
Thread: Ranking spam twice?

  1. #1
    Join Date
    Jun 2017
    Posts
    1

    Ranking spam twice?

    Hi all,

    I'm a bit new to all this. I am currently administrating a server for which the owner is away for a while. At certain moments we seem to be getting quite some spam though.
    I tried optimizing the SpamAssassin configuration, but it does not seem to work. When I ran spamassassin manually on a message in the inbox I got the following output. What I noticed in the output is that the spam score appears twice. The first score is 26.4 and the second score (inside the message?) is 1.5.
    In the end the message ends up in the mailbox and not in the spam folder like configured.

    Code:
    Jun  5 20:56:17.098 [2264] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x2bd48f8) implements 'check_post_learn', priority 0
    Jun  5 20:56:17.098 [2264] dbg: dcc: DCC learning not enabled by dcc_learn_score
    Jun  5 20:56:17.099 [2264] dbg: check: is spam? score=26.393 required=5
    Jun  5 20:56:17.099 [2264] dbg: check: tests=BAYES_99,BAYES_999,DCC_CHECK,DIGEST_MULTIPLE,HTML_MESSAGE,LOTS_OF_MONEY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PSBL,RCVD_IN_SBL_CSS,RDNS_NONE,T_REMOTE_IMAGE,T_SPF_HELO_PERMERROR,T_SPF_PERMERROR,URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM
    Jun  5 20:56:17.099 [2264] dbg: check: subtests=__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BODY_TEXT_LINE,__BODY_TEXT_LINE,__BODY_TEXT_LINE,__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ALT,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DOS_DIRECT_TO_MX,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_SINGLE_EXT_RELAY,__FB_TOUR,__FRAUD_DBI,__HAS_ANY_URI,__HAS_DATE,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_TO,__HAS_URI,__HDR_CASE_REVERSED,__HTML_LINK_IMAGE,__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LOCAL_PP_NONPPURL,__LONGLINE,__LOTSA_MONEY_03,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_HOST,__NONEMPTY_BODY,__RCVD_IN_ZEN,__RDNS_NONE,__REMOTE_IMAGE,__SANE_MSGID,__SINGLE_WORD_LINE,__SINGLE_WORD_LINE,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS,__TVD_MIME_ATT_TP,__YOU_WON,__YOU_WON_01,__hk_bigmoney
    Jun  5 20:56:17.100 [2264] dbg: timing: total 8001 ms - init: 1008 (12.6%), parse: 1.21 (0.0%), extract_message_metadata: 45 (0.6%), get_uri_detail_list: 6 (0.1%), tests_pri_-1000: 22 (0.3%), compile_gen: 141 (1.8%), compile_eval: 21 (0.3%), tests_pri_-950: 6 (0.1%), tests_pri_-900: 6 (0.1%), tests_pri_-400: 131 (1.6%), check_bayes: 112 (1.4%), b_tokenize: 9 (0.1%), b_tok_get_all: 78 (1.0%), b_comp_prob: 4.2 (0.1%), b_tok_touch_all: 0.28 (0.0%), b_finish: 1.44 (0.0%), tests_pri_0: 6700 (83.7%), dkim_load_modules: 20 (0.3%), check_dkim_signature: 0.66 (0.0%), check_dkim_adsp: 8 (0.1%), check_spf: 82 (1.0%), poll_dns_idle: 0.32 (0.0%), check_dcc: 4482 (56.0%), check_razor2: 1370 (17.1%), check_pyzor: 331 (4.1%), tests_pri_500: 54 (0.7%)
    Received: from localhost by ***********************
    	with SpamAssassin (version 3.4.1);
    	Mon, 05 Jun 2017 20:56:17 +0200
    From: " Gerard Woods" <pilgrimatical@zooita.info>
    To: <misja@****************>
    Subject: You'll never need another pedicure, ever again!
    Date: Mon, 05 Jun 2017 13:12:14 -0500
    Message-Id: <DSi9BcShsMpIXws22UXerk6UBfaQeLwjsDXg53WC-JA.a5WawogcKTDH-IIxIxJ98cSVk1glBkhe06_yi0pIpko@zooita.info>
    X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
    	*************************
    X-Spam-Flag: YES
    X-Spam-Level: **************************
    X-Spam-Status: Yes, score=26.4 required=5.0 tests=BAYES_99,BAYES_999,DCC_CHECK,
    	DIGEST_MULTIPLE,HTML_MESSAGE,LOTS_OF_MONEY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,
    	RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PSBL,RCVD_IN_SBL_CSS,RDNS_NONE,
    	T_REMOTE_IMAGE,T_SPF_HELO_PERMERROR,T_SPF_PERMERROR,URIBL_ABUSE_SURBL,
    	URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no version=3.4.1
    X-Spam-DCC: wuwien: ***************** 1290; Body=1 Fuz1=many Fuz2=2368
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------=_5935A951.882C286D"
    
    This is a multi-part message in MIME format.
    
    ------------=_5935A951.882C286D
    Content-Type: text/plain; charset=iso-8859-1
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit
    
    Spam detection software, running on the system "*****************",
    has identified this incoming email as possible spam.  The original
    message has been attached to this so you can view it or label
    similar future email.  If you have any questions, see
    the administrator of that system for details.
    
    Content preview:  FREEHOLD BOROUGH, N.J. At an elementary glaze school in Freehold,
       over 500 students share dictator a vast, open space where bookshelves, whiteboards,
       tacoma storage cubbies and other pieces of furniture unexpectedly are the
       only boundaries between classrooms. There enabling are no walls because the
       building was goth originally designed in the 1970s to be pullover a smaller
       Montessori school, Rocco Tomazic, the imported superintendent of the Freehold
       Borough School District, funny explained during a recent tour. But now adhere
       it is noisy and crowded, and the mohawk district does not have the money
      to consensus move students into traditional closed classrooms wind the kind
       with walls and fewer distractions. shredder The issue for Freehold Borough
       and apparently about two-thirds of New Jerseys 586 school sorority districts
       is the states nine-year-old formula stun for paying for public schools. Adopted
       by animal the State Legislature in 2008, it calculates lined how much each
       district needs to ensure phone that students receive a thorough and efficient
       soulful , regardless of income, as New Jersey familial law requires. The
      formula directs extra dollars united to districts with children who are learning
       crocus English, students with disabilities and those living welding in poverty.
       But hundreds of towns, including blistering Freehold Borough, where 75 percent
       of the autonomous schoolchildren are Latino, have not gotten their gripe
      full share of funding under the formula techie since 2010. This year, for
      instance, the cosmetic district was due $23 million, Mr. Tomazic luther said.
       It got million. State aid mood has been flat-funded since at least 2010,
      manipulate with no adjustments for [...] 
    
    Content analysis details:   (26.4 points, 5.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                                [score: 1.0000]
     2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                                [URIs: zooita.info]
     3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                                [104.237.202.80 listed in zen.spamhaus.org]
     1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                                [URIs: zooita.info]
     0.1 T_SPF_HELO_PERMERROR   SPF: test of HELO record failed (permerror)
     0.0 T_SPF_PERMERROR        SPF: test of record failed (permerror)
     3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                                [URIs: zooita.info]
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                                [score: 1.0000]
     1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
     0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
     1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                                above 50%
                                [cf: 100]
     0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                                [cf: 100]
     4.0 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
     2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                                [104.237.202.80 listed in psbl.surriel.com]
     0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
     0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
     0.0 LOTS_OF_MONEY          Huge... sums of money
     0.0 T_REMOTE_IMAGE         Message contains an external image
    
    The original message was not completely plain text, and may be unsafe to
    open with some email clients; in particular, it may contain a virus,
    or confirm that your address can receive spam.  If you wish to view
    it, it may be safer to save it to a file and open it with an editor.
    
    
    ------------=_5935A951.882C286D
    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: attachment
    Content-Transfer-Encoding: 8bit
    
    Return-Path: <pilgrimatical@zooita.info>
    Delivered-To: misja@******************
    Received: from *****************
    	by ******************** (Dovecot) with LMTP id lFpYBfCjNVmEeQAATmVXog
    	for <misja@*****************>; Mon, 05 Jun 2017 20:33:20 +0200
    Return-path: <pilgrimatical@zooita.info>
    Received: from [104.237.202.80] (helo=zooita.info)
    	by ***************** with esmtp (Exim 4.86.2)
    	(envelope-from <pilgrimatical@zooita.info>)
    	id 1dHwoT-0000Hi-Nt
    	for misja@**************; Mon, 05 Jun 2017 20:33:20 +0200
    From: " Gerard Woods" <pilgrimatical@zooita.info>
    Date: Mon, 05 Jun 2017 13:12:14 -0500
    MIME-Version: 1.0
    Subject: You'll never need another pedicure, ever again!
    To: <misja@*****************>
    Message-ID: <DSi9BcShsMpIXws22UXerk6UBfaQeLwjsDXg53WC-JA.a5WawogcKTDH-IIxIxJ98cSVk1glBkhe06_yi0pIpko@zooita.info>
    Content-Type: multipart/alternative;
     boundary="------------876410803547432665809643"
    X-Spam-Score: 1.5 (+)
    X-Spam-Report: Spam detection software, running on the system "******************",
     has NOT identified this incoming email as spam.  The original
     message has been attached to this so you can view it or label
     similar future email.  If you have any questions, see
     the administrator of that system for details.
     
     Content preview:  FREEHOLD BOROUGH, N.J. At an elementary glaze school in Freehold,
        over 500 students share dictator a vast, open space where bookshelves, whiteboards,
        tacoma storage cubbies and other pieces of furniture unexpectedly are the
        only boundaries between classrooms. There enabling are no walls because the
        building was goth originally designed in the 1970s to be pullover a smaller
        Montessori school, Rocco Tomazic, the imported superintendent of the Freehold
        Borough School District, funny explained during a recent tour. But now adhere
        it is noisy and crowded, and the mohawk district does not have the money
       to consensus move students into traditional closed classrooms wind the kind
        with walls and fewer distractions. shredder The issue for Freehold Borough
        and apparently about two-thirds of New Jerseys 586 school sorority districts
        is the states nine-year-old formula stun for paying for public schools. Adopted
        by animal the State Legislature in 2008, it calculates lined how much each
        district needs to ensure phone that students receive a thorough and efficient
        soulful , regardless of income, as New Jersey familial law requires. The
       formula directs extra dollars united to districts with children who are learning
        crocus English, students with disabilities and those living welding in poverty.
        But hundreds of towns, including blistering Freehold Borough, where 75 percent
        of the autonomous schoolchildren are Latino, have not gotten their gripe
       full share of funding under the formula techie since 2010. This year, for
       instance, the cosmetic district was due $23 million, Mr. Tomazic luther said.
        It got million. State aid mood has been flat-funded since at least 2010,
       manipulate with no adjustments for [...] 
     
     Content analysis details:   (1.5 points, 5.0 required)
     
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
      0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                 See
                                 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                  for more information.
                                 [URIs: zooita.info]
      0.0 RCVD_IN_DNSWL_BLOCKED  RBL: ADMINISTRATOR NOTICE: The query to DNSWL
                                 was blocked.  See
                                 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                  for more information.
                                 [104.237.202.80 listed in list.dnswl.org]
      0.2 T_SPF_HELO_PERMERROR   SPF: test of HELO record failed (permerror)
      0.0 T_SPF_PERMERROR        SPF: test of record failed (permerror)
      0.0 HTML_MESSAGE           BODY: HTML included in message
      0.0 LOTS_OF_MONEY          Huge... sums of money
      1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
      0.0 T_REMOTE_IMAGE         Message contains an external image
    SpamTally: Final spam score: 15
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
    This is a multi-part message in MIME format.
    --------------876410803547432665809643
    Content-Type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: 7bit
    
    FREEHOLD BOROUGH, N.J. At an elementary glaze school in Freehold, over 500 students share dictator a vast, open space where bookshelves, whiteboards, tacoma storage cubbies and other pieces of furniture unexpectedly are the only boundaries between classrooms. There enabling are no walls because the building was goth originally designed in the 1970s to be pullover a smaller Montessori school, Rocco Tomazic, the imported superintendent of the Freehold Borough School District, funny explained during a recent tour. But now adhere it is noisy and crowded, and the mohawk district does not have the money to consensus move students into traditional closed classrooms wind the kind with walls and fewer distractions. shredder The issue for Freehold Borough and apparently about two-thirds of New Jerseys 586 school sorority districts is the states nine-year-old formula stun for paying for public schools. Adopted by animal the State Legislature in 2008, it calculates lined how much each district needs to ensure phone that students receive a thorough and efficient soulful , regardless of income, as New Jersey familial law requires. The formula directs extra dollars united to districts with children who are learning crocus English, students with disabilities and those living welding in poverty. But hundreds of towns, including blistering Freehold Borough, where 75 percent of the autonomous schoolchildren are Latino, have not gotten their gripe full share of funding under the formula techie since 2010. This year, for instance, the cosmetic district was due $23 million, Mr. Tomazic luther said. It got million. State aid mood has been flat-funded since at least 2010, manipulate with no adjustments for

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,750
    Hello,

    Isn't it an email with an attachment? Hence you see the check results twice.

    Code:
    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: attachment
    Content-Transfer-Encoding: 8bit
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook
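
The nesting Alex points to can be checked mechanically. The following is an added example, not part of the thread: a Python script that walks a SpamAssassin report message and lists the score header found at each MIME level, so the outer `X-Spam-Status` can be told apart from the `X-Spam-Score` carried inside the attached `message/rfc822` original. The sample message is constructed and abbreviated from the headers posted above, and the function name `collect_scores` is hypothetical.

```python
import re
from email import message_from_string

# Constructed, abbreviated sample modelled on the headers posted above.
SAMPLE = """\
X-Spam-Status: Yes, score=26.4 required=5.0 tests=BAYES_99,DCC_CHECK
\tautolearn=no version=3.4.1
Content-Type: multipart/mixed; boundary="OUTER"

--OUTER

Content analysis details:   (26.4 points, 5.0 required)
--OUTER
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin

Subject: constructed sample
X-Spam-Score: 1.5 (+)

body
--OUTER--
"""

PATTERNS = {
    "X-Spam-Status": re.compile(r"score=(-?\d+(?:\.\d+)?)"),
    "X-Spam-Score": re.compile(r"^\s*(-?\d+(?:\.\d+)?)"),
}

def collect_scores(msg, depth=0, wrapped=False, found=None):
    """Return [(depth, header, score, inside_wrapped_original)] per MIME level."""
    found = [] if found is None else found
    for header, pattern in PATTERNS.items():
        match = pattern.search(str(msg.get(header, "")))
        if match:
            found.append((depth, header, float(match.group(1)), wrapped))
    payload = msg.get_payload()
    if msg.get_content_type() == "message/rfc822" and isinstance(payload, list):
        # The report wrapper tags the untouched original with x-spam-type=original.
        original = msg.get_param("x-spam-type") == "original"
        for inner in payload:
            collect_scores(inner, depth + 1, original, found)
    elif msg.is_multipart():
        for part in payload:
            collect_scores(part, depth, wrapped, found)
    return found

if __name__ == "__main__":
    for row in collect_scores(message_from_string(SAMPLE)):
        print("depth %d: %s = %s (inside original: %s)" % row)
```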
