FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 10-03-2008, 07:39 AM
Benedict Verheyen
 
Default problem with spam scoring not counted correctly

Hi,

i'm using Debian stable and recently i noticed a few spam mails getting
through although the combined scores are high enough. It's flagged as
not being spam, the score is set to 3.9 but is actually way higher.
I also encountered something similar when the result of a test was
"nan", anyway, the score was a string instead of a number and that also
resulted in a spam message getting flagged as no spam.

Here is the header report:

X-Spam-Flag: NO
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on loki.x.y
X-Spam-Level:
X-Spam-Status: "No, score=3.9 required=4.0 tests=FORGED_MUA_OUTLOOK,

FROM_ILLEGAL_CHARS,MIME_BOUND_DD_DIGITS,MIME_QP_LO NG_LINE,MISSING_MIMEOLE,
RCVD_HELO_IP_MISMATCH,RCVD_IN_BL_SPAMCOP_NET,RCVD_ IN_NJABL_PROXY,
RCVD_IN_SORBS_SOCKS,RCVD_IN_SORBS_WEB,RCVD_NUMERIC _HELO,

SUBJECT_NEEDS_ENCODING,SUBJ_ILLEGAL_CHARS,TVD_SPAC E_RATIO,UNPARSEABLE_RELAY
autolearn=no version=3.2.3
X-Spam-Report:
* 4.2 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* 4.0 FROM_ILLEGAL_CHARS Van: bevat te veel 'raw' tekens
* 1.5 SUBJ_ILLEGAL_CHARS Onderwerp: bevat te veel 'raw' tekens
* 2.3 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
* 2.6 RCVD_NUMERIC_HELO Received: bevat een numerieke HELO
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
* 2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
* 1.8 MIME_QP_LONG_LINE RAW: Quoted-printable regel langer dan 76
* karakters
* 1.7 RCVD_IN_NJABL_PROXY RBL: NJABL: verzender is een open proxy
* [218.206.94.132 listed in combined.njabl.org]
* 4.0 RCVD_IN_BL_SPAMCOP_NET RBL: Ontvangen via een relay die gevonden is
* in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?218.206.94.132>]
* 2.0 RCVD_IN_SORBS_WEB RBL: SORBS: verzender is een misbruikbare web
* server
* [218.206.94.132 listed in dnsbl.sorbs.net]
* 0.2 RCVD_IN_SORBS_SOCKS RBL: SORBS: verzender is een open SOCKS proxy
* server
* 1.3 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
* 0.0 MISSING_MIMEOLE Bericht heeft een X-MSMail-Priority, maar geen
* X-MimeOLE
* 4.2 FORGED_MUA_OUTLOOK Vals mailtje, pretendeert afkomstig te zijn van
* MS Outlook

I ran the message through spamassassin again with the -D flag and this
is what i got. Notice the nan score now. Maybe it's that score again
that is the reason why counting the scores didn't work?

* 1.5 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* nan FROM_ILLEGAL_CHARS Van: bevat te veel 'raw' tekens
* 1.6 SUBJ_ILLEGAL_CHARS Onderwerp: bevat te veel 'raw' tekens
* 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
* 2.1 RCVD_NUMERIC_HELO Received: bevat een numerieke HELO
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
* 2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
* 1.4 MIME_QP_LONG_LINE RAW: Quoted-printable regel langer dan 76
* karakters
* 1.6 RCVD_IN_NJABL_PROXY RBL: NJABL: verzender is een open proxy
* [218.206.94.132 listed in combined.njabl.org]
* 4.0 RCVD_IN_BL_SPAMCOP_NET RBL: Ontvangen via een relay die gevonden is
* in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?218.206.94.132>]
* 2.0 RCVD_IN_SORBS_WEB RBL: SORBS: verzender is een misbruikbare web
* server
* [218.206.94.132 listed in dnsbl.sorbs.net]
* 0.8 RCVD_IN_SORBS_SOCKS RBL: SORBS: verzender is een open SOCKS proxy
* server
* 0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
* 0.0 MISSING_MIMEOLE Bericht heeft een X-MSMail-Priority, maar geen
* X-MimeOLE
* 3.1 FORGED_MUA_OUTLOOK Vals mailtje, pretendeert afkomstig te zijn van
* MS Outlook


Why is the score only at 3.9 and thus not flagged as spam?

Thanks,
Benedict


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 10-09-2008, 09:21 AM
Benedict Verheyen
 
Default problem with spam scoring not counted correctly

Benedict Verheyen wrote:
<snip>

> I ran the message through spamassassin again with the -D flag and this
> is what i got. Notice the nan score now. Maybe it's that score again
> that is the reason why counting the scores didn't work?
>
> * 1.5 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
> * nan FROM_ILLEGAL_CHARS Van: bevat te veel 'raw' tekens
> * 1.6 SUBJ_ILLEGAL_CHARS Onderwerp: bevat te veel 'raw' tekens
> * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
> * 2.1 RCVD_NUMERIC_HELO Received: bevat een numerieke HELO
> * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
> * 2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
> * 1.4 MIME_QP_LONG_LINE RAW: Quoted-printable regel langer dan 76
> * karakters
> * 1.6 RCVD_IN_NJABL_PROXY RBL: NJABL: verzender is een open proxy
> * [218.206.94.132 listed in combined.njabl.org]
> * 4.0 RCVD_IN_BL_SPAMCOP_NET RBL: Ontvangen via een relay die gevonden is
> * in bl.spamcop.net
> * [Blocked - see <http://www.spamcop.net/bl.shtml?218.206.94.132>]
> * 2.0 RCVD_IN_SORBS_WEB RBL: SORBS: verzender is een misbruikbare web
> * server
> * [218.206.94.132 listed in dnsbl.sorbs.net]
> * 0.8 RCVD_IN_SORBS_SOCKS RBL: SORBS: verzender is een open SOCKS proxy
> * server
> * 0.0 SUBJECT_NEEDS_ENCODING SUBJECT_NEEDS_ENCODING
> * 0.0 MISSING_MIMEOLE Bericht heeft een X-MSMail-Priority, maar geen
> * X-MimeOLE
> * 3.1 FORGED_MUA_OUTLOOK Vals mailtje, pretendeert afkomstig te zijn van
> * MS Outlook

According to this bugreport, this is a bug than occurs only on the
Debian. It can't be reproduced on other systems.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3364

It might be a perl issue as NaN (not a number) is something from perl.
I'm really surprised this error isn't occuring more (maybe people don't
notice the "NaN")

I reinstalled spamassassin and tried spamassassin -D again, with another
spam message but the result is the same. Again a "nan" score and a clear
spam message not being marked as spam.

X-Spam-Flag: NO
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on loki.x.y
X-Spam-Level:
X-Spam-Status: "No, score=3.9 required=4.0 tests=AWL,DNS_FROM_SECURITYSAGE,
FB_GET_MEDS,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SU RBL,URIBL_WS_SURBL
autolearn=no version=3.2.3
X-Spam-Report:
* 1.1 FB_GET_MEDS BODY: Looks like trying to sell meds
* nan URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: susync.cn]
* 2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [URIs: susync.cn]
* 2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: susync.cn]
* 2.1 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
* [URIs: susync.cn]
* 0.1 DNS_FROM_SECURITYSAGE RBL: Envelope sender in
* blackholes.securitysage.com
* 0.4 AWL AWL: From: address is in the auto white-list

My local.cf:
report_safe 0
lock_method flock
required_score 4.0
use_bayes 1
bayes_auto_learn 1
clear_headers
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on
_HOSTNAME_
add_header all Flag _YESNOCAPS_
add_header all Level _STARS(*)_
add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Report _REPORT_

Any ideas?

Regards,
Benedict


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 

Thread Tools




All times are GMT. The time now is 12:20 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org