On Thu, 10 Jan 2013, Ben Johnson wrote:

So, at this point, I'm struggling to understand how the following happened.

Over the course of 15 minutes, I received the same exact message four
times. Each time, the message was sent to the same recipient mailbox.
The "From" and "Return-Path" headers changed slightly each time, but the
message bodies appear to be identical.

Here are the X-Spam-Status headers for each message:

1:28 PM

Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
URIBL_WS_SURBL=1.608] autolearn=disabled

1:35 PM

No, score=-0.374 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RDNS_NONE=0.793,
SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01] autolearn=disabled

1:36 PM

Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
URIBL_WS_SURBL=1.608] autolearn=disabled

1:41 PM

Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
URIBL_WS_SURBL=1.608] autolearn=disabled

Questions:

1.) I have a fairly well-trained Bayes DB; why on earth does a message
with the subject "Cash Quick? Get up to 1500 Now", and an equally
nefarious body, trigger BAYES_00?

2.) Why weren't network tests performed on message 2 of 4? This seems to
be evidence of the fact that network tests are not being performed some
percentage of the time, which could very well be at the root of this
whole problem.

How many MTAs do you have? Is it possible the low-scoring one went via a different MTA?

Have you stopped amavisd, killed all of the amavis processes, and restarted it?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Maxim I: Pillage, _then_ burn.
-----------------------------------------------------------------------
 7 days until Benjamin Franklin's 307th Birthday
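
The header comparison discussed in this thread can be done mechanically. The following is an added example, not part of either poster's message: it parses two of the quoted X-Spam-Status values, lists the rules present in message 1 but absent from message 2, and checks how much of the score gap those rules explain. The function names and the prefix-based classification of network rules are assumptions made for this example.

```python
import re

# X-Spam-Status values for messages 1 and 2, copied from the thread above.
HEADERS = {
    "1:28 PM": """Yes, score=7.008 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
 HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449,
 RCVD_IN_CSS=1, RCVD_IN_XBL=0.375, RDNS_NONE=0.793, SPF_PASS=-0.001,
 T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25,
 URIBL_WS_SURBL=1.608] autolearn=disabled""",
    "1:35 PM": """No, score=-0.374 tagged_above=-999 required=2 tests=[BAYES_00=-1.9,
 HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RDNS_NONE=0.793,
 SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01] autolearn=disabled""",
}

# Assumption: rule names with these prefixes are DNS blocklist lookups.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_")
STATUS_RE = re.compile(r"(Yes|No), score=(-?[\d.]+) .*?tests=\[(.*?)\]")


def parse_status(value):
    """Return (is_spam, score, {rule: points}) for one X-Spam-Status value."""
    flat = " ".join(value.split())  # unfold the header's continuation lines
    m = STATUS_RE.match(flat)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % flat[:40])
    tests = {}
    for item in m.group(3).split(","):
        name, _, points = item.strip().partition("=")
        if name:
            tests[name] = float(points) if points else 0.0
    return m.group(1) == "Yes", float(m.group(2)), tests


def compare(reference, suspect):
    """Rules hit by reference but not suspect, and the score gap they explain."""
    _, ref_score, ref_tests = parse_status(reference)
    _, sus_score, sus_tests = parse_status(suspect)
    missing = {r: p for r, p in ref_tests.items() if r not in sus_tests}
    return {
        "missing_network": sorted(r for r in missing if r.startswith(NETWORK_PREFIXES)),
        "missing_other": sorted(r for r in missing if not r.startswith(NETWORK_PREFIXES)),
        "score_gap": round(ref_score - sus_score, 3),
        "explained": round(sum(missing.values()), 3),
    }


if __name__ == "__main__":
    print(compare(HEADERS["1:28 PM"], HEADERS["1:35 PM"]))
```

When `explained` equals `score_gap` and `missing_other` is empty, the two verdicts differ only by the blocklist rules, which narrows the search to why those lookups did not fire for that one delivery.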
