
dbfunk at engineering
Jul 1, 2012, 9:34 PM
Post #4 of 9
On Sun, 1 Jul 2012, server wrote:

> On 7/1/2012 7:29 PM, John Hardin wrote:
>> On Sun, 1 Jul 2012, server wrote:
>>
>>> I am getting this
>>>
>>> -39.4 points, 5.2 required
>>>
>>> and it is tagging as spam.
>>>
>>> Why?
>>
>> We can't possibly do more than guess without seeing the actual headers on
>> such a message, as well as having some information about what your MTA is
>> and how you have SA glued onto it.
>>
> Sorry I thought it was something simple that I have overlooked.
>
> Exim 4.77
> spamd_address = 127.0.0.1 783
> # put headers in all messages (no matter if spam or not)
> warn message = X-Spam-Score: $spam_score ($spam_bar)
>      spam = BOGUS:true
>
> warn message = X-Spam-Report: $spam_report
>      spam = BOGUS:true
>
> # add second subject line with *SPAM* marker when message
> # is over threshold
> warn message = Subject: *THIS IS SPAM* $h_Subject:
>      spam = BOGUS
>
> # reject spam at high scores (> 5.2)
> deny message = This message scored $spam_score spam points.
>      spam = BOGUS:true
>      condition = ${if >{$spam_score_int}{52}{1}{0}}
>
> What part of the header should I post?
>
>
> This is a C/P from my log (exact with a couple of edits where you see blah
> blah blah and my tld info)
> ****************************
>
> X-HELO-Warning: Remote host xx.xx.xx.xx incorrectly presented itself as
> [192.168.1.100]
> X-Spam-Score: -39.4 (---------------------------------------)
> X-Spam-Report: Spam detection software, running on the system "my tld", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email. If you have any questions, see
> postmaster for details.
> Content preview: -------- Original Message -------- Subject: Maxine's
> Memorial
> Date: Sat, 30 Jun 2012 16:49:59 -0400 (EDT) From: blah blah blah
> Content analysis details: (-39.4 points, 5.2 required)
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  -48 ALL_TRUSTED            Passed through trusted hosts only via SMTP
> -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
>                             domain
>  1.8 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
>  0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.4309]
>  2.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
>  2.5 LOTS_OF_MONEY          Huge... sums of money
> X-Spam-Score: 8.7 (++++++++)
> X-Spam-Report: Spam detection software, running on the system
> "server.edschooler.com", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email. If you have any questions, see
> postmaster for details.
> Content preview: -------- Original Message -------- Subject: Maxine's
> Memorial
> Date: Sat, 30 Jun 2012 16:49:59 -0400 (EDT) From: same blah blah blah
>
>
> Content analysis details: (8.7 points, 5.2 required)
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
>                             domain
>  1.8 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
>  0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5000]
>  2.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
>                             necessarily valid
>  2.5 LOTS_OF_MONEY          Huge... sums of money
>  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
> Subject: *THIS IS SPAM* Fwd: Maxine's Memorial
>
> *****************************************************

There are at least a couple of things wrong here.

1) where did that -48 points score for ALL_TRUSTED come from? That's not a
standard SA score for that rule.

2) it appears that this message has been passed thru SA at least twice.
That's tricky to do correctly and get valid scores, even with the best of
configurations. Given this message has two different spam-score headers
with wildly differing values, your setup is broken.

3) a proper SA installation should always add a Checker-Version header,
regardless of whether the message is spam or ham. In what you've posted
it's missing, so either you've left out that part or your kit is broken
in a way that it doesn't get added.

As I've never used Exim, I cannot comment on your mail server config.

Can you capture a copy of a message as it enters your system -before- you
feed it to SA to see what headers the message already has?
There may be some up-stream system that is doing SA processing on your
mail. If so, you either need to get them to not do that, not run your own
SA & be willing to accept their scoring, or find some other way to get
unfiltered mail service.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
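
The three symptoms listed in the reply above (one rule with an outsized score, more than one X-Spam-Score header, no X-Spam-Checker-Version header) can be checked mechanically on a captured message. The Python sketch below is an added example, not part of the original post: the sample message is constructed and abridged from the headers quoted in the thread, and the "outsized" test (a single rule whose score exceeds the required threshold on its own) is an assumed heuristic, not a SpamAssassin rule.

```python
import re
from email import message_from_string

# Constructed sample, abridged from the headers quoted in the thread.
SAMPLE = """\
X-Spam-Score: -39.4 (---------------------------------------)
X-Spam-Report: Content analysis details: (-39.4 points, 5.2 required)
  -48 ALL_TRUSTED Passed through trusted hosts only via SMTP
  1.8 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
X-Spam-Score: 8.7 (++++++++)
X-Spam-Report: Content analysis details: (8.7 points, 5.2 required)
  1.8 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
  2.5 LOTS_OF_MONEY Huge... sums of money
Subject: *THIS IS SPAM* Fwd: Maxine's Memorial

body text
"""

NUM = r"-?\d+(?:\.\d+)?"
RULE_LINE = re.compile(rf"^\s*({NUM})\s+([A-Z][A-Z0-9_]+)\b", re.M)
REQUIRED = re.compile(rf"\(\s*{NUM}\s+points,\s+({NUM})\s+required\)")

def audit(raw):
    """Return (finding, detail) tuples for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # More than one score header means the message was scanned more than once.
    scores = []
    for v in msg.get_all("X-Spam-Score", []):
        m = re.match(NUM, v.strip())
        if m:
            scores.append(float(m.group()))
    if len(scores) > 1:
        findings.append(("multiple-score-headers", scores))
    # SpamAssassin normally adds this header to ham and spam alike.
    if msg.get("X-Spam-Checker-Version") is None:
        findings.append(("missing-checker-version", None))
    # Assumed heuristic: one rule outweighing the whole threshold is suspect.
    for report in msg.get_all("X-Spam-Report", []):
        req = REQUIRED.search(report)
        if not req:
            continue
        for pts, rule in RULE_LINE.findall(report):
            if abs(float(pts)) > float(req.group(1)):
                findings.append(("outsized-rule-score", (rule, float(pts))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it on a copy captured before the local SpamAssassin pass shows whether the X-Spam-* headers were already present when the message arrived.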