[BlueOnyx:26313] Re: negative AV-Spam score

[Juerg Sommer]

Hi Meaulnes

> I'm confronted with a peculiar situation: spam slips untagged thru 
> with a *negative* score
>
> X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
>     BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
>     DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
>     HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
>     RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
>     RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
>     T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
>     autolearn=no autolearn_force=no version=3.4.2
> X-Spam-Relay-Country: TN
>
> what's wrong here? I set the Required Reject Hits to 9 instead of 10 
> and that mail shouldn't have appeared at all if the score had been 
> 61.5, but positive! How does it turn negative?

That's normal. SpamAssasin gives positive and negative points based on 
rules. There are some rules that indicates harmless mails (ex. BAYES 
score 1-10%), in your case USER_IN_WELCOMELIST  and USER_IN_WHITELIST. 
And some other rules, hat indicates spam like BITCOIN_DEADLINE. If the 
sum of all affected rules is greater than the defined score, the mail is 
marked as spam.

I don't know/use the BlueOnyx plugin for spam scanning. Perhaps you can 
define your Welcome-List Addresses in the gui and should check if this 
sender address is whitelisted. There's maybe a missconfiguration, but 
negative points are not generally a problem.

BTW: SpamAssassin has changed their wording (like many other companies). 
Whitelist is now welcomelist, blacklist is blocklist. So one of the 
rules above would be an alias of the other and I don't know how it's 
named in the GUI.

Best regards,
Juerg