Hi all,
It's rare for mail to slip through the cracks these days, but this one really got my attention:
Return-Path: <[EMAIL PROTECTED]>
Received: from drizzle.sasknow.net ([unix socket]) by drizzle.sasknow.net (Cyrus v2.2.6) with LMTPA; Thu, 29 Jul 2004 01:58:53 -0600
X-Sieve: CMU Sieve 2.2
Received: from sasknow.com (exchange-server.imageforce.com [195.68.26.170]) by drizzle.sasknow.net (8.12.9p2/8.12.9) with ESMTP id i6T7wnHC093772 for <[EMAIL PROTECTED]>; Thu, 29 Jul 2004 01:58:49 -0600 (CST) (envelope-from [EMAIL PROTECTED])
Message-Id: <[EMAIL PROTECTED]>
From: "Automatic Email Delivery Software" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Guiqznmo
Date: Thu, 29 Jul 2004 10:02:15 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_F14B32F8.CD3D5862"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Virus-Status: Clean, ClamAV version devel-20040622, clamav-milter version 0.72a on drizzle.sasknow.net
X-Spam-Status: No, hits=1.1 required=7 tests=RT_SUBJ68=0.9,FORGED_RCVD_HELO=0.0,MSGID_FROM_MTA_ID=2.4, BAYES_99=4.0,UPPERCASE_25_50=0.3,RT_BTZP=5.0, FORGED_MUA_OUTLOOK=1.3 autolearn=no version=3.000000-pre2
X-Spam-Level: *
----------
The message itself contained one 7-bit text/plain; charset=us-ascii part containing almost all 8-bit characters, and one attachment consisting of an unencrypted .zip archive, with an embedded unencrypted .zip containing a 1.1KB file by the name of '[EMAIL PROTECTED]', with unrecognizable 8-bit data. It all *looks* like a virus, but it didn't get caught by clamav, and doesn't match any binary format that I know of (or that file(1) knows of :-), so I'm checking into that angle, too. However, it did hit enough tests to get flagged by SA.
As you can see, the scores in X-Spam-Status definitely don't add up to 1.1. So, I ran through -D -t and got a score of 11.6 points, but noticed the following:
debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=195.68 scores 4/10.926
debug: AWL active, pre-score: 20.383, autolearn score: 20.383, mean: 2.7315, IP: 195.68.26.170
debug: add_score: New count: 5, new totscore: 31.309
debug: DB addr list: untie-ing and unlocking.
debug: DB addr list: file locked, breaking lock.
debug: unlock: 16955 unlink /var/spool/SpamAssassin/auto-whitelist.lock
debug: Post AWL score: 20.383
Fine, but in the attached report, I get this:
-8.8 AWL AWL: From: address is in the auto white-list
This is the second time I've run this message through -D -t, and at least the third time SA has seen it. The first time I ran it through, the AWL score was about -12.0, so it seems to be increasing, and looks about right, considering the message scored 20.4 points before SA, yet the average is this:
6.3 (31.3/5) -- [EMAIL PROTECTED]|ip=195.68
I then removed that address from the whitelist, and re-ran SA -D -t, and, as should be, the message didn't get an AWL score, and scored 20.4 points on its own (de)merits.
So, the problem I see is twofold:

1. In the original message, as processed by MIMEDefang, a bunch of points got subtracted that didn't show up in any tests. The AWL score didn't even show up in the X-Spam-Status header. It does for every other AWL sender that I've seen. Who knows. Maybe it wasn't even an AWL adjustment that subtracted the points initially, and I'm barking up the wrong tree.

2. [EMAIL PROTECTED]|ip=195.68 (actually, from *any* IP) was not in the AWL database as of yesterday (I checked a backup), and the message I received is the only message from any IP with sender '[EMAIL PROTECTED]' that appears in our maillogs for at least the past 10 days. Why, when I received the message the first time, then, did it apparently subtract over 14 points from the message (as shown in the headers, knocking it down to 1.1 points)? (See also my bet hedging in #1).
Any ideas? (Yes, I've confirmed that I'm using the same auto-whitelist database and configuration for both runs, and have looked at the usual suspects for score mismatches. We run a pretty tight ship, here. :-)
System: SA 3.0.0-pre2, MIMEDefang, on FreeBSD RELENG_4_9.
- Ryan
--
Ryan Thompson <[EMAIL PROTECTED]>

SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America
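As an added worked example (not part of the post above, nor SpamAssassin's own code), the script below reproduces the AWL arithmetic from the quoted -D output and checks whether the X-Spam-Status header "adds up", which is the quickest way to spot a hidden negative adjustment pulling a high-scoring message under the threshold. It assumes SpamAssassin's AWL rule of shifting the score by (sender mean - current score) * auto_whitelist_factor with the default factor of 0.5; the sender address in the sample lines is a constructed placeholder.

```python
import re

# Constructed sample input, copied from the debug output and header quoted above.
DEBUG_LINES = """\
debug: auto-whitelist (db-based): sender@example.invalid|ip=195.68 scores 4/10.926
debug: AWL active, pre-score: 20.383, autolearn score: 20.383, mean: 2.7315, IP: 195.68.26.170
debug: add_score: New count: 5, new totscore: 31.309
"""
SPAM_STATUS = ("X-Spam-Status: No, hits=1.1 required=7 tests=RT_SUBJ68=0.9,"
               "FORGED_RCVD_HELO=0.0,MSGID_FROM_MTA_ID=2.4, BAYES_99=4.0,"
               "UPPERCASE_25_50=0.3,RT_BTZP=5.0, FORGED_MUA_OUTLOOK=1.3 "
               "autolearn=no version=3.000000-pre2")

AWL_FACTOR = 0.5  # assumed: SpamAssassin's default auto_whitelist_factor


def parse_awl_debug(text):
    """Pull the sender's history (count/totscore), pre-score and mean out of -D output."""
    hist = re.search(r"scores (\d+)/(-?[\d.]+)", text)
    pre = re.search(r"pre-score: (-?[\d.]+).*?mean: (-?[\d.]+)", text)
    return {
        "count": int(hist.group(1)),
        "totscore": float(hist.group(2)),
        "pre_score": float(pre.group(1)),
        "mean": float(pre.group(2)),
    }


def awl_delta(mean, pre_score, factor=AWL_FACTOR):
    """AWL adjustment: half the distance from this message's score to the sender's mean."""
    return (mean - pre_score) * factor


def updated_mean(count, totscore, pre_score):
    """Mean the AWL stores after folding the current message into the sender's history."""
    return (totscore + pre_score) / (count + 1)


def implied_adjustment(spam_status):
    """Return (hits - sum of listed test scores, sum of listed test scores).

    A large negative first value means something not listed in tests= (such as
    an AWL adjustment) lowered the final score."""
    hits = float(re.search(r"hits=(-?[\d.]+)", spam_status).group(1))
    tests = re.search(r"tests=(.*?)\s+autolearn", spam_status, re.S).group(1)
    listed = sum(float(s) for s in re.findall(r"=(-?[\d.]+)", tests))
    return round(hits - listed, 1), round(listed, 1)
```

Running the functions on the quoted data gives the -8.8 AWL line and the 6.3 (31.3/5) mean from the report, while the header itself shows 13.9 points of listed tests reduced to 1.1 hits with no AWL test shown.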