I keep getting these Via*/Cial*/Val* "and many other" SPAMs (you know
the ones, they start with "Hello, Welcome to <link to their shop>" and
have all those obfuscating "DISPLAY:" "none"s embedded in them).

(I'm still using 2.63 on my production mail server, btw. Please don't shoot
me.)

What I don't understand is why I get this behavior: in the message as I
received it, it scored as

X-Spam-Status:  No, hits=2.8 required=5.0 tests=BAYES_10,HTML_50_60,
                HTML_FONT_BIG,HTML_MESSAGE,PRIORITY_NO_NAME,SPAMCOP_URI_RBL_JP
                autolearn=no version=2.63

However, if I take the message and extract it into a file and feed it
to "spamassassin -D < spam", I get

X-Spam-Status: Yes, hits=14.8 required=5.0 tests=BAYES_30,HTML_50_60,
        HTML_FONT_BIG,HTML_MESSAGE,MSGID_FROM_MTA_SHORT,PRIORITY_NO_NAME,
        RCVD_IN_BL_SPAMCOP_NET,SPAMCOP_URI_RBL_AB,SPAMCOP_URI_RBL_JP,
        SPAMCOP_URI_RBL_OB,SPAMCOP_URI_RBL_SC,SPAMCOP_URI_RBL_WS
        autolearn=spam version=2.63

Why do I only get one SPAMCOP_URI_RBL_* hit when it's fed to "spamd"
as it comes in, yet I get 5 of them when I run it manually?  Why is
"autolearn=no" set when "spamd" gets it, but "autolearn=spam" is set
when "spamassassin" gets it?

"spamd" is running (on NetBSD 1.6.1) as

/usr/pkg/bin/spamd -H -c -a -d -r /var/run/spamd.pid

And, last but not least, these things all contain those obfuscating
lines with

        <DIV><FONT face=3DArial>Have a nice d<SPAN style=3D"DISPLAY: none"> =
        pestilential </SPAN>ay!</FONT></DIV></DIV></BODY></HTML>

embedded in them.  I've tried every rule I can think of to catch the
"DISPLAY: none" stuff, yet it never matches.  I took a rule someone
posted here and pared it down to nothing more than

body    SENET_DISPNONE  /DISPLAY: none/
describe        SENET_DISPNONE  Hidden text via CSS attributes
score   SENET_DISPNONE  7.5

and it *still* doesn't match it.  Why not?  Do "body" matches not work
on HTML in 2.63?

(Edit: my own server rejected my sending this as-is; it matched the
"SENET_DISPNONE" rule on the above text!  Thus proving that it finds
 "Display:" and "none" just fine when it's in the body as Plain Text ...
 so why doesn't it find them when they're inside HTML?)

Thanks,

        - Greg
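
Added example, not part of the original post and not SpamAssassin's own code: SpamAssassin's documentation describes "body" rules as matching the decoded text with HTML tags removed, and "rawbody" rules as matching the decoded text with the tags still present. The Python sketch below models those views (plus the undecoded message) over the two lines quoted above, as a simplified assumption of that behaviour, and reports which view still contains "DISPLAY: none".

```python
import quopri
import re
from html.parser import HTMLParser

# Constructed sample: the two quoted-printable HTML lines quoted in the post
# ("=3D" encodes "=", and a trailing "=" is a soft line break).
RAW_PART = (
    b'<DIV><FONT face=3DArial>Have a nice d<SPAN style=3D"DISPLAY: none"> =\n'
    b'pestilential </SPAN>ay!</FONT></DIV></DIV></BODY></HTML>\n'
)

# Same pattern as the SENET_DISPNONE rule, with flexible whitespace.
RULE = re.compile(r"DISPLAY:\s*none", re.I)


class _TextOnly(HTMLParser):
    """Collects character data only; tags and their attributes are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def views(raw_part: bytes) -> dict:
    """Return the texts a filter could match against (names are illustrative)."""
    decoded = quopri.decodestring(raw_part).decode("latin-1")
    parser = _TextOnly()
    parser.feed(decoded)
    parser.close()
    # Plain tag stripping plus whitespace folding; a simplification of rendering.
    rendered = " ".join("".join(parser.chunks).split())
    return {
        "full": raw_part.decode("latin-1"),  # undecoded, as received
        "rawbody": decoded,                  # QP-decoded, markup intact
        "body": rendered,                    # QP-decoded, markup stripped
    }


def rule_hits(raw_part: bytes) -> dict:
    """Map each view name to whether the pattern matches in it."""
    return {name: bool(RULE.search(text)) for name, text in views(raw_part).items()}


if __name__ == "__main__":
    for name, hit in rule_hits(RAW_PART).items():
        print(f"{name:8} match={hit}")
```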
