On 2013/01/14 10:24, Ben Johnson wrote:
On 1/11/2013 4:27 PM, Ben Johnson wrote:
I enabled Amavis's SA debugging mode on the server in question and was
able to extract the debug output for two messages that seem like they
should definitely be classified as spam.
Message #1: http://pastebin.com/xLMikNJH
Message #2: http://pastebin.com/Ug78tPrt
A couple points of note and a couple of questions:
a.) There seems to be plenty of network activity, but I don't see any
"results" (for lack of a better term) for those queries. The final
X-Spam-Status header that is generated looks like this:
No, score=1.592 tagged_above=-999 required=2 tests=[BAYES_50=0.8,
RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=disabled
Does the absence of network tests in the resultant header simply mean
that none of the network tests contributed to the score? If so, why
might that be? Are these messages simply "too new" to appear in any
blacklists?
b.) The scores for both messages are identical, which, I suppose, is not
surprising, given that the same exact tests were performed and produced
the same exact results. Is this normal?
c.) 45 minutes after receiving Message #2 from above, I received a very
similar message. The subjects varied only in dollar amount advertised,
and the bodies varied only in the hyperlink URLs and the footer/signature.
Here's the debug output: http://pastebin.com/sLMgXrf5
The second message was scored at 14.75, which seems much better. Of
course, the second score was so much higher because the
network/blacklist tests contributed significantly.
Is the conclusion to be drawn the same as in a) (these messages are "too
new" to appear in blacklists)?
One final point of concern on this item: the Bayes score for the first
of the two emails was BAYES_50=0.8, and I fed the message through
sa-learn as spam shortly after it arrived. Yet, the Bayes score for the
second message was BAYES_40=-0.001 -- *lower* than the first. How could
this be? Is there some rational explanation?
Thanks for all the help here, guys!
-Ben
Nobody?
A clear pattern has emerged: the X-Spam-Status headers for very
obviously spammy messages never contain evidence that network tests
contributed to their SA scores.
Ultimately, I need to know whether:
a.) Network tests are not being run at all for these messages
b.) Network tests are being run, but are failing in some way
c.) Network tests are being run, and are succeeding, but return
responses that do not contribute to the messages' scores
I've had a look at the log entries to which I link in my previous
message and I just need a little help interpreting the "dns" and "async"
messages.
Ben, do be aware that sometimes you draw the short straw and sit at the
very start of the spam distribution cycle. In those cases the BLs will
generally not have been alerted yet so they may not trigger. For those
situations the rules should be your friends. (I still use my treasured
set of SARE rules and personally hand crafted rules my partner and I
have created that fit OUR needs but may not be good general purpose
rules.)
{^_^}
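An added example for the question raised in the thread (how to tell from an X-Spam-Status header whether network tests contributed). This is not code from the thread or from SpamAssassin/Amavis; it is a small Python parser written for this page. It classifies rules as "network" by name prefix (RCVD_IN_, URIBL_, RAZOR2_, PYZOR_, DCC_, SPF_, DKIM_), which is a heuristic assumed here; the authoritative marker is the rule's "tflags net" in the rule files, which the header does not carry. HEADER_1 is the header quoted above; HEADER_2 is a constructed sample whose rule names are real SpamAssassin rule families but whose scores are made up.

```python
import re
from typing import Dict, List, Tuple

# Rule-name families that SpamAssassin implements with DNS or other network
# lookups (DNSBL, URIBL, Razor, Pyzor, DCC, SPF, DKIM). Prefix matching is a
# heuristic chosen for this example (assumption); the rule files' "tflags net"
# is the authoritative source, and the header does not include it.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "PYZOR_", "DCC_",
                    "SPF_", "DKIM_")

_HEAD_RE = re.compile(r"^(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)")
_REQ_RE = re.compile(r"\brequired=(?P<required>-?\d+(?:\.\d+)?)")
_TESTS_RE = re.compile(r"\btests=\[(?P<tests>[^\]]*)\]")


def parse_spam_status(header: str) -> Dict:
    """Parse an Amavis-style X-Spam-Status value into a dict.

    Accepts the raw header, folded or not, with or without the
    'X-Spam-Status:' field name. Returns verdict, score, required and the
    ordered list of (rule, score) pairs taken from tests=[...].
    """
    value = " ".join(header.split())              # unfold continuation lines
    if value.lower().startswith("x-spam-status:"):
        value = value.split(":", 1)[1].strip()
    head = _HEAD_RE.match(value)
    if head is None:
        raise ValueError("not an X-Spam-Status value: %r" % value[:40])
    tests: List[Tuple[str, float]] = []
    tm = _TESTS_RE.search(value)
    if tm and tm.group("tests").strip() not in ("", "none"):
        for item in tm.group("tests").split(","):
            name, _, score = item.strip().partition("=")
            tests.append((name, float(score) if score else 0.0))
    rq = _REQ_RE.search(value)
    return {
        "verdict": head.group("verdict"),
        "score": float(head.group("score")),
        "required": float(rq.group("required")) if rq else None,
        "tests": tests,
    }


def is_network_rule(name: str) -> bool:
    """Heuristic: does this rule name belong to a network-lookup family?"""
    return name.startswith(NETWORK_PREFIXES)


def summarize(header: str) -> Dict:
    """Split listed rule scores into network vs. local contributions and
    check that the listed scores add up to the reported total."""
    p = parse_spam_status(header)
    net = [(n, s) for n, s in p["tests"] if is_network_rule(n)]
    local = [(n, s) for n, s in p["tests"] if not is_network_rule(n)]
    net_total = sum(s for _, s in net)
    local_total = sum(s for _, s in local)
    p["network_hits"] = [n for n, _ in net]
    p["network_contribution"] = round(net_total, 3)
    p["local_contribution"] = round(local_total, 3)
    # Every rule that hit is listed with its score, so the listed scores
    # should sum to score= up to rounding. A mismatch means the header was
    # truncated or rewritten somewhere downstream of SpamAssassin.
    p["score_consistent"] = abs(net_total + local_total - p["score"]) < 0.0005
    return p


# Header quoted in the thread above (message #1), folded as a mail header.
HEADER_1 = ("X-Spam-Status: No, score=1.592 tagged_above=-999 required=2 "
            "tests=[BAYES_50=0.8,\n\tRDNS_NONE=0.793, SPF_PASS=-0.001] "
            "autolearn=disabled")

# Constructed sample (not from the thread): the shape of header the later,
# higher-scoring message would carry. Rule names are real SpamAssassin rule
# families; the individual scores are made up so that they total 14.75.
HEADER_2 = ("X-Spam-Status: Yes, score=14.75 tagged_above=-999 required=2 "
            "tests=[BAYES_40=-0.001, RDNS_NONE=0.793, HTML_MESSAGE=0.001, "
            "RCVD_IN_XBL=3.0, RCVD_IN_PBL=3.335, URIBL_BLACK=1.7, "
            "URIBL_JP_SURBL=1.25, URIBL_WS_SURBL=1.0, URIBL_DBL_SPAM=1.7, "
            "RAZOR2_CHECK=0.922, PYZOR_CHECK=1.05] autolearn=disabled")


if __name__ == "__main__":
    for h in (HEADER_1, HEADER_2):
        s = summarize(h)
        print("%s score=%.3f network=%s (%.3f) local=%.3f consistent=%s" % (
            s["verdict"], s["score"], s["network_hits"],
            s["network_contribution"], s["local_contribution"],
            s["score_consistent"]))
```

What the header can and cannot tell you: it lists only rules that hit, so it shows which network rules fired and how much they added, but it cannot separate "network tests were never run" from "they ran and the sender was not listed". Both look the same in tests=[...]; distinguishing them needs the spamd debug log (the dns and async lines). Note that SPF_PASS itself depends on a DNS lookup, so its presence in HEADER_1 shows at least one network query completed for that message, even though no blocklist listed it.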