On 1/10/2013 12:18 PM, Ben Johnson wrote: > > > On 1/10/2013 11:49 AM, RW wrote: >> On Thu, 10 Jan 2013 11:43:44 -0500 >> Ben Johnson wrote: >> >> >>> This observation begs the question: why are network tests being >>> performed for some messages but not others? To my knowledge, no >>> white/gray/black listing has been done on this box. >> >> As has already been said, the score from network tests is commonly a >> lot higher on retesting because of all the reporting that happened >> in-between. >> > > RW, > > I understand that, but that doesn't explain why if I retest a given > message by calling SpamAssassin directly, and I *disable network tests*, > the score is sometimes *higher* than when the message was scanned > initially with AMaViS. > > When this message came through initially, the X-Spam-Status header was: > > No, score=1.593 tagged_above=-999 required=2 tests=[BAYES_50=0.8, > HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=disabled > > About an hour later, I fed the same message to the spamassassin > executable, while disabling network tests: > > # spamassassin -L -t -D < /tmp/msg.txt > > Content analysis details: (5.0 points, 5.0 required) > > pts rule name description > ---- ---------------------- > -------------------------------------------------- > 3.8 BAYES_99 BODY: Bayes spam probability is 99 to 100% > [score: 1.0000] > 0.0 HTML_MESSAGE BODY: HTML included in message > 1.2 RDNS_NONE Delivered to internal network by a host with > no rDNS > > To restate the question, if network tests are not outright disabled in > Amavis, why is Amavis returning lower scores than the SA binary does > when called directly with network tests disabled? Shouldn't the SA score > with network tests disabled *always* be lower than or equal to the > Amavis score with network tests enabled (provided that all else is equal)? > > Or am I way off-base here? > > Thanks again, > > -Ben >
Upon further consideration, this behavior makes perfect sense if the mailbox user has moved the message from Inbox to Junk between scans; Dovecot's Antispam filter is in use on this server. This action would cause the message tokens to be added to the Bayes database, which explains why the SA score is higher on subsequent scans, even with network tests disabled. Sorry... I'm still trying to wrap my head around all of this. Lots of moving parts. -Ben
