On 10-01-13 19:55, Ben Johnson wrote:
> 
> 
> On 1/10/2013 1:06 PM, RW wrote:
>> On Thu, 10 Jan 2013 12:48:07 -0500
>> Ben Johnson wrote:
>>> Upon further consideration, this behavior makes perfect sense if the
>>> mailbox user has moved the message from Inbox to Junk between scans;
>>> Dovecot's Antispam filter is in use on this server. This action would
>>> cause the message tokens to be added to the Bayes database, which
>>> explains why the SA score is higher on subsequent scans, even with
>>> network tests disabled.
>>
>> Also by turning-off network tests you switch to a different score set so
>> the score for RDNS_NONE rose.
>>
> 
> Ahh; I didn't realize that disabling network tests changes the score set
> entirely. Thanks for the clarification there.
> 
> So, at this point, I'm struggling to understand how the following happened.
> 
> Over the course of 15 minutes, I received the same exact message four
> times. Each time, the message was sent to the same recipient mailbox.
> The "From" and "Return-Path" headers changed slightly each time, but the
> message bodies appear to be identical.
> 
> Here are the X-Spam-Status headers for each message:
> 
> 1:28 PM
> 
> Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
> RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
> T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
> URIBL_WS_SURBL=1.608] autolearn=disabled
> 
> 1:35 PM
> 
> No, score=-0.374 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RDNS_NONE=0.793,
> SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01] autolearn=disabled
> 
> 1:36 PM
> 
> Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
> RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
> T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
> URIBL_WS_SURBL=1.608] autolearn=disabled
> 
> 1:41 PM
> 
> Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
> HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
> RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
> T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
> URIBL_WS_SURBL=1.608] autolearn=disabled
> 
> Questions:
> 
> 1.) I have a fairly well-trained Bayes DB; why on earth does a message
> with the subject "Cash Quick? Get up to 1500 Now", and an equally
> nefarious body, trigger BAYES_00?

This will solely depend on the contents of your bayes db. Is this shared
between users, etc etc. No good answer ready without looking at it.

> 2.) Why weren't network tests performed on message 2 of 4? This seems to
> be evidence of the fact that network tests are not being performed some
> percentage of the time, which could very well be at the root of this
> whole problem.

The fact that not a single network test was triggered is indeed
suspicious. The DNSBL tests are of course sender dependent, but
if the body is the same the URIBL stuff should fire. Maybe your DNS
queries timed out because your DNS setup is borked? Maybe you should
temporarily enable debug logging for dns lookups in spamassassin?

--
Tom
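
An added example, not part of the original thread: a Python sketch that parses the four X-Spam-Status values quoted above and reports which scan is missing DNSBL/URIBL hits that fired on its siblings, and how many points that cost. Treating the `RCVD_IN_` and `URIBL_` name prefixes as "DNS blocklist rule" is a naming heuristic assumed here, and the function names are hypothetical.

```python
import re

NET_PREFIXES = ("RCVD_IN_", "URIBL_")  # assumed naming heuristic for DNSBL/URIBL rules

# X-Spam-Status values as quoted in the thread (scans 1, 3 and 4 are identical).
FULL = ("Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, "
        "HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, "
        "RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001, "
        "T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25, "
        "URIBL_WS_SURBL=1.608] autolearn=disabled")
PARTIAL = ("No, score=-0.374 tagged_above=-999 required=2 tests=[BAYES_00=-1.9, "
           "HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RDNS_NONE=0.793, "
           "SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01] autolearn=disabled")
SCANS = {"1:28 PM": FULL, "1:35 PM": PARTIAL, "1:36 PM": FULL, "1:41 PM": FULL}

STATUS_RE = re.compile(r"(Yes|No), score=(-?[\d.]+) .*?tests=\[(.*?)\]")


def parse_status(value):
    """Return (is_spam, score, {rule: points}) for one X-Spam-Status value."""
    m = STATUS_RE.match(" ".join(value.split()))  # split/join undoes header folding
    if not m:
        raise ValueError("unrecognised X-Spam-Status value: %r" % value)
    rules = {}
    for item in filter(None, (s.strip() for s in m.group(3).split(","))):
        name, _, points = item.partition("=")
        rules[name] = float(points)
    return m.group(1) == "Yes", float(m.group(2)), rules


def missing_network_hits(scans):
    """For each scan, list DNSBL/URIBL rules that fired on a sibling scan but not here."""
    parsed = {label: parse_status(v)[2] for label, v in scans.items()}
    seen = {}  # every network rule observed on any scan, with its points
    for rules in parsed.values():
        seen.update({r: p for r, p in rules.items() if r.startswith(NET_PREFIXES)})
    report = {}
    for label, rules in parsed.items():
        missing = sorted(set(seen) - set(rules))
        if missing:
            report[label] = (missing, round(sum(seen[r] for r in missing), 3))
    return report


if __name__ == "__main__":
    for label, (missing, lost) in missing_network_hits(SCANS).items():
        print("%s: %d network rules absent, %.3f points lost: %s"
              % (label, len(missing), lost, ", ".join(missing)))
```

The points lost on the 1:35 PM scan equal the full gap between the two scores, so the absent blocklist hits alone account for the message falling under the required=2 threshold.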
