Hi all, I've been running amavisd-new for several years now with no
issues, but now one has cropped up with an SA plugin that I have need
of.  A vendor recently updated their SA plugin and now it returns
different results when run through SA vs. when it is run through
amavisd-new/SA.  Following are results of a manual scan with SA:

[mail:/home/vmail/taisweb.net/archive_received/Maildir] 9:22am#
spamassassin --siteconfigpath=/usr/local/etc/mail/spamassassin -x -t .blah/new/1237155804.M27154P10624V0000005CI0051B175_0.mail.taisweb.net,S=3981

Return-Path: <sys...@blogsuccess.com>
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on
mail.taisweb.net
X-Spam-GBUdb-Analysis:  2, 67.131.25.27, Ugly c=0 p=0 Source New
X-Spam-Status: No, score=-1.8 required=5.0
tests=HABEAS_ACCREDITED_COI,SNF4SA,
        URIBL_GREY autolearn=disabled version=3.2.1
X-Spam-SNF-Result: 62 (Obfuscation Techniques)
X-Spam-DCC: CollegeOfNewCaledonia: mail.taisweb.net 1189; Body=1 Fuz1=1
Fuz2=1
X-Spam-Level: 
X-Spam-MessageSniffer-Rules: 
        62-469556-2307-2317-m
        62-469556-4261-4271-m
        62-469556-0-5994-f
X-Spam-MessageSniffer-Scan-Result: 
X-Original-To: OBFUSCATED
Delivered-To: OBFUSCATED
Received: from localhost (localhost.taisweb.net [127.0.0.1])
        by mail.taisweb.net (Postfix) with ESMTP id D7B292B2C87
        for < OBFUSCATED >; Sun, 15 Mar 2009 18:23:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at taisweb.net
Received: from mx1.rmslink.net (mx1.rmslink.net [68.118.154.10])
        (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mail.taisweb.net (Postfix) with ESMTP id 65A522B2C92
        for < OBFUSCATED >; Sun, 15 Mar 2009 18:23:20 -0400 (EDT)
Received: from platinum-smtp.infusionsoft.com
(blogsuccess.platinum-smtp.infusionsoft.com [67.131.25.27])
        by mx1.rmslink.net (Postfix) with ESMTP id 1EBDC39824
        for < OBFUSCATED >; Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
Received: from gil (unknown [10.3.0.124])
        by smtp29.infusionsoft.com (Postfix) with ESMTP id 1B41B20841874
        for < OBFUSCATED >; Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
Date: Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
From: Jack Humphrey <listrespo...@blogsuccess.com>
Sender: sys...@blogsuccess.com
To: OBFUSCATED
Message-ID: <1429329783.1408551237155799111.javamail.tom...@gil>
Subject: J, this is BIG news!
Errors-To: sys...@blogsuccess.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
BatchId: 27269
X-BatchId: 27269
X-campaignid: infusion_blogsuccess27269
X-InfApp: blogsuccess
X-BBounce: blogsuccess_3812781
X-InfContact: 235195
X-InfSent: 3812781
Package: platinum
X-inf-package: platinum
X-inf-source: MailBatchFulfillRequest
X-MinStatusFlags: Double Opt-In
X-MaxStatusFlags: Double Opt-In
X-inf-uflags: Double Opt-In
X-inf-iflags: Double Opt-In
X-Virus-Scanned: ClamAV 0.94.2/9110/Sun Mar 15 01:06:44 2009 on
mx1.rmslink.net
X-Virus-Status: Clean

 [...EMAIL BODY SNIPPED...] 

Content analysis details:   (-1.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-8.0 HABEAS_ACCREDITED_COI  RBL: Habeas Accredited Confirmed Opt-In or
                            Better
                            [67.131.25.27 listed in sa-accredit.habeas.com]
 6.0 SNF4SA                 Message Sniffer
 0.2 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: infusionsoft.com]

Here, you can see that the SNF4SA plugin returns a weight of 6 when
spamassassin is invoked manually, which is correct.  However, following
are log lines from amavisd-new (note this is not the same email, but it
doesn't matter because the results are ALWAYS the same):

May 15 08:59:20 mail amavis[87045]: (87045-09) SPAM,
<n.11602.1187...@focusknock.com> -> <dia...@artsleague.com>, Yes,
score=29.552 tag=-999 tag2=6 kill=6 tests=[DCC_CHECK=1.37,
DIGEST_MULTIPLE=0.001, FB_TO_STOP_DISTRO=3.096, FH_XMAIL_RND_833=0.001,
HTML_IMAGE_ONLY_20=1.808, HTML_MESSAGE=0.001,
HTML_SHORT_LINK_IMG_3=0.556, MARKETING_PARTNERS=2.355,
MIME_QP_LONG_LINE=1.819, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
RAZOR2_CHECK=0.5, SNF4SA=1, SNIFFER=6, SPF_FAIL=0.992,
URIBL_BLACK=1.961] autolearn=disabled

The important bit is the weight for the SNF4SA plugin.  When run via
amavisd-new, SNF4SA ALWAYS adds a weight of 1 to EVERY MAIL (not just
mails that it identifies as spam).  The SNF4SA plugin is working in that
it is recording log lines stating its results, and it is correctly
identifying some spam and some ham in its own logs, but the result is
always +1 to the SA weight.

Here is one that wasn't identified as spam:

May 15 08:59:20 mail amavis[87039]: (87039-09) spam_scan: score=1.956
autolearn=disabled
tests=[DCC_CHECK=1.37,HTML_MESSAGE=0.001,SNF4SA=1,SPF_FAIL=0.992]

I'm hoping that someone can shed some light on why this may be returning
different results in SA alone vs. amavisd-new+SA?  Is there a way within
amavisd-new to debug this?

Another question I have is that these weights don't seem to add up
correctly?  From that last one: 
(1.37 + 0.001 + 1 + 0.992 != 1.956)

Versions:
amavisd-new-2.6.3
SpamAssassin version 3.2.1
  running on Perl version 5.8.8

Thanks, 


Dan Horne
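
Added example (not part of the original post or of amavisd-new): one way to check both symptoms described above from the amavisd-new log, by parsing each `tests=[...]` list, comparing the sum of the listed rule scores with the reported `score=`, and listing rules that hit every entry with an identical score. The function names are this example's own; the log lines are the two quoted in the post with mail-wrapped lines rejoined.

```python
import re
from collections import defaultdict

# The two amavisd-new log entries quoted in the post, mail-wrapped lines rejoined.
LOG = [
    "May 15 08:59:20 mail amavis[87045]: (87045-09) SPAM, "
    "<n.11602.1187...@focusknock.com> -> <dia...@artsleague.com>, Yes, "
    "score=29.552 tag=-999 tag2=6 kill=6 tests=[DCC_CHECK=1.37, "
    "DIGEST_MULTIPLE=0.001, FB_TO_STOP_DISTRO=3.096, FH_XMAIL_RND_833=0.001, "
    "HTML_IMAGE_ONLY_20=1.808, HTML_MESSAGE=0.001, "
    "HTML_SHORT_LINK_IMG_3=0.556, MARKETING_PARTNERS=2.355, "
    "MIME_QP_LONG_LINE=1.819, RAZOR2_CF_RANGE_51_100=0.5, "
    "RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, "
    "RAZOR2_CHECK=0.5, SNF4SA=1, SNIFFER=6, SPF_FAIL=0.992, "
    "URIBL_BLACK=1.961] autolearn=disabled",
    "May 15 08:59:20 mail amavis[87039]: (87039-09) spam_scan: score=1.956 "
    "autolearn=disabled "
    "tests=[DCC_CHECK=1.37,HTML_MESSAGE=0.001,SNF4SA=1,SPF_FAIL=0.992]",
]

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")
PAIR_RE = re.compile(r"([A-Za-z0-9_]+)=(-?\d+(?:\.\d+)?)")

def parse_entry(line):
    """Return (reported_score, {rule: score}), or None if the line has no tests list."""
    score, tests = SCORE_RE.search(line), TESTS_RE.search(line)
    if not (score and tests):
        return None
    rules = {name: float(val) for name, val in PAIR_RE.findall(tests.group(1))}
    return float(score.group(1)), rules

def score_gaps(lines):
    """Per entry: reported score minus the sum of the listed rule scores."""
    return [round(reported - sum(rules.values()), 3)
            for reported, rules in filter(None, map(parse_entry, lines))]

def constant_rules(lines):
    """Rules that hit every parsed entry with one identical score."""
    entries = [e for e in map(parse_entry, lines) if e]
    seen = defaultdict(list)
    for _, rules in entries:
        for name, val in rules.items():
            seen[name].append(val)
    return {n: v[0] for n, v in seen.items()
            if len(v) == len(entries) and len(set(v)) == 1}
```

With only the two entries from the post, every rule common to both is reported; over a longer log the list narrows to rules that fire on all mail with the same score.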

