I have all email hitting the production 2.6x spamd and at the same time logging it against the 3.x spamd. I diff the output from the original email for both spamd’s. Anyways, I keep noticing that ALL_TRUSTED is hit for each and every 3.x email.
Obviously from the header it started from an external source which isn’t trusted. In local.cf I have clear_trusted_networks and do not add any additional trusted networks listed.
Why? Each email that is passing through the system seems to be automatically starting off with a -3.3. BTW, the 3.0 server we are testing against is on the private network.
Here is the test call. 10.27.0.10 is the address for the server that is spooling the mail coming in from the net (NAT’d).
daemon spamd -D -i -A 10.27.0.10,127.0.0.1 -d -r /var/run/spamd.pid -m 20
Return-Path: <[EMAIL PROTECTED]>
Received: from atr.dedicated-marketing1.com (atr.dedicated-marketing1.com [206.71.53.105])
by server.xxxx.com (Postfix) with SMTP id 8EFA516A02C
for <[EMAIL PROTECTED]>; Mon, 8 Nov 2004 20:14:34 -0800 (PST)
From: Rapid Cash Provider <[EMAIL PROTECTED]>
Subject: Get 5OO USD by tomorrow. Only takes 2 minutes
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Date: Mon, 8 Nov 2004 23:21:58 EST
Message-ID: <[EMAIL PROTECTED]@atr.dedicated-marketing1.com>
X-Mailer: 3.2.1-1 [Oct 8 2004, 19:42:14]
Content-Type: text/html; charset=us-ascii; class-id=1:1KmbbFzHY0JozDuFF7LYDL4Zru:318084
Content-Transfer-Encoding: 7bit
6c6
< Subject: Get 5OO USD by tomorrow. Only takes 2 minutes
---
> Subject: [Suspected SPAM] Get 5OO USD by tomorrow. Only takes 2 minutes
13a14,34
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
> xxxx.xxxx.com
> X-Spam-Level: **************
> X-Spam-Status: Yes, hits=14.4 required=5.0 tests=BAYES_99,HTML_90_100,
> HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_02,HTML_MESSAGE,
> HTTP_WITH_EMAIL_IN_URL,MIME_HTML_ONLY,SARE_MSGID_DBL_AT,WS_URI_RBL
> autolearn=no version=2.63
> X-Spam-Report:
> * 1.0 SARE_MSGID_DBL_AT Message ID has two at signs
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> * [score: 1.0000]
> * 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> * 0.6 HTML_FONT_INVISIBLE BODY: HTML font color is same as background
> * 1.2 HTML_90_100 BODY: Message is 90% to 100% HTML
> * 1.2 HTML_IMAGE_ONLY_02 BODY: HTML: images with 0-200 bytes of words
> * 4.4 WS_URI_RBL URI's domain appears in sa-blacklist
> * [dedicated-marketing1.com is blacklisted in URI]
> [RBL at ws.surbl.org]
> * 0.2 HTTP_WITH_EMAIL_IN_URL URI: 'remove' URL contains an email address
**********************************************************************
6c6
< Subject: Get 5OO USD by tomorrow. Only takes 2 minutes
---
> Subject: [Suspected SPAM] Get 5OO USD by tomorrow. Only takes 2 minutes
13a14,46
> X-Spam-Prev-Subject: Get 5OO USD by tomorrow. Only takes 2 minutes
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on
> xxxx.xxxx.com
> X-Spam-Level: ***********************
> X-Spam-Status: Yes, score=24.0 required=5.0 tests=ALL_TRUSTED,BAYES_99,
> DOMAIN_RATIO,HTML_90_100,HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_20,
> HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHOUTING3,MIME_HTML_ONLY,
> SARE_MSGID_DBL_AT,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
> URIBL_SBL,URIBL_WS_SURBL autolearn=no version=3.0.1
> X-Spam-Report:
> * 1.0 SARE_MSGID_DBL_AT Message ID has two at signs
> * -3.3 ALL_TRUSTED Did not pass through any untrusted hosts
> * 3.2 DOMAIN_RATIO BODY: Message body mentions many internet domains
> * 0.4 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> * 0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup
> * 0.0 HTML_FONT_INVISIBLE BODY: HTML font color is same as background
> * 0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
> * 0.0 HTML_90_100 BODY: Message is 90% to 100% HTML
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> * [score: 1.0000]
> * 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> * 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
> * [URIs: imgehost.com dedicated-marketing1.com]
> * 4.0 URIBL_AB_SURBL Has URI in AB at http://www.surbl.org/lists.html
> * [URIs: imgehost.com]
> * 4.0 URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
> * [URIs: imgehost.com dedicated-marketing1.com]
> * 4.0 URIBL_WS_SURBL Has URI in WS at http://www.surbl.org/lists.html
> * [URIs: dedicated-marketing1.com]
> * 4.0 URIBL_OB_SURBL Has URI in OB at http://www.surbl.org/lists.html
> * [URIs: imagesbyaz.com]
