spamassassin-users December 2011 archive

[SOLVED] Re: USER_IN_BLACKLIST identified but not reported as spam

From: Bruno Costacurta <techie_at_nospam>
Date: Sat Dec 03 2011 - 20:41:11 GMT
To: users@spamassassin.apache.org

Quoting "Kevin A. McGrail" <KMcGrail@PCCC.com>:

> On 12/3/2011 1:46 PM, Bruno Costacurta wrote:
>>>> note : spamassassin version = 3.3.1, called from Postfix as
>>>> spamd, platform is Debian stable Squeeze
>>>>
>>>> I configured a test blacklist user in /etc/spamassassin/local.cf.
>>>> Indeed the blacklist user is identified as below via process
>>>> spamd in Postfix mail.info :
>>>>
>>>> ..etc..
>>>> spamd: result: Y 97 -
>>>> BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,TVD_SPACE_RATIO,T_DKIM_INVALID,USER_IN_BLACKLIST
>>>> ..etc..
>>>>
>>>> However the header does not mention it, and the score is negative
>>>> so the email is considered as a non-spam.
>>>>
>>>> X-Spam-Status: No, score=-2.6 required=2.0
>>>> tests=BAYES_00,FREEMAIL_FROM,
>>>> HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,TVD_SPACE_RATIO,T_DKIM_INVALID
>>>> autolearn=ham version=3.3.1
>>>>
>>>> In file /usr/share/spamassassin/50_scores.cf :
>>>> score USER_IN_BLACKLIST 100.000
>>>>
>>>> In /etc/spamassassin/local.cf
>>>> blacklist_from here-a-test-email-address@gmail.com
>>>>
>>>> Something is missing ?
>>>> Do I need to configure more than the local.cf file ?
>>>
>>> Looks like you are calling spamassassin more than once on the same
>>> email. And a required score of 2.0 is not a very good idea IMO.
>>>
>>> Regards,
>>> KAM
>>
>>
>> Hummm...log mail.info only reflect more than one treatment by spamassassin.
>> See processes hereafter.
>>
>> ...
>> Dec 3 19:36:55 vps622 postfix/smtpd[7541]: 8D3653574419:
>> client=mail-pz0-f47.google.com[209.85.210.47]
>> Dec 3 19:36:55 vps622 postfix/cleanup[7543]: 8D3653574419:
>> message-id=<CADwU8diy+PZ5hQvLpTuE8Ljwa5rGbwATkF+=tyKGhfegpYCRUQ@mail.gmail.com>
>> Dec 3 19:36:55 vps622 postfix/qmgr[19645]: 8D3653574419:
>> from=<bad@zzzz.com>, size=1476, nrcpt=1 (queue active)
>> Dec 3 19:36:55 vps622 spamd[1165]: spamd: connection from
>> localhost [127.0.0.1] at port 60247
>> Dec 3 19:36:55 vps622 spamd[1165]: spamd: setuid to spamfilter succeeded
>> Dec 3 19:36:55 vps622 spamd[1165]: spamd: processing message
>> <CADwU8diy+PZ5hQvLpTuE8Ljwa5rGbwATkF+=tyKGhfegpYCRUQ@mail.gmail.com> for
>> spamfilter:5001
>> Dec 3 19:36:56 vps622 spamd[1165]: spamd: identified spam
>> (97.5/2.0) for spamfilter:5001 in 1.0 seconds, 1512 bytes.
>> Dec 3 19:36:56 vps622 spamd[1165]: spamd: result: Y 97 -
>> BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,TVD_SPACE_RATIO,T_DKIM_INVALID,USER_IN_BLACKLIST scantime=1.0,size=1512,user=spamfilter,uid=5001,required_score=2.0,rhost=localhost,raddr=127.0.0.1,rport=60247,mid=<CADwU8diy+PZ5hQvLpTuE8Ljwa5rGbwATkF+=tyKGhfegpYCRUQ@mail.gmail.com>,bayes=0.000000,autolearn=no
>> Dec 3 19:36:57 vps622 spamd[1164]: prefork: child states:
>> II
>> Dec 3 19:36:57 vps622 postfix/pipe[7544]: 8D3653574419:
>> to=<xxxx@yyyyyyy.org>, relay=myprocmail, delay=2.4,
>> delays=1.3/0.01/0/1.2, dsn=2.0.0, status=sent (delivered via
>> myprocmail service)
>
> Well this one is a score of 97.5 and indicates user_in_blacklist worked:
> spamd: result: Y 97 -
> BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,TVD_SPACE_RATIO,T_DKIM_INVALID,USER_IN_BLACKLIST
> ..etc..
>
> This header indicates a different score and not spam and no
> user_in_blacklist:
>
> X-Spam-Status: No, score=-2.6 required=2.0
> tests=BAYES_00,FREEMAIL_FROM,
> HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,TVD_SPACE_RATIO,T_DKIM_INVALID
> autolearn=ham version=3.3.1
>
> That header is coming from somewhere...
>
> However, the required=2.0 is highly odd. Try changing to
> required=2.1 or something similar in your local.cf and see if you
> get two different required scores.
>
> regards,
> KAM

Solved.
Indeed it was already working previously.
My confusion came from my reading of the file mail.info.
In fact for USER_IN_BLACKLIST there is *no* indication like the following :

For a real spam the following is indicated in the log file.
Obviously this is not the case for USER_IN_BLACKLIST.

...
spamd: identified spam (5.0/2.0) for spamfilter:5001 in 0.6 seconds,
1451 bytes.
...

Thanks for your attention.

Bye,
Bruno