[Mimedefang] Inconsistent scoring problem

Tim Boyer tim at denmantire.com
Sat Oct 21 10:55:35 EDT 2006


I've been using SA for years.  I'm running 3.1.6 on a Red Hat box, and 99% of
the time, all is well.

Last week I added a rule to tag those annoying .gif pump-and-dump emails.
Nothing fancy:

rawbody IMG_SRC_CID         /src\=(\"c|c)id\:/i
score IMG_SRC_CID       2.0

Most of the time it works fine.  However, occasionally, I'll get an email that
ONLY sees that rule.  I'm using MimeDefang to rewrite the headers, and all it
shows is

X-Spam-Score: 2 (**) IMG_SRC_CID

But when I do a spamassassin --debug<test with the message, it finds all kinds
of fun things:


Content analysis details:   ( 6.6 points, 9.0 required)
 
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-0.3 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2631]
 1.9 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 IMG_SRC_CID            RAW: cid in body

The very next message is the same kind of scam, but sees everything:

X-Spam-Score: 7.967 (*******)
BAYES_00,DNS_FROM_RFC_ABUSE,FORGED_RCVD_HELO,HTML_00_10,HTML_MESSAGE,IMG_SRC_CID,MIME_HTML_ONLY,RCVD_NUMERIC_HELO


So what obvious mistake am I making?  Thanks for any help...

-- 
tim boyer
tim at denmantire.com
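
One way to see exactly which hits differ between the two scans described in the post, as an added example that is not part of the original message: it parses the X-Spam-Score header and the command-line report table quoted above and lists the rules that only the command-line run fired. The function names are hypothetical, and the header layout ("score (stars) rules") is assumed from the two samples in the post.

```python
import re

# Sample inputs copied from the post above; the X-Spam-Score layout is the
# poster's MIMEDefang filter output, assumed here to be "score (stars) rules".
MILTER_HEADER = "X-Spam-Score: 2 (**) IMG_SRC_CID"
DEBUG_REPORT = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-0.3 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2631]
 1.9 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 IMG_SRC_CID            RAW: cid in body
"""

HEADER_RE = re.compile(r"X-Spam-Score:\s*(-?\d+(?:\.\d+)?)\s*\(\**\)\s*(.*)", re.S)
ROW_RE = re.compile(r"^[ \t]*(-?\d+\.\d+)[ \t]+([A-Z][A-Z0-9_]*)[ \t]", re.M)

def parse_header(text):
    """Return (score, set of rule names) from the X-Spam-Score header."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no X-Spam-Score header found")
    # Undo header folding before splitting, so a rule name that was wrapped
    # mid-token by the mail client is rejoined.
    names = re.sub(r"\s+", "", m.group(2))
    return float(m.group(1)), {n for n in names.split(",") if n}

def parse_report(text):
    """Return {rule: points} from a 'Content analysis details' table."""
    return {name: float(pts) for pts, name in ROW_RE.findall(text)}

def missing_from_milter(header, report):
    """Rules the command-line run hit that the milter run did not, with points."""
    _, milter_rules = parse_header(header)
    cli = parse_report(report)
    return {r: p for r, p in cli.items() if r not in milter_rules}

if __name__ == "__main__":
    gap = missing_from_milter(MILTER_HEADER, DEBUG_REPORT)
    for rule, pts in sorted(gap.items(), key=lambda kv: -kv[1]):
        print(f"{pts:5.1f}  {rule}")
    print(f"unaccounted points: {sum(gap.values()):.1f}")
```

For the first message in the post, the rules missing from the milter header account for 4.6 points, which is the whole difference between the 2.0 in the header and the 6.6 in the command-line report.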



