Re: Spam with AWL and Bayes00

Tue, 10 Mar 2009 14:34:39 -0700 

Karsten Bräckelmann wrote:

The AWL score for this message is minimal (one can tell by calculating
the stock rules' scores without it). Your problem here is BAYES_00 and
RCVD_IN_DNSWL_MED.

BAYES_00 means your Bayes DB is pretty skewed. You should train sa-learn
on these messages.


I do.  Daily.
Note, I train on my personal account. But is there also a system-wide Bayes db that might be causing this score? 




RCVD_IN_DNSWEL_MED is a -4 alone. So either  (a) your trusted_networks
should be expanded, or  (b) the IP in question needs to be removed from
DNSWL.org. Can't tell without seeing the full headers.
Here is another, almost identical header, spam that got through with a nearly identical SA report. Does this help? 

Return-Path: <off...@itsjss.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
        vmmail.physics.tamu.edu
X-Spam-Level:
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,
   DATE_IN_PAST_06_12, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,
   HTML_TAG_BALANCE_BODY, MIME_HTML_ONLY, RCVD_IN_DNSWL_MED,SPF_FAIL
   autolearn=disabled version=3.2.5
X-Original-To: cbar...@mail.physics.tamu.edu
Delivered-To: cbar...@mail.physics.tamu.edu
Received: from tr-2-int.cis.tamu.edu (tamu-relay.tamu.edu
   [165.91.22.121]) by mail.physics.tamu.edu (Postfix) with ESMTP
   id 2D8B8950C1 for <cbar...@mail.physics.tamu.edu>; Tue, 10 Mar
   2009 01:22:52 -0500 (CDT)
Received: from localhost (localhost.tamu.edu [127.0.0.1])
   by tr-2-int.cis.tamu.edu (Postfix) with ESMTP id DF2CA1FD92
   for <chris-bar...@tamu.edu>; Tue, 10 Mar 2009 01:22:51 -0500(CDT)
X-Virus-Scanned: amavisd-new at tamu.edu
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from Outbound-four.nuos.com (outbound-four.nuos.com
   [63.149.233.44]) by tr-2-int.cis.tamu.edu (Postfix) with SMTP
   id 37F521FD65 for <chris-bar...@tamu.edu>; Tue, 10 Mar 2009 01:22:50
  -0500 (CDT)
Message-ID: <63342009319223327...@itsjss.com>
X-EM-Version: 5, 0, 0, 4
X-EM-Registration: #01E0530610F50E00AC00
From: "IT Solution Journal" <off...@itsjss.com>
To: "Chris Barnes" <chris-bar...@tamu.edu>






As John said, AWL is a pure score averager, based on the sender's
address and IP. I guess in such a case as outlined as example above,
they appear to come from the list server (thus sharing a /24 netblock),
instead of all using their actual originating network...

Also see these for reference:
  http://wiki.apache.org/spamassassin/AutoWhitelist
  http://wiki.apache.org/spamassassin/AwlWrongWay


Reading now....

Reply via email to