SPAM - Spam Assassin says score is 1.9 but it's higher

9 posts Page 1 of 1
by tensigh » Mon Nov 03, 2014 3:48 am
Hello,

Sonic insists on keeping Spam Assassin despite its track record, so I'm trying to modify my SA scores (again!) to stop spam.

I received a spam that merely scored 1.9 (my SA settings are at 2.0). But when I added up these factors, the spam should have rated at least 6! Is Spam Assassin as bad at math as it is at stopping spam?

Here's what was in the headers:

------------
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on d.spam.sonic.net
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=2.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,SNF4SA,T_REMOTE_IMAGE,URIBL_BLACK
------------

I've tweaked most of these settings (again, in the past). Two of them had -.01, but all of the others were positive (from .4 to .5) except for SNF4SA, which is set at 5.0!!! How does 5.0 + .4 + .5 + 1.0 + -.01 = 1.9?

Can someone explain this to me, or is this message going to be ignored like the ones I send to [email protected]?
by thulsa_doom » Mon Nov 03, 2014 8:28 am
SNF4SA is a sniffer with a point value that varies on a per-message basis.
John Fitzgerald
Sonic Technical Support
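
The header arithmetic discussed in the posts above, as an added example that is not part of the original thread: it unfolds an X-Spam-Status header, lists the rules that hit, and works out what a per-message rule such as SNF4SA must have contributed once the fixed scores are subtracted. The per-rule values in ASSUMED_SCORES are constructed for illustration (the thread does not give a score for each rule), and the function names are hypothetical.

```python
import re
from decimal import Decimal

# Constructed sample: the header quoted in the first post, folded as in a raw message.
SAMPLE = ("X-Spam-Status: No, score=1.9 required=2.0 tests=DKIM_SIGNED,DKIM_VALID,\n"
          "\tDKIM_VALID_AU,HTML_MESSAGE,SNF4SA,T_REMOTE_IMAGE,URIBL_BLACK\n")

# Assumed fixed scores, for illustration only; substitute your own local settings.
ASSUMED_SCORES = {name: Decimal(val) for name, val in {
    "DKIM_SIGNED": "0.4", "DKIM_VALID": "-0.01", "DKIM_VALID_AU": "-0.01",
    "HTML_MESSAGE": "0.5", "T_REMOTE_IMAGE": "0.4", "URIBL_BLACK": "1.0"}.items()}

NUM = r"(-?\d+(?:\.\d+)?)"

def parse_spam_status(raw):
    """Parse one X-Spam-Status header (possibly folded) into its fields."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())   # undo header folding
    value = unfolded.split(":", 1)[1].strip()
    m = re.search(r"score=" + NUM + r"\s+required=" + NUM, value)
    if not m:
        raise ValueError("no score/required fields found")
    # tests= runs until the next key=value field (e.g. autolearn=) or end of header
    t = re.search(r"tests=(.*?)(?=\s+\w+=|$)", value)
    tests = [x.strip() for x in t.group(1).split(",") if x.strip()] if t else []
    return {"flagged": value.lower().startswith("yes"),
            "score": Decimal(m.group(1)),
            "required": Decimal(m.group(2)),
            "tests": tests}

def implied_score(status, known_scores, variable_rule):
    """Score the variable rule must have added, given fixed scores for the rest.

    The header reports the total to one decimal place, so this is approximate.
    """
    if variable_rule not in status["tests"]:
        raise ValueError(variable_rule + " did not hit on this message")
    others = [t for t in status["tests"] if t != variable_rule]
    missing = [t for t in others if t not in known_scores]
    if missing:
        raise KeyError("no score configured for: " + ", ".join(missing))
    return status["score"] - sum((known_scores[t] for t in others), Decimal(0))

if __name__ == "__main__":
    st = parse_spam_status(SAMPLE)
    print(st["tests"])
    print("implied SNF4SA contribution:", implied_score(st, ASSUMED_SCORES, "SNF4SA"))
```

With these assumed values the fixed rules alone sum to 2.28, so the reported 1.9 is only possible if the variable rule contributed a negative amount for this message.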
by Guest » Mon Nov 03, 2014 8:42 am
Hah! It's not a Spam Assassin; it's a Spam Collaborator!
by thulsa_doom » Mon Nov 03, 2014 9:26 am
Guest wrote: Hah! It's not a Spam Assassin; it's a Spam Collaborator!
Is it the Neville Chamberlain of spam countermeasures?
John Fitzgerald
Sonic Technical Support
by tensigh » Mon Nov 03, 2014 3:31 pm
SNF4SA may vary, but unless it makes the total negative then this message should have been blocked.

Do you have more information? That didn't really answer the question.
by tensigh » Mon Nov 03, 2014 3:32 pm
Sorry, I should note that HTML_MESSAGE is also set to 1.9, so even if SNF4SA isn't actually 5 then the total would still be over 1.9.
by tensigh » Mon Nov 03, 2014 3:33 pm
thulsa_doom wrote:
Guest wrote: Hah! It's not a Spam Assassin; it's a Spam Collaborator!
Is it the Neville Chamberlain of spam countermeasures?
Apparently, that's SA. It's about as effective at stopping spam as Chamberlain was at stopping the Nazis.
by liz » Wed Nov 05, 2014 6:38 am
It seems like I need to adjust SA frequently too, looking at headers and upping scores. I just got this phishing spam a few minutes ago. Bad papadoob, leave Sonic aloooone. ;)


-------- Original Message --------
Return-Path: 	<[email protected]>
X-Spam-Checker-Version: 	SpamAssassin 3.4.0 (2014-02-07) on c.spam.sonic.net
X-Spam-Level: 	
X-Spam-Status: 	No, score=-1.0 required=3.5 
tests=ALL_TRUSTED,HTML_MESSAGE, RP_MATCHES_RCVD,SNF4SA,SONIC_DEAR_ME1 
autolearn=disabled version=3.4.0
X-Spam-SNF-Result: 	0 (Standard White Rules)
X-Spam-MessageSniffer-Scan-Result: 	
X-Spam-MessageSniffer-Rules: 	0-0-0-4565-c
X-Spam-GBUdb-Analysis: 	0, 69.12.208.80, Ugly c=1 p=-0.5 Source Normal
Received: 	from i.mx.sonic.net (b.spam-proxy.sonic.net [69.12.208.80]) 
by c.spam.sonic.net (8.14.4/8.14.4) with ESMTP id sA5EHPr8017560 
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 
verify=NOT); Wed, 5 Nov 2014 06:17:25 -0800
Received: 	from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) by 
i.mx.sonic.net (8.14.9/8.14.9) with ESMTP id sA5EHK8r026447 
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 
verify=NOT); Wed, 5 Nov 2014 06:17:25 -0800
Received: 	from webmail.sonic.net (webmail.a.apps.sonic.net 
[64.142.109.105]) (authenticated bits=0) by d.mail.sonic.net 
(8.14.9/8.14.9) with ESMTP id sA5EHGmR028608; Wed, 5 Nov 2014 06:17:16 -0800
Received: 	from [41.71.151.182] by webmail.sonic.net with HTTP (HTTP/1.1 
POST); Wed, 05 Nov 2014 06:17:16 -0800
MIME-Version: 	1.0
Content-Type: 	multipart/alternative; 
boundary="=_88d4d946460d0be80ccb8ca9078913d1"
Date: 	Wed, 05 Nov 2014 15:17:16 +0100
From: 	Sonic <[email protected]>
To: 	undisclosed-recipients:;
Subject: 	Users Notification
Message-ID: 	<[email protected]>
User-Agent: 	Roundcube Webmail/0.9.5
X-Sonic-Auth: 
kt/kqOulawwtCtB7h9LNP2GZmJm2MgmlcGC3xRhMyLwe5bWogSyczTkHHxycqOr8exBa9jzQjdubW6/KQq8uyltV5JUWIrknfp+VCGyWp50=
X-Sender: 	([email protected])
X-Sonic-CAuth: 
UmFuZG9tSVaJKxTjRgLeiKTu6PczgNUhS2FH5NQDi6W5k/odfoZ9M2LVIwOZ7VGZobbiF/vxQDiD4dwiYfopbQ2eOAG+beyU
X-Sonic-ID: 	C;iHD+cfZk5BGxiigW/FJGkA== M;Wj4EcvZk5BGxiigW/FJGkA==
X-Sonic-Spam-Details: 	-0.5/5.0 by cerberusd
X-Orthrus: 	tar= grey=no co=US os=Linux/3.1-3.10/3951 spf=none dkim=none

Dear User,

Due to recent complaints, we are determined to serve you better. We need 
to be sure your account is active.

Re-Log-in <unsaved:///69.73.150.226/~manlyucu/index.html> using our 
secured link

Regards,

Maintenance Crew.
by kgc » Fri Nov 07, 2014 1:50 pm
Even though we're finding most of these exploited accounts and locking them automatically after just a couple of SMTP transactions, they still manage to deliver a disappointing amount of mail. What gets through and reported is used to make new rules that help block the messages until they rewrite them enough that our filters don't catch them.
Kelsey Cummings
System Architect, Sonic.net, Inc.