Re: not scoring correctly
A rough guess and probably wrong as usual, but could the message size be larger than what you have set in amavisd-new? If so, then SA would be bypassed, but not when you manually test the message.
Robert Fitzpatrick wrote:
> We use SA 3.1.7 with Postfix and amavisd-new 2.4.4 and clamav. I received several PDFs this morning even though we have updated protection. They all came from one server, so I did a lookup in the mail logs to find 'Hits: -', that's it. After some more searching on different servers, I see this frequently; what does it mean as far as score?
>
> Logged in as the amavisd user 'vscan' and running sa test, it clearly scores well above the 5.0 threshold. Any ideas why these types of messages would have gotten through SA?
>
> esmtp# bzcat /var/log/maillog.0.bz2 | grep "ysHkeL+S2PmL"
> Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] [108.83.93.165] <anup_pettigrew@goldyplace.com> -> <webmaster@webtent.com>, quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: <14550229.5393314@goldyplace.com>, mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms
> esmtp# su vscan
> $ spamassassin -t < /var/virusmails/clean-ysHkeL+S2PmL
> <snip>
> Content analysis details: (11.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.4 MIME_BOUND_DIGITS_15   Spam tool pattern in MIME boundary
>  4.5 BOTNET_NORDNS          Relay's IP address has no PTR record
>                             [botnet_nordns,ip=89.214.60.100]
>  2.0 GMD_PDF_FUZZY2_T3      BODY: Fuzzy MD5 Match
>                             3D4E25DE4A05695681D694716D579474
>  1.8 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
>                             [108.83.93.165 listed in combined-HIB.dnsiplists.completewhois.com]
>  1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
>
> Thanks for any help!
>
Received on Wed Jul 18 10:58:37 2007
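As an added example (not from either poster, and not amavisd-new's own code), here is a small Python check that reads amavisd-new log lines of the shape quoted above, separates messages that carry a real SpamAssassin score from those logged with `Hits: -` (passed or blocked without SA ever scoring them), and reports which of those exceed a body-size limit such as amavisd-new's `$sa_mail_body_size_limit`, the setting the reply's explanation points at. The regex is written to the one log line shown in the thread; the two other sample lines and the message sizes are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the amavisd-new log line quoted in the thread: (task) action verdict,
# [relay IP] [origin IP] <sender> -> <recipient>, ..., mail_id: X, Hits: Y, ...
LOG_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<action>Passed|Blocked) (?P<verdict>[\w-]+), "
    r"\[(?P<relay>[^\]]+)\] \[(?P<origin>[^\]]+)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>,"
    r".*?\bmail_id: (?P<mail_id>\S+), Hits: (?P<hits>-|-?\d+(?:\.\d+)?)"
)

@dataclass
class Entry:
    mail_id: str
    action: str
    verdict: str
    relay: str
    hits: Optional[float]  # None means "Hits: -": SpamAssassin never scored the message

def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.search(line)  # None for lines of another shape (postfix, clamd, ...)
    if not m:
        return None
    hits = None if m["hits"] == "-" else float(m["hits"])
    return Entry(m["mail_id"], m["action"], m["verdict"], m["relay"], hits)

def sa_bypassed(lines: List[str]) -> List[Entry]:
    """Messages amavisd passed or blocked without any SpamAssassin score ('Hits: -')."""
    return [e for e in map(parse_line, lines) if e is not None and e.hits is None]

def over_body_limit(sizes: Dict[str, int], limit: int) -> List[str]:
    """mail_ids whose stored size exceeds the body-size limit; sizes are supplied by
    the caller (constructed below; on a real host read them off the quarantine files)."""
    return sorted(mail_id for mail_id, size in sizes.items() if size > limit)

# Constructed sample log: the first line is the one quoted in the thread, the other
# two are made up to show a scored clean message and a scored, blocked one.
SAMPLE_LOG = [
    "Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] "
    "[108.83.93.165] <anup_pettigrew@goldyplace.com> -> <webmaster@webtent.com>, "
    "quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: <14550229.5393314@goldyplace.com>, "
    "mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms",
    "Jul 17 19:05:10 esmtp amavis[51729]: (51729-15) Passed CLEAN, [192.0.2.10] "
    "[192.0.2.10] <alice@example.org> -> <webmaster@webtent.com>, Message-ID: "
    "<c1@example.org>, mail_id: CONSTRUCTED01, Hits: 1.3, queued_as: 000000001, 410 ms",
    "Jul 17 19:06:02 esmtp amavis[51729]: (51729-16) Blocked SPAM, [198.51.100.7] "
    "[198.51.100.7] <bob@example.net> -> <webmaster@webtent.com>, quarantine: "
    "spam-CONSTRUCTED02.gz, mail_id: CONSTRUCTED02, Hits: 23.4, 950 ms",
]
```

Run `sa_bypassed()` over a day's maillog and compare the result with `over_body_limit()` on the matching quarantine files: if every unscored message is also over the limit, the size setting is the explanation; if unscored messages are small, something else is skipping SA. Other amavisd-new versions log slightly different field orders, so check the regex against your own log format first.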
This archive was generated by hypermail 2.1.8 : Sun Oct 21 2007 - 17:21:06 EDT