SA tags both spam and non-spam messages with the rules that hit.  A typical 
non-spam report looks like

X-Spam-Status: No, score=3.3 required=4.6 tests=BAYES_20,DK_POLICY_SIGNSOME,
 FORGED_RCVD_HELO,HELO_MISMATCH_COM,HOST_MISMATCH_NET,JD_LO_BAYES,
 JD_VLO_BAYES,LW_PRINTERS,MAILTO_TO_SPAM_ADDR autolearn=disabled 
 version=3.1.4

You should be seeing this on non-spam mails, IF you are running thru spamd or 
the like.  If you are using amavisd-new and some of the other things, they throw 
the SA markup away on non-spam messages by default.  There are usually ways to 
get it back, depending on the tool you are using.  Not being sure what you are 
using (and not using any of them myself) I can't help much on what you might 
have to fiddle to get non-spam report info.  But someone here will know, just 
tell us what you are running.

The idea is you want to see what rules hit when it wasn't marked as spam, and 
compare it to what you get manually.  If the difference is the network tests, 
then probably you were just a lucky early winner on a new spam run.  OTOH, if 
there are NO network tests (and never are) then you have a config problem, 
since you see them when you run the spam manually.  Likewise if you see bayes 
in debug and not in normal mail you have a config problem.  Etc.

        Loren
  ----- Original Message ----- 
  From: Craig 
  To: users@spamassassin.apache.org 
  Sent: Friday, December 01, 2006 9:34 AM
  Subject: Re: How does some spam pass through?


  Thanks for your quick reply

  Ok, I am new to this-and I am sure it's a "no brainer" but "non-spam tagging" 
-I do not understand. If you could explain-or if it's documented feel free to 
scold me-I would appreciate it.

  Craig


  >>> "Loren Wilton" <[EMAIL PROTECTED]> 12/1/2006 11:05 AM >>>

  Typical case is that you were one of the lucky early recipients before the 
spam made it into all the blocklists, so it got a low score.

  You should have got a pretty hefty score from the local tests, but there is 
another 10+ points in net tests there too.

  It looks like bayes should have caught it with your 4.0 limit.  This makes me 
suspect bayes didn't run.  Look at the original mail tagging and see, if you 
have a setup where you have non-spam tagging.  (and if not, fix things so you 
do, it makes this easier to debug.)

          Loren
    ----- Original Message ----- 
    From: Craig 
    To: users@spamassassin.apache.org 
    Sent: Friday, December 01, 2006 8:47 AM
    Subject: How does some spam pass through?


    Below are the results from a Spamassassin -D test of a message that was 
previously delivered this morning.  How does something like this pass through- 
when I run the checks on the email after it is delivered the system clearly 
knows it's spam.

    Thanks
    Craig



    X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
     BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
     HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
     RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
    X-Spam-Report: 
     *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
     *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
     *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
     *  0.0 HTML_MESSAGE BODY: HTML included in message
     *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
     *      [score: 1.0000]
     *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
     *      [80.171.36.179 listed in dnsbl.sorbs.net]
     *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
     *      [80.171.36.179 listed in sbl-xbl.spamhaus.org]
     *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
     *      [80.171.36.179 listed in combined.njabl.org]
     *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
     *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
     *  5.0 BOTNET Any Botnet rule hit
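
The comparison described in the thread (rules hit at delivery versus rules hit in a later manual run), as an added example that is not code from the thread or from SpamAssassin. Assumptions: the function names and finding labels are hypothetical, rule-name prefixes (`RCVD_IN_`, `BAYES_`) stand in for "network test" and "bayes", and the delivery-time and `OTHER` headers are constructed samples; only the manual-run header comes from the thread.

```python
import re

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"\s+tests=(.*?)(?:\s+\w+=|$)")

def parse_status(header):
    """Parse one X-Spam-Status header (folded or not) into a dict."""
    flat = " ".join(header.split())          # unfold continuation lines
    m = STATUS_RE.search(flat)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    # SpamAssassin writes tests=none when no rule hit.
    tests = {t for t in re.split(r"[,\s]+", m.group(4)) if t and t != "none"}
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

# Assumption: name prefixes are a heuristic; RCVD_IN_* are the DNSBL rules
# that appear in the report quoted in the thread.
def has_net(tests):
    return any(t.startswith("RCVD_IN_") for t in tests)

def has_bayes(tests):
    return any(t.startswith("BAYES_") for t in tests)

def diagnose(delivered, manual, other_delivered=()):
    """Return (findings, rules hit only in the manual run)."""
    d, m = parse_status(delivered)["tests"], parse_status(manual)["tests"]
    findings = []
    if has_bayes(m) and not has_bayes(d):
        findings.append("bayes-missing-at-delivery")      # config problem
    if has_net(m) and not has_net(d):
        # Net tests on other delivered mail mean they do run: early recipient.
        seen = any(has_net(parse_status(h)["tests"]) for h in other_delivered)
        findings.append("early-recipient" if seen else "net-tests-never-seen")
    return findings, sorted(m - d)

# MANUAL is the header from the thread; DELIVERED and OTHER are constructed.
MANUAL = """X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7"""
DELIVERED = ("X-Spam-Status: No, score=2.9 required=4.0 tests=HTML_IMAGE_ONLY_12,\n"
             " HTML_MESSAGE,SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.7")
OTHER = ("X-Spam-Status: No, score=2.0 required=4.0 tests=RCVD_IN_SORBS_DUL"
         " autolearn=no version=3.1.7")

if __name__ == "__main__":
    print(diagnose(DELIVERED, MANUAL))           # no other mail to compare
    print(diagnose(DELIVERED, MANUAL, [OTHER]))  # net tests seen elsewhere
```
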
