.at which is not listed in the SPF
> txt block. "-all" should make the SPF test fail.
>
> Does anyone with a better eye than I, see the problem?
>
> Jae
>
> # spamassassin -D < myspam
> debug: SpamAssassin version 3.0.0
> debug: Score set 0 chosen.
> debug: running in taint mode? yes
> debug: Running in taint mode, removing unsafe env vars, and resetting PATH
> debug: PATH included '/home/BLOCK/bin', keeping.
> debug: PATH included '/usr/local/bin', keeping.
> debug: PATH included '/usr/bin', keeping.
> debug: PATH included '/bin', keeping.
> debug: PATH included '/usr/bin/X11', keeping.
> debug: PATH included '/usr/games', keeping.
> debug: Final PATH set to:
> /home/BLOCK/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
> debug: using "/etc/spamassassin/init.pre" for site rules init.pre
> debug: config: read file /etc/spamassassin/init.pre
> debug: using "/usr/share/spamassassin" for default rules dir
> debug: config: read file /usr/share/spamassassin/10_misc.cf
> debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_body_tests.cf
> debug: config: read file /usr/share/spamassassin/20_compensate.cf
> debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
> debug: config: read file /usr/share/spamassassin/20_drugs.cf
> debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
> debug: config: read file /usr/share/spamassassin/20_head_tests.cf
> debug: config: read file /usr/share/spamassassin/20_html_tests.cf
> debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
> debug: config: read file /usr/share/spamassassin/20_phrases.cf
> debug: config: read file /usr/share/spamassassin/20_porn.cf
> debug: config: read file /usr/share/spamassassin/20_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
> debug: config: read file /usr/share/spamassassin/23_bayes.cf
> debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
> debug: config: read file /usr/share/spamassassin/25_hashcash.cf
> debug: config: read file /usr/share/spamassassin/25_spf.cf
> debug: config: read file /usr/share/spamassassin/25_uribl.cf
> debug: config: read file /usr/share/spamassassin/30_text_de.cf
> debug: config: read file /usr/share/spamassassin/30_text_fr.cf
> debug: config: read file /usr/share/spamassassin/30_text_nl.cf
> debug: config: read file /usr/share/spamassassin/30_text_pl.cf
> debug: config: read file /usr/share/spamassassin/50_scores.cf
> debug: config: read file /usr/share/spamassassin/60_whitelist.cf
> debug: config: read file /usr/share/spamassassin/65_debian.cf
> debug: using "/etc/spamassassin" for site rules dir
> debug: config: read file /etc/spamassassin/local.cf
> debug: using "/home/BLOCK/.spamassassin" for user state dir
> debug: using "/home/BLOCK/.spamassassin/user_prefs" for user prefs file
> debug: config: read file /home/BLOCK/.spamassassin/user_prefs
> debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> debug: plugin: registered
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
> debug: plugin: registered
> Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc)
> debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
> debug: plugin: registered
> Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4)
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> implements 'parse_config'
> debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc)
> implements 'parse_config'
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> inhibited further callbacks
> debug: using "/home/BLOCK/.spamassassin" for user state dir
> debug: bayes: 24567 tie-ing to DB file R/O
> /home/BLOCK/.spamassassin/bayes_toks
> debug: bayes: 24567 tie-ing to DB file R/O
> /home/BLOCK/.spamassassin/bayes_seen
> debug: bayes: found bayes db version 3
> debug: using "/home/BLOCK/.spamassassin" for user state dir
> debug: Score set 3 chosen.
> debug: received-header: parsed as [ ip=80.110.248.122
> rdns=chello080110248122.118.11.vie.surfer.at
> helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident=
> envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]
> debug: is Net::DNS::Resolver available? yes
> debug: Net::DNS version: 0.48
> debug: trying (3) doubleclick.com...
> debug: looking up NS for 'doubleclick.com'
> debug: NS lookup of doubleclick.com succeeded => Dns available (set
> dns_available to hardcode)
> debug: is DNS available? 1
> debug: looking up A records for 'dbox.jline.com'
> debug: A records for 'dbox.jline.com': 192.168.9.4
> debug: looking up A records for 'dbox.jline.com'
> debug: A records for 'dbox.jline.com': 192.168.9.4
> debug: received-header: 'by' dbox.jline.com has reserved IP 192.168.9.4
> debug: received-header: 'by' dbox.jline.com has no public IPs
> debug: received-header: relay 80.110.248.122 trusted? yes internal? no
> debug: metadata: X-Spam-Relays-Trusted: [ ip=80.110.248.122
> rdns=chello080110248122.118.11.vie.surfer.at
> helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident=
> envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]
> debug: metadata: X-Spam-Relays-Untrusted:
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> implements 'parsed_metadata'
> debug: ---- MIME PARSER START ----
> debug: main message type: multipart/alternative
> debug: parsing multipart, got boundary: --4671406479602045
> debug: found part of type text/plain, boundary: --4671406479602045
> debug: parsing normal part
> debug: added part, type: text/plain
> debug: found part of type text/html, boundary: --4671406479602045
> debug: parsing normal part
> debug: added part, type: text/html
> debug: ---- MIME PARSER END ----
> debug: decoding: other encoding type (8bit), ignoring
> debug: decoding: other encoding type (8bit), ignoring
> debug: uri found: http://www.accountrepetition.co.nz.zinkuq.com/0/p/
> debug: uri found: http://www.hungrybeen.co.nz.zinkuq.com/0/c.html
> debug: URIDNSBL: domains to query: nz.zinkuq.com
> debug: is Net::DNS::Resolver available? yes
> debug: Net::DNS version: 0.48
> debug: all '*From' addrs: [EMAIL PROTECTED]
> debug: Running tests for priority: 0
> debug: running header regexp tests; score so far=0
> debug: registering glue method for check_uridnsbl
> (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648))
> debug: registering glue method for check_hashcash_double_spend
> (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc))
> debug: registering glue method for check_for_spf_helo_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4))
> debug: SPF: message was delivered entirely via trusted relays, not required
> debug: registering glue method for check_hashcash_value
> (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c121bc))
> debug: all '*To' addrs: [EMAIL PROTECTED]
> debug: registering glue method for check_for_spf_softfail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4))
> debug: SPF: message was delivered entirely via trusted relays, not required
> debug: registering glue method for check_for_spf_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4))
> debug: registering glue method for check_for_spf_helo_softfail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4))
> debug: registering glue method for check_for_spf_fail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4))
> debug: registering glue method for check_for_spf_helo_fail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x8bf0fc4))
> debug: running body-text per-line regexp tests; score so far=4.129
> debug: running uri tests; score so far=4.129
> debug: bayes corpus size: nspam = 13077, nham = 2556
> debug: tokenize: header tokens for To = "U*BLOCK D*jline.com D*com"
> debug: tokenize: header tokens for *F = "U*vylcs60teqrr D*frontier.net
> D*net"
> debug: tokenize: header tokens for *R = "U*vylcs60teqrr D*frontier.net
> D*net"
> debug: tokenize: header tokens for *M = " 9l41c1igw74f6xpymv3s73vylcs60teqrr
> frontier net "
> debug: tokenize: header tokens for MIME-Version = " "
> debug: tokenize: header tokens for X-MimeOLE = "
> Produced By Microsoft
> MimeOLE V6.00.6488.4426"
> debug: tokenize: header tokens for *c = " multipart/alternative; --
> HHHHHHHHHHHHHHHH"
> debug: tokenize: header tokens for *RT = " [ ip=80.110.248.122
> rdns=chello080110248122.118.11.vie.surfer.at
> helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident=
> envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]"
> debug: tokenize: header tokens for *RU = " "
> debug: tokenize: header tokens for *r = "
> chello080110248122.118.11.vie.surfer.at ([80.110.248 ip*80.110.248.122
> ]) by dbox.jline.com smtp (Exim 4.34) id 1CDRsz-0001DQ-LQ
> [EMAIL PROTECTED]; "
> debug: bayes: score = 1
> debug: bayes: 24567 untie-ing
> debug: bayes: 24567 untie-ing db_toks
> debug: bayes: 24567 untie-ing db_seen
> debug: madiff: left: 242, orig: 242, max-difference: 100.00%
> debug: Razor2 is not available
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> implements 'check_tick'
> debug: URIDNSBL: query for nz.zinkuq.com took 0 seconds to look up
> (multi.surbl.org.:nz.zinkuq.com)
> debug: URIDNSBL: queries completed: 2 started: 0
> debug: URIDNSBL: queries active: at Fri Oct 15 09:05:09 2004
> debug: running raw-body-text per-line regexp tests; score so far=6.254
> debug: running full-text regexp tests; score so far=6.254
> debug: Razor2 is not available
> debug: Current PATH is:
> /home/BLOCK/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
> debug: Pyzor is not available: pyzor not found
> debug: DCCifd is not available: no r/w dccifd socket found.
> debug: DCC is not available: no executable dccproc found.
> debug: Running tests for priority: 500
> debug: RBL: success for 6 of 6 queries
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8575648)
> implements 'check_post_dnsbl'
> debug: running meta tests; score so far=15.21
> debug: running header regexp tests; score so far=15.21
> debug: running body-text per-line regexp tests; score so far=15.21
> debug: running uri tests; score so far=15.21
> debug: running raw-body-text per-line regexp tests; score so far=15.21
> debug: running full-text regexp tests; score so far=15.21
> debug: Running tests for priority: 1000
> debug: running meta tests; score so far=15.21
> debug: running header regexp tests; score so far=15.21
> debug: using "/home/BLOCK/.spamassassin" for user state dir
> debug: lock: 24567 created
> /home/BLOCK/.spamassassin/auto-whitelist.lock.dbox.jline.com.24567
> debug: lock: 24567 trying to get lock on
> /home/BLOCK/.spamassassin/auto-whitelist with 0 retries
> debug: lock: 24567 link to
> /home/BLOCK/.spamassassin/auto-whitelist.lock: link ok
> debug: Tie-ing to DB file R/W in /home/BLOCK/.spamassassin/auto-whitelist
> debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=80.110
> scores 1/12.108
> debug: AWL active, pre-score: 15.21, autolearn score: 15.21, mean: 12.108,
> IP: 80.110.248.122
> debug: add_score: New count: 2, new totscore: 27.318
> debug: DB addr list: untie-ing and unlocking.
> debug: DB addr list: file locked, breaking lock.
> debug: unlock: 24567 unlink /home/BLOCK/.spamassassin/auto-whitelist.lock
> debug: Post AWL score: 13.659
> debug: running body-text per-line regexp tests; score so far=13.659
> debug: running uri tests; score so far=13.659
> debug: running raw-body-text per-line regexp tests; score so far=13.659
> debug: running full-text regexp tests; score so far=13.659
> debug: auto-learn: currently using scoreset 3, recomputing score based on
> scoreset 1.
> debug: auto-learn: message score: 13.659, computed score for autolearn:
> 13.036
> debug: auto-learn? ham=0.1, spam=12, body-points=8.816, head-points=11.288,
> learned-points=1.886
> debug: auto-learn? yes, spam (13.036 > 12)
> debug: Learning Spam
> debug: all '*From' addrs: [EMAIL PROTECTED]
> debug: all '*To' addrs: [EMAIL PROTECTED]
> debug: uri found: http://www.accountrepetition.co.nz.zinkuq.com/0/p/
> debug: uri found: http://www.hungrybeen.co.nz.zinkuq.com/0/c.html
> debug: lock: 24567 created
> /home/BLOCK/.spamassassin/bayes.lock.dbox.jline.com.24567
> debug: lock: 24567 trying to get lock on /home/BLOCK/.spamassassin/bayes
> with 0 retries
> debug: lock: 24567 link to /home/BLOCK/.spamassassin/bayes.lock: link ok
> debug: bayes: 24567 tie-ing to DB file R/W
> /home/BLOCK/.spamassassin/bayes_toks
> debug: bayes: 24567 tie-ing to DB file R/W
> /home/BLOCK/.spamassassin/bayes_seen
> debug: bayes: found bayes db version 3
> debug: tokenize: header tokens for To = "U*BLOCK D*jline.com D*com"
> debug: tokenize: header tokens for *F = "U*vylcs60teqrr D*frontier.net
> D*net"
> debug: tokenize: header tokens for *R = "U*vylcs60teqrr D*frontier.net
> D*net"
> debug: tokenize: header tokens for *M = " 9l41c1igw74f6xpymv3s73vylcs60teqrr
> frontier net "
> debug: tokenize: header tokens for MIME-Version = " "
> debug: tokenize: header tokens for X-MimeOLE = " Produced By Microsoft
> MimeOLE V6.00.6488.4426"
> debug: tokenize: header tokens for *c = " multipart/alternative; --
> HHHHHHHHHHHHHHHH"
> debug: tokenize: header tokens for *RT = " [ ip=80.110.248.122
> rdns=chello080110248122.118.11.vie.surfer.at
> helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident=
> envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]"
> debug: tokenize: header tokens for *RU = " "
> debug: tokenize: header tokens for *r = "
> chello080110248122.118.11.vie.surfer.at ([80.110.248 ip*80.110.248.122
> ]) by dbox.jline.com smtp (Exim 4.34) id 1CDRsz-0001DQ-LQ
> [EMAIL PROTECTED]; "
> debug: bayes: Learned
> '[EMAIL PROTECTED]', atime: 1096654329
> debug: bayes: 24567 untie-ing
> debug: bayes: 24567 untie-ing db_toks
> debug: bayes: 24567 untie-ing db_seen
> debug: bayes: files locked, now unlocking lock
> debug: unlock: 24567 unlink /home/BLOCK/.spamassassin/bayes.lock
> debug: is spam? score=13.659 required=5
> debug:
> tests=ALL_TRUSTED,AWL,BAYES_99,HTML_30_40,HTML_FONT_BIG,HTML_MESSAGE,HTM
> L_NONELEMENT_00_10,HTML_SHOUTING3,MIME_BOUND_DD_DIGITS,MPART_ALT_DIFF,RC
> VD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL
> debug:
> subtests=__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ALT,__HAS_MIMEOLE,_
> _HAS_MSGID,__HAS_SUBJECT,__MIME_HTML,__MIME_VERSION,__MSGID_OK_HOST,__SA
> NE_MSGID,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_E
> XISTS_HTML,__TAG_EXISTS_META
> From [EMAIL PROTECTED] Fri Oct 01 11:12:32 2004
> Received: from localhost by dbox.jline.com
> with SpamAssassin (version 3.0.0);
> Fri, 15 Oct 2004 09:05:10 -0700
> From: "Risa Ignacia" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: *SPAM(13.7)* We Provide 96% Off Retail Priice For Softwares years
> Date: Fri, 01 Oct 2004 14:13:38 -0500
> Message-Id: <[EMAIL PROTECTED]>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on dbox.jline.com
> X-Spam-Level: *************
> X-Spam-Status: Yes, score=13.7 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_99,
> HTML_30_40,HTML_FONT_BIG,HTML_MESSAGE,HTML_NONELEMENT_00_10,
> HTML_SHOUTING3,MIME_BOUND_DD_DIGITS,MPART_ALT_DIFF,RCVD_IN_DSBL,
> RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL autolearn=spam
> version=3.0.0
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------=_416FF536.26643AE7"
>
> This is a multi-part message in MIME format.
>
> ------------=_416FF536.26643AE7
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> Spam detection software, running on the system "dbox.jline.com", has
> identified this incoming email as possible spam. The original message has
> been attached to this so you can view it (if it isn't spam) or label similar
> future email. If you have any questions, see the administrator of that
> system for details.
>
> Content preview: committee concentrate seize scissors national every
> according away maam wrong parallel hat means favorite however share
> Your needed soffttwares at Rock Bottom prri ce! - What you bought
> previously was go to shop & buuyy a WIND0WS XP Pro that comes with a
> BOX & serial number & the manual cosst 299.00 [...]
>
> Content analysis details: (13.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  4.1 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
> -0.0 ALL_TRUSTED            Did not pass through any untrusted hosts
>  0.0 HTML_30_40             BODY: Message is 30% to 40% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
>  0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
>  0.0 HTML_SHOUTING3         BODY: HTML has very strong "shouting" markup
>  0.0 HTML_NONELEMENT_00_10  BODY: 0% to 10% of HTML elements are non-standard
>  1.9 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [80.110.248.122 listed in dnsbl.sorbs.net]
>  3.8 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
>                             [<http://dsbl.org/listing?80.110.248.122>]
>  3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [80.110.248.122 listed in sbl-xbl.spamhaus.org]
>  0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [80.110.248.122 listed in combined.njabl.org]
> -1.6 AWL                    AWL: From: address is in the auto white-list
>
> The original message was not completely plain text, and may be unsafe to
> open with some email clients; in particular, it may contain a virus, or
> confirm that your address can receive spam. If you wish to view it, it may
> be safer to save it to a file and open it with an editor.
>
> ------------=_416FF536.26643AE7
> Content-Type: message/rfc822; x-spam-type=original
> Content-Description: original message before SpamAssassin
> Content-Disposition: attachment
> Content-Transfer-Encoding: 8bit
>
> Received: from chello080110248122.118.11.vie.surfer.at
> ([80.110.248.122])
> by dbox.jline.com with smtp (Exim 4.34)
> id 1CDRsz-0001DQ-LQ
> for [EMAIL PROTECTED]; Fri, 01 Oct 2004 11:12:09 -0700
> To: [EMAIL PROTECTED]
> From: "Risa Ignacia" <[EMAIL PROTECTED]>
> Reply-To: "Risa Ignacia" <[EMAIL PROTECTED]>
> Date: Fri, 01 Oct 2004 14:13:38 -0500
> Subject: We Provide 96% Off Retail Priice For Softwares years
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.6488.4426
> Content-Type: multipart/alternative;
> boundary="--4671406479602045"
>
> ----4671406479602045
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 8bit
>
> committee concentrate seize scissors
> national every according away maam wrong
> parallel hat means favorite however share
>
> ----4671406479602045
> Content-Type: text/html; charset=us-ascii
> Content-Transfer-Encoding: 8bit
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text; charset=us-ascii"> </head>
> <body> <center> <table border=0 cellspacing=0 cellpadding=10
> width=640><swimming respect goodbye delight led ninety key
> <tr><td> <font
> color=D90000 size=5 face=arial><b>Your needed soffttwares at Rock Bottom
> prri ce! </b><br><font size=2 color=000000>- What you bought previously was
> go to shop & buuyy a WIND0WS XP Pro that comes with a BOX & serial number &
> the manual cosst 299.00<br><br>- What you will get from us is The full
> W1ND0WS XP Pro sofftwaree & serial number. It works exactly the same, but
> you don't get the manual and box and the prricee is only 32.00 . That is a
> savviing of 254.00</font></font><br><br> <table border=1 cellspacing=1
> cellpadding=2 width=550 bordercolor=8080C0> <tr><td width=400> <font size=2
> face=arial color=FF80C0><b> So0ftware title </b></font> </td><td width=150>
> <font size=2 face=arial color=FF80C0><b> Our L0W Priicce </td></tr>
> </b></font> <tr><td width=400> <font size=2 face=arial> Adobbe Creative
> Suite (5 cds)<br> Adobbe PhotooShop CS 8.0 (1 cd)<br> 3D Studio Max 6.0 (3
> cds)<br> Adobbe Premiere Pro 7.0 (1 cd)<br> Alias Wavefront Maya 5.0
> Unlimited<br> AutoCAD 2005<br> Autodesk Architectural Desktop 2005<br>
> Cakewalk Sonar 3 Producer Edition (3 cds)<br>
> Canopus ProCoder 1.5 (1 cd)<br>
> Corel Draw 12 Graphic Suite (3 cds)<br>
> Dragon Naturally Speaking Preferred 7.0<br>
> Macromedia Dreamweaver MX 2004 v7.0<br>
> Macromedia Fireworks MX 2004 v7.0<br>
>
> Macromedia Flash MX 2004 v7.0 Professional<br>
> Macromedia Studio MX 2004 (1 cd)<br>
> Micros0ft Money 2004 Deluxe (1 cd)<br>
> Micros0ft Office 2003 System Professional (5 cds)<br>
> Micros0ft Office 2003 Multilingual User Interface Pack (2 cds)<br> Micros0ft
> Project 2002 Pro<br> Micros0ft Publisher XP 2002<br> Micros0ft Visio for
> Enterprise Architects 2003<br> Micros0ft Wind0ws XP Corporate Edition with
> SP1<br>
> Micros0ft Wind0ws XP Professional<br>
> Nort0n Antivirus 2004 Pro<br>
> Nort0n SystemWorks Pro 2004 (1 cd)<br>
> OmniPage 14 Office (1 cd)<br>
> Pinnacle Impression DVD Pro 2.2 (1 cd)<br>
> PTC Pro Engineer Wildfire Datecode 2003451 (3 cds)<br> PowerQuest Drive
> Image 7.01 Multilanguage (1 cd)<br> Ulead DVD Workshop 2.0<br> Micros0ft
> Visual Studio .NET 2003 Enterprise Architect (8 cds)<br> Winfax PRO
> 10.03<br> <font color=BF0000>and MORE soft wares - have <b>850 soft ware
> titles</b> on our site for u</font> </b></font> </td><td width=150
> align=center valign=top> <font size=2 face=arial><b> 55.00<br> 32.00<br>
> 50.00<br> 32.00<br> 40.00<br> 32.00<br> 32.00<br> 36.00<br> 25.00<br>
> 32.00<br> 25.00<br> 25.00<br> 32.00<br> 30.00<br> 50.00<br> 20.00<br>
> 40.00<br> 25.00<br> 32.00<br> 20.00<br> 25.00<br> 40.00<br> 32.00<br>
> 20.00<br> 20.00<br> 25.00<br> 25.00<br> 40.00<br> 20.00<br> 20.00<br>
> 93.00<br> 20.00<br> </td></tr> </b></font> </td></tr></table> <font
> color=000000 size=2 face=arial> Download your sofftwaares from our Superfast
> (100mbits connection) site & you will be given your own exclusive
> registration key to register the sofftwaares you bought from us, and now you
> have your own registered copy of sofftwaares (will never expired
> again)<br><br> It's <b>0EM version</b> of sofftwaares which is an
> <b>Original/Genuine sofftwaares</b>, strictly no piracy sofftwaares
> </font>
> <center>
> <b><a href=http://www.accountrepetition.co.nz.zinkuq.com/0/p/
> target=_blank><font color=0000FF size=5 face=arial><u>Over 850 popular
> titles for you to choose from<br><br>Act quick now before all
> sold<br><br>Start using your needed sofftwaares now<br>== C L I C K - H E
> R E ==</b><br><font size=2>(Plz give 2-3 mins to complete the page loading
> bcos the page has 850 titles on it)</font><br><br></u></a> <a
> href=http://www.hungrybeen.co.nz.zinkuq.com/0/c.html
> target=_blank><font size=1>take me down</font></a>
> </font>
> </center>
> </td></tr></table>
> </center>
> </body>
> </html>
>
> ----4671406479602045--
>
> ------------=_416FF536.26643AE7--
>
> -----Original Message-----
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 14, 2004 8:45 AM
> To: users@spamassassin.apache.org
> Subject: Re: Default SURBL scores low?
>
> On Thu, Oct 14, 2004 at 08:27:02AM -0700, Potato Chip wrote:
> > -3.3 ALL_TRUSTED Most of these unmarked spams hit ALL_TRUSTED with a
> > default score of -3.3. It almost completely discounts the SURBL score
> > hits.
>
> If you're getting ALL_TRUSTED hits on messages that came from the outside
> through a non-trusted server, then something is up there.
> The reports I've
> seen about it so far are related to something like an anti-virus gateway not
> adding in proper Received headers, passing the mail to SpamAssassin.
>
> > Have most people changed the default SURBL scores to something more
> > meaningful, higher? It seems worthy of a higher score given the great
> > reviews that SURBL has been getting?
>
> SURBL is great, but it does get FPs. If you don't mind that (and the
> possibility of having SA FP the mail into the "spam" category), go ahead and
> up the score. :)
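
The trust-path check discussed in this thread, as an added example (not code from the thread or from SpamAssassin): it reads the X-Spam-Relays-Trusted and X-Spam-Relays-Untrusted lines from "spamassassin -D" output and flags any relay that was treated as trusted although its address lies outside the networks the operator runs. The 192.168.9.0/24 network and the second sample log are assumptions made for the illustration; the first sample is re-joined from the debug output quoted above.

```python
import ipaddress
import re

# The two metadata lines printed by "spamassassin -D".
META = re.compile(r"metadata: X-Spam-Relays-(Trusted|Untrusted):\s*(.*)$")
BLOCK = re.compile(r"\[\s*([^\]]*)\]")   # one "[ key=value ... ]" relay entry
FIELD = re.compile(r"(\w+)=(\S*)")       # values may be empty, e.g. "ident="

# Re-joined from the wrapped debug output in the post.
MISTRUSTED_LOG = (
    "debug: metadata: X-Spam-Relays-Trusted: [ ip=80.110.248.122 "
    "rdns=chello080110248122.118.11.vie.surfer.at "
    "helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com "
    "ident= envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]\n"
    "debug: metadata: X-Spam-Relays-Untrusted:\n"
)

# Constructed sample: the same relay, this time on the untrusted side.
EXPECTED_LOG = (
    "debug: metadata: X-Spam-Relays-Trusted:\n"
    "debug: metadata: X-Spam-Relays-Untrusted: [ ip=80.110.248.122 "
    "rdns=chello080110248122.118.11.vie.surfer.at "
    "helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com "
    "ident= envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]\n"
)


def parse_relays(value):
    """Turn '[ ip=... by=... ] [ ... ]' into a list of dicts."""
    return [dict(FIELD.findall(block)) for block in BLOCK.findall(value)]


def relay_metadata(debug_text):
    """Collect the trusted and untrusted relay lists from debug output."""
    meta = {"Trusted": [], "Untrusted": []}
    for line in debug_text.splitlines():
        match = META.search(line)
        if match:
            meta[match.group(1)] = parse_relays(match.group(2))
    return meta


def audit_trust_path(debug_text, own_networks):
    """Report relays marked trusted that are outside own_networks.

    own_networks is the operator's list of CIDR blocks (an assumption
    supplied by the caller, not something read from SpamAssassin).
    """
    nets = [ipaddress.ip_network(n) for n in own_networks]
    meta = relay_metadata(debug_text)
    foreign = []
    for relay in meta["Trusted"]:
        raw = relay.get("ip", "")
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            foreign.append(raw or "<no ip>")  # unparseable: treat as foreign
            continue
        if not any(addr in net for net in nets):
            foreign.append(raw)
    no_untrusted = not meta["Untrusted"]
    return {
        "trusted": [r.get("ip", "") for r in meta["Trusted"]],
        "untrusted": [r.get("ip", "") for r in meta["Untrusted"]],
        "foreign_trusted": foreign,
        # Matches the rule description "Did not pass through any
        # untrusted hosts" shown in the report above.
        "no_untrusted_relays": no_untrusted,
        "mistrusted": bool(foreign) and no_untrusted,
    }


if __name__ == "__main__":
    for name, log in (("post", MISTRUSTED_LOG), ("expected", EXPECTED_LOG)):
        print(name, audit_trust_path(log, ["192.168.9.0/24"]))
```

When the check reports a foreign relay, listing your own relays explicitly with SpamAssassin's `trusted_networks` setting in local.cf replaces the automatic inference that put the trust boundary in the wrong place.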