some spamassassin checks not occurring

Hello list,

Forgive me if this has come up before, I did try searching
the archives
but found it extremely tricky to get the correct search and
have found
no useful information.

I have a problem whereby a lot of spamassassin checks do not
appear to
be happening when mail goes through amavis. One particular
email scored
3.632 when it first arrived, but when passed through
spamassassin on a
different server with same local.cf it scored 10.0.

Both serers are running FreeBSD 6.1. The failing server is
running
amavisd-new-2.4.2 (20060627) installed from ports
collection, with
SpamAssassin version 3.1.4, Perl version 5.8.8. I am running
clamd and
amavisd chrooted, with Postfix mta. The other spamassassin
install is
3.2.1 on Perl 5.8.8.

I have tried running "amavisd debug-sa" but I
could see no errors that I
think would cause this, only some dns / whois timeouts and a
problem
with razor2 not working, but I think this is unrelated
because I get the
same high-score if I switch off razor2 in the standalone
spamassassin.

I am quite stuck with this and have no idea what to do to
make it work.
Does anyone have any suggestions?

Thanks in advance,


Matt

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On Tue, Sep 04, 2007 at 12:48:40PM +0100,
matthew_bucklandwordbank.com wrote:
> Hello list,
> 
> Forgive me if this has come up before, I did try
searching the archives
> but found it extremely tricky to get the correct search
and have found
> no useful information.
> 
> I have a problem whereby a lot of spamassassin checks
do not appear to
> be happening when mail goes through amavis. One
particular email scored
> 3.632 when it first arrived, but when passed through
spamassassin on a
> different server with same local.cf it scored 10.0.
> 
> Both serers are running FreeBSD 6.1. The failing server
is running
> amavisd-new-2.4.2 (20060627) installed from ports
collection, with
> SpamAssassin version 3.1.4, Perl version 5.8.8. I am
running clamd and
> amavisd chrooted, with Postfix mta. The other
spamassassin install is
> 3.2.1 on Perl 5.8.8.
> 
> I have tried running "amavisd debug-sa" but I
could see no errors that I
> think would cause this, only some dns / whois timeouts
and a problem
> with razor2 not working, but I think this is unrelated
because I get the
> same high-score if I switch off razor2 in the
standalone spamassassin.
> 
> I am quite stuck with this and have no idea what to do
to make it work.
> Does anyone have any suggestions?
> 
> Thanks in advance,
> 
> 
> Matt
> 

...sorry, I think I may have just partly figured out what's
wrong. The
two status lines look like this:

X-Spam-Status: No, score=3.632 required=4.5
tests=[BAYES_50=0.001,
DATE_IN_FUTURE_06_12=1.668, EXTRA_MPART_TYPE=1.091,
HTML_30_40=0.374,
HTML_IMAGE_ONLY_16=0.497, HTML_MESSAGE=0.001]

and

X-Spam-Status: Yes, score=9.9 required=5.0
tests=AWL,DATE_IN_FUTURE_06_12,
	EXTRA_MPART_TYPE,HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_QP_LO
NG_LINE,
	PART_CID_STOCK,RDNS_NONE,STOCK_IMG_CTYPE,STOCK_IMG_HDR_FROM
,STOCK_IMG_HTML,
	T_TVD_FW_GRAPHIC_ID1,UNPARSEABLE_RELAY autolearn=no
version=3.2.1

So it looks like only some of the tests are missing (perhaps
to do with
the difference SA versions), but what I'm now noticing is
the difference
in the scores for the different tests. Eg, the
DATE_IN_FUTURE_06_12 test
is 1.668 for the amavisd scanner, but the standalone SA
gives it a 3.1!!

Does anyone know how I can get them to be the same. I can
see some small
differences in the contents of
/usr/local/share/spamassassin/*.cf but am
unsure of how to interpret the differences, nor why they
would be
different in the first place. Is it safe to simply overwrite
one set of
*.cf files with a different one or is that not advisable?
(sorry if
that's slightly off-topic).


Thanks again,

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On Tue, Sep 04, 2007 at 01:17:06PM +0100,
matthew_bucklandwordbank.com wrote:
> On Tue, Sep 04, 2007 at 12:48:40PM +0100,
matthew_bucklandwordbank.com wrote:
...
> > Forgive me if this has come up before, I did try
searching the archives
> > but found it extremely tricky to get the correct
search and have found
> > no useful information.
> > 
> > I have a problem whereby a lot of spamassassin
checks do not appear to
> > be happening when mail goes through amavis. One
particular email scored
> > 3.632 when it first arrived, but when passed
through spamassassin on a
> > different server with same local.cf it scored
10.0.
> > 
> > Both serers are running FreeBSD 6.1. The failing
server is running
> > amavisd-new-2.4.2 (20060627) installed from ports
collection, with
> > SpamAssassin version 3.1.4, Perl version 5.8.8. I
am running clamd and
> > amavisd chrooted, with Postfix mta. The other
spamassassin install is
> > 3.2.1 on Perl 5.8.8.
> > 
> > I have tried running "amavisd debug-sa"
but I could see no errors that I
> > think would cause this, only some dns / whois
timeouts and a problem
> > with razor2 not working, but I think this is
unrelated because I get the
> > same high-score if I switch off razor2 in the
standalone spamassassin.
...

  You have too many variables there to sort things out
readily; you
should expect different versions of SA to score individual
tests quite
differently.

  I'd start by taking out the chrooting in the failing
system and see
if its scores shift dramatically. 
 
> ...sorry, I think I may have just partly figured out
what's wrong. The
> two status lines look like this:
> 
> X-Spam-Status: No, score=3.632 required=4.5
tests=[BAYES_50=0.001,
> DATE_IN_FUTURE_06_12=1.668, EXTRA_MPART_TYPE=1.091,
HTML_30_40=0.374,
> HTML_IMAGE_ONLY_16=0.497, HTML_MESSAGE=0.001]
> 
> and
> 
> X-Spam-Status: Yes, score=9.9 required=5.0
tests=AWL,DATE_IN_FUTURE_06_12,
>
	EXTRA_MPART_TYPE,HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_QP_LO
NG_LINE,
>
	PART_CID_STOCK,RDNS_NONE,STOCK_IMG_CTYPE,STOCK_IMG_HDR_FROM
,STOCK_IMG_HTML,
> 	T_TVD_FW_GRAPHIC_ID1,UNPARSEABLE_RELAY autolearn=no
version=3.2.1
> 
> So it looks like only some of the tests are missing
(perhaps to do with
> the difference SA versions), but what I'm now noticing
is the difference
> in the scores for the different tests. Eg, the
DATE_IN_FUTURE_06_12 test
> is 1.668 for the amavisd scanner, but the standalone SA
gives it a 3.1!!
 
 It isn't clear if when you say "standalone" you
mean you're running a
test with the spamassassin command line on the same server,
but I'll
assume you are.  (As I said, you should expect different
versions of SA
to score individual tests quite differently.)

  This might suggest that amavisd is picking up a different
set of SA
config files than the SA scanner run standalone.  Look at
the list of
directories amavisd logs when it starts up, and see if you
find some SA
files in a directory that's ahead of the ones you're looking
at.  Also
in general look for warnings during the startup.  Again, the
number one
thing to try is to toggle chroot on and off and observe how
the scoring
is affected; it's far easier to troubleshoot without it, get
it the way
you like and only then try to get chrooting working.

> Does anyone know how I can get them to be the same. I
can see some small
> differences in the contents of
/usr/local/share/spamassassin/*.cf but am
> unsure of how to interpret the differences, nor why
they would be
> different in the first place. Is it safe to simply
overwrite one set of
> *.cf files with a different one or is that not
advisable? (sorry if
> that's slightly off-topic).

  The .cf files need to match the version of SA or it will
be less
accurate.  Concentrate on making sure that the new system
has a
consistent version of everything and that amavisd is seeing
it.  If you
really need to downgrade SA, you should downgrade both the
installed SA
and its config files; I would not recommend just swapping
old versions
of the config files in en masse.  
 
  -- Clifton

-- 
    Clifton Royston  --  cliftonriandicomputing.com /
cliftonrlava.net
       President  - I and I Computing * http://www.iandicomput
ing.com/
 Custom programming, network design, systems and network
consulting services

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

Hi Mark,

> 
> The version of amavisd-new should not have any effect
on SpamAssassin scores.
> 
> Use the same version of SpamAssassin and the same set
of rules
> (like SARE rules, same sa-update channels, local.cf,
*.pre,
> bayes db, awl, ...).

I now have a setup on a non-production server with same SA
and amavis
versions and config as the one I am trying to debug.

> 
> See also:
>   http://w
ww.ijs.si/software/amavisd/#faq-spam
> 
> and search for "SpamAssassin returns different
score ..."

I have read this part of the FAQ and have checked everything
there. I am
still not sure what is happening. I have tried running
outside of the
chroot but the same thing happens still. I have run amavisd
and
spamassassin in debug mode and they both produce almost
identical
results. The main difference is that the scores are
different. Even the
same tests are occurring. Why would this be?

Is it possible someone could take a look at my debug output
and see
if there is something I'm missing? It's quite large so I
have put the
files here:

<http://www.wordbank.
com/matt>

Thanks again,

Matt

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

> Is it possible someone could take a look at my debug
output and see
> if there is something I'm missing?

> Output from "amavisd-new debug-sa"
> Output from "spamassassin -D -t < msg"

In the first case an empty message came to SpamAssassin.

See amavisd log if the message was also empty when it came
to amavisd,
or was the content somehow lost when it was passed to
SpamAssassin.

Just in case, please also check sanity of SA rules and
settings:

  # su vscan -c 'spamassassin --lint'


Mark

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On Thu, Sep 06, 2007 at 01:23:13PM +0200, Mark Martinec
wrote:
> > Is it possible someone could take a look at my
debug output and see
> > if there is something I'm missing?
> 
> > Output from "amavisd-new debug-sa"
> > Output from "spamassassin -D -t <
msg"
> 
> In the first case an empty message came to
SpamAssassin.

Oh, ok. I'm being stupid, wasn't injecting the message in
properly. I
think I have done it correctly this time.

> 
> Just in case, please also check sanity of SA rules and
settings:
> 
>   # su vscan -c 'spamassassin --lint'

No output, exits with 0, which I assume is good.

Thanks again,

Matt

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

Matt,

> I think I have done it correctly this time.

Ok, this looks better now.

Here are some noteworthy differences:

[64986] dbg: bayes: not available for scanning, only 0
spam(s) in bayes DB < 200
[64986] dbg: config: score set 1 chosen.

versus:

[40259] dbg: config: score set 3 chosen.

Since Bayes db on one host is empty, SpamAssassin selects
score set 1
instead of 3, which can explain different score values for
tests
which got hit. (see man Mail::SpamAssassin::Conf and search
for
explanation of a 'score' setting to learn about score
sets).

Don't know about HTML_30_40, probably different rules.
It doesn't exist in current versions of SpamAssassin.

The RCVD_IN_NJABL_DUL is probably due to an additional
Received header field inserted in the message by MTA when
message was submitted to amavisd, and to the interaction
of the IP address from that header field with your
settings of internal_networks and trusted_networks.

You'd received a matching result if you submitted to
a command line spamassassin the message as it came
through the MTA+amavisd+amavis chain, with hand-removed
top two Received header fields that (inserted by amavisd
and by MTA on port 10025).

The __ENV_AND_HDR_FROM_MATCH is probably because you didn't
pay attention to envelope sender address - amavisd makes it
available to SpamAssassin as a 'Return-Path' header field,
which you probably didn't have in your test message as
submitted
to a command line spamassassin.

You should have the following in local.cf:

always_trust_envelope_sender 1
envelope_sender_header  Return-Path

and make sure to get the trusted_networks,
internal_networks
and the new msa_networks set up correctly in local.cf,
matching your IP address space and topology of mailers.

  Mark

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On Thu, Sep 06, 2007 at 03:53:28PM +0200, Mark Martinec
wrote:
> Matt,
> 
> > I think I have done it correctly this time.
> 
> Ok, this looks better now.
> 

[snip lots of good stuff]

Thankyou so much for all of that information. I will study
it and make
the changes to my configuration.


Matt

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

Hello again,

On Thu, Sep 06, 2007 at 03:13:59PM +0100,
matthew_bucklandwordbank.com wrote:
> On Thu, Sep 06, 2007 at 03:53:28PM +0200, Mark Martinec
wrote:
> > Matt,
> > 
> > > I think I have done it correctly this time.
> > 
> > Ok, this looks better now.
> > 
> 
> [snip lots of good stuff]
> 
> Thankyou so much for all of that information. I will
study it and make
> the changes to my configuration.
> 
> 

I think that it's now working on the non-production server
that I set up,
just had to point it to the correct bayes path. However this
is not the
problem with the production server. I managed to run outside
of chroot
environment without impacting people's email too much and
when it's
running outside the chroot it gives the same score as with
command line
 the
trouble is that I don't really want to run it outside the
chroot
and I'm not sure how to figure out what is different. I have
debugging
output from both <http://www.wordbank
.com/matt>. If anyone can see
something obvious I (and my users) would be very very
happy.


Thanks again,

Matt

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/