Ranking spam twice?

el_pinjo

New member
Joined
Jun 5, 2017
Messages
1
Hi all,

I'm a bit new to all this. I am currently administrating a server for which the owner is away for a while. At certain moments we seem to be getting quite some spam though.
I tried optimizing the SpamAssassin configuration, but it does not seem to work. When I ran spamassassin manually on a message in the inbox I got the following output. What I noticed in the output is the spam score appears twice. The first scoring is 26.4 and the second score (inside the message?) is 1.5.
In the end the message ends up in the mailbox and not in the spam folder like configured.

Code:
Jun  5 20:56:17.098 [2264] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x2bd48f8) implements 'check_post_learn', priority 0
Jun  5 20:56:17.098 [2264] dbg: dcc: DCC learning not enabled by dcc_learn_score
Jun  5 20:56:17.099 [2264] dbg: check: is spam? score=26.393 required=5
Jun  5 20:56:17.099 [2264] dbg: check: tests=BAYES_99,BAYES_999,DCC_CHECK,DIGEST_MULTIPLE,HTML_MESSAGE,LOTS_OF_MONEY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PSBL,RCVD_IN_SBL_CSS,RDNS_NONE,T_REMOTE_IMAGE,T_SPF_HELO_PERMERROR,T_SPF_PERMERROR,URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM
Jun  5 20:56:17.099 [2264] dbg: check: subtests=__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BODY_TEXT_LINE,__BODY_TEXT_LINE,__BODY_TEXT_LINE,__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ALT,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DOS_DIRECT_TO_MX,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_SINGLE_EXT_RELAY,__FB_TOUR,__FRAUD_DBI,__HAS_ANY_URI,__HAS_DATE,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_TO,__HAS_URI,__HDR_CASE_REVERSED,__HTML_LINK_IMAGE,__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LOCAL_PP_NONPPURL,__LONGLINE,__LOTSA_MONEY_03,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_HOST,__NONEMPTY_BODY,__RCVD_IN_ZEN,__RDNS_NONE,__REMOTE_IMAGE,__SANE_MSGID,__SINGLE_WORD_LINE,__SINGLE_WORD_LINE,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS,__TVD_MIME_ATT_TP,__YOU_WON,__YOU_WON_01,__hk_bigmoney
Jun  5 20:56:17.100 [2264] dbg: timing: total 8001 ms - init: 1008 (12.6%), parse: 1.21 (0.0%), extract_message_metadata: 45 (0.6%), get_uri_detail_list: 6 (0.1%), tests_pri_-1000: 22 (0.3%), compile_gen: 141 (1.8%), compile_eval: 21 (0.3%), tests_pri_-950: 6 (0.1%), tests_pri_-900: 6 (0.1%), tests_pri_-400: 131 (1.6%), check_bayes: 112 (1.4%), b_tokenize: 9 (0.1%), b_tok_get_all: 78 (1.0%), b_comp_prob: 4.2 (0.1%), b_tok_touch_all: 0.28 (0.0%), b_finish: 1.44 (0.0%), tests_pri_0: 6700 (83.7%), dkim_load_modules: 20 (0.3%), check_dkim_signature: 0.66 (0.0%), check_dkim_adsp: 8 (0.1%), check_spf: 82 (1.0%), poll_dns_idle: 0.32 (0.0%), check_dcc: 4482 (56.0%), check_razor2: 1370 (17.1%), check_pyzor: 331 (4.1%), tests_pri_500: 54 (0.7%)
Received: from localhost by ***********************
	with SpamAssassin (version 3.4.1);
	Mon, 05 Jun 2017 20:56:17 +0200
From: " Gerard Woods" <pilgrimatical@zooita.info>
To: <misja@****************>
Subject: You'll never need another pedicure, ever again!
Date: Mon, 05 Jun 2017 13:12:14 -0500
Message-Id: <DSi9BcShsMpIXws22UXerk6UBfaQeLwjsDXg53WC-JA.a5WawogcKTDH-IIxIxJ98cSVk1glBkhe06_yi0pIpko@zooita.info>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	*************************
X-Spam-Flag: YES
X-Spam-Level: **************************
X-Spam-Status: Yes, score=26.4 required=5.0 tests=BAYES_99,BAYES_999,DCC_CHECK,
	DIGEST_MULTIPLE,HTML_MESSAGE,LOTS_OF_MONEY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,
	RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PSBL,RCVD_IN_SBL_CSS,RDNS_NONE,
	T_REMOTE_IMAGE,T_SPF_HELO_PERMERROR,T_SPF_PERMERROR,URIBL_ABUSE_SURBL,
	URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no version=3.4.1
X-Spam-DCC: wuwien: ***************** 1290; Body=1 Fuz1=many Fuz2=2368
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5935A951.882C286D"

This is a multi-part message in MIME format.

------------=_5935A951.882C286D
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "*****************",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  FREEHOLD BOROUGH, N.J. At an elementary glaze school in Freehold,
   over 500 students share dictator a vast, open space where bookshelves, whiteboards,
   tacoma storage cubbies and other pieces of furniture unexpectedly are the
   only boundaries between classrooms. There enabling are no walls because the
   building was goth originally designed in the 1970s to be pullover a smaller
   Montessori school, Rocco Tomazic, the imported superintendent of the Freehold
   Borough School District, funny explained during a recent tour. But now adhere
   it is noisy and crowded, and the mohawk district does not have the money
  to consensus move students into traditional closed classrooms wind the kind
   with walls and fewer distractions. shredder The issue for Freehold Borough
   and apparently about two-thirds of New Jerseys 586 school sorority districts
   is the states nine-year-old formula stun for paying for public schools. Adopted
   by animal the State Legislature in 2008, it calculates lined how much each
   district needs to ensure phone that students receive a thorough and efficient
   soulful , regardless of income, as New Jersey familial law requires. The
  formula directs extra dollars united to districts with children who are learning
   crocus English, students with disabilities and those living welding in poverty.
   But hundreds of towns, including blistering Freehold Borough, where 75 percent
   of the autonomous schoolchildren are Latino, have not gotten their gripe
  full share of funding under the formula techie since 2010. This year, for
  instance, the cosmetic district was due $23 million, Mr. Tomazic luther said.
   It got million. State aid mood has been flat-funded since at least 2010,
  manipulate with no adjustments for [...] 

Content analysis details:   (26.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: zooita.info]
 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                            [104.237.202.80 listed in zen.spamhaus.org]
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: zooita.info]
 0.1 T_SPF_HELO_PERMERROR   SPF: test of HELO record failed (permerror)
 0.0 T_SPF_PERMERROR        SPF: test of record failed (permerror)
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: zooita.info]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 4.0 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                            [104.237.202.80 listed in psbl.surriel.com]
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_REMOTE_IMAGE         Message contains an external image

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_5935A951.882C286D
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Return-Path: <pilgrimatical@zooita.info>
Delivered-To: misja@******************
Received: from *****************
	by ******************** (Dovecot) with LMTP id lFpYBfCjNVmEeQAATmVXog
	for <misja@*****************>; Mon, 05 Jun 2017 20:33:20 +0200
Return-path: <pilgrimatical@zooita.info>
Received: from [104.237.202.80] (helo=zooita.info)
	by ***************** with esmtp (Exim 4.86.2)
	(envelope-from <pilgrimatical@zooita.info>)
	id 1dHwoT-0000Hi-Nt
	for misja@**************; Mon, 05 Jun 2017 20:33:20 +0200
From: " Gerard Woods" <pilgrimatical@zooita.info>
Date: Mon, 05 Jun 2017 13:12:14 -0500
MIME-Version: 1.0
Subject: You'll never need another pedicure, ever again!
To: <misja@*****************>
Message-ID: <DSi9BcShsMpIXws22UXerk6UBfaQeLwjsDXg53WC-JA.a5WawogcKTDH-IIxIxJ98cSVk1glBkhe06_yi0pIpko@zooita.info>
Content-Type: multipart/alternative;
 boundary="------------876410803547432665809643"
X-Spam-Score: 1.5 (+)
X-Spam-Report: Spam detection software, running on the system "******************",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  FREEHOLD BOROUGH, N.J. At an elementary glaze school in Freehold,
    over 500 students share dictator a vast, open space where bookshelves, whiteboards,
    tacoma storage cubbies and other pieces of furniture unexpectedly are the
    only boundaries between classrooms. There enabling are no walls because the
    building was goth originally designed in the 1970s to be pullover a smaller
    Montessori school, Rocco Tomazic, the imported superintendent of the Freehold
    Borough School District, funny explained during a recent tour. But now adhere
    it is noisy and crowded, and the mohawk district does not have the money
   to consensus move students into traditional closed classrooms wind the kind
    with walls and fewer distractions. shredder The issue for Freehold Borough
    and apparently about two-thirds of New Jerseys 586 school sorority districts
    is the states nine-year-old formula stun for paying for public schools. Adopted
    by animal the State Legislature in 2008, it calculates lined how much each
    district needs to ensure phone that students receive a thorough and efficient
    soulful , regardless of income, as New Jersey familial law requires. The
   formula directs extra dollars united to districts with children who are learning
    crocus English, students with disabilities and those living welding in poverty.
    But hundreds of towns, including blistering Freehold Borough, where 75 percent
    of the autonomous schoolchildren are Latino, have not gotten their gripe
   full share of funding under the formula techie since 2010. This year, for
   instance, the cosmetic district was due $23 million, Mr. Tomazic luther said.
    It got million. State aid mood has been flat-funded since at least 2010,
   manipulate with no adjustments for [...] 
 
 Content analysis details:   (1.5 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: zooita.info]
  0.0 RCVD_IN_DNSWL_BLOCKED  RBL: ADMINISTRATOR NOTICE: The query to DNSWL
                             was blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [104.237.202.80 listed in list.dnswl.org]
  0.2 T_SPF_HELO_PERMERROR   SPF: test of HELO record failed (permerror)
  0.0 T_SPF_PERMERROR        SPF: test of record failed (permerror)
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 LOTS_OF_MONEY          Huge... sums of money
  1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
  0.0 T_REMOTE_IMAGE         Message contains an external image
SpamTally: Final spam score: 15
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

This is a multi-part message in MIME format.
--------------876410803547432665809643
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

FREEHOLD BOROUGH, N.J. At an elementary glaze school in Freehold, over 500 students share dictator a vast, open space where bookshelves, whiteboards, tacoma storage cubbies and other pieces of furniture unexpectedly are the only boundaries between classrooms. There enabling are no walls because the building was goth originally designed in the 1970s to be pullover a smaller Montessori school, Rocco Tomazic, the imported superintendent of the Freehold Borough School District, funny explained during a recent tour. But now adhere it is noisy and crowded, and the mohawk district does not have the money to consensus move students into traditional closed classrooms wind the kind with walls and fewer distractions. shredder The issue for Freehold Borough and apparently about two-thirds of New Jerseys 586 school sorority districts is the states nine-year-old formula stun for paying for public schools. Adopted by animal the State Legislature in 2008, it calculates lined how much each district needs to ensure phone that students receive a thorough and efficient soulful , regardless of income, as New Jersey familial law requires. The formula directs extra dollars united to districts with children who are learning crocus English, students with disabilities and those living welding in poverty. But hundreds of towns, including blistering Freehold Borough, where 75 percent of the autonomous schoolchildren are Latino, have not gotten their gripe full share of funding under the formula techie since 2010. This year, for instance, the cosmetic district was due $23 million, Mr. Tomazic luther said. It got million. State aid mood has been flat-funded since at least 2010, manipulate with no adjustments for
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,102
Location
GMT +7.00
Hello,

Isn't it an email with an attachment? Hence you see the check results twice.

Code:
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
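
An added example, not part of the original thread: a small Python script that separates the two sets of results discussed above. It reads a SpamAssassin report wrapper, takes the `X-Spam-*` headers from the outer message (the scan that produced the wrapper), then locates the `message/rfc822; x-spam-type=original` attachment and reads the `X-Spam-*` headers the original message already carried. The sample message is constructed and trimmed to the headers that matter; the function names are illustrative.

```python
import email
import re
from email import policy

# Constructed sample: a trimmed report wrapper with the original attached.
SAMPLE = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=26.4 required=5.0 tests=BAYES_99,DCC_CHECK
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Spam detection software has identified this incoming email as possible spam.
--b1
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment

From: sender@example.invalid
Subject: constructed sample
X-Spam-Score: 1.5 (+)

body
--b1--
"""

_SCORE = re.compile(r"(?:score=|^\s*)(-?\d+(?:\.\d+)?)")

def _spam_headers(msg):
    return {k: str(v) for k, v in msg.items() if k.lower().startswith("x-spam-")}

def split_scan_results(raw):
    """Return (outer, inner) X-Spam-* headers; inner is None when the
    message is not a report wrapper around an attached original."""
    outer = email.message_from_string(raw, policy=policy.default)
    for part in outer.walk():
        if (part.get_content_type() == "message/rfc822"
                and part.get_param("x-spam-type") == "original"):
            return _spam_headers(outer), _spam_headers(part.get_payload(0))
    return _spam_headers(outer), None

def _score(text):
    m = _SCORE.search(text or "")
    return float(m.group(1)) if m else None

def scan_scores(raw):
    """(score of the wrapping scan, score already on the attached original)."""
    outer, inner = split_scan_results(raw)
    return (_score(outer.get("X-Spam-Status")),
            _score((inner or {}).get("X-Spam-Score")))

if __name__ == "__main__":
    print(scan_scores(SAMPLE))
```
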
 