Hallo there,
I looked at scoring for an email on an SA installation and noticed differences between hand scanning with spamc and scanning with spamd. My manually scanned email hit CLAMAV sane security, (ignore Bayes because the user had Bayes process this and then asked me about this), whilst this spamd delivered message did not hit CLAMAV_SANE The local.cf had a timeout of 250 seconds (default is 300). The clamav logs did not record any connection from SA during the spamd scan, yet did record a connection from spamc when I manually scanned the message so I think spamd skipped clamav scans. I'd be really grateful if you could tell me where I could start looking so that I can work out why CLAMAV did not get read/called. Running on Debian 6 / SpamAssassin 3.3.2 Thanks, S. ----------------------------------------- Hand scanned with # cat $MESSAGEFILE | spamc -R -u spamd Content analysis details: (15.7 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000] -0.1 JOB_OFFERS_PHASES BODY: Phrases typical of English language job offers 0.0 MTX_FAIL MTX: Failed: http://www.chaosreigns.com/mtx/ 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 0.7 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) 1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words 0.0 HTML_MESSAGE BODY: HTML included in message 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) 0.0 CLAMAV Clam AntiVirus detected something doubtful contained within. [Sanesecurity.Rogue.0hr.0528v11148.UNOFFICIAL(f96fcb039ace92f345acb2356f3462b2:145148)] 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS 7.5 CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures 0.0 T_REMOTE_IMAGE Message contains an external image Results when scanned by spamd via postfix: Tue May 28 14:17:36 2013 [20590] info: spamd: processing message <51a49fdb.908...@hsbc.co.uk> for exam...@example.co.uk:5002 Tue May 28 14:17:55 2013 [20590] info: spamd: result: . 5 - BAYES_50,DCC_CHECK,HTML_IMAGE_ONLY_20,HTML_MESSAGE,JOB_OFFERS_PHASES,MTX_FAIL,RDNS_NONE,SPF_HELO_SOFTFAIL,SPF_SOFTFAIL,T_REMOTE_IMAGE scantime=18.9,size=145848,user=exam...@example.co.uk,uid=5002,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=38517,mid=<51a49fdb.908...@hsbc.co.uk>,bayes=0.500979,autolearn=no,shortcircuit=no X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on example.co.uk X-Spam-Level: ***** X-Spam-Status: No, score=5.5 required=6.0 tests=BAYES_50,DCC_CHECK, HTML_IMAGE_ONLY_20,HTML_MESSAGE,JOB_OFFERS_PHASES,MTX_FAIL,RDNS_NONE, SPF_HELO_SOFTFAIL,SPF_SOFTFAIL,T_REMOTE_IMAGE shortcircuit=no autolearn=no version=3.3.2 X-Spam-Virus: No X-Spam-Report: * -0.1 JOB_OFFERS_PHASES BODY: Phrases typical of English language job * offers * 0.0 MTX_FAIL MTX: Failed: http://www.chaosreigns.com/mtx/ * 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) * 0.7 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) * 1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words * 0.0 HTML_MESSAGE BODY: HTML included in message * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5001] * 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS * 0.0 T_REMOTE_IMAGE Message contains an external image
