vexim / vexim2

Virtual Exim 2

Different x-spam score in the mail #259

Closed mrxanto closed 6 years ago

mrxanto commented 6 years ago

After updating exim's configure file from a two-year-old version to the newest one from GitHub, I found that some e-mails have a different spam score from SA:

```
2018-07-10 12:35:02 1fcp2x-000KZ3-Mv SA: Action: flagged as Spam but accepted: score=6.7 required=5.0 (scanned in 1/1 secs | ...
2018-07-10 12:35:02 1fcp2x-000KZ3-Mv => /usr/local/mail/domain/info/Maildir/.Spam info@domain R=ditch_spam T=virtual_ditch_spam_transport
```

From headers:

```
X-Spam-Flag: YES
X-Spam-Level: **
X-Spam-Status: Yes, score=6.7 required=5.0 tests=BAYES_99,BAYES_999,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_BRBL_LASTEXT,
    RP_MATCHES_RCVD,SPF_PASS,TXREP autolearn=disabled version=3.4.1
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail.kriptos.ru)
X-Spam-Flag: YES
X-Spam-Score: 10.1
X-Spam-Report: Spam detection software, running on the system "domain",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    The administrator of that system for details.

    Content analysis details: (10.1 points, 5.0 required)

     pts rule name              description
     3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                                [score: 1.0000]
     1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                                [xxx.xxx.xxx.xxx listed in bb.barracudacentral.org]
    -0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
    -0.0 SPF_PASS               SPF: sender matches SPF record
     0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                                [score: 1.0000]
     0.0 HTML_MESSAGE           BODY: HTML included in message
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
     5.1 TXREP                  TXREP: Score normalizing based on sender's reputation
```

Some other e-mail:

```
2018-07-08 22:53:22 1fcFkE-000GOp-N9 SA: Action: scanned but message isn't spam: score=4.6 required=5.0 (scanned in 1/1 secs | Message-Id:
2018-07-08 22:53:22 1fcFkE-000GOp-N9 => /usr/local/mail/domain/mail/Maildir/.Spam mail@domain R=ditch_spam T=virtual_ditch_spam_transport
```

```
X-Spam-Level: ****
X-Spam-Status: No, score=4.6 required=5.0 tests=BAYES_99,BAYES_999,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RP_MATCHES_RCVD,TXREP
    autolearn=disabled version=3.4.1
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail.domain)
X-Spam-Flag: YES
X-Spam-Score: 6.6

    Content analysis details: (6.6 points, 5.0 required)

     pts rule name              description
     3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                                [score: 1.0000]
    -0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                                [score: 1.0000]
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
     3.0 TXREP                  TXREP: Score normalizing based on sender's reputation
```

exim's configure:

```
ditch_spam:
  driver = redirect
  allow_fail
  file_transport = virtual_ditch_spam_transport
  data = ${lookup mysql{select concat(smtp,'/.Spam') \
    from users,domains \
    where localpart = '${quote_mysql:$local_part}' \
    and domain = '${quote_mysql:$domain}' \
    and domains.enabled = '1' \
    and users.enabled = '1' \
    and users.domain_id = domains.domain_id}}
  condition = ${if >={$spam_score_int}{${lookup mysql{select \
    users.sa_refuse * 10 from users,domains \
    where localpart = '${quote_mysql:$local_part}' \
    and domain = '${quote_mysql:$domain}' \
    and users.on_spamassassin = '1' \
    and domains.spamassassin = '1' \
    and users.spam_drop = '0' \
    and users.on_forward = '0' \
    and users.type = 'local' \
    and users.domain_id=domains.domain_id \
    and users.sa_refuse > 0 }{$value}fail}} {yes}{no}}
  headers_add = ${if and { \
    {match{$domain}{$original_domain}} \
    {match{$local_part}{$original_local_part}} \
    } {X-Spam-Flag: YES\nX-Spam-Score: $acl_m_spam_score\nVEXIM_SPAM_REPORT_HEADER_NAME: $acl_m_spam_report}{} }
.ifdef VEXIM_LOCALPART_SUFFIX
  local_part_suffix = VEXIM_LOCALPART_SUFFIX
  local_part_suffix_optional
.endif
  retry_use_local_part

virtual_ditch_spam_transport:
  driver = appendfile
  envelope_to_add
  return_path_add
  mode = 0600
  maildir_format = true
  create_directory = true
  user = ${lookup mysql{select users.uid from users,domains \
    where localpart = '${quote_mysql:$local_part}' \
    and domain = '${quote_mysql:$domain}' \
    and users.domain_id = domains.domain_id}}
  group = ${lookup mysql{select users.gid from users,domains \
    where localpart = '${quote_mysql:$local_part}' \
    and domain = '${quote_mysql:$domain}' \
    and users.domain_id = domains.domain_id}}
  maildir_use_size_file = false
```

Why is the score in X-Spam-Status != X-Spam-Score?

rimas-kudelis commented 6 years ago

@mrxanto have you figured it out?

mrxanto commented 6 years ago

Yes.

This was because exim was compiled with the "sa-exim" option, and exim checked each e-mail twice: first in the ACL "acl_check_content" via the "check spam = spamd:true" directive, and a second time "implicitly": "SA: Debug: check succeeded, running spamc". Is there a way to check from exim's config whether this option is enabled or not?

The different e-mail score is due to the TxRep SpamAssassin module.
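An added example (not part of the thread or of vexim's code): a Python check that flags a message whose two scans disagree and shows how much of the gap TXREP accounts for. It assumes, as the thread indicates, that X-Spam-Status comes from the sa-exim scan, that X-Spam-Score and X-Spam-Report come from the router's `headers_add`, and that only TXREP scored differently between scans; `compare_scans` is a hypothetical name.

```python
import re
from decimal import Decimal
from email import message_from_string

# Constructed sample: header values copied from the first message in this thread.
SAMPLE = """\
X-Spam-Status: Yes, score=6.7 required=5.0 tests=BAYES_99,BAYES_999,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_BRBL_LASTEXT,
 RP_MATCHES_RCVD,SPF_PASS,TXREP autolearn=disabled version=3.4.1
X-Spam-Score: 10.1
X-Spam-Report: Content analysis details: (10.1 points, 5.0 required)
  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.0000]
  1.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
 -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 -0.0 SPF_PASS SPF: sender matches SPF record
  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% [score: 1.0000]
  0.0 HTML_MESSAGE BODY: HTML included in message
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
  5.1 TXREP TXREP: Score normalizing based on sender's reputation

(body omitted)
"""

# "<points> <RULE_NAME>" pairs; the lookbehind stops a match starting mid-number.
RULE_RE = re.compile(r"(?<![\d.])(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

def compare_scans(raw):
    """Return both scan scores and the TXREP share, or None if a header is missing."""
    msg = message_from_string(raw)
    status, acl = msg["X-Spam-Status"], msg["X-Spam-Score"]
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", status or "")
    if not m or acl is None:
        return None  # message was not scanned by both paths
    sa_exim, acl = Decimal(m.group(1)), Decimal(acl.strip())
    rules = {n: Decimal(p) for p, n in RULE_RE.findall(msg["X-Spam-Report"] or "")}
    # Assumption: every rule except TXREP scored the same in both scans.
    stable = sum((p for n, p in rules.items() if n != "TXREP"), Decimal(0))
    return {
        "sa_exim_score": sa_exim,                  # from X-Spam-Status
        "acl_score": acl,                          # from X-Spam-Score
        "delta": acl - sa_exim,
        "report_total": sum(rules.values(), Decimal(0)),
        "txrep_acl": rules.get("TXREP"),
        "txrep_sa_exim_implied": sa_exim - stable,
    }
```

A non-zero `delta` on delivered mail means the message was scored twice, and the router's `condition` acts on the ACL score rather than on the one shown in X-Spam-Status.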