On Mon, 2009-03-09 at 12:06 -0500, Chris Barnes wrote:
> I read through a BUNCH of the previous posts that seemed similar, but 
> never really saw how to go about fixing this sort of problem.
> 
> I am getting a BUNCH of spam messages which are coming in with header 
> information similar to this:
> 
> X-Spam-Status: No, score=-4.0 required=5.0 tests=AWL, BAYES_00, 
> HTML_MESSAGE, MIME_HTML_ONLY, RCVD_IN_DNSWL_MED, SPF_SOFTFAIL, 
> URIBL_GREY autolearn=ham version=3.2.5

The AWL score for this message is minimal (one can tell by calculating
the stock rules' scores without it). Your problem here is BAYES_00 and
RCVD_IN_DNSWL_MED.

BAYES_00 means your Bayes DB is pretty skewed. You should train sa-learn
on these messages.

RCVD_IN_DNSWL_MED is a -4 alone. So either (a) your trusted_networks
should be expanded, or (b) the IP in question needs to be removed from
DNSWL.org. Can't tell without seeing the full headers.

(We've recently had such an example with Debian mailing-list servers and
(unmoderated) list-post spam. Since the trusted_networks didn't include
the "trusted" mailing-list servers, that server was tested rather than
the actual offending sender's IP. Hence a negative score for servers that
do not *originate* spam...)


> Q1: how did these addresses (which are all pretty obviously spam and 
> none of which are in our own domain) get into the AWL to begin with?

As John said, AWL is a pure score averager, based on the sender's
address and IP. I guess in such a case as outlined as an example above,
they appear to come from the list server (thus sharing a /24 netblock),
instead of all using their actual originating network...

Also see these for reference:
  http://wiki.apache.org/spamassassin/AutoWhitelist
  http://wiki.apache.org/spamassassin/AwlWrongWay


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
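
The trusted_networks effect described in the reply above, as an added example that is not part of the original message and not SpamAssassin's own code: a simplified Python model of which relay IP ends up being tested against lists such as DNSWL. The function name, IP addresses and networks are constructed for illustration.

```python
import ipaddress


def first_untrusted_relay(relay_ips, trusted_networks):
    """Return the relay IP that network tests such as DNSWL would be run on.

    relay_ips: IPs taken from the Received headers, newest first (the first
    entry is the host that connected to our own MX).
    Simplified model: walk back through the chain while each relay lies
    inside trusted_networks; the first relay outside is the one tested.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None  # every relay was trusted; nothing external to test


# Constructed sample: list-post spam relayed through a mailing-list server.
LIST_SERVER = "192.0.2.25"    # hypothetical list server, listed on a DNS whitelist
SPAM_ORIGIN = "203.0.113.77"  # hypothetical host that posted the spam to the list
CHAIN = [LIST_SERVER, SPAM_ORIGIN]

OWN_NETS = ["198.51.100.0/24"]           # trusted_networks covering own hosts only
EXPANDED = OWN_NETS + ["192.0.2.25/32"]  # same, with the list server added


def demo():
    """Return the tested IP before and after expanding trusted_networks."""
    return (first_untrusted_relay(CHAIN, OWN_NETS),
            first_untrusted_relay(CHAIN, EXPANDED))


if __name__ == "__main__":
    before, after = demo()
    print("tested with own networks only:  ", before)  # the list server
    print("tested with list server trusted:", after)   # the actual origin
```

With only the local network trusted, the whitelisted list server is the IP that gets looked up; once the list server is inside trusted_networks, the lookup moves to the host that actually originated the message.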
