William Taylor wrote:
I recently started receiving complaints from some users about spam getting
through.
Upon looking at these messages they are scoring 0.0 from spamassassin.
Not sure if something is jacked with my setup but running manually I see:
[20309] dbg: check: tests=
[20309] dbg: check: subtests=__CT,__CTE,__CTYPE_CHARSET_QUOTED,__CT_TEXT_PLAIN,__DOS_HAS_ANY_URI,__DOS_RCVD_WED,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__FROM_HOTMAIL_COM,__HAS_ANY_URI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HOST_HOTMAIL,__JM_REACTOR_DATE,__LAST_UNTRUSTED_RELAY_NO_AUTH,__MIME_VERSION,__MISSING_REF,__MSGID_OK_HOST,__NONEMPTY_BODY,__RATWARE_0_TZ_DATE,__RCVD_IN_DNSWL,__RCVD_IN_SORBS,__RCVD_IN_ZEN,__SANE_MSGID,__TOCC_EXISTS,__TVD_BODY,__TVD_MIME_ATT_TP
So it isn't scoring anything for actual tests?
Correct. No actual tests matched the message.
What exactly are the subtests ?
Sub tests are, well, sub tests. They're rules, but in themselves they
aren't useful in detecting spam. These subtests later get combined
together with other subtests to form a real rule using the meta command.
The meta command lets you create a rule based on simple boolean or
arithmetic expressions like:
A and (B or not C).
or
A + B + C + D > 1 (fires if 2 or more of the subtests fire)
Sometimes you need to create a rule that's very complex and would be
very inefficient as a single regex, but is fairly simple if you break it
down into two or more pieces. That's where subtests and meta rules come
in. Sometimes a good spam rule results from combining the results of one
test in one header, another in a different header, and a third in the
body. This kind of thing is only practical with meta rules.
Are those showing positive/negative hits ?
Neither. The subtests by themselves indicate nothing. ie: __HAS_SUBJECT
means just that.. there is a subject header present.. Nothing else.
I have verified manually that the ip being scanned is listed in zen.spamhaus:
122.156.133.252
Interesting.. do your RCVD_IN_* tests normally fire off? (ie: you might
want to look at if SA thinks DNS is available and functioning in your
debug output..)
I can attach a copy of the message if needed.
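
The sub-rule and meta mechanism described in the reply above, written out as SpamAssassin rules. This is an added example, not part of the original thread; every LOCAL_* name, pattern and score in it is hypothetical.

```conf
# Added example for local.cf. All rule names, patterns and scores are hypothetical.

# Sub-rules: the name starts with "__", so the rule has no score of its own
# and shows up under "subtests=" in debug output, never under "tests=".
header  __LOCAL_FROM_FREEMAIL  From =~ /\@(?:hotmail|yahoo)\.com\b/i
header  __LOCAL_SUBJ_URGENT    Subject =~ /\burgent\b/i
header  __LOCAL_HAS_REFS       exists:References
body    __LOCAL_BODY_WIRE      /\bwire transfer\b/i

# Boolean form, A and (B or not C): pieces from two headers and the body
# are combined into one scored rule.
meta      LOCAL_FREEMAIL_PITCH  (__LOCAL_FROM_FREEMAIL && (__LOCAL_BODY_WIRE || !__LOCAL_HAS_REFS))
describe  LOCAL_FREEMAIL_PITCH  Freemail plus wire text or no References
score     LOCAL_FREEMAIL_PITCH  1.5

# Arithmetic form, A + B + C > 1: fires when two or more sub-rules hit.
meta      LOCAL_MULTI_HINT      ((__LOCAL_FROM_FREEMAIL + __LOCAL_SUBJ_URGENT + __LOCAL_BODY_WIRE) > 1)
describe  LOCAL_MULTI_HINT      Two or more local hint sub-rules matched
score     LOCAL_MULTI_HINT      1.0
```

Run `spamassassin --lint` after adding rules like these to catch syntax errors before they reach production mail. Only the two meta rules can appear in `tests=` and contribute to the score.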