Seems like spam and blacklisted items are getting through today, since about 1 am PDT.
Spamassassin broken?
Were these messages coming through completely bare of their Spamassassin headers, or was the blacklist rule simply not tripped?
John Fitzgerald
Sonic Technical Support
No USER_IN_BLACKLIST_TO in X-Spam-Status:
Actually it had a NEGATIVE score:
X-Spam-Status: No, score=-0.4 required=5.0 tests=DCC_CHECK,DCC_REPUT_90_94,
    HTML_IMAGE_RATIO_06,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_HELO_SOFTFAIL
    autolearn=disabled version=3.3.2
How is that possible?
Full header:
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on a.spam.sonic.net
X-Spam-Level:
X-Spam-Status: No, score=-0.4 required=5.0 tests=DCC_CHECK,DCC_REPUT_90_94,
    HTML_IMAGE_RATIO_06,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_HELO_SOFTFAIL
    autolearn=disabled version=3.3.2
Received: from b.mx.sonic.net (b.mx.sonic.net [69.12.208.74])
    by d.spam.sonic.net (8.14.4/8.14.4) with ESMTP id r7FFtn4X014104
    for <[email protected]>; Thu, 15 Aug 2013 08:55:49 -0700
Received: from flowerdelivery.com (flowerdelivery.com [74.100.228.3] (may be forged))
    by b.mx.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id r7FFtgsn011709
    for <[email protected]>; Thu, 15 Aug 2013 08:55:48 -0700
Reply-To: [email protected]
From: "FlowerDelivery.com" <[email protected]>
To: [email protected]
Subject: FlowerDelivery.com Order Today, Receive Today.
Date: 15 Aug 2013 08:55:30 -0700
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0012_8761687C.9057DEA3"
X-Sonic-SB-IP-RBLs: IP RBLs .
If you take a look at the big board of default SpamAssassin rules at https://members.sonic.net/email/spam/scores/index.php you'll see that there are several negative values. These are rules that trigger under conditions that make a message look less like spam than it otherwise would. In the case of the message headers above, we see:
  +1.1   DCC_CHECK
  +0.4   DCC_REPUT_90_94
  +0.001 HTML_IMAGE_RATIO_06
  +0.001 HTML_MESSAGE
  -2.799 RP_MATCHES_RCVD
  +0.896 SPF_HELO_SOFTFAIL
= -0.401
So in this case the single negative (likely to be proper mail) rule outweighed all the positive (likely to be spam) rules that were triggered. Even without that negative score, the other rules weren't enough to tip the message over the 5.0 threshold, but it would have had to look significantly spammier (in the eyes of SpamAssassin) to get there.
[edit]correction: https://members.sonic.net/email/spam/wh ... /view_all/ has the blacklist_to info still there, and I see the dd.antigone.com currently listed for that email account. I'm directing this to some internal investigation.
[edit]update: the user_in_blacklist_to seems to be working properly on my account today. I happened to be testing from a whitelisted address, so the -100 for the whitelist overpowered the +10 from the blacklist_to.
X-Spam-Status: No, score=-91.2 required=5.0 tests=RCVD_IN_BRBL_LASTEXT,
    RP_MATCHES_RCVD,USER_IN_BLACKLIST_TO,USER_IN_WHITELIST autolearn=disabled
    version=3.3.2
John Fitzgerald
Sonic Technical Support
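The score arithmetic from the reply above, as an added example that is not part of the original thread and is not Sonic's or SpamAssassin's own code: it parses both X-Spam-Status headers quoted in the thread and reports which negative-scoring rules kept each message under the threshold. The names `THREAD_SCORES`, `parse_spam_status` and `explain` are hypothetical, and the per-rule scores are only the ones quoted in the thread; any other rule is reported as unknown.

```python
import re

# Per-rule scores exactly as quoted in the thread. Rules not listed here are
# reported as unknown rather than guessed.
THREAD_SCORES = {
    "DCC_CHECK": 1.1, "DCC_REPUT_90_94": 0.4, "HTML_IMAGE_RATIO_06": 0.001,
    "HTML_MESSAGE": 0.001, "RP_MATCHES_RCVD": -2.799,
    "SPF_HELO_SOFTFAIL": 0.896, "USER_IN_BLACKLIST_TO": 10.0,
    "USER_IN_WHITELIST": -100.0,
}
STATUS_RE = re.compile(r"(Yes|No), score=(-?[\d.]+) required=(-?[\d.]+) "
                       r"tests=(.*?)(?= autolearn=|$)")

# The two X-Spam-Status headers from the thread, with folded continuation lines.
FIRST = """X-Spam-Status: No, score=-0.4 required=5.0 tests=DCC_CHECK,DCC_REPUT_90_94,
\tHTML_IMAGE_RATIO_06,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_HELO_SOFTFAIL
\tautolearn=disabled version=3.3.2"""
SECOND = """X-Spam-Status: No, score=-91.2 required=5.0 tests=RCVD_IN_BRBL_LASTEXT,
\tRP_MATCHES_RCVD,USER_IN_BLACKLIST_TO,USER_IN_WHITELIST autolearn=disabled
\tversion=3.3.2"""

def parse_spam_status(raw):
    """Unfold an X-Spam-Status header and split it into its fields."""
    value = " ".join(raw.partition(":")[2].split())
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = [t for t in re.split(r"[,\s]+", m.group(4)) if t and t != "none"]
    return {"is_spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

def explain(raw, scores=THREAD_SCORES):
    """Break a verdict down: known rule scores, unknown rules, negative offsets."""
    st = parse_spam_status(raw)
    known = {t: scores[t] for t in st["tests"] if t in scores}
    negatives = sorted((t for t in known if known[t] < 0), key=known.get)
    known_sum = round(sum(known.values()), 3)
    # Score the message would have had if no negative-scoring rule had fired.
    no_neg = round(st["score"] - sum(known[t] for t in negatives), 3)
    return {**st, "known_sum": known_sum,
            "unknown": [t for t in st["tests"] if t not in scores],
            "residual": round(st["score"] - known_sum, 3),
            "negative_rules": negatives, "score_without_negatives": no_neg,
            "masked": not st["is_spam"] and no_neg >= st["required"]}

if __name__ == "__main__":
    for hdr in (FIRST, SECOND):
        print(explain(hdr))
```

`masked` is true only when the message would have crossed the required score had the negative rules not fired, which is the whitelist-over-blacklist case in the second header; `residual` is the part of the reported score that the thread's quoted rule scores do not account for.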