
Thread: spamassassin some spam getting through

  1. #1
    Join Date
    May 2012

    spamassassin some spam getting through

    Hello all, I have an issue with spam getting through. I am using the latest build of exim, exim config and SpamAssassin.
    SpamAssassin is working in general because mail is being marked as spam and sent to the user's spam folder, but the issue is that a few of them are not marked as spam.

    My spam threshold is set to 5

    Return-Path: <>
    Received: from
    by with LMTP id ONBwNm9RjllZCAAAGPd+5w
    for <>; Fri, 11 Aug 2017 18:53:03 -0600
    Return-path: <>
    Delivery-date: Fri, 11 Aug 2017 18:53:03 -0600
    Received: from [] (
    by with esmtp (Exim 4.89)
    (envelope-from <>)
    id 1dgKfk-0000oS-AY
    for; Fri, 11 Aug 2017 18:53:03 -0600
    From: "Mildred" <>
    Date: Fri, 11 Aug 2017 19:41:39 -0500
    MIME-Version: 1.0
    Subject: Date Easy with English Speaking Russian and Ukrainian Women
    To: <>
    Message-ID: <>
    Content-Type: multipart/alternative;
    X-Spam-Score: 0.6 (/)
    X-Spam-Report: Spam detection software, running on the system "",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    the administrator of that system for details.

    Content preview: breadandbutter I out Sheriff you me over by first Miss wall
    on of hanged very the travelling friend innocence dead to trousers my seemed
    was the idea use glass took broke Pip on blue hair was OpE my powerfully
    I parlour and easing Judging her even for it way and consider all than been
    When following the on my paper his In R OPE at you had up divorced tell wouldnt
    myself aint pretended or OpE washing all mouth night [...]

    Content analysis details: (0.6 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    0.0 T_SPF_HELO_PERMERROR SPF: test of HELO record failed (permerror)
    0.0 T_SPF_PERMERROR SPF: test of record failed (permerror)
    -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    [score: 0.0000]
    0.0 HTML_MESSAGE BODY: HTML included in message
    0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
    SpamTally: Final spam score: 6
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    X-Spam-Score: 0.6 // This is clearly not correct, it should be higher; similar messages have a score of 5.8 but in this case it is very low.

    SpamTally: Final spam score: 6 // Final score is above 5 so this mail should be marked as spam but is not.

    The points for failing a few tests are 0; I think points should be added in those cases.

    Any idea how to fix this?
    Thanks for your time.

  2. #2
    Join Date
    Nov 2012
    There are always going to be spam samples which do not directly get flagged, even if you use the lowest thresholds. It's all down to characteristics and scoring.

    First of all SpamTally and the defined threshold are not the same thing. The mail wasn't flagged as spam because it scored 0.6 out of 5.0 overall.

    In this email sample, notice:

    -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    [score: 0.0000]
    Basically the Bayes learning system didn't pick it up as spam. You can do a couple of things to teach SpamAssassin about this email.

    Set up a regular cron job to feed SpamAssassin ham (safe) and spam emails; that way SpamAssassin can better profile future mail items.

    In addition to Bayes, you can enable DCC and Pyzor for more spam scoring/detection.

    I've found that often, when Bayes hasn't profiled the email as spam before, DCC usually picks up bulk spam and adds about a 3.0/4.0 scoring, which would have caught the sample attached. You can of course customise the scoring metrics to be lower if needed.

    There are also specific posts on this forum about enabling DCC/Pyzor if you need help. You'll need to open certain TCP/UDP ports in your firewall to connect to these services.

    Also if a specific mail item keeps getting through, you can throw in a few keywords present to make sure it goes to the spam folder. Just be careful about false positives when writing keyword phrases.

    Hope this helps!
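
Added example, not part of either post: a Python sketch that parses the "Content analysis details" table from the first post's X-Spam-Report and re-adds the rule scores, showing that BAYES_00 cancels URIBL_BLACK and that the 0.0-point SPF and HTML rules contribute nothing. The function names and the returned dictionary are illustrative assumptions; the sample text is copied from the headers in post #1.

```python
import re
from decimal import Decimal

# Report table copied from the X-Spam-Report in post #1.
SAMPLE_REPORT = """\
Content analysis details: (0.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
0.0 T_SPF_HELO_PERMERROR SPF: test of HELO record failed (permerror)
0.0 T_SPF_PERMERROR SPF: test of record failed (permerror)
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
"""

SUMMARY_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")


def parse_report(text):
    """Return (reported_total, required, [(points, rule, description), ...])."""
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("no 'Content analysis details' summary line found")
    rules = []
    for line in text.splitlines():
        hit = RULE_RE.match(line)
        if hit:  # header and continuation lines ("[score: ...]") do not match
            rules.append((Decimal(hit.group(1)), hit.group(2), hit.group(3)))
    return Decimal(m.group(1)), Decimal(m.group(2)), rules


def explain(text):
    """Summarise why a message was or was not tagged as spam."""
    reported, required, rules = parse_report(text)
    total = sum((p for p, _, _ in rules), Decimal("0"))
    return {
        "total": total,                       # sum of the per-rule points
        "matches_header": total == reported,  # agrees with X-Spam-Score?
        "tagged": total >= required,          # tagged at or above the threshold
        "shortfall": max(required - total, Decimal("0")),
        "negative_rules": [(r, p) for p, r, _ in rules if p < 0],
        "zero_score_rules": [r for p, r, _ in rules if p == 0],
        "total_without_negatives": sum((p for p, _, _ in rules if p > 0), Decimal("0")),
    }
```

Calling `explain(SAMPLE_REPORT)` shows the message is 4.4 points short of the threshold, and that even with the BAYES_00 deduction removed it would total only 2.5, so further positive-scoring rules are needed to reach 5.0.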
