Back to Community Threads
1
reading/troubleshooting spam scores
Question asked by Robbie Wright - 9/8/2014 at 1:58 PM
Unanswered
We're relatively new to SM and trying to figure out all of its secrets. We're trying to tune the spam settings a bit and have a question about spam assassin scoring. 
 
Here's the delivery log for a sample email that was (mistakenly) marked as spam. Note that bayesian and uribl were the only ones that came back as failed.
 
[2014.09.08] 13:24:38 [19155] Spam check results: [_SPF: Pass], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [RHSBL: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [SPAMHAUS - XBL: passed], [SPAMHAUS - XBL2: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: failed], [_INTERNALSPAMASSASSIN: 0:0], [_DK: Pass], [_DKIM: Pass], [SURBL: passed], [URIBL: failed]
 
We have bayesian and uribl both set to their default of three. However, in the message header of the email in question, we have this:
 
X-SmarterMail-Spam: SPF_Pass, Bayesian Filtering, ISpamAssassin 0 [raw: 0], DK_Pass, DKIM_Pass, URIBL:6
X-SmarterMail-SpamDetail: 0.5 FRT_TODAY2
X-SmarterMail-TotalSpamWeight: 10
 
Note the score of ten. In my mind, this should have only been scored as a 6 (3 from bayesian, 3 from uribl) but clearly it is not. Additionally, the domain in question is not listed on the uribl site, but still returned failed.
 
Are we missing something when reviewing the logs? Any other way besides setting smtp logs to detailed to get more info on where that 10 score came from?

10 Replies

Reply to Thread
0
Bruce Barnes Replied
9/8/2014 at 2:04 PM
It's all based on the scores you assign to the individual tests in the spam scoring process.

Check the SMTP logs to see what spam scores SmarterMail assigns to each test.

When you add ISpamAssassin, it completely modifies everything that's done with the scoring in SmarterMail and can cause very confusing results.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Robbie Wright Replied
9/8/2014 at 2:18 PM
Just a few clarifications on that:

We are looking in the delivery logs for spam scores, not smtp. The smtp logs do not seem to contain any spam info. Is that normal?

I noticed the ISpamAssassin in there as well and have no idea what that is as it isn't listed in the spam settings. Is that SpamAssassin Pattern Matching or something else?
0
Bruce Barnes Replied
9/8/2014 at 2:40 PM
If your SMTP and DELIVERY LOGS are set to DETAILED, they will contain individual spam testing information for every e-mail message received by SmarterMail.

There is no SmarterMail spam log - it's all in the SMTP and DELIVERY logs - along with the logs and/or reports for any other antispam system you use.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Robbie Wright Replied
9/8/2014 at 3:29 PM
Yes, they are both set to detailed but spam scores only show in delivery logs, not smtp.

SA pattern based matching is enabled with test scores and test names being inserted into the header to help us troubleshoot.

Anyone have any clarity on which spam check the ISpamAssassin is or what the second line of spam detail is? I'm inclined to think the spam detail is pattern matching and it found a combination of words it didn't like.

Or why 3+3=10 in this case?
0
Bruce Barnes Replied
9/8/2014 at 4:32 PM
New math?
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Steve Reid Replied
9/9/2014 at 5:48 AM
ISpamAssassin is the pattern matching that's built into Smartermail. Uribl is 6 so your equation above make no sense... shouldn't it be 6 + x = 10 where x = your pattern matching score.
0
Steve Reid Replied
9/9/2014 at 5:49 AM
Maybe your DNS IP is being blocked from the RBL checks... You should find out why it's a false positive.
0
Robbie Wright Replied
9/9/2014 at 7:06 AM
Thanks for the answer Steve, that's what I was looking for. And you're correct. uribl and bayesian are the only filters that tripped. Both of those are only set to 3 each. And clearly the message header says some else. And, when you actually check the url of the send against the uribl website, it comes back without issue.
0
Steve Reid Replied
9/9/2014 at 7:29 AM
The URIBL:6 is an indication that there where pehaps two urls in the email that both failed.
0
Robbie Wright Replied
9/9/2014 at 9:27 AM
See Steve, that makes perfect sense. Kinda of. Now on to why it got a false positive.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Cannot Send Email MessagesSmarterMail > Troubleshooting
Slow 250 response after Mail From command is issued during an SMTP session.SmarterMail > Troubleshooting
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Configure Perfmon to capture Disk IO activity and potential Disk Issues.SmarterMail > Troubleshooting