Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

Wed, 29 Nov 2006 06:00:48 -0800 

Hi,

I've got a bit of an odd situation whereby some obvious spam seems to
be slipping through the net of our setup. A prime example would be a
"Re: hi" spam which has just come through, an obvious looking spam
containing the text Hi and a drugs gif. Looking at the headers after
qmail scanner has pushed it through spamc, it gives the following key things:

------
Received: (qmail 17122 invoked by uid 1387); 29 Nov 2006 13:16:32 -0000
Received: from 88.229.73.122 by servername (envelope-from
<[EMAIL PROTECTED]>, uid 33001) with qmail-scanner-2.01
(sweep: 2.39.2/4.11.0. spamassassin: 3.1.3.
Clear:RC:0(88.229.73.122):SA:0(2.6/5.0):. Processed in 11.629468 secs);
29 Nov 2006 13:16:32 -0000 X-Spam-Checker-Version: SpamAssassin 3.1.3
(2006-06-01) on servername X-Spam-Level: **
X-Spam-Status: No, score=2.6 required=5.0 tests=BAYES_50,HTML_MESSAGE,
        RCVD_IN_DSBL,SARE_GIF_ATTACH autolearn=no version=3.1.3
X-Envelope-From: [EMAIL PROTECTED]
Received: from unknown (HELO balboacompany.com) (88.229.73.122)
------

As you can see, its only been given a score of 2.6. If I then log into the 
mailserver and run spamassassin on the message in my inbox, spamassassin 
scores it higher than that and marks it up as spam:

-------
Content preview:  Hi Hi [...] 

Content analysis details:   (6.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9830]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 2.6 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?88.229.73.122>]
-------

One of the key things for me is that this time the bayes probability is 
much higher, but this seems to happen with any spam that arrives in my 
inbox - it will come through with a lower score, but if I manually invoke SA 
on the message manually it will report back with a higher score thats picked 
up by more rules.

Has anyone got any suggestions as to what I might need to look into to 
rectify this behaviour? I was running 3.1.0 until yesterday when I upgraded 
to 3.1.3 to take advantage of sa-update, so my rulesets should not be the 
problem.

Many thanks in advance for any help provided.


Wilb.

Reply via email to