reading/troubleshooting spam scores
Question asked by Robbie Wright - September 8, 2014 at 1:58 PM
Unanswered
We're relatively new to SM and trying to figure out all of its secrets. We're trying to tune the spam settings a bit and have a question about spam assassin scoring. 
 
Here's the delivery log for a sample email that was (mistakenly) marked as spam. Note that bayesian and uribl were the only ones that came back as failed.
 
[2014.09.08] 13:24:38 [19155] Spam check results: [_SPF: Pass], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [RHSBL: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [SPAMHAUS - XBL: passed], [SPAMHAUS - XBL2: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: failed], [_INTERNALSPAMASSASSIN: 0:0], [_DK: Pass], [_DKIM: Pass], [SURBL: passed], [URIBL: failed]
 
We have bayesian and uribl both set to their default of three. However, in the message header of the email in question, we have this:
 
X-SmarterMail-Spam: SPF_Pass, Bayesian Filtering, ISpamAssassin 0 [raw: 0], DK_Pass, DKIM_Pass, URIBL:6
X-SmarterMail-SpamDetail: 0.5 FRT_TODAY2
X-SmarterMail-TotalSpamWeight: 10
 
Note the score of ten. In my mind, this should have only been scored as a 6 (3 from bayesian, 3 from uribl) but clearly it is not. Additionally, the domain in question is not listed on the uribl site, but still returned failed.
 
Are we missing something when reviewing the logs? Any other way besides setting smtp logs to detailed to get more info on where that 10 score came from?

10 Replies

0
Bruce Barnes Replied
It's all based on the scores you assign to the individual tests in the spam scoring process.

Check the SMTP logs to see what spam scores SmarterMail assigns to each test.

When you add ISpamAssassin, it completely modifies everything that's done with the scoring in SmarterMail and can cause very confusing results.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Just a few clarifications on that:

We are looking in the delivery logs for spam scores, not smtp. The smtp logs do not seem to contain any spam info. Is that normal?

I noticed the ISpamAssassin in there as well and have no idea what that is as it isn't listed in the spam settings. Is that SpamAssassin Pattern Matching or something else?
0
Bruce Barnes Replied
If your SMTP and DELIVERY LOGS are set to DETAILED, they will contain individual spam testing information for every e-mail message received by SmarterMail.

There is no SmarterMail spam log - it's all in the SMTP and DELIVERY logs - along with the logs and/or reports for any other antispam system you use.
0
Yes, they are both set to detailed but spam scores only show in delivery logs, not smtp.

SA pattern based matching is enabled with test scores and test names being inserted into the header to help us troubleshoot.

Anyone have any clarity on which spam check the ISpamAssassin is or what the second line of spam detail is? I'm inclined to think the spam detail is pattern matching and it found a combination of words it didn't like.

Or why 3+3=10 in this case?
0
Bruce Barnes Replied
New math?
0
Steve Reid Replied
ISpamAssassin is the pattern matching that's built into SmarterMail. Uribl is 6 so your equation above makes no sense... shouldn't it be 6 + x = 10 where x = your pattern matching score.
0
Steve Reid Replied
Maybe your DNS IP is being blocked from the RBL checks... You should find out why it's a false positive.
0
Thanks for the answer Steve, that's what I was looking for. And you're correct. uribl and bayesian are the only filters that tripped. Both of those are only set to 3 each. And clearly the message header says something else. And, when you actually check the URL of the sender against the uribl website, it comes back without issue.
0
Steve Reid Replied
The URIBL:6 is an indication that there were perhaps two URLs in the email that both failed.
0
See Steve, that makes perfect sense. Kind of. Now on to why it got a false positive.
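For anyone reconciling a total the same way, here is an added example (not posted by anyone in this thread, and not SmarterMail code) that parses the three headers quoted in the question and reports how much of the total the visible fields explain. It assumes that `NAME:N` in `X-SmarterMail-Spam` is a weight already applied and that a bare test name carries whatever weight the operator configured; the `CONFIGURED` table and the function names are hypothetical.

```python
import re

# Constructed sample: the header lines quoted in the question above.
HEADERS = """\
X-SmarterMail-Spam: SPF_Pass, Bayesian Filtering, ISpamAssassin 0 [raw: 0], DK_Pass, DKIM_Pass, URIBL:6
X-SmarterMail-SpamDetail: 0.5 FRT_TODAY2
X-SmarterMail-TotalSpamWeight: 10
"""

# Assumption: weights as the operator set them (the thread says Bayesian = 3).
# Bare test names that are not listed here are counted as 0.
CONFIGURED = {"Bayesian Filtering": 3.0}
NUM = r"(\d+(?:\.\d+)?)"

def header(name, text):
    """Value of the first header line called `name`, or None if absent."""
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def reconcile(text, configured):
    """Return per-test weights, the reported total and the unexplained rest."""
    weights = {}
    for item in (header("X-SmarterMail-Spam", text) or "").split(","):
        item = item.strip()
        explicit = re.fullmatch(rf"(.+?):{NUM}", item)            # URIBL:6
        scored = re.fullmatch(rf"(ISpamAssassin)\s+{NUM}\b.*", item)
        hit = explicit or scored
        if hit:
            weights[hit.group(1)] = float(hit.group(2))
        elif item:
            weights[item] = configured.get(item, 0.0)
    # Pattern-matching rule hits are listed on their own, not added to the sum,
    # because the thread does not say whether they count towards the total.
    detail = [(float(s), rule) for s, rule in
              re.findall(rf"{NUM}\s+(\S+)", header("X-SmarterMail-SpamDetail", text) or "")]
    total = float(header("X-SmarterMail-TotalSpamWeight", text) or 0)
    return {"weights": weights, "detail": detail, "total": total,
            "unexplained": total - sum(weights.values())}

if __name__ == "__main__":
    result = reconcile(HEADERS, CONFIGURED)
    for test, weight in result["weights"].items():
        print(f"{test:20} {weight:4.1f}")
    print("rule hits:", result["detail"])
    print("total:", result["total"], "unexplained:", result["unexplained"])
```

A non-zero remainder means some weight was applied that the header fields and the configured table do not account for, which narrows what to compare against the spam settings.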
