spamassassin-users mailing list archives

From Administrator <ad...@cobatco.com>
Subject Re: not scoring correctly
Date Wed, 18 Jul 2007 14:57:54 GMT
A rough guess and probably wrong as usual, but could the message size be
larger than what you have set in amavisd-new?  If so then SA would be
bypassed but not when you manually test the message.



Robert Fitzpatrick wrote:
> We use SA 3.1.7 with Postfix and amavisd-new 2.4.4 and clamav. I
> received several PDFs this morning even though we have updated
> protection. They all came from one server, so I did a lookup in the mail
> logs to find 'Hits: -', that's it. After some more searching on
> different servers, I see this frequently, what does it mean as far as
> score?
>
> Logged in as the amavisd user 'vscan' and running sa test, it clearly
> scores well above the 5.0 threshold. Any ideas why these types of
> messages would have gotten through SA?
>
> esmtp# bzcat /var/log/maillog.0.bz2 | grep "ysHkeL+S2PmL"
> Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] [108.83.93.165] <anup_pettigrew@goldyplace.com> -> <webmaster@webtent.com>, quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: <14550229.5393314@goldyplace.com>, mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms
> esmtp# su vscan
> $ spamassassin -t < /var/virusmails/clean-ysHkeL+S2PmL
> <snip>
> Content analysis details:   (11.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.4 MIME_BOUND_DIGITS_15   Spam tool pattern in MIME boundary
>  4.5 BOTNET_NORDNS          Relay's IP address has no PTR record
>                             [botnet_nordns,ip=89.214.60.100]
>  2.0 GMD_PDF_FUZZY2_T3      BODY: Fuzzy MD5 Match
>                             3D4E25DE4A05695681D694716D579474
>  1.8 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
>            [108.83.93.165 listed in combined-HIB.dnsiplists.completewhois.com]
>  1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
>
> Thanks for any help!
>
>   
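
One way to measure how often this happens and from which clients, as an added example that is not part of the original thread. It assumes the amavisd-new log format of the quoted line and treats `Hits: -` on a `Passed` line as a delivery with no SpamAssassin score; the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Pattern follows the amavisd-new log line quoted in the thread above.
LINE_RE = re.compile(
    r"amavis\[\d+\]: \([\w-]+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r".*?\[(?P<client_ip>[^\]]+)\].*?"
    r"mail_id: (?P<mail_id>[^,\s]+), Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

def parse(line):
    """Return the fields of one amavis result line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: "Hits: -" means no SpamAssassin score was recorded.
    rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])
    return rec

def unscored_passes(lines):
    """Messages that were delivered without any spam score."""
    recs = (parse(line) for line in lines)
    return [r for r in recs if r and r["action"] == "Passed" and r["hits"] is None]

def by_client(records):
    """Count unscored deliveries per connecting client IP."""
    return Counter(r["client_ip"] for r in records)

SAMPLE_LOG = [
    # First line is the one quoted in the thread; the rest are constructed.
    "Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] "
    "[108.83.93.165] <anup_pettigrew@goldyplace.com> -> <webmaster@webtent.com>, "
    "quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: <14550229.5393314@goldyplace.com>, "
    "mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms",
    "Jul 17 19:04:10 esmtp amavis[51730]: (51730-02) Passed CLEAN, [192.0.2.10] "
    "<a@example.org> -> <b@example.com>, mail_id: AAAAconstr01, Hits: 1.2, 900 ms",
    "Jul 17 19:05:22 esmtp amavis[51731]: (51731-07) Blocked SPAM, [192.0.2.20] "
    "<c@example.org> -> <b@example.com>, mail_id: BBBBconstr02, Hits: 11.7, 1500 ms",
    "Jul 17 19:06:01 esmtp amavis[51729]: (51729-15) Passed CLEAN, [89.214.60.100] "
    "<d@example.org> -> <b@example.com>, mail_id: CCCCconstr03, Hits: -, 700 ms",
    "Jul 17 19:06:02 esmtp postfix/smtp[600]: 2222222222B: status=sent",
]

if __name__ == "__main__":
    for ip, n in by_client(unscored_passes(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} message(s) passed without a score")
```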
