Matt Kettler wrote:
>> I'm running SA 3.1.7 on Windows XP and it is working
>> pretty well. However I have a question about AWL.
>> Every now and then I can see a spam header
>> where AWL gives some negative score.
>
> That alone should not be worrisome. A negative score does not
> imply the AWL thinks the message sender is nonspam. In fact,
> modest negative scores from the AWL on spam are actually a
> good sign, as it means the spammer's current messages are
> higher scoring than in the past. If the AWL is always positive,
> that means the scores are constantly declining, and eventually
> won't be tagged at all.
>
> In your example below, the AWL had a historical score of about
> 9.8. The message pre-awl scored about 15.2. The AWL split the
> difference and deducted 2.7 to make the final score 12.5. The
> AWL still thought it was a spam sender, just less spammy than
> current.
>
> Perfectly normal.
>
> See also
>
> http://wiki.apache.org/spamassassin/AwlWrongWay
Thanks for the explanation. I have already read the
page you are referring and I believe that I understand
the behaviour of AWL. But then again examples (like
the one below) make me wonder if there should be a
limit to AWL scoring. Most stock spams get here scores
between 10 and 20. A high negative AWL score could
let the spam in.
The sender's address used in the spam below has
a listing like this in my auto-whitelist file:
14.6 (29.1/2) -- [EMAIL PROTECTED]|ip=66.111
>> The "debora" stock spams seem to have this problem
>> more often than the others.
>>
>> I'd like to check the contents of the AWL database,
>> but I'm not sure how "check_whitelist" works on a
>> Windows platform. Can you give me a hint?
>
> I'm not sure about windows specifics. You need to feed
> it the path to the AWL db file, as it will not find this
> automatically on its own on
Ok, this seems to work fine on command line:
perl check_whitelist "C:\Documents and
Settings\Administrator\.spamassassin\auto-whitelist" > list.txt
I was just a bit afraid because of the missing - ever so
important - file name extension.
Regards
Jyri Korhonen
---
Return-path: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on virusscan
X-Spam-Level: **************
X-Spam-Status: Yes, score=14.6 required=5.0 tests=AWL,BAYES_99,
HELO_DYNAMIC_IPADDR2,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,
RCVD_IN_SORBS_DUL,RCVD_IN_XBL,SARE_CSBIG,SARE_MLB_Stock1,
SARE_MLB_Stock5 autolearn=spam version=3.1.7
X-Spam-Report:
* 3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious
hostname (IP
* addr 2)
* 1.7 SARE_MLB_Stock1 BODY: SARE_MLB_Stock1
* 1.7 SARE_CSBIG BODY: Only Mexican food gives me an Explosive
Gain.
* 1.7 SARE_MLB_Stock5 BODY: Mentions stock symbol, tickers, or
OTC.
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic
IP address
* [200.89.151.186 listed in dnsbl.sorbs.net]
* 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
bl.spamcop.net
* [Blocked - see
<http://www.spamcop.net/bl.shtml?200.89.151.186>]
* 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* [200.89.151.186 listed in sbl-xbl.spamhaus.org]
* 1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local
SMTP
* [200.89.151.186 listed in combined.njabl.org]
* -7.2 AWL AWL: From: address is in the auto white-list
Received: from r2d2.sci.fi [195.74.0.50]
by mailcenter.plandent.com; Thu, 09 Nov 2006 06:19:37 +0200
Received: from 186-151-89-200.fibertel.com.ar
(186-151-89-200.fibertel.com.ar [200.89.151.186])
by r2d2.sci.fi (Postfix) with ESMTP id E1EEAF67D0306
for <[EMAIL PROTECTED]>; Thu, 9 Nov 2006 06:19:36 +0200
(EET)
Received: from 66.111.4.71 (HELO in1.smtp.messagingengine.com)
by planmeca.fi with esmtp (KD8J5CIM 3L3WH)
id L307GC-34MFAK-FU
for [EMAIL PROTECTED]; Thu, 9 Nov 2006 04:20:12 +0180
From: "Salvador Glover" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *SPAM* It's Salvador :)
Date: Thu, 9 Nov 2006 04:20:12 +0180
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
Thread-Index: Aca6QZUQ5M8J73RV3T40TZ2BHVXU9C==
X-Spam-Prev-Subject: It's Salvador :)
