On 11/4/2014 11:33 AM, btb wrote:
hello-

i've noticed lately a trend in which two messages which appear to be identical arrive a few minutes apart, and one is marked as spam while the other is not. aside from time stamps, queue ids, etc, i believe the headers and content of the two messages to be identical. i can see obvious differences in the X-Spam-Status: headers, but i'm not sure how to figure out why one of the messages seems to match so many more rules. here are the X-Spam-Status: headers from one such set of examples:

X-Spam-Status: No, score=-0.597 required=5 tests=[BAYES_20=-0.001,
    RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
    autolearn=ham autolearn_force=no

X-Spam-Status: Yes, score=6.9 required=5 tests=[AWL=-7.497, BAYES_50=0.8,
    DIGEST_MULTIPLE=0.293, KAM_VERY_BLACK_DBL=5, PYZOR_CHECK=1.392,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5]
    autolearn=spam autolearn_force=no

here are the full message sources.  i hope it's ok i've anonymized them.

http://dpaste.com/0V2W8KW - not spam
http://dpaste.com/1SWPF1J - spam

The first message does not hit any network tests and is marked as ham. The second matches Razor2, Pyzor, and URIBL and is marked as spam. This could be caused by two things that I can think of offhand:

1) When the first message arrived, the IPs and URIs were not listed on the blacklists, so it was marked as ham. By the time the second message came in, the blacklists had caught up and were now listing them.

2) When the first message came through, your system failed to query the network tests (DNS problem, networking issue, etc). When the second message came in, the problem had resolved itself and you get the extra hits from the network tests.

Since you say this has been happening regularly, #2 is unlikely. The most likely answer is that you are getting hit with a brand new spam run that is taking a few minutes to get caught by the blacklists.

--
Bowie
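
To see which rules account for the gap between the two verdicts, the two X-Spam-Status headers quoted above can be parsed and diffed. This is an added example, not part of the original thread; `NETWORK_PREFIXES` is an assumption that covers only the checks the reply names (Razor2, Pyzor, URIBL), and the parser assumes the bracketed `tests=[RULE=score, ...]` form shown in the post.

```python
import re

# The two headers exactly as quoted in the message above.
HAM = """X-Spam-Status: No, score=-0.597 required=5 tests=[BAYES_20=-0.001,
    RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
    autolearn=ham autolearn_force=no"""
SPAM = """X-Spam-Status: Yes, score=6.9 required=5 tests=[AWL=-7.497, BAYES_50=0.8,
    DIGEST_MULTIPLE=0.293, KAM_VERY_BLACK_DBL=5, PYZOR_CHECK=1.392,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5]
    autolearn=spam autolearn_force=no"""

# Assumption: prefixes for the network checks named in the reply.
NETWORK_PREFIXES = ("RAZOR2_", "PYZOR_", "URIBL_")

STATUS_RE = re.compile(
    r"X-Spam-Status: (Yes|No), score=(-?[\d.]+) required=(-?[\d.]+) tests=\[(.*?)\]")

def parse_status(header):
    """Return (is_spam, score, required, {rule: score}) for one header."""
    flat = re.sub(r"\s+", " ", header)          # unfold continuation lines
    m = STATUS_RE.match(flat)
    if not m:
        raise ValueError("expected X-Spam-Status with a tests=[...] list")
    tests = {}
    for item in m.group(4).split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), tests

def compare(first, second):
    """Split rules hit only by `second` into network and other; also rules only in `first`."""
    ta, tb = parse_status(first)[3], parse_status(second)[3]
    only_b = {r: s for r, s in tb.items() if r not in ta}
    network = {r: s for r, s in only_b.items() if r.startswith(NETWORK_PREFIXES)}
    other = {r: s for r, s in only_b.items() if r not in network}
    only_a = {r: s for r, s in ta.items() if r not in tb}
    return network, other, only_a

if __name__ == "__main__":
    network, other, only_first = compare(HAM, SPAM)
    print("network rules only on 2nd message:", sorted(network))
    print("points from those rules: %.3f" % sum(network.values()))
    print("other rules only on 2nd message:", sorted(other))
    print("rules only on 1st message:", sorted(only_first))
```
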
