On 18 May 2012 15:11, Mark Martinec <[email protected]> wrote:
> Simon,
>
>> I use log-watch to summarize my postfix and amavis log on a daily basis.
>> The amavis one is never an issue but the postfix one occasionally
>> triggers spamassassin and so amavis flags it (never high enough to
>> outright discard it).
>>
>> For example, this morning..
> [...]
>> SPAM-TAG, <[email protected]> -> <[email protected]>, Yes, score=5.365
>> tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, DRUGS_ERECTILE=1.994,
>> NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, SPOOF_COM2COM=2.048,
>> SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no
>>
>> Now, I see nothing in the mail about erectile drugs, so I'm confused why
>> that one is there. Also the spoofing seems strange.
>>
>> Both mails are injected with:
>> cat postfix.logwatch | /usr/sbin/sendmail -t [email protected]
>>
>> So, if that were responsible for the spoofing, I'd expect to see it on
>> both.
>>
>> The spam-tag for the amavis mail for example is:
>> May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG,
>> <[email protected]> -> <[email protected]>, No, score=-0.777
>> tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001,
>> NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no
>>
>> Why is my very boring log-file analysis triggering SA test for drugs and
>> spoofing? :)
>
> Log files (from a web server or alike) often contain domain names
> which are otherwise indicative of spam, so mailing log files with
> URLs or domain names is likely to cause false positives.
>
> You either need to whitelist your source of such mail messages, or
> scramble their contents, e.g. by zipping attachments and encrypting
> them with some trivial password.
Which reminds me of the other question I meant to include in that first
email..

How can I get injected mails to be added to the autolearn function? These
mails go out daily, so it would be nice for amavis to start tagging them
automatically as ham.

Simon
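An added example, not part of the original thread: a small parser for the amavisd-new SPAM-TAG lines quoted above that shows how much of each score comes from rules firing on domain names and text quoted inside the log summary. The function names and the choice of rule-name prefixes to group are assumptions made for this illustration.

```python
import re

# The two SPAM-TAG lines quoted in the thread (addresses appear redacted there;
# the first line was posted without its syslog prefix).
SAMPLE_LINES = [
    "SPAM-TAG, <[email protected]> -> <[email protected]>, Yes, score=5.365 "
    "tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, DRUGS_ERECTILE=1.994, "
    "NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, SPOOF_COM2COM=2.048, "
    "SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] autolearn=no",
    "May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG, "
    "<[email protected]> -> <[email protected]>, No, score=-0.777 "
    "tagged_above=-9999 required=4 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001, "
    "NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no",
]

SPAM_TAG = re.compile(
    r"SPAM-TAG, .*?, (?P<verdict>Yes|No), score=(?P<score>-?[\d.]+) "
    r".*?required=(?P<required>-?[\d.]+) tests=\[(?P<tests>[^\]]*)\]"
)

def parse_spam_tag(line):
    """Return verdict, score, threshold and per-rule scores, or None if no SPAM-TAG."""
    m = SPAM_TAG.search(line)
    if m is None:
        return None
    tests = {}
    for item in filter(None, (t.strip() for t in m["tests"].split(","))):
        name, _, value = item.rpartition("=")
        tests[name] = float(value)
    return {"verdict": m["verdict"], "score": float(m["score"]),
            "required": float(m["required"]), "tests": tests}

# Assumption for this example: these prefixes mark rules that react to message
# content (URLs, domain names, body phrases) rather than to how it was relayed.
CONTENT_PREFIXES = ("DRUGS_", "SPOOF_", "URI_")

def content_rule_impact(entry, prefixes=CONTENT_PREFIXES):
    """Return (content-rule hits, score without them, whether still over threshold)."""
    hit = {n: s for n, s in entry["tests"].items()
           if n.startswith(prefixes) and s > 0}
    remaining = round(entry["score"] - sum(hit.values()), 3)
    return hit, remaining, remaining >= entry["required"]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_spam_tag(line)
        hit, remaining, still_spam = content_rule_impact(entry)
        print(entry["verdict"], entry["score"], hit, remaining, still_spam)
```

For the postfix summary, the four content rules account for 7.265 points, so without them the message would score -1.9 against a threshold of 4.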
