On 11/4/2014 11:33 AM, btb wrote:
i've noticed lately a trend in which two messages which appear to be
identical arrive a few minutes apart, and one is marked as spam while
the other is not. aside from time stamps, queue ids, etc, i believe
the headers and content of the two messages to be identical. i can
see obvious differences in the X-Spam-Status: headers, but i'm not
sure how to figure out why one of the messages seems to match so many
more rules. here are the X-Spam-Status: headers from one such set of
examples:

X-Spam-Status: No, score=-0.597 required=5 tests=[BAYES_20=-0.001,
    RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
    autolearn=ham autolearn_force=no

X-Spam-Status: Yes, score=6.9 required=5 tests=[AWL=-7.497, BAYES_50=0.8,
    DIGEST_MULTIPLE=0.293, KAM_VERY_BLACK_DBL=5, PYZOR_CHECK=1.392,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5]
    autolearn=spam autolearn_force=no

I didn't look at the emails but most of these appear to be reactive
network-based tests like RBL and Razor/Pyzor. It would make complete
sense that it might slip by and then be caught in the future.
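
Added example, not part of the thread: a small parser that diffs the two X-Spam-Status headers quoted above and totals the points from rules that hit only on the later copy. The prefix list used to mark rules as network lookups (URIBL_, RAZOR2_, PYZOR_) is an assumption of this example, as are the function and variable names.

```python
import re

# X-Spam-Status values quoted in the thread, unfolded into single strings.
FIRST = (
    "No, score=-0.597 required=5 tests=[BAYES_20=-0.001, "
    "RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] "
    "autolearn=ham autolearn_force=no"
)
SECOND = (
    "Yes, score=6.9 required=5 tests=[AWL=-7.497, BAYES_50=0.8, "
    "DIGEST_MULTIPLE=0.293, KAM_VERY_BLACK_DBL=5, PYZOR_CHECK=1.392, "
    "RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, "
    "RAZOR2_CHECK=0.922, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, "
    "SPF_PASS=-0.001, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5] "
    "autolearn=spam autolearn_force=no"
)

# Assumption of this example: rule-name prefixes counted as network lookups
# (URI blocklists, Razor, Pyzor), following the reply's reading of the header.
NETWORK_PREFIXES = ("URIBL_", "RAZOR2_", "PYZOR_")

STATUS_RE = re.compile(
    r"\s*(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=\[(.*?)\]",
    re.S,
)

def parse_status(value):
    """Parse a header value into (is_spam, score, required, {rule: points})."""
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status value")
    tests = {}
    for item in filter(None, (i.strip() for i in m.group(4).split(","))):
        name, _, points = item.partition("=")
        tests[name] = float(points)
    return m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), tests

def compare(earlier, later):
    """Return rules unique to each header and the network share of the gap."""
    a, b = parse_status(earlier)[3], parse_status(later)[3]
    only_earlier = {r: p for r, p in a.items() if r not in b}
    only_later = {r: p for r, p in b.items() if r not in a}
    network = sum(p for r, p in only_later.items() if r.startswith(NETWORK_PREFIXES))
    return only_earlier, only_later, round(network, 3)

if __name__ == "__main__":
    gone, new, network = compare(FIRST, SECOND)
    print("only in first :", sorted(gone))
    print("only in second:", sorted(new))
    print("points from network-prefixed rules:", network)
```

Run against the two headers in the thread, the rules with those three prefixes contribute 8.9 points to the second message, more than the whole 6.9 total once the negative AWL adjustment is counted.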