Hello,Here is a complete sample without a link (because apache.org bounced the message due the "spam" content) with logs relevant to the message. I have tar.gz/tgz the message to hopefully pass the spam filter.
Here is the message:
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Status: No, hits=? required=?
Message-ID: [EMAIL PROTECTED]
From: "Rita Gore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>
Subject: Size Genetics Warning
Date: Fri, 15 Feb 2008 17:39:26 -0100
Content-Type: text/plain;
format=flowed;
reply-type=original
Content-Transfer-Encoding: 7bit
Gain 3.5+ Inches In Length.... 100% Safe To Take, With NO Side Effects.
Here is the qmail-queue.log:
Fri, 15 Feb 2008 08:39:54 PST:21158: SA: finished
scan in 50.013946 secs - hits=?/?
Fri, 15 Feb 2008 08:39:54 PST:21158: p_s: finished scan in 0.007968 secsFri, 15 Feb 2008 08:39:54 PST:21158: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309354376421158"... Fri, 15 Feb 2008 08:39:54 PST:21158: ------ Process 21158 finished. Total of 50.174236 secs Fri, 15 Feb 2008 08:39:55 PST:21298: +++ starting debugging for process 21298 (ppid=21271) by uid=509 Fri, 15 Feb 2008 08:39:55 PST:21298: c_a_g: found URL in message - maybe phishy - better scan it Fri, 15 Feb 2008 08:39:55 PST:21298: w_c: Total time between DATA command and "." was 0.000196 secs
Fri, 15 Feb 2008 08:39:55 PST:21298: w_c: elapsed time from start 0.000177 secsFri, 15 Feb 2008 08:39:55 PST:21298: g_e_h: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]' Fri, 15 Feb 2008 08:39:55 PST:21298: from='"Rita Gore" <[EMAIL PROTECTED]>', subj='Size Genetics Warning', via SMTP from 79.26.135.208
Fri, 15 Feb 2008 08:39:55 PST:21298: clamdscan: finished scan in 0.014551 secsFri, 15 Feb 2008 08:40:45 PST:21298: SA: finished scan in 50.020665 secs - hits=?/? Fri, 15 Feb 2008 08:40:46 PST:21298: p_s: finished scan in 0.00844500000000004 secs Fri, 15 Feb 2008 08:40:46 PST:21298: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309359576421298"... Fri, 15 Feb 2008 08:40:46 PST:21298: ------ Process 21298 finished. Total of 50.133095 secs
But notices these also at right after this message:Fri, 15 Feb 2008 08:40:45 PST:21298: SA: finished scan in 50.020665 secs - hits=?/? Fri, 15 Feb 2008 08:40:46 PST:21298: p_s: finished scan in 0.00844500000000004 secs Fri, 15 Feb 2008 08:40:46 PST:21298: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309359576421298"... Fri, 15 Feb 2008 08:40:46 PST:21298: ------ Process 21298 finished. Total of 50.133095 secs Fri, 15 Feb 2008 08:40:46 PST:21299: SA: finished scan in 50.01334 secs - hits=?/?
Fri, 15 Feb 2008 08:40:46 PST:21299: p_s: finished scan in 0.009365 secsFri, 15 Feb 2008 08:40:46 PST:21299: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309359676421299"... Fri, 15 Feb 2008 08:40:46 PST:21299: ------ Process 21299 finished. Total of 50.215451 secs Fri, 15 Feb 2008 08:41:01 PST:21376: SA: finished scan in 50.061759 secs - hits=?/?
Fri, 15 Feb 2008 08:41:01 PST:21376: p_s: finished scan in 0.102243 secsFri, 15 Feb 2008 08:41:01 PST:21376: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361076421376"... Fri, 15 Feb 2008 08:41:02 PST:21376: ------ Process 21376 finished. Total of 50.796067 secs Fri, 15 Feb 2008 08:41:02 PST:21395: SA: finished scan in 50.014535 secs - hits=?/?
Fri, 15 Feb 2008 08:41:02 PST:21395: p_s: finished scan in 0.008081 secsFri, 15 Feb 2008 08:41:02 PST:21395: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361276421395"... Fri, 15 Feb 2008 08:41:02 PST:21391: SA: finished scan in 50.102585 secs - hits=?/?
Fri, 15 Feb 2008 08:41:02 PST:21391: p_s: finished scan in 0.012847 secsFri, 15 Feb 2008 08:41:03 PST:21391: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361276421391"... Fri, 15 Feb 2008 08:41:03 PST:21395: ------ Process 21395 finished. Total of 50.430792 secs Fri, 15 Feb 2008 08:41:03 PST:21391: ------ Process 21391 finished. Total of 50.258332 secs Fri, 15 Feb 2008 08:41:03 PST:21538: +++ starting debugging for process 21538 (ppid=21529) by uid=509 Fri, 15 Feb 2008 08:41:06 PST:21406: SA: finished scan in 50.016036 secs - hits=?/?
Fri, 15 Feb 2008 08:41:06 PST:21406: p_s: finished scan in 0.008182 secsFri, 15 Feb 2008 08:41:06 PST:21406: ini_sc: finished scan of "/var/spool/qmailscan/tmp/s1.molsci.org120309361376421406"... Fri, 15 Feb 2008 08:41:07 PST:21406: ------ Process 21406 finished. Total of 50.81682 secs
Here is the maillog for that period of time:Feb 15 08:38:39 s1 spamd[19278]: spamd: checking message <[EMAIL PROTECTED]> for qscand:510 Feb 15 08:40:47 s1 spamd[19278]: spamd: identified spam (44.9/8.5) for qscand:510 in 127.6 seconds, 2091 bytes. Feb 15 08:40:47 s1 spamd[19278]: spamd: result: Y 44 - BAYES_99,BOTNET,DOS_OE_TO_MX,DRUGS_ERECTILE,DRUGS_ERECTILE_OBFU,FB_CIALIS_LEO3,FB_P1LL,FH_HELO_EQ_D_D_D_D,FUZZY_CPILL,FUZZY_PRICES,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_DYNAMIC,SUBJECT_DRUG_GAP_C,TVD_RCVD_IP,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=127.6,size=2091,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54630,mid=<[EMAIL PROTECTED]>,bayes=1.000000,autolearn=spam
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BBFeb 15 08:40:47 s1 spamd[30645]: spamd: server successfully spawned child process, pid 21505 Feb 15 08:40:47 s1 spamd[19278]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54631 Feb 15 08:40:47 s1 spamd[21505]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54632 Feb 15 08:40:47 s1 spamd[19278]: spamd: checking message <[EMAIL PROTECTED]> for qscand:510
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BBBFeb 15 08:40:47 s1 spamd[30645]: spamd: server successfully spawned child process, pid 21506 Feb 15 08:40:47 s1 spamd[21505]: spamd: checking message <[EMAIL PROTECTED]> for qscand:510 Feb 15 08:40:47 s1 spamd[21506]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54633
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BBBBFeb 15 08:40:47 s1 spamd[30645]: spamd: server successfully spawned child process, pid 21507 Feb 15 08:40:47 s1 spamd[21506]: spamd: checking message <[EMAIL PROTECTED]> for qscand:510
Feb 15 08:40:47 s1 spamd[30645]: prefork: child states: BBBBBFeb 15 08:40:47 s1 spamd[30645]: prefork: server reached --max-children setting, consider raising it Feb 15 08:40:47 s1 spamd[21507]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54634 Feb 15 08:40:48 s1 spamd[21507]: spamd: checking message <[EMAIL PROTECTED]> for qscand:510 Feb 15 08:40:50 s1 spamd[19278]: spamd: identified spam (32.7/8.5) for qscand:510 in 3.2 seconds, 828 bytes. Feb 15 08:40:50 s1 spamd[19278]: spamd: result: Y 32 - BAYES_99,BOTNET,DOS_OE_TO_MX,FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,NO_DNS_FOR_FROM,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_RCVD_IP,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_WS_SURBL scantime=3.2,size=828,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54631,mid=<[EMAIL PROTECTED]>,bayes=1.000000,autolearn=spam
Feb 15 08:40:50 s1 spamd[30645]: prefork: child states: BBBBBFeb 15 08:40:50 s1 spamd[30645]: prefork: server reached --max-children setting, consider raising it Feb 15 08:40:50 s1 spamd[19278]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54635 Feb 15 08:40:50 s1 spamd[19278]: spamd: checking message <[EMAIL PROTECTED]> for qscand:510Feb 15 08:40:51 s1 spamd[21505]: spamd: identified spam (26.2/8.5) for qscand:510 in 4.3 seconds, 863 bytes. Feb 15 08:40:51 s1 spamd[21505]: spamd: result: Y 26 - BAYES_99,BOTNET,DOS_OE_TO_MX,FH_HELO_ALMOST_IP,HELO_DYNAMIC_DHCP,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,SPF_FAIL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_WS_SURBL scantime=4.3,size=863,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54632,mid=<[EMAIL PROTECTED]>,bayes=1.000000,autolearn=spam
Feb 15 08:40:52 s1 spamd[30645]: prefork: child states: BBBBBFeb 15 08:40:52 s1 spamd[30645]: prefork: server reached --max-children setting, consider raising itFeb 15 08:40:52 s1 spamd[21505]: spamd: connection from localhost.localdomain [127.0.0.1] at port 54636Feb 15 08:40:52 s1 spamd[21505]: spamd: checking message <[EMAIL PROTECTED]> for qscand:510Feb 15 08:40:53 s1 spamd[21506]: spamd: identified spam (35.1/8.5) for qscand:510 in 6.0 seconds, 772 bytes. Feb 15 08:40:53 s1 spamd[21506]: spamd: result: Y 35 - BAYES_99,BOTNET,DIGEST_MULTIPLE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,RDNS_NONE,SUBJ_PILL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=6.0,size=772,user=qscand,uid=510,required_score=8.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54633,mid=<[EMAIL PROTECTED]>,bayes=1.000000,autolearn=spam
Feb 15 08:40:53 s1 spamd[30645]: prefork: child states: BBBBBI noticed that --max-childern setting has been reached. This is my spamd option setting:
# Set default spamd configuration. SPAMDOPTIONS="-d -c --max-children=20 -H" SPAMD_PID=/var/run/spamd.pidWhat --max-childern setting should I set it at. My sever is fairly powerful (Two 3GHz 4GB RAM) running RedHat Linux 5. Is there more information you need since I'm keeping this message until I solve this strange and annoying issue. This occurs to about 20-50 out of the 8000-10000 messages I get each day.
Thank you, Frank
Hello,This sample message that I got had no link in the message but I got the same ? for the spam score also. It appears some message with links or without links I get that ? score. However it appears after investigating the most of them have links.Thank you, FrankReturn-Path: <[EMAIL PROTECTED]> Delivered-To: [EMAIL PROTECTED] X-Spam-Status: No, hits=-104.0 required=8.5 Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm list-help: <mailto:[EMAIL PROTECTED]> list-unsubscribe: <mailto:[EMAIL PROTECTED]> List-Post: <mailto:users@spamassassin.apache.org> List-Id: <users.spamassassin.apache.org> Delivered-To: mailing list users@spamassassin.apache.org X-ASF-Spam-Status: No, hits=1.2 required=10.0 tests=SPF_NEUTRAL X-Spam-Check-By: apache.org Subject: Re: Getting ? in spam scores. From: Karsten BrÉckelmann <[EMAIL PROTECTED]> To: users@spamassassin.apache.org Content-Type: text/plain Date: Sat, 09 Feb 2008 04:14:40 +0100 Message-Id: <[EMAIL PROTECTED]> Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Please, resist the urge to top post and including unnecessary full quotes. This also makes answering questions much easier... On Fri, 2008-02-08 at 16:45 -0800, fchan wrote:Thank you. I have check my DNS and it appears to resolve the link correctly.What link? The spample does not show any. Also, the DNS queries relevant for SA are those to the various blacklists. By default including URI as well as IP blacklists. Anyway, you can't prove the non-existence of a DNS issue, by one successful query. So we now know that it works at least sometimes. Good, we pretty much knew that before. ;)It is just annoying, I think less than 1% of all messages, are getting this and I'm checking if there is something I can do to solve this. Here is a sample message that is causing this:The sample is incomplete...Received: (qmail 7689 invoked by uid 501); 8 Feb 2008 01:58:00 -0800 Received: from 87.18.202.233 by s1.molsci.org (envelope-from <[EMAIL PROTECTED]>, uid 509) with qmail-scanner-2.01st (clamdscan: 0.92/5545. spamassassin: 3.2.4. perlscan: 2.01st. Clear:RC:0(87.18.202.233):SA:0(?/?):. Processed in 50.059824 secs); 08 Feb 2008 09:58:00 -0000 X-Spam-Status: No, hits=? required=?Did you try asking qmail-scanner folks already? That is not the default SA header. [ snip ]Another thing is when I do a sa-learn --spam of this message I get this message "Learned tokens from 0 message(s) (1 message(s) examined)". Why I cannot get sa-learn to learn from this message also.Because it has been (auto?) learned before?> > Wed, 06 Feb 2008 09:16:41 PST:18972: clamdscan: finished scan in 0.011407 secs> > Wed, 06 Feb 2008 09:17:26 PST:18972: SA: finished scan in 45.026522 > > secs - hits=?/? > >Does that mean qmail-scanner forced further processing due to the >timeout, without actually waiting for SA to finish? (Despite the success >suggesting phrase...)So? Hey, I'm not a qmail-scanner guy, that was not meant as a rhetorical question. ;)>> Wed, 06 Feb 2008 09:17:26 PST:18972: p_s: finished scan in 0.020737 secs>> Wed, 06 Feb 2008 09:17:26 PST:18972: ini_sc: finished scan of >> "/var/spool/qmailscan/tmp/s1.molsci.org120231820076418972" >> >> I have set timeout on qmailscanner for spamc to 45 seconds. Why are, >> what I guess, links causing this. > >Are you positive this is related to links? SA queries URI blacklists. >Is it possible you have a DNS issue by any chance?Now, are you really positive about that, or not? guenther -- char *t="[EMAIL PROTECTED]"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
%Size Genetics Warning.tgz
Description: application/applefile
Size Genetics Warning.tgz
Description: Binary data
