On 1/9/2013 9:13 PM, John Hardin wrote:
> On Wed, 9 Jan 2013, Ben Johnson wrote:
>
>> On 1/9/2013 7:36 PM, wolfgang wrote:
>>>
>>>> RCVD_IN_BRBL_LASTEXT,RCVD_IN_CSS,RCVD_IN_PSBL,RCVD_IN_XBL,URIBL_DBL_S
>>>> PAM, URIBL_JP_SURBL autolearn=disabled version=3.3.1
>>>
>>> I am not familiar with amavis, but I know that it calls spamassassin in
>>> a special way, depending on the amavis config. Wild guess: could it be
>>> that RBL/URIBL queries are disabled in your amavis config?
>>
>> Thanks for the reply.
>>
>> What you say about the RBL/URIBL tests makes sense.
>
> Check your amavis configuration to see whether you have network tests
> disabled. That's the simplest explanation.
>

Thanks, John. On the surface, network tests appear to be enabled:

# grep -ir sa_local_tests_only /etc/amavis
/etc/amavis/conf.d/20-debian_defaults:$sa_local_tests_only = 0; # only tests which do not require internet access?

Also, some of the incoming messages do contain network test scoring data
in the X-Spam-Status header; here are two examples:

Yes, score=8.451 tagged_above=-999 required=2 tests=[BAYES_99=3.5,
RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_CSS=1, RDNS_NONE=0.793,
SPF_PASS=-0.001, T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7]
autolearn=disabled

Yes, score=12.266 tagged_above=-999 required=2 tests=[BAYES_50=0.8,
DATE_IN_FUTURE_12_24=3.199, DIET_1=0.001, HTML_MESSAGE=0.001,
RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PSBL=2.7, RCVD_IN_XBL=0.375,
RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25] autolearn=disabled

(Several of those are network tests, right?)

What's strange is that another message was delivered at nearly the same
time as the above two, yet it shows no evidence of network tests being
performed (right?):

No, score=0.8 tagged_above=-999 required=2 tests=[BAYES_50=0.8,
HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=disabled

It seems as though the SPAM that slips through never shows evidence of
network tests, whereas the SPAM that is caught (and usually has a high
score -- 10 or higher) always seems to show evidence of network tests.

This observation begs the question: why are network tests being
performed for some messages but not others? To my knowledge, no
white/gray/black listing has been done on this box.

Thanks again,

-Ben
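
Added example, not part of the original message and not amavis or SpamAssassin code: a small parser for the three X-Spam-Status values quoted above that groups the rules that hit by family, so messages with no DNSBL/URIBL hit can be listed. The prefix-to-family mapping and all function names are assumptions of this example.

```python
import re

# Rule-name prefixes grouped into families (an assumption of this example).
# SPF_ is kept apart from the two blocklist families.
FAMILIES = {"dnsbl": "RCVD_IN_", "uribl": "URIBL_", "spf": "SPF_"}

STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?[\d.]+)\b.*?\btests=\[([^\]]*)\]")

# The three X-Spam-Status values quoted in the message above.
SAMPLES = [
    "Yes, score=8.451 tagged_above=-999 required=2 tests=[BAYES_99=3.5, "
    "RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_CSS=1, RDNS_NONE=0.793, SPF_PASS=-0.001, "
    "T_LOTS_OF_MONEY=0.01, URIBL_DBL_SPAM=1.7] autolearn=disabled",
    "Yes, score=12.266 tagged_above=-999 required=2 tests=[BAYES_50=0.8, "
    "DATE_IN_FUTURE_12_24=3.199, DIET_1=0.001, HTML_MESSAGE=0.001, "
    "RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PSBL=2.7, RCVD_IN_XBL=0.375, "
    "RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, "
    "URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=1.25] autolearn=disabled",
    "No, score=0.8 tagged_above=-999 required=2 tests=[BAYES_50=0.8, "
    "HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=disabled",
]

def parse_status(value):
    """Return (is_spam, score, {rule: points}) for an amavisd-style value."""
    m = STATUS_RE.match(" ".join(value.split()))  # collapse folded whitespace
    if m is None:
        raise ValueError("unrecognised X-Spam-Status value")
    hits = {}
    for item in filter(None, (t.strip() for t in m.group(3).split(","))):
        name, _, points = item.partition("=")
        hits[name] = float(points) if points else 0.0
    return m.group(1) == "Yes", float(m.group(2)), hits

def by_family(hits):
    """Group the names of the rules that hit by family prefix."""
    return {fam: sorted(r for r in hits if r.startswith(prefix))
            for fam, prefix in FAMILIES.items()}

def no_blocklist_hits(values):
    """Indexes of the values that list no DNSBL and no URIBL rule."""
    fams = [by_family(parse_status(v)[2]) for v in values]
    return [i for i, f in enumerate(fams) if not (f["dnsbl"] or f["uribl"])]

if __name__ == "__main__":
    for v in SAMPLES:
        spam, score, hits = parse_status(v)
        print(spam, score, by_family(hits))
    print("no blocklist hits:", no_blocklist_hits(SAMPLES))
```

The tests=[...] list contains only the rules that hit, so an empty dnsbl/uribl family shows that no list matched, not that no query was sent.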