[BlueOnyx:26315] Re: negative AV-Spam score

Larry Smith lesmith at ecsis.net
Thu Jun 22 09:55:07 -05 2023


Meaulnes,

  Believe the modifications to scoring and such are
kept in the /etc/mail/spamassassin directory but the rules
themselves are located in /usr/share/spamassassin
and the main scoring files are 50_scores.cf, 72_scores.cf
and possibly some in 73_sandbox_manual_scores.cf

-- 
Larry Smith
lesmith at ecsis.net

On Thu June 22 2023 09:31, Meaulnes Legler @ MailList via Blueonyx wrote:
> thank you Jürg, now I found the catch:
>
> This clever jerk managed to send his blackmailing spam *from and to* my
> server administrator address. And since my server administrator address is
> in the whitelist (sorry! now politically correct: in the welcomelist:-)
> because I don't want to have my users to be blocklisted when I write them
> something, the e-mail got presumably this high negative score of -61.5
>
> You might have noticed this HackersBitcoinAddress rule in the
> X-Spam-Status, it's a rule I created with this cool BO «SpamAssassin Rule
> Editor» in AV-Spam. In this rule, I inserted the long bitcoin wallet
> address (as Expression) to be searched in the message body. I gave it a
> score of 9. Now I increased the score to 100, hope that works out.
>
> Do you know where all those rules and their dedicated scores are listed?
> Can they be edited?
>
> Thank you and best regards
>
> で⊃ Meaulnes Legler
> Zurich, Switzerland
>
> On 22.06.23 12:57, Juerg Sommer via Blueonyx wrote:
> > Hi Meaulnes
> >
> >> I'm confronted with a peculiar situation: spam slips untagged thru with
> >> a *negative* score
> >>
> >> X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
> >>     BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
> >>     DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
> >>     HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
> >>     RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
> >>     RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
> >>     T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
> >>     autolearn=no autolearn_force=no version=3.4.2
> >> X-Spam-Relay-Country: TN
> >>
> >> what's wrong here? I set the Required Reject Hits to 9 instead of 10 and
> >> that mail shouldn't have appeared at all if the score had been 61.5, but
> >> positive! How does it turn negative?
> >
> > That's normal. SpamAssassin gives positive and negative points based on
> > rules. There are some rules that indicate harmless mails (ex. BAYES
> > score 1-10%), in your case USER_IN_WELCOMELIST and USER_IN_WHITELIST.
> > And some other rules that indicate spam, like BITCOIN_DEADLINE. If the
> > sum of all affected rules is greater than the defined score, the mail is
> > marked as spam.
> >
> > I don't know/use the BlueOnyx plugin for spam scanning. Perhaps you can
> > define your Welcome-List Addresses in the gui and should check if this
> > sender address is whitelisted. There's maybe a misconfiguration, but
> > negative points are not generally a problem.
> >
> > BTW: SpamAssassin has changed their wording (like many other companies).
> > Whitelist is now welcomelist, blacklist is blocklist. So one of the rules
> > above would be an alias of the other and I don't know how it's named in
> > the GUI.
> >
> > Best regards,
> > Juerg
> > _______________________________________________
> > Blueonyx mailing list
> > Blueonyx at mail.blueonyx.it
> > http://mail.blueonyx.it/mailman/listinfo/blueonyx
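
An added example, not part of the original thread or of BlueOnyx: a small Python check that parses the X-Spam-Status header quoted above and reports when a welcomelist rule fired on a message that also hit sender-forgery or blocklist rules. The function names and the choice of which rules count as "suspect" are assumptions made for this illustration; every rule name comes from the quoted header.

```python
import re

# Rule names taken from the X-Spam-Status header quoted in this thread.
WELCOME = {"USER_IN_WELCOMELIST", "USER_IN_WHITELIST"}
# Assumed "suspect" set: hits suggesting a forged sender or a listed relay.
SUSPECT = {"SPF_SOFTFAIL", "RCVD_IN_PBL", "RCVD_IN_SBL_CSS", "RCVD_IN_XBL",
           "RDNS_NONE", "TO_EQ_FM_DIRECT_MX"}

# The header from the thread, folded as it was posted.
SAMPLE = """X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
    BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
    DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
    HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
    RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
    RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
    T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
    autolearn=no autolearn_force=no version=3.4.2"""


def parse_spam_status(header):
    """Return (score, required, set of rule names) from an X-Spam-Status header."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)  # unfold continuation lines
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", flat)
    required = re.search(r"required=(-?\d+(?:\.\d+)?)", flat)
    tests = re.search(r"tests=(.*?)(?:\s+\w+=|$)", flat)
    if not (score and required and tests):
        raise ValueError("not a recognisable X-Spam-Status header")
    names = {t.strip() for t in tests.group(1).split(",")}
    names -= {"", "none"}  # "tests=none" means no rule fired
    return float(score.group(1)), float(required.group(1)), names


def welcomelist_override(header):
    """List the suspect rules that fired on a message which scored below
    the threshold while a welcomelist rule also fired; [] otherwise."""
    score, required, names = parse_spam_status(header)
    if score >= required or not names & WELCOME:
        return []
    return sorted(names & SUSPECT)


if __name__ == "__main__":
    hits = welcomelist_override(SAMPLE)
    if hits:
        print("welcomelisted despite:", ", ".join(hits))
```

On SpamAssassin 3.4.x, `whitelist_auth` entries only take effect when the message passes SPF or DKIM, so a forged From address like the one in this thread would not earn the welcomelist score.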