On 1/11/2013 4:27 PM, Ben Johnson wrote:
> I enabled Amavis's SA debugging mode on the server in question and was
> able to extract the debug output for two messages that seem like they
> should definitely be classified as spam.
>
> Message #1: http://pastebin.com/xLMikNJH
>
> Message #2: http://pastebin.com/Ug78tPrt
>
> A couple points of note and a couple of questions:
>
> a.) There seems to be plenty of network activity, but I don't see any
> "results" (for lack of a better term) for those queries. The final
> X-Spam-Status header that is generated looks like this:
>
> No, score=1.592 tagged_above=-999 required=2 tests=[BAYES_50=0.8,
> RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=disabled
>
> Does the absence of network tests in the resultant header simply mean
> that none of the network tests contributed to the score? If so, why
> might that be? Are these messages simply "too new" to appear in any
> blacklists?
>
> b.) The scores for both messages are identical, which, I suppose, is not
> surprising, given that the same exact tests were performed and produced
> the same exact results. Is this normal?
>
> c.) 45 minutes after receiving Message #2 from above, I received a very
> similar message. The subjects varied only in dollar amount advertised,
> and the bodies varied only in the hyperlink URLs and the footer/signature.
>
> Here's the debug output: http://pastebin.com/sLMgXrf5
>
> The second message was scored at 14.75, which seems much better. Of
> course, the second score was so much higher because the
> network/blacklist tests contributed significantly.
>
> Is the conclusion to be drawn the same as in a) (these messages are "too
> new" to appear in blacklists)?
>
> One final point of concern on this item: the Bayes score for the first
> of the two emails was BAYES_50=0.8, and I fed the message through
> sa-learn as spam shortly after it arrived. Yet, the Bayes score for the
> second message was BAYES_40=-0.001 -- *lower* than the first. How could
> this be? Is there some rational explanation?
>
> Thanks for all the help here, guys!
>
> -Ben

Nobody?

A clear pattern has emerged: the X-Spam-Status headers for very obviously spammy messages never contain evidence that network tests contributed to their SA scores.

Ultimately, I need to know whether:

a.) Network tests are not being run at all for these messages

b.) Network tests are being run, but are failing in some way

c.) Network tests are being run, and are succeeding, but return responses that do not contribute to the messages' scores

I've had a look at the log entries to which I link in my previous message and I just need a little help interpreting the "dns" and "async" messages.

Thanks for any insight,

-Ben
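
One way to check many X-Spam-Status headers for hits on network-dependent rules, added here as an example and not part of the original post. The prefix list is an assumption about stock SpamAssassin rule names, the function names are hypothetical, and the second sample header is constructed.

```python
import re

# Assumption: name prefixes of stock rules that depend on DNS or other
# network lookups; adjust this tuple to the locally installed rule set.
NET_PREFIXES = ("RCVD_IN_", "URIBL_", "SPF_", "DKIM_", "RAZOR2_", "PYZOR_", "DCC_")

# Header quoted in the post (folded over two lines, as delivered).
POSTED = ("No, score=1.592 tagged_above=-999 required=2 tests=[BAYES_50=0.8,\n"
          " RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=disabled")
# Constructed sample: a header in which blacklist rules did hit.
CONSTRUCTED = ("Yes, score=4.0 tagged_above=-999 required=2 tests=[BAYES_50=0.8,\n"
               " RCVD_IN_XBL=0.7, RDNS_NONE=0.8, URIBL_BLACK=1.7] autolearn=disabled")

def parse_status(header):
    """Parse an Amavis-style X-Spam-Status value into score, threshold, tests."""
    text = " ".join(header.split())  # unfold continuation lines
    m = re.search(r"score=(-?[\d.]+).*?required=(-?[\d.]+).*?tests=\[(.*?)\]", text)
    if not m:
        raise ValueError("unrecognized X-Spam-Status value")
    tests = {}
    for item in m.group(3).split(","):
        name, _, value = item.strip().partition("=")
        if name:  # an empty tests=[] list yields one empty item
            tests[name] = float(value)
    return {"score": float(m.group(1)), "required": float(m.group(2)), "tests": tests}

def network_hits(parsed):
    """Return the hit rules whose names match a network-dependent prefix."""
    return {n: s for n, s in parsed["tests"].items() if n.startswith(NET_PREFIXES)}

def summarize(headers):
    """Per message: (total score, network rule names, points from those rules)."""
    rows = []
    for h in headers:
        p = parse_status(h)
        hits = network_hits(p)
        rows.append((p["score"], sorted(hits), round(sum(hits.values()), 3)))
    return rows

if __name__ == "__main__":
    for score, names, net_points in summarize([POSTED, CONSTRUCTED]):
        print(f"score={score:<6} network rules={names} network points={net_points}")
```

The header only lists rules that hit, so an empty result here does not by itself distinguish lookups that never ran from lookups that returned no listing; that distinction has to come from the debug log.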