ashak n00b
Joined: 19 Mar 2003 Posts: 11
|
Posted: Mon Jun 14, 2004 10:03 am Post subject: Spamassassin says everything is spam |
|
|
Hi,
I've been playing with spam assassin, but I'm having a problem.
I tried the two sample emails and I get the following:
Spam email:
Code: |
webserver spamassassin # spamassassin -P -t < /usr/share/doc/spamassassin-2.63/sample-spam.txt
The -P option has been removed.
Received: from localhost by webserver.******.co.uk
with SpamAssassin (2.63 2004-01-11);
Mon, 14 Jun 2004 09:14:02 +0100
From: Sender <sender@example.net>
To: Recipient <recipient@example.net>
Subject: *****SPAM***** Test spam mail (GTUBE)
Date: Wed, 23 Jul 2003 23:30:00 +0200
Message-Id: <GTUBE1.1010101@example.net>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
webserver.******.co.uk
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=1004.2 required=5.0 tests=DNS_FROM_RFCI_DSN,GTUBE,
PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=no
version=2.63
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_40CD5E4A.AA6FEBF7"
This is a multi-part message in MIME format.
------------=_40CD5E4A.AA6FEBF7
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "webserver.******.co.uk", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
root@localhost for details.
Content preview: This is the GTUBE, the Generic Test for Unsolicited
Bulk Email If your spam filter supports it, the GTUBE provides a test
by which you can verify that the filter is installed correctly and is
detecting incoming spam. You can send yourself a test mail containing
the following string of characters (in upper case and with no white
spaces and line breaks): [...]
Content analysis details: (1004.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
[cf: 100]
0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.3 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
1.4 DNS_FROM_RFCI_DSN RBL: From: sender listed in dsn.rfc-ignorant.org
------------=_40CD5E4A.AA6FEBF7
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Subject: Test spam mail (GTUBE)
Message-ID: <GTUBE1.1010101@example.net>
Date: Wed, 23 Jul 2003 23:30:00 +0200
From: Sender <sender@example.net>
To: Recipient <recipient@example.net>
Precedence: junk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
This is the GTUBE, the
Generic
Test for
Unsolicited
Bulk
Email
If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
You should send this test mail from an account outside of your network.
------------=_40CD5E4A.AA6FEBF7--
Spam detection software, running on the system "webserver.******.co.uk", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
root@localhost for details.
Content preview: This is the GTUBE, the Generic Test for Unsolicited
Bulk Email If your spam filter supports it, the GTUBE provides a test
by which you can verify that the filter is installed correctly and is
detecting incoming spam. You can send yourself a test mail containing
the following string of characters (in upper case and with no white
spaces and line breaks): [...]
Content analysis details: (1004.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
[cf: 100]
0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.3 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
1.4 DNS_FROM_RFCI_DSN RBL: From: sender listed in dsn.rfc-ignorant.org
|
Which seems to be fairly sensible, whereas if I use the nonspam sample, I get....
Code: |
webserver spamassassin # spamassassin -P -t < /usr/share/doc/spamassassin-2.63/sample-nonspam.txt
The -P option has been removed.
Return-Path: <tbtf-approval@world.std.com>
Delivered-To: foo@foo.com
Received: from europe.std.com (europe.std.com [199.172.62.20])
by mail.netnoteinc.com (Postfix) with ESMTP id 392E1114061
for <foo@foo.com>; Fri, 20 Apr 2001 21:34:46 +0000 (Eire)
Received: (from daemon@localhost)
by europe.std.com (8.9.3/8.9.3) id RAA09630
for tbtf-outgoing; Fri, 20 Apr 2001 17:31:18 -0400 (EDT)
Received: from sgi04-e.std.com (sgi04-e.std.com [199.172.62.134])
by europe.std.com (8.9.3/8.9.3) with ESMTP id RAA08749
for <tbtf@facteur.std.com>; Fri, 20 Apr 2001 17:24:31 -0400 (EDT)
Received: from world.std.com (world-f.std.com [199.172.62.5])
by sgi04-e.std.com (8.9.3/8.9.3) with ESMTP id RAA8278330
for <tbtf@facteur.std.com>; Fri, 20 Apr 2001 17:24:31 -0400 (EDT)
Received: (from dawson@localhost)
by world.std.com (8.9.3/8.9.3) id RAA26781
for tbtf@world.std.com; Fri, 20 Apr 2001 17:24:31 -0400 (EDT)
Received: from sgi04-e.std.com (sgi04-e.std.com [199.172.62.134])
by europe.std.com (8.9.3/8.9.3) with ESMTP id RAA07541
for <tbtf@facteur.std.com>; Fri, 20 Apr 2001 17:12:06 -0400 (EDT)
Received: from world.std.com (world-f.std.com [199.172.62.5])
by sgi04-e.std.com (8.9.3/8.9.3) with ESMTP id RAA8416421
for <tbtf@facteur.std.com>; Fri, 20 Apr 2001 17:12:06 -0400 (EDT)
Received: from [208.192.102.193] (ppp0c199.std.com [208.192.102.199])
by world.std.com (8.9.3/8.9.3) with ESMTP id RAA14226
for <tbtf@world.std.com>; Fri, 20 Apr 2001 17:12:04 -0400 (EDT)
Mime-Version: 1.0
Message-Id: <v0421010eb70653b14e06@[208.192.102.193]>
Date: Fri, 20 Apr 2001 16:59:58 -0400
To: tbtf@world.std.com
From: Keith Dawson <dawson@world.std.com>
Subject: TBTF ping for 2001-04-20: Reviving
Content-Type: text/plain; charset="us-ascii"
Sender: tbtf-approval@world.std.com
Precedence: list
Reply-To: tbtf-approval@europe.std.com
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
webserver.******.co.uk
X-Spam-Level:
X-Spam-Status: No, hits=0.1 required=5.0 tests=LINES_OF_YELLING,RCVD_IN_SORBS
autolearn=no version=2.63
-----BEGIN PGP SIGNED MESSAGE-----
TBTF ping for 2001-04-20: Reviving
T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t
Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994
Your Host: Keith Dawson
ISSN: 1524-9948
This issue: < http://tbtf.com/archive/2001-04-20.html >
To comment on this issue, please use this forum at Quick Topic:
< http://www.quicktopic.com/tbtf/H/kQGJR2TXL6H >
________________________________________________________________________
Q u o t e O f T h e M o m e n t
Even organizations that promise "privacy for their customers" rarely
if ever promise "continued privacy for their former customers..."
Once you cancel your account with any business, their promises of
keeping the information about their customers private no longer
apply... you're not a customer any longer.
This is in the large category of business behaviors that individuals
would consider immoral and deceptive -- and businesses know are not
illegal.
-- "_ankh," writing on the XNStalk mailing list
________________________________________________________________________
..TBTF's long hiatus is drawing to a close
Hail subscribers to the TBTF mailing list. Some 2,000 [1] of you
have signed up since the last issue [2] was mailed on 2000-07-20.
This brief note is the first of several I will send to this list to
excise the dead addresses prior to resuming regular publication.
While you time the contractions of the newsletter's rebirth, I in-
vite you to read the TBTF Log [3] and sign up for its separate free
subscription. Send "subscribe" (no quotes) with any subject to
tbtf-log-request@tbtf.com . I mail out collected Log items on Sun-
days.
If you need to stay more immediately on top of breaking stories,
pick up the TBTF Log's syndication file [4] or read an aggregator
that does. Examples are Slashdot's Cheesy Portal [5], Userland [6],
and Sitescooper [7]. If your news obsession runs even deeper and you
own an SMS-capable cell phone or PDA, sign up on TBTF's WebWire-
lessNow portal [8]. A free call will bring you the latest TBTF Log
headline, Jargon Scout [9] find, or Siliconium [10].
Two new columnists have bloomed on TBTF since last summer: Ted By-
field's roving_reporter [11] and Gary Stock's UnBlinking [12]. Late-
ly Byfield has been writing in unmatched depth about ICANN, but the
roving_reporter nym's roots are in commentary at the intersection of
technology and culture. Stock's UnBlinking latches onto topical sub-
jects and pursues them to the ends of the Net. These writers' voices
are compelling and utterly distinctive.
[1] http://tbtf.com/growth.html
[2] http://tbtf.com/archive/2000-07-20.html
[3] http://tbtf.com/blog/
[4] http://tbtf.com/tbtf.rdf
[5] http://www.slashdot.org/cheesyportal.shtml
[6] http://my.userland.com/
[7] http://www.sitescooper.org/
[8] http://tbtf.com/pull-wwn/
[9] http://tbtf.com/jargon-scout.html
[10] http://tbtf.com/siliconia.html
[11] http://tbtf.com/roving_reporter/
[12] http://tbtf.com/unblinking/
________________________________________________________________________
S o u r c e s
> For a complete list of TBTF's email and Web sources, see
http://tbtf.com/sources.html .
________________________________________________________________________
B e n e f a c t o r s
TBTF is free. If you get value from this publication, please visit
the TBTF Benefactors page < http://tbtf.com/the-benefactors.html >
and consider contributing to its upkeep.
________________________________________________________________________
TBTF home and archive at http://tbtf.com/ . To unsubscribe send
the message "unsubscribe" to tbtf-request@tbtf.com. TBTF is Copy-
right 1994-2000 by Keith Dawson, <dawson@world.std.com>. Commercial
use prohibited. For non-commercial purposes please forward, post,
and link as you see fit.
_______________________________________________
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQCVAwUBOuCi3WAMawgf2iXRAQHeAQQA3YSePSQ0XzdHZUVskFDkTfpE9XS4fHQs
WaT6a8qLZK9PdNcoz3zggM/Jnjdx6CJqNzxPEtxk9B2DoGll/C/60HWNPN+VujDu
Xav65S0P+Px4knaQcCIeCamQJ7uGcsw+CqMpNbxWYaTYmjAfkbKH1EuLC2VRwdmD
wQmwrDp70v8=
=8hLB
-----END PGP SIGNATURE-----
Spam detection software, running on the system "webserver.******.co.uk", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
root@localhost for details.
Content preview: -----BEGIN PGP SIGNED MESSAGE----- TBTF ping for
2001-04-20: Reviving T a s t y B i t s f r o m t h e T e c h n o l o g
y F r o n t [...]
Content analysis details: (0.1 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 LINES_OF_YELLING BODY: A WHOLE LINE OF YELLING DETECTED
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[208.192.102.199 listed in dnsbl.sorbs.net]
|
Ok... so here, we have a score of 0.1, 5.0 is required, yet spam assassin is saying that it's identifying this email as spam. Anyone have any ideas why it's doing this? I'm really stuck for ideas, I've searched these forums as best I can and I've looked through the spam assassin FAQ, but not been able to find anything even relating to it so far.
I just checked a server running at home, this machine is set up with exim running all of its email through spam assassin, just looking at a randomly selected email from my inbox, the headers say:
Code: |
X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software, running on the system "gateway.******.co.uk", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see root@localhost for details. Content preview:
<....SNIPPED....>
[...]
Content analysis details: (0.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 AWL AWL: Auto-whitelist adjustment
|
So this is marking absolutely every incoming mail as spam, even ones which have a score of 0.0. Both the server I'm working on here and the server at home are using spamassassin-2.63. Obviously it can't be related to exim as I haven't even emerged exim on the machine I'm working on here at work at the moment.
If it's any help, my local.cf file looks like this:
Code: |
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_subject 0
# report_safe 1
# trusted_networks 212.17.35.
# SpamAssassin config file for version 2.5x
# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)
# How many hits before a message is considered spam.
required_hits 5.0
# Whether to change the subject of suspected spam
rewrite_subject 1
# Text to prepend to subject if rewrite_subject is used
subject_tag *****SPAM*****
# Encapsulate spam in an attachment
report_safe 1
# Use terse version of the spam report
use_terse_report 0
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 0
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_languages all
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all
razor_config /etc/razor/razor-agent.conf
|
So, if anyone has any ideas... |
andyjeffries Apprentice
Joined: 14 Apr 2004 Posts: 196 Location: Stevenage, Herts, UK
|
Posted: Mon Jun 14, 2004 2:15 pm Post subject: |
|
|
Sorry, I can't be much more help but it actually says it's not spam. Look at the X-Spam-Status header for the nonspam sample.
It says:
Quote: | X-Spam-Status: No, hits=0.1 required=5.0 tests=LINES_OF_YELLING,RCVD_IN_SORBS
autolearn=no version=2.63 |
That means it's not spam (Status: No).
However, I've no idea why it's still including the report in the body. I run SpamAssassin as a daemon from within Exim (Exiscan) and don't get that. _________________ Developer of gPHPEdit
A8N-SLI/AMD X2 4800+/2GB Dual Channel/GF 7900GT OC |
vadimk Retired Dev
Joined: 24 Jun 2003 Posts: 11
|
Posted: Wed Jan 19, 2005 5:28 pm Post subject: |
|
|
andyjeffries wrote: | Sorry, I can't be much more help but it actually says
However, I've no idea why it's still including the report in the body. I run SpamAssassin as a daemon from with Exim (Exiscan) and don't get that. |
It includes the report because it's a test (-t) run. |
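
Added example (not from any poster in this thread and not SpamAssassin's own code): a Python function that reads the verdict from the X-Spam-Status header, as the replies above advise, rather than from the report text that a -t run appends to every message. The two sample messages are constructed from the headers in the first post, with host.example as a placeholder hostname; accepting score= alongside hits= goes beyond this thread and covers the 3.x header form.

```python
import re
from email import message_from_string

REPORT_PHRASE = "identified this incoming email as possible spam"

# Constructed samples: X-Spam-Status as shown in the two runs above, bodies shortened.
NONSPAM = """\
X-Spam-Status: No, hits=0.1 required=5.0 tests=LINES_OF_YELLING,RCVD_IN_SORBS
 autolearn=no version=2.63

Spam detection software, running on the system "host.example", has
identified this incoming email as possible spam.
"""

SPAM = """\
X-Spam-Status: Yes, hits=1004.2 required=5.0 tests=DNS_FROM_RFCI_DSN,GTUBE,
 PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=no
 version=2.63

Spam detection software, running on the system "host.example", has
identified this incoming email as possible spam.
"""


def spam_verdict(raw_message):
    """Return the verdict recorded in X-Spam-Status, ignoring report text."""
    status = message_from_string(raw_message)["X-Spam-Status"]
    if status is None:
        raise ValueError("no X-Spam-Status header; message was not scanned")
    # Unfold the header and rejoin a tests= list that was wrapped after a comma.
    flat = re.sub(r",\s+", ",", " ".join(status.split()))
    verdict, _, rest = flat.partition(",")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    score = float(fields.get("hits") or fields["score"])  # 2.x: hits=, 3.x: score=
    required = float(fields["required"])
    flagged = verdict.lower() == "yes"
    tests = [t for t in fields.get("tests", "").split(",") if t not in ("", "none")]
    return {
        "flagged": flagged,  # the Yes/No the filter actually recorded
        "score": score,
        "required": required,
        "tests": tests,
        "consistent": flagged == (score >= required),  # header agrees with threshold
        "report_text_present": REPORT_PHRASE in raw_message,  # true for -t ham too
    }


if __name__ == "__main__":
    print(spam_verdict(NONSPAM))
```

For the nonspam sample this returns flagged False with report_text_present True, which is exactly the combination that caused the confusion in the first post.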