Koozali.org: home of the SME Server

Help with SpamAssassin, please

robbracken

« on: June 07, 2006, 07:29:03 PM »
I'm using fetchmail to pick up mail from two different POP servers. SpamAssassin is successfully filtering out SPAM from one of the servers, but not the other.

Here's a sample set of headers from a mail that was successfully marked as SPAM:
=======================================
Received: (qmail 7540 invoked by alias); 7 Jun 2006 16:05:43 -0000
Delivered-To: alias-localdelivery-rob_bracken@xxxxxx
Received: (qmail 7536 invoked from network); 7 Jun 2006 16:05:33 -0000
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
   my-sme-server
X-Spam-Report:
   *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
   *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
   *      lines
   *  2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
   *      [score: 0.9210]
   *  0.5 HTML_40_50 BODY: Message is 40% to 50% HTML
   *  0.0 HTML_MESSAGE BODY: HTML included in message
   *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
   *      [83.53.211.228 listed in sbl-xbl.spamhaus.org]
   *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
   *      [83.53.211.228 listed in combined.njabl.org]
   *  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
   *      [URIs: tranenterro.com]
X-Spam-Status: Yes, score=10.1 required=8.0 tests=BAYES_80,FORGED_RCVD_HELO,
   HTML_40_50,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_XBL,
   UNPARSEABLE_RELAY,URIBL_SBL autolearn=no version=3.1.0
X-Spam-Level: **********
X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on my-sme-server
Received: from localhost (127.0.0.1)
  by my-sme-server (127.0.0.1) with ESMTP; 07 Jun 2006 16:05:32 -0000
Received: from pop3.yyyyyy
   by localhost with POP3 (fetchmail-5.9.0)
   for rob_bracken@xxxxxx (multi-drop); Wed, 07 Jun 2006 17:05:32 +0100 (BST)
Received: from mwinf3107.yyyyyy (mwinf3107.yyyyyy)
   by mwinb3006 (SMTP Server) with LMTP; Wed, 07 Jun 2006 18:04:58 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: rob_bracken@xxxxxx
Received: from me-yyyyyy (localhost [127.0.0.1])
   by mwinf3107.yyyyyy (SMTP Server) with ESMTP id ED1D51C00B4F
   for <rob_bracken@xxxxxx>; Wed,  7 Jun 2006 18:04:57 +0200 (CEST)
Received: from some_domain (228.Red-83-53-211.dynamicIP.rima-tde.net [83.53.211.228])
   by mwinf3107.yyyyyy (SMTP Server) with SMTP id 41EA21C00B54
   for <rob_bracken@xxxxxx>; Wed,  7 Jun 2006 18:04:55 +0200 (CEST)
X-ME-UUID: 20060607160456270.41EA21C00B54@mwinf3107.yyyyyy
Message-ID: <000001c68a4c$1ea0f390$536ca8c0@yce54>
Reply-To: "Martha Remillard" <some_address_or_other>
From: "Martha Remillard" <some_address_or_other>
To: rob_bracken@xxxxxx
Subject: [SPAM 10.1 of 8.0] test kyv
Date: Wed, 7 Jun 2006 09:04:56 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="----=_NextPart_000_0001_01C68A11.72448C90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-me-spamlevel: not-spam
X-me-spamrating: 45.564843
X-Spam-Prev-Subject: test kyv
=======================================
Here's a sample set of headers from an email that wasn't marked as SPAM:
=======================================
Received: (qmail 8150 invoked by alias); 7 Jun 2006 16:35:21 -0000
Delivered-To: alias-localdelivery-rob.bracken@xxxxxx
Received: (qmail 8146 invoked by uid 101); 7 Jun 2006 16:35:21 -0000
Delivered-To: admin@my-sme-server
Received: (qmail 8144 invoked by alias); 7 Jun 2006 16:35:21 -0000
Delivered-To: alias-localdelivery-admin@xxxxxx
Received: (qmail 8141 invoked by alias); 7 Jun 2006 16:35:21 -0000
Delivered-To: info@my-sme-server
Received: (qmail 8138 invoked by alias); 7 Jun 2006 16:35:20 -0000
Delivered-To: alias-localdelivery-info@xxxxxx
Received: (qmail 8134 invoked from network); 7 Jun 2006 16:35:10 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
   my-sme-server
X-Spam-Status: No, score=3.9 required=8.0 tests=BAYES_50,RCVD_IN_XBL
   autolearn=no version=3.1.3
X-Spam-Level: ***
X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on my-sme-server
Received: from localhost (127.0.0.1)
  by my-sme-server (127.0.0.1) with ESMTP; 07 Jun 2006 16:35:06 -0000
Envelope-to: info@xxxxxx
Delivery-date: Wed, 07 Jun 2006 17:30:30 +0100
Received: from mail
   by localhost with POP3 (fetchmail-5.9.0)
   for info@xxxxxx (multi-drop); Wed, 07 Jun 2006 17:35:06 +0100 (BST)
Received: from myaccount by twx3.zzzzzz with local-bsmtp (Exim 4.52)
   id 1Fo0vJ-0006BF-7m
   for info@xxxxxx; Wed, 07 Jun 2006 17:30:30 +0100
Received: from [59.37.83.211] (helo=some_domain)
   by twx3.zzzzzz with smtp (Exim 4.52)
   id 1Fo0vH-00069t-Nw
   for robb@xxxxxx; Wed, 07 Jun 2006 17:30:24 +0100
Message-ID: <b51d01c68a11$3e582900$0f024598@dusenbury>
From: "Alfred" <some_address_or_other>
To: "Spouffourth" <robb@xxxxxx>
Subject: Tell me..
Date: Wed, 07 Jun 2006 09:03:29 -0800
MIME-Version: 1.0
Content-Type: text/plain;
   charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
=======================================
Please excuse me for being paranoid, but I've changed domain names, etc., as follows:
xxxxxx = my own domain
yyyyyy = the domain of the first POP server I pick up mail from
zzzzzz = the domain of the second POP server I pick up mail from
my-sme-server = the name of my SME Server.

I'm running SME Server 6.0 with Jasper Knudsen's SpamAssassin contrib (brilliant! - many thanks, Jasper). I've just updated it today to version 3.1.3.

Any help will be much appreciated.

Curly

« Reply #1 on: June 08, 2006, 09:39:52 PM »
I see no real strange things, both the emails were scanned for spam (the line X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on my-sme-server) and one scored spam (10.1 points), the other scored no-spam (3.9 points). The scores vary per email, depending on their characteristics.

Use sa-learn to train SpamAssassin and it should get better in time. You could always change the spam threshold from 8 to even lower, but you might get false positives.

As far as I can see, everything works OK.

robbracken

« Reply #2 on: June 09, 2006, 10:32:36 AM »
"I see no real strange things, both the emails were scanned for spam"

Well, yes, but the 2nd email wasn't scanned correctly.

For instance, I've set up a blacklist & set the score for being in the blacklist to 100 (in /etc/mail/spamassassin/local.cf), but emails from domains on the blacklist still get through & blacklist_from doesn't appear in the list of SpamAssassin scores.

I also find that similar SPAM is treated differently, depending on which server it came through.

Is SpamAssassin getting confused by the mail server changing the "for" address ("for robb" changes to "for info")?

Curly

« Reply #3 on: June 10, 2006, 10:00:49 PM »
I agree that the blacklist doesn't work. SpamAssassin works, the change in "for" doesn't matter.

SpamAssassin depends on rules, some of these rules are triggered by the servers the message has passed through, some rules are triggered by the content (body) of the message. Some are even triggered by the subject of the message.

robbracken

« Reply #4 on: June 11, 2006, 01:12:39 PM »
Hmmm...

Why doesn't the blacklist work?

I think I need to investigate SpamAssassin further.

It would be interesting to get some feedback from other members about what works for them.

I'll post some results here when I've looked into it further (prob. in a couple of weeks).

Thanks, Curly.

kruhm

« Reply #5 on: June 11, 2006, 09:51:38 PM »
Blacklists work by looking up where the email is coming from.
You're using FETCHMAIL and getting email from your servers.
Your servers are not a blacklist.

robbracken

« Reply #6 on: June 12, 2006, 10:03:55 AM »
"Your servers are not a blacklist."

Um, agreed, but I've set up a domain blacklist. As I understand, any mail with a FROM address in those domains should trigger the "blacklist_from" check, which I've given a score of 100. That's not happening.
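
Added example, not part of any post in this thread: a small check that reads the blacklist_from patterns out of local.cf text, unfolds a message's X-Spam-Status header, and reports whether the blacklist rule should have fired and whether it did. It assumes SpamAssassin 3.x reports a blacklist_from hit as USER_IN_BLACKLIST, compares only the From: header, and uses a constructed sender domain and local.cf, because the thread redacts both.

```python
import email
import re
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Assumption: SpamAssassin 3.x lists a blacklist_from hit under this rule name.
BLACKLIST_RULE = "USER_IN_BLACKLIST"

# Constructed samples: status header copied from the unflagged mail, sender invented.
SAMPLE_LOCAL_CF = "blacklist_from *@blocked.example\nscore USER_IN_BLACKLIST 100\n"
SAMPLE_MISSED = (
    "X-Spam-Status: No, score=3.9 required=8.0 tests=BAYES_50,RCVD_IN_XBL\n"
    "   autolearn=no version=3.1.3\n"
    'From: "Alfred" <alfred@blocked.example>\n'
    "Subject: Tell me..\n\n"
)

def blacklist_patterns(local_cf):
    """Collect the glob patterns from every blacklist_from line."""
    patterns = []
    for line in local_cf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if fields and fields[0] == "blacklist_from":
            patterns += [p.lower() for p in fields[1:]]
    return patterns

def spam_status(msg):
    """Unfold X-Spam-Status; return (verdict, score, required, tests) or None."""
    raw = " ".join((msg.get("X-Spam-Status") or "").split())
    m = re.match(r"(\w+), score=(-?[\d.]+) required=(-?[\d.]+) tests=(.*?) autolearn=", raw)
    if not m:
        return None
    return m.group(1), float(m.group(2)), float(m.group(3)), set(m.group(4).replace(" ", "").split(","))

def diagnose(raw_message, local_cf):
    """Compare what local.cf says should match with what the scanner recorded."""
    msg = email.message_from_string(raw_message)
    status = spam_status(msg)
    if status is None:
        return "not scanned: no X-Spam-Status header"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    expected = any(fnmatchcase(sender, p) for p in blacklist_patterns(local_cf))
    if BLACKLIST_RULE in status[3]:
        return "blacklist rule fired"
    if expected:
        return "pattern matches From but %s is absent from tests=" % BLACKLIST_RULE
    return "no blacklist_from pattern matches this From address"

if __name__ == "__main__":
    print(diagnose(SAMPLE_MISSED, SAMPLE_LOCAL_CF))
```

A "pattern matches From" result means the mismatch lies with which configuration the scanner actually read, not with the pattern; fnmatch globbing is an approximation of SpamAssassin's own `*` and `?` matching.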