I've been using SA for years. I'm running 3.1.6 on a Red Hat box, and 99% of the time, all is well.

Last week I added a rule to tag those annoying .gif pump-and-dump emails. Nothing fancy:

    rawbody IMG_SRC_CID /src\=(\"c|c)id\:/i
    score IMG_SRC_CID 2.0

Most of the time it works fine. However, occasionally, I'll get an email that ONLY sees that rule. I'm using MimeDefang to rewrite the headers, and all it shows is

    X-Spam-Score: 2 (**) IMG_SRC_CID

But when I do a spamassassin --debug < test with the message, it finds all kinds of fun things:

    Content analysis details:   ( 6.6 points, 9.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
     1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
    -0.3 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                                [score: 0.2631]
     1.9 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
     0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     2.0 IMG_SRC_CID            RAW: cid in body

The very next message is the same kind of scam, but sees everything:

    X-Spam-Score: 7.967 (*******) BAYES_00,DNS_FROM_RFC_ABUSE,FORGED_RCVD_HELO,HTML_00_10,HTML_MESSAGE,IMG_SRC_CID,MIME_HTML_ONLY,RCVD_NUMERIC_HELO

So what obvious mistake am I making?

Thanks for any help...

--
tim boyer
[EMAIL PROTECTED]