[BlueOnyx:26314] Re: negative AV-Spam score

Meaulnes Legler @ MailList bluelist at waveweb.ch
Thu Jun 22 09:31:19 -05 2023


Thank you Jürg, now I found the catch:

This clever jerk managed to send his blackmailing spam *from and to* my server administrator address. And since my server administrator address is in the whitelist (sorry! now politically correct: in the welcomelist :-) because I don't want to have my users blocklisted when I write them something, the e-mail presumably got this high negative score of -61.5.

You might have noticed this HackersBitcoinAddress rule in the X-Spam-Status, it's a rule I created with this cool BO «SpamAssassin Rule Editor» in AV-Spam. In this rule, I inserted the long bitcoin wallet address (as Expression) to be searched in the message body. I gave it a score of 9. Now I increased the score to 100, hope that works out.

Do you know where all those rules and their dedicated scores are listed? Can they be edited?

Thank you and best regards

で⊃ Meaulnes Legler
Zurich, Switzerland


On 22.06.23 12:57, Juerg Sommer via Blueonyx wrote:
> Hi Meaulnes
> 
>> I'm confronted with a peculiar situation: spam slips untagged thru with a *negative* score
>>
>> X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
>>     BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
>>     DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
>>     HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
>>     RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
>>     RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
>>     T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
>>     autolearn=no autolearn_force=no version=3.4.2
>> X-Spam-Relay-Country: TN
>>
>> what's wrong here? I set the Required Reject Hits to 9 instead of 10 and that mail shouldn't have appeared at all if the score had been 61.5, but positive! How does it turn negative?
> 
> That's normal. SpamAssassin gives positive and negative points based on rules. There are some rules that indicate harmless mails (e.g. BAYES score 1-10%), in your case USER_IN_WELCOMELIST and USER_IN_WHITELIST. And some other rules that indicate spam, like BITCOIN_DEADLINE. If the sum of all affected rules is greater than the defined score, the mail is marked as spam.
> 
> I don't know/use the BlueOnyx plugin for spam scanning. Perhaps you can define your Welcome-List Addresses in the GUI and should check if this sender address is whitelisted. There's maybe a misconfiguration, but negative points are not generally a problem.
> 
> BTW: SpamAssassin has changed their wording (like many other companies). Whitelist is now welcomelist, blacklist is blocklist. So one of the rules above would be an alias of the other and I don't know how it's named in the GUI.
> 
> Best regards,
> Juerg
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
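
The case discussed in this thread, a welcomelist hit pulling a message below the threshold although the same header records a failed sender check and blocklist hits, can be detected from the X-Spam-Status header alone. The following is an added example, not part of either poster's message; the function names and the choice of which rules count as contradicting a trusted sender are assumptions of this example.

```python
import re

# Rule names below all appear in the X-Spam-Status header quoted in this thread.
WELCOMELIST_RULES = {"USER_IN_WELCOMELIST", "USER_IN_WHITELIST"}
# Assumption of this example: these hits contradict a "trusted sender" verdict.
CONTRADICTING_RULES = {"SPF_SOFTFAIL", "RDNS_NONE", "RCVD_IN_PBL",
                       "RCVD_IN_SBL_CSS", "RCVD_IN_XBL", "TO_EQ_FM_DIRECT_MX"}

STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S*)")


def parse_spam_status(header):
    """Parse a (possibly folded) X-Spam-Status header into a dict."""
    value = header
    if header.lower().startswith("x-spam-status:"):
        value = header.split(":", 1)[1]
    value = re.sub(r"\s*\n\s+", " ", value)   # unfold continuation lines
    value = re.sub(r",\s+", ",", value)       # rejoin the folded tests= list
    m = STATUS_RE.search(value)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = m["tests"]
    names = set() if tests in ("", "none") else set(tests.split(","))
    return {"spam": m["verdict"] == "Yes", "score": float(m["score"]),
            "required": float(m["required"]), "tests": names}


def welcomelist_override(status):
    """Return the contradicting rules when a welcomelist hit kept the mail
    below the required score; return an empty list otherwise."""
    tests = status["tests"]
    if status["score"] >= status["required"] or not (tests & WELCOMELIST_RULES):
        return []
    return sorted(tests & CONTRADICTING_RULES)


# Header copied from the message quoted in this thread.
THREAD_HEADER = """X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
    BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
    DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
    HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
    RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
    RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
    T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
    autolearn=no autolearn_force=no version=3.4.2"""

if __name__ == "__main__":
    hits = welcomelist_override(parse_spam_status(THREAD_HEADER))
    print("welcomelist hit contradicted by:", hits)
```

A non-empty result means the welcomelist entry matched a message whose other hits say the sender was not who the From address claims, so that entry is worth reviewing.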



