Pantek Library

Re: Every e-mail is now getting a new score, creating a lot of false positive.

From: cpayne <cpayne(at)magigames.net>
Date: Fri Sep 28 2007 - 01:37:16 EDT


cpayne wrote:
> Mark Martinec wrote:

>> Just in case, make sure the --lint passes with no complaints, e.g.:
>>
>>   # su vscan -c 'spamassassin --lint'
>>
>>
>> David B Funk writes,
>>
>>> Cannot tell for sure (I don't use amavisd) but that looks like something
>>> is broken in the way that messages are being passed into the SA engine so
>>> that it no longer 'sees' headers vs body part of the message.
>>> The RFC message format is headers first, then a blank line then body.
>>> So if something is feeding a blank line to SA -first- then the message,
>>> SA will think that the message has no headers and -all- of it is "body".
>>>
>>
>> So it seems. I'm not aware of any such compatibility problems between
>> amavisd and SpamAssassin, it is more likely it is a mail submission problem,
>> or there was really such a broken mail that arrived to MTA 'from the wild'.
>>
>>
>>> Is there some way to collect telemetry on what is actually being fed into
>>> the SA engine? Some amavisd option that is equivalent to running spamd
>>> with the '-D' option?
>>>
>>
>> The
>>   # amavisd debug-sa
>> turns on SpamAssassin logging.
>>
>> If a mail gathered enough spam points it was already captured in a
>> quarantine and can be examined there.
>>
>> An alternative is to specify a 'test sender address', e.g.:
>>   @debug_sender_maps = ( ['user@example.com'] );
>> When a mail is seen whose envelope sender address matches the configured
>> one, a temporary file with a message is preserved and can be examined.
>> The log reports the fact, and tells the directory, e.g.:
>>
>> (42432-01) DEBUG_ONESHOT CAUSES EVIDENCE TO BE PRESERVED
>> (42432-01) (!)PRESERVING EVIDENCE
>>   in /var/amavis/tmp-am/amavis-20070924T195255-42432
>>
>> Mark
>>   

> Well, I am NOT using amavisd for spam scanning, I am using it only for
> scanning emails for virus. I am using spamassassin 3.1.8 on openSuSE
> 10 with a day update for rules, and this started about the day of the
> post.
>
> Anyway, it is becoming more and more of a pain.
>
> Here is a good header that is whitelisted... and you can see it there.
> And as you can see
>
> MISSING_SUBJECT,
> NO_RECEIVED,TO_CC_NONE
>
> This is on every email.
>
> Payne
>

> From - Fri Sep 28 00:11:32 2007
> X-Account-Key: account5
> X-UIDL: WQC!!`$?!!GZp"!Q9d!!
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> X-Mozilla-Keys:
> $label5
> Return-Path: <root@mail.pegasusofamerica.com>
> X-Original-To: cepayne@magidesign.com
> Delivered-To: cepayne@magidesign.com
> Received: from localhost (unknown [127.0.0.1])
> by magi.magidesign.com (Postfix) with ESMTP id 7F1EA1A40E
> for <cepayne@magidesign.com>; Fri, 28 Sep 2007 04:18:32 +0000 (UTC)
> Received: from magi.magidesign.com ([127.0.0.1])
> by localhost (magi.magidesign.com [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id 20195-04 for <cepayne@magidesign.com>;
> Fri, 28 Sep 2007 00:17:52 -0400 (EDT)
> Received: by magi.magidesign.com (Postfix, from userid 65534)
> id 03F761A3BA; Fri, 28 Sep 2007 00:17:48 -0400 (EDT)
> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
> magi.magidesign.com
> X-Spam-Level: X-Spam-Status: No, score=(-0.2), required=1.5,
> tests=BAYES_00,MISSING_SUBJECT,
> NO_RECEIVED,TO_CC_NONE, autolearn=no, bayes score = 0.0000,
> version=3.1.8
> date scan = Fri, 28 Sep 2007 00:17:48 -0400
> X-Spam-remote: hostinfo = localhost @ 127.0.0.1
> Received-SPF: none (mail.pegasusofamerica.com: No applicable sender
> policy available) receiver=magi.magidesign.com; identity=mfrom;
> envelope-from="root@mail.pegasusofamerica.com";
> helo=mail.pegasusofamerica.com; client-ip=72.17.187.66
> Received: from mail.pegasusofamerica.com (mail.pegasusofamerica.com
> [72.17.187.66])
> by magi.magidesign.com (Postfix) with ESMTP id 99F481A406
> for <cepayne@magidesign.com>; Fri, 28 Sep 2007 00:17:39 -0400 (EDT)
> Received: by mail.pegasusofamerica.com (Postfix)
> id 033B71C85; Fri, 28 Sep 2007 00:00:24 -0400 (EDT)
> Delivered-To: root@mail.pegasusofamerica.com
> Received: by mail.pegasusofamerica.com (Postfix, from userid 0)
> id EC6041C83; Fri, 28 Sep 2007 00:00:07 -0400 (EDT)
> To: root@mail.pegasusofamerica.com
> Subject: Local Daily Security for mail: Changes
> Message-Id: <20070928040007.EC6041C83@mail.pegasusofamerica.com>
> Date: Fri, 28 Sep 2007 00:00:07 -0400 (EDT)
> From: root@mail.pegasusofamerica.com (root)
> X-Virus-Scanned: by amavisd-new-2.3.3 (20050822) (SuSE 10.0) at
> magidesign.com
> X-UIDL: WQC!!`$?!!GZp"!Q9d!!
>

I think I have found the problem. I am seeing for the first time in my logs the following error: failed to run header check, Illegal declaration in ratware.cf.

Received on Fri Sep 28 01:38:40 2007
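The header/body split that David B Funk describes in the quoted text (headers, then a blank line, then body) can be reproduced offline. The following is an added example, not part of the original thread and not SpamAssassin code: it uses Python's standard email parser, the sample message is constructed, and the three checks are simplified stand-ins for the rule names shown in the post.

```python
"""Show how one leading blank line turns every header into body text."""
from email import message_from_string

# Constructed sample message (not taken from the thread).
SAMPLE = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.com (Postfix) with ESMTP id ABC123\n"
    "\tfor <user@example.com>; Fri, 28 Sep 2007 00:17:39 -0400 (EDT)\n"
    "From: root@example.org (root)\n"
    "To: user@example.com\n"
    "Subject: Daily security report\n"
    "\n"
    "Nothing to report.\n"
)

def header_presence_hits(raw):
    """Simplified stand-ins for the three header-presence tests named in
    the thread; these are NOT SpamAssassin's real rule definitions."""
    msg = message_from_string(raw)
    hits = []
    if msg["Subject"] is None:
        hits.append("MISSING_SUBJECT")
    if not msg.get_all("Received"):
        hits.append("NO_RECEIVED")
    if msg["To"] is None and msg["Cc"] is None:
        hits.append("TO_CC_NONE")
    return hits

def starts_with_blank_line(raw):
    """True when the header/body separator comes before any header."""
    first = raw.split("\n", 1)[0]
    return first.strip("\r") == ""

def diagnose(raw):
    """Summarise what a parser sees for one raw message."""
    msg = message_from_string(raw)
    return {
        "leading_blank": starts_with_blank_line(raw),
        "header_count": len(msg.keys()),
        "hits": header_presence_hits(raw),
        "headers_in_body": "Subject:" in msg.get_payload(),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))         # intact message
    print(diagnose("\n" + SAMPLE))  # same message fed with a blank line first
```

Running `starts_with_blank_line` on a message preserved through `@debug_sender_maps` or on a quarantined copy is a quick way to tell this failure apart from a rules problem.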

This archive was generated by hypermail 2.1.8 : Sat Oct 27 2007 - 20:15:15 EDT

