Mailing List Archive

Getting different SA scores when using -R argument with spamc
When I run spamc without -R option like this:

spamc -u some_user < some_email

I get the following output:

============================================================================

<HEADERS>

This is a multi-part message in MIME format.

<snip>


Content analysis details: (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/,
                            low trust
                            [69.252.207.38 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [69.252.207.38 listed in wl.mailspike.net]
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily

<EMAIL BODY>

===============================================================================



However, when I run this command on the same email with the -R command
to get the SA scores only like this:

spamc -R -u some_user < some_email


I get this output:


===============================================================================

2.6/5.0
Spam detection software, running on the system "email.dondley.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Spam detection software, running on the system
"email.dondley.com",
has identified this incoming email as possible spam. The original
message
has been attached to this so you can view it or label simi [...]

Content analysis details: (2.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
                            mail domains are different
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area


================================================================================


Notice the scores are totally different. According to man page, -R says:

Just output the SpamAssassin report text to stdout, for all messages.
See -r for details of the output format used.

So why are the scores different with and without the -R option?
Re: Getting different SA scores when using -R argument with spamc
On 6 Apr 2021, at 12:54, Steve Dondley wrote:

> When I run spamc without -R option like this:
>
> spamc -u some_user < some_email
>
> I get the following output:
>
[...]
>
> However, when I run this command on the same email with the -R command
> to get the SA scores only like this:
>
> spamc -R -u some_user < some_email
>
>
> I get this output:
[...]
>
> Notice the scores are totally different.

Also, rules related to parsing the headers are wildly different. That
shouldn't happen with the same input. I suspect a subtle difference
between your inputs.

> According to man page, -R says:
>
> Just output the SpamAssassin report text to stdout, for all messages.
> See -r for details of the output format used.
>
> So why are the scores different with and without the -R option?

Dunno. I cannot reproduce it despite trying with the last 50 messages to
be seen by my mail server. I'm trying another 125 also but I don't
really expect to see differences.

Can you provide a working example message AND the operative user prefs?

Run this:

spamassassin --prefs-file user_prefs_file -D all < some_email

Does the score and hits match one of your spamc tests?

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Getting different SA scores when using -R argument with spamc
> Can you provide a working example message AND the operative user prefs?

OK, I was being very stupid. It finally dawned on me that the SA scores
that appeared above the message body and below the headers when spamc
was run without the -R option were SA scores embedded in the message by
the postfix software and were not getting generated by spamc.

But that doesn't change the fact that the spamassassin score that is
generated by the postfix command is different than what I'm getting
directly on the command line. Here is what is in my postfix master.cf
file:

spamassassin unix - n n - - pipe
  user=debian-spamd argv=/usr/bin/spamc -u ${user} -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}


>
> spamassassin --prefs-file user_prefs_file -D all < some_email
>
> Does the score and hits match one of your spamc tests?

No. The headers have a different score and the tests are different. It's
scored only as 2.6 with BAYES_50 while what was embedded in the email by
postfix had a BAYES_99 and BAYES_999 and scored 5.2. postfix score also
shows RCVD_IN_DNSWL_LOW while running from the command line does not
show any such test hit.

And I cannot reproduce the SA scores embedded in the email by postfix
even if I log in as user "s" and run this command:

spamassassin --prefs-file=/home/s/.spamassassin/user_prefs -t < some_email

So I'm not sure what's going on.
Re: Getting different SA scores when using -R argument with spamc
PLEASE NOTE:

I read the mailing list obsessively and DO NOT NEED (or want) the extra
copies sent when you send both to me and to the list.


On 6 Apr 2021, at 14:17, Steve Dondley wrote:

>> Can you provide a working example message AND the operative user
>> prefs?
>
> OK, I was being very stupid. It finally dawned on me that the SA
> scores that appeared above the message body and below the headers when
> spamc was run without the -R option were SA scores embedded in the
> message by the postfix software and were not getting generated by
> spamc.
>
> But that doesn't change the fact that the spamassassin score that is
> generated by the postfix command is different than what I'm getting
> directly on the command line. Here is what is in my postfix
> master.cf file:
>
> spamassassin unix - n n - - pipe
>   user=debian-spamd argv=/usr/bin/spamc -u ${user} -e
>   /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Nitpick: Postfix is not adding the score report in the header, spamd is.
That line hands off the message to spamc, which sends it to spamd and
gets back a scored copy, which it then re-injects via sendmail (which is
actually part of Postfix...)

>> spamassassin --prefs-file user_prefs_file -D all < some_email
>>
>> Does the score and hits match one of your spamc tests?
>
> No. The headers have a different score and the tests are different.
> It's scored only as 2.6 with BAYES_50 while what was embedded in the
> email by postfix had a BAYES_99 and BAYES_999 and scored 5.2. postfix
> score also shows RCVD_IN_DNSWL_LOW while running from the command line
> does not show any such test hit.
>
> And I cannot reproduce the SA scores embedded in the email by postfix
> even if I log in as user "s" and run this command:
>
> spamassassin --prefs-file=/home/s/.spamassassin/user_prefs -t < some_email
>
> So I'm not sure what's going on.

Since the scores being added during delivery are much richer, detecting
enough info to do SPF and DKIM analysis, I am 99.9% certain that the
format of 'some_email' is mangled, probably missing critical headers or
using CR linebreaks instead of proper LFs.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Getting different SA scores when using -R argument with spamc
On 2021-04-06 02:32 PM, Bill Cole wrote:
> PLEASE NOTE:
>
> I read the mailing list obsessively and DO NOT NEED (or want) the
> extra copies sent when you send both to me and to the list.

Sorry, I still haven't figured out how to properly respond. When I hit
"reply all" it cc's the list and sends to you. When I hit just "reply"
it only sends to you. I've manually deleted you from the "To" box and
sending it directly to the list here. Hopefully that fixes things up.

> Since the scores being added during delivery are much richer,
> detecting enough info to do SPF and DKIM analysis, I am 99.9% certain
> that the format of 'some_email' is mangled, probably missing critical
> headers or using CR linebreaks instead of proper LFs.

Hmm, this is on a linux box, so I'm not sure how it could be screwing up
the line breaks. Is it possible that when spamd injects the scores
before the body of the email, it is screwing things up?

Here is email as it sits in my inbox now, which is after it gets
processed by spamd. I was under the impression that an email that had
already been processed by SA could be processed again and it would
ignore any modifications made by earlier passes through SA.

Return-Path:
<bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>
Delivered-To: s@exmaple.com
Received: from email.exmaple.com
by email.exmaple.com with LMTP
id kAhSKc1dY2BCKgAAB604Gw
(envelope-from
<bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
for <s@exmaple.com>; Tue, 30 Mar 2021 13:20:13 -0400
Received: by email.exmaple.com (Postfix, from userid 115)
id A64BE200C8; Tue, 30 Mar 2021 13:20:13 -0400 (EDT)
Received: from localhost by email.exmaple.com
with SpamAssassin (version 3.4.2);
Tue, 30 Mar 2021 13:20:13 -0400
From: "Home Warranty - AHS" <send@forgetmassives.com>
To: <steveexmaple@comcast.net>
Subject: *****SPAM***** It's getting warmer, are you covered?
Date: Tue, 30 Mar 2021 05:18:34 -0700
Message-Id: <B3.BE.10603.49D53606@emsmta18>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
email.exmaple.com
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.2 required=5.0 tests=BAYES_99,BAYES_999,
DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2,
SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
autolearn_force=no version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_60635DCD.A0F5D194"

This is a multi-part message in MIME format.

------------=_60635DCD.A0F5D194
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "email.exmaple.com",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Your AHS Home Warranty covers the repair or
replacement of
many system and appliance breakdowns, but not necessarily the entire
system
or appliance. Please refer to your contract for details. American
Home Shield
150 Peabody Pl., Memphis, TN 38103. Unsubscribe | Privacy Policy ©
2021
American Home Shield Corporation. All rights reserved.

Content analysis details: (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/,
                            low trust
                            [69.252.207.38 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [69.252.207.38 listed in wl.mailspike.net]
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_60635DCD.A0F5D194
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received-SPF: Softfail (mailfrom) identity=mailfrom;
client-ip=69.252.207.38; helo=resqmta-ch2-06v.sys.comcast.net;
envelope-from=bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com;
receiver=<UNKNOWN>
Authentication-Results: email.exmaple.com;
dkim=pass (2048-bit key; secure) header.d=comcastmailservice.net
header.i=@comcastmailservice.net header.b="YTHf56Fx";
dkim=pass (1024-bit key; unprotected)
header.d=forgetmassives.com header.i=@forgetmassives.com
header.b="Cc3SOvHE";
dkim-atps=neutral
Received: from resqmta-ch2-06v.sys.comcast.net
(resqmta-ch2-06v.sys.comcast.net [69.252.207.38])
by email.exmaple.com (Postfix) with ESMTPS id F0A9D200C8
for <s@exmaple.com>; Tue, 30 Mar 2021 13:20:12 -0400 (EDT)
Received: from resomta-ch2-06v.sys.comcast.net ([69.252.207.102])
by resqmta-ch2-06v.sys.comcast.net with ESMTP
id RCA7l3lgvsjoSRI2ElIKl6; Tue, 30 Mar 2021 17:20:10 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=comcastmailservice.net; s=20180828_2048; t=1617124810;
bh=EzUwkxtc+07gV+1cIeMVwIqhGkZuGI/a4ukUrCjG7nM=;
h=Received:Received:Received:Received:Received:Received:Received:
Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:
Content-Type;
b=YTHf56FxVyphxJLrqEnfZKfP5M62QfSc0ICCe5ZS/2UXQUsumO0ltgCO6ZjDRxrso
Up8oEgr4gqv8kNMAtJEM532f15eLObwwty+P0OAS8HncjfsiHJspdnk3Eg0aC4A57k
5w8gnpRbQoa/KaAn0bejQNcCdr+KArf6VwKO+q5/HY9UQxa2RxIWUsoxIMmyZX0WpF
upTL1nKnd+zaRENmudAllcfxCLMUpnc9oK/Ea//4bcT/51ofrewbe/J0ZhaAUfJu5O
/40UsSsWx49VFVQ1X7Bifw/CE56spoesfnOSm9/7W/V0PptjjleM6LIQ3S+xWRJFaS
xfwTExYFqt5sw==
Received: from dovback2-asa-09o.email.comcast.net ([96.118.48.40])
by resomta-ch2-06v.sys.comcast.net with ESMTP
id RI2Dlb2J4RxAFRI2EldEBV; Tue, 30 Mar 2021 17:20:10 +0000
X-Xfinity-VAAS:
gggruggvucftvghtrhhoucdtuddrgeduledrudeitddgudduvdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucevohhmtggrshhtqdftvghsihdpqfgfvfdppffquffrtefokffrnecuuegrihhlohhuthemuceftddunecundfotefknffkpffiucdludejmdenucfjughrpefkfffhrhfvuffjgggtsegrtderredttdejnecuhfhrohhmpedfjfhomhgvucghrghrrhgrnhhthicuqdcutefjufdfuceoshgvnhgusehfohhrghgvthhmrghsshhivhgvshdrtghomheqnecuggftrfgrthhtvghrnhepfeefffetveetheffvdfgieeuueehleffleeghfeuudffgeejhfeugfffgfeufeejnecuffhomhgrihhnpegslhhuvghhohhrnhgvthdrtghomhenucfkphepleeirdduudekrdegkedrgedtpdeijedrvdduiedrvddvgedrgedtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghlohepughovhgsrggtkhdvqdgrshgrqddtlehordgvmhgrihhlrdgtohhmtggrshhtrdhnvghtpdhinhgvthepleeirdduudekrdegkedrgedtpdhmrghilhhfrhhomhepsghouhhntggvqdhushgvpehmpeeggeeikedvjeefgeekfeeipegvtghhohegpeeiughftdgrkegtudeivdgtuggtvdekuddtuggtkegsgehfvgdtrgduudelkedujeesrhgvthhurhhnphgrthhhrdgslhhuvghhohhrnhgvthdrtghomhdprhgtphhtthhopehsseguohhnughlvgihrdgtohhm
X-Xfinity-CCat: promotional
X-Xfinity-VMeta: sc=17.00;st=mce
X-Sieve: Pigeonhole Sieve 0.5.12 (f22f7ab3)
X-Sieve-Redirected-From: steveexmaple@comcast.net
Delivered-To: steveexmaple@comcast.net
Received: from dovdir2-asa-02o.email.comcast.net ([69.252.207.53])
by dovback2-asa-09o.email.comcast.net with LMTP
id 6GaMGsZdY2AmPwAAmOiKAQ
(envelope-from
<bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
for <steveexmaple@comcast.net>; Tue, 30 Mar 2021 17:20:06 +0000
Received: from dovpxy-asb-13o.email.comcast.net ([69.252.207.53])
by dovdir2-asa-02o.email.comcast.net with LMTP
id iGWMF8ZdY2AdXwAAq9RwVw
(envelope-from
<bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
for <steveexmaple@comcast.net>; Tue, 30 Mar 2021 17:20:06 +0000
Received: from resimta-ch2-34v.sys.comcast.net ([69.252.207.53])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
bits))
by dovpxy-asb-13o.email.comcast.net with LMTPS
id yLhCFMZdY2D5eQAAV/MBng
(envelope-from
<bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
for <steveexmaple@comcast.net>; Tue, 30 Mar 2021 17:20:06 +0000
Received: from smtp.liberal.bluehornet.com ([67.216.224.40])
by resimta-ch2-34v.sys.comcast.net with ESMTP
id RI22lqxlK2vXGRI29lQ6xW; Tue, 30 Mar 2021 17:20:06 +0000
X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=1;DMARC=
Authentication-Results: resimta-ch2-34v.sys.comcast.net;
dkim=pass header.d=forgetmassives.com
header.i=@forgetmassives.com
header.b=Cc3SOvHE
X-MSFBL:
c3RldmVkb25kbGV5QGNvbWNhc3QubmV0QGJlcm5hcmRfbGliZXJhbEBiZXJuYXJk
QGJvdW5jZS11c2U9TT00NDY4MjczNDgzNj1lY2hvND02REYwQThDMTYyQ0RDMjgx
MERDOEI0RkUwQTExOTgxNw==
DKIM-Signature: v=1; a=rsa-sha256; d=forgetmassives.com; s=s1024-1.bh;
c=simple/simple;
q=dns/txt; i=@forgetmassives.com; t=1617124756;
h=From:Subject:Date:To:Mime-Version:List-Unsubscribe:List-Unsubscribe-Post:Content-Type;
bh=v0lCvbtRqApG1XU1/ouMo37AJee75nZOebhHsT2gjbw=;
b=Cc3SOvHEcyP4NtvbU8vbw/j8DZPj9Cyd5Aw6l3XX1J8YDiJ/qk2Im4rmgzw7eBIz
cjwPM9nPlEG30CU7033+PruH+O/lL5Es5TDUXBICgEJ8MzAFSS6FBz/J2dfygBLw
NnSJvpGkQG8f/M1CQW4DpF5+cB9yBlE2+c+heD8vEeA=;
Received: from [172.16.9.190] ([172.16.9.190:44982]
helo=localhost.localdomain)
by returnpath.bluehornet.com (envelope-from
<bounce-use=M=44682734836=echo4=6DF0A8C162CDC2810DC8B4FE0A119817@returnpath.bluehornet.com>)
(ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP
id B3/BE-10603-49D53606; Tue, 30 Mar 2021 10:19:16 -0700
Message-ID: <B3.BE.10603.49D53606@emsmta18>
Date: Tue, 30 Mar 2021 05:18:34 -0700
From: "Home Warranty - AHS" <send@forgetmassives.com>
Reply-To: send@forgetmassives.com
To: <steveexmaple@comcast.net>
X-Outgoing: bernard
Subject: It's getting warmer, are you covered?
List-Unsubscribe:
<mailto:unsub-44682734836-echo4-6DF0A8C162CDC2810DC8B4FE0A119817@listunsub.bluehornet.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--6063171a83296-MultiPart-Mime-Boundary"



----6063171a83296-MultiPart-Mime-Boundary
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit



Your AHS Home Warranty covers the repair or replacement of many
system and appliance breakdowns, but not necessarily the entire
system or appliance. Please refer to your contract for details.

American Home Shield 150 Peabody Pl.,
Memphis, TN 38103.
Unsubscribe | Privacy Policy
© 2021 American Home Shield Corporation. All
rights reserved.

This message was intended for: steveexmaple@comcast.net
You were added to the system October 20, 2020.
For more information please follow the URL below:
http://echo4.bluehornet.com/p/iT5IWP_2NK

Follow the URL below to update your preferences or opt-out:
http://echo4.bluehornet.com/p/oT5IWP_2NK

To unsubscribe from future mailings, send an email to
mailto:unsub-44682734836-echo4-6DF0A8C162CDC2810DC8B4FE0A119817@emailsendr.net?Subject=Unsubscribe&body=Please%20remove%20me%20from%20further%20mailings
with "Unsubscribe" as the subject line.



----Powered by DMLS----






----6063171a83296-MultiPart-Mime-Boundary
Content-Type: text/html; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit



<html><!--

*******************************************************
*Note: If you are having trouble viewing this message,*
*copy and paste the link below into your browser *
*address field and hit the Enter button on your *
*keyboard. *
http://echo4.bluehornet.com/p/vT5IWP_2NK
If you would like to change your preferences *
or unsubscribe, copy the URL below: *
This message was intended for: steveexmaple@comcast.net
You were added to the system October 20, 2020.
For more information please follow the URL below:
http://echo4.bluehornet.com/p/iT5IWP_2NK

Follow the URL below to update your preferences or opt-out:
http://echo4.bluehornet.com/p/oT5IWP_2NK

To unsubscribe from future mailings, send an email to
mailto:unsub-44682734836-echo4-6DF0A8C162CDC2810DC8B4FE0A119817@emailsendr.net?Subject=Unsubscribe&body=Please%20remove%20me%20from%20further%20mailings
with "Unsubscribe" as the subject line.


*******************************************************
-->
<html dir="ltr"><head><title></title></head><body><table width="620"
align="center"> </table><table align="center"> <tbody><tr><td
align="center"><a
href="http://echo4.bluehornet.com/ct/100057356:T5IWP_2NK:m:1:3292882242:C5DB59115FB99008217C5611CDEF14ED:r"><img
src="https://newbukett.s3.amazonaws.com/AHS_0325/Spring/AHS_Spring_2019_1.png"
alt="" width="620" height="1310" border="0" /></a></td></tr><tr><td
width="600" align="center"><p><font size="2" face="Arial"
color="#697080"><br /> Your AHS Home Warranty covers the repair or
replacement of many
system and appliance breakdowns, but not necessarily the entire system
or appliance. Please refer to your contract for details. <br /><br />
American
Home Shield 150 Peabody Pl., Memphis, TN 38103. <br /><a
href="http://echo4.bluehornet.com/ct/100057357:T5IWP_2NK:m:1:3292882242:C5DB59115FB99008217C5611CDEF14ED:r">Unsubscribe</a>
| <a
href="http://echo4.bluehornet.com/ct/100057358:T5IWP_2NK:m:1:3292882242:C5DB59115FB99008217C5611CDEF14ED:r">Privacy
Policy</a><a> <br />&copy; 2021 American Home Shield
Corporation. All rights reserved.
</a></font></p></td></tr></tbody></table> <br /><br /><br /><br
/></body>

<p><font face="Verdana, Arial, Helvetica, sans-serif" size="1"
color="#999999">
This message was intended for: <a
href='mailto:steveexmaple@comcast.net'>steveexmaple@comcast.net</a> <br
/>
You were added to the system October 20, 2020.<br />
For more information <a
href='http://echo4.bluehornet.com/p/iT5IWP_2NK'>click here</a>. <a
href='http://echo4.bluehornet.com/p/oT5IWP_2NK'>Update your
preferences</a><br />
<a
href='http://echo4.bluehornet.com/p/oT5IWP_2NK'>Unsubscribe</a> | <a
href='mailto:unsub-44682734836-echo4-6DF0A8C162CDC2810DC8B4FE0A119817@emailsendr.net?Subject=Unsubscribe&body=Please%20remove%20me%20from%20further%20mailings'>Unsubscribe
via email</a><br />
<br />
</font></p><br><br><a href=""><img
src="http://echo4.bluehornet.com/skins/329d6fe2ad79accb/powered_by.jpg"
border="0"></a></b></font></p><img
src="http://echo4.bluehornet.com/imagelibrary/N-T5IWP_2NK-72D5B94E3EAF68018D90DE9FBDD9E339.jpg"
width="1" height="1" style="border:none; visibility:hidden;
max-height:0px; max-width:0px; overflow:hidden;">

</html>



----6063171a83296-MultiPart-Mime-Boundary--

------------=_60635DCD.A0F5D194--
Re: Getting different SA scores when using -R argument with spamc
On 2021-04-06 02:55 PM, Steve Dondley wrote:
> On 2021-04-06 02:32 PM, Bill Cole wrote:
>> PLEASE NOTE:
>>
>> I read the mailing list obsessively and DO NOT NEED (or want) the
>> extra copies sent when you send both to me and to the list.
>
> Sorry, I still haven't figured out how to properly respond. When I hit
> "reply all" it cc's the list and sends to you. When I hit just "reply"
> it only sends to you. I've manually deleted you from the "To" box and
> sending it directly to the list here. Hopefully that fixes things up.
>
>> Since the scores being added during delivery are much richer,
>> detecting enough info to do SPF and DKIM analysis, I am 99.9% certain
>> that the format of 'some_email' is mangled, probably missing critical
>> headers or using CR linebreaks instead of proper LFs.
>

I just noticed the date in the email header was from about a week ago.
Re: Getting different SA scores when using -R argument with spamc
On 6 Apr 2021, at 14:55, Steve Dondley wrote:

> On 2021-04-06 02:32 PM, Bill Cole wrote:
>> PLEASE NOTE:
>>
>> I read the mailing list obsessively and DO NOT NEED (or want) the
>> extra copies sent when you send both to me and to the list.
>
> Sorry, I still haven't figured out how to properly respond. When I hit
> "reply all" it cc's the list and sends to you. When I hit just "reply"
> it only sends to you. I've manually deleted you from the "To" box and
> sending it directly to the list here. Hopefully that fixes things up.

It seems to have done so. Thank you.

Some MUAs have a "Reply to List" function that uses the List-Post header
(and sometimes heuristics when that header is missing) to send replies
only to a list itself.

>
>> Since the scores being added during delivery are much richer,
>> detecting enough info to do SPF and DKIM analysis, I am 99.9% certain
>> that the format of 'some_email' is mangled, probably missing critical
>> headers or using CR linebreaks instead of proper LFs.
>
> Hmm, this is on a linux box, so I'm not sure how it could be screwing
> up the line breaks. Is it possible that when spamd injects the scores
> before the body of the email, it is screwing things up?
>
> Here is email as it sits in my inbox now, which is after it gets
> processed by spamd. I was under the impression that an email that had
> already been processed by SA could be processed again and it would
> ignore any modifications made by earlier passes through SA.

It can only do so if report_safe is set to 0. With non-zero report_safe
settings, the original mail is encapsulated as an attachment inside a
wrapper message also including the report. That wrapper message
containing the SA report is "safe" because it is fully local, the
text/plain part won't look like spam to any spam filter, and the
original, encapsulated as a message/rfc822 attachment, should be skipped
by any filter. If you want to test the *original* message, you have to
extract the message/rfc822 part into its own file and test that.

So these are the headers you were checking post-delivery:

> Return-Path:
> <bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>
> Delivered-To: s@exmaple.com
> Received: from email.exmaple.com
> by email.exmaple.com with LMTP
> id kAhSKc1dY2BCKgAAB604Gw
> (envelope-from
> <bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
> for <s@exmaple.com>; Tue, 30 Mar 2021 13:20:13 -0400
> Received: by email.exmaple.com (Postfix, from userid 115)
> id A64BE200C8; Tue, 30 Mar 2021 13:20:13 -0400 (EDT)
> Received: from localhost by email.exmaple.com
> with SpamAssassin (version 3.4.2);
> Tue, 30 Mar 2021 13:20:13 -0400
> From: "Home Warranty - AHS" <send@forgetmassives.com>
> To: <steveexmaple@comcast.net>
> Subject: *****SPAM***** It's getting warmer, are you covered?
> Date: Tue, 30 Mar 2021 05:18:34 -0700
> Message-Id: <B3.BE.10603.49D53606@emsmta18>
> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
> email.exmaple.com
> X-Spam-Flag: YES
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.2 required=5.0 tests=BAYES_99,BAYES_999,
> DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
> HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2,
> SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
> autolearn_force=no version=3.4.2
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----------=_60635DCD.A0F5D194"

[...]

but this is the original header block buried in the attachment:

> Received-SPF: Softfail (mailfrom) identity=mailfrom;
> client-ip=69.252.207.38; helo=resqmta-ch2-06v.sys.comcast.net;
> envelope-from=bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com;
> receiver=<UNKNOWN>
> Authentication-Results: email.exmaple.com;
> dkim=pass (2048-bit key; secure)
> header.d=comcastmailservice.net header.i=@comcastmailservice.net
> header.b="YTHf56Fx";
> dkim=pass (1024-bit key; unprotected)
> header.d=forgetmassives.com header.i=@forgetmassives.com
> header.b="Cc3SOvHE";
> dkim-atps=neutral
> Received: from resqmta-ch2-06v.sys.comcast.net
> (resqmta-ch2-06v.sys.comcast.net [69.252.207.38])
> by email.exmaple.com (Postfix) with ESMTPS id F0A9D200C8
> for <s@exmaple.com>; Tue, 30 Mar 2021 13:20:12 -0400 (EDT)
> Received: from resomta-ch2-06v.sys.comcast.net ([69.252.207.102])
> by resqmta-ch2-06v.sys.comcast.net with ESMTP
> id RCA7l3lgvsjoSRI2ElIKl6; Tue, 30 Mar 2021 17:20:10 +0000
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=comcastmailservice.net; s=20180828_2048; t=1617124810;
> bh=EzUwkxtc+07gV+1cIeMVwIqhGkZuGI/a4ukUrCjG7nM=;
> h=Received:Received:Received:Received:Received:Received:Received:
> Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:
> Content-Type;
> b=YTHf56FxVyphxJLrqEnfZKfP5M62QfSc0ICCe5ZS/2UXQUsumO0ltgCO6ZjDRxrso
> Up8oEgr4gqv8kNMAtJEM532f15eLObwwty+P0OAS8HncjfsiHJspdnk3Eg0aC4A57k
> 5w8gnpRbQoa/KaAn0bejQNcCdr+KArf6VwKO+q5/HY9UQxa2RxIWUsoxIMmyZX0WpF
> upTL1nKnd+zaRENmudAllcfxCLMUpnc9oK/Ea//4bcT/51ofrewbe/J0ZhaAUfJu5O
> /40UsSsWx49VFVQ1X7Bifw/CE56spoesfnOSm9/7W/V0PptjjleM6LIQ3S+xWRJFaS
> xfwTExYFqt5sw==
> Received: from dovback2-asa-09o.email.comcast.net ([96.118.48.40])
> by resomta-ch2-06v.sys.comcast.net with ESMTP
> id RI2Dlb2J4RxAFRI2EldEBV; Tue, 30 Mar 2021 17:20:10 +0000
> X-Xfinity-VAAS:
> gggruggvucftvghtrhhoucdtuddrgeduledrudeitddgudduvdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucevohhmtggrshhtqdftvghsihdpqfgfvfdppffquffrtefokffrnecuuegrihhlohhuthemuceftddunecundfotefknffkpffiucdludejmdenucfjughrpefkfffhrhfvuffjgggtsegrtderredttdejnecuhfhrohhmpedfjfhomhgvucghrghrrhgrnhhthicuqdcutefjufdfuceoshgvnhgusehfohhrghgvthhmrghsshhivhgvshdrtghomheqnecuggftrfgrthhtvghrnhepfeefffetveetheffvdfgieeuueehleffleeghfeuudffgeejhfeugfffgfeufeejnecuffhomhgrihhnpegslhhuvghhohhrnhgvthdrtghomhenucfkphepleeirdduudekrdegkedrgedtpdeijedrvdduiedrvddvgedrgedtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghlohepughovhgsrggtkhdvqdgrshgrqddtlehordgvmhgrihhlrdgtohhmtggrshhtrdhnvghtpdhinhgvthepleeirdduudekrdegkedrgedtpdhmrghilhhfrhhomhepsghouhhntggvqdhushgvpehmpeeggeeikedvjeefgeekfeeipegvtghhohegpeeiughftdgrkegtudeivdgtuggtvdekuddtuggtkegsgehfvgdtrgduudelkedujeesrhgvthhurhhnphgrthhhrdgslhhuvghhohhrnhgvthdrtghomhdprhgtphhtthhopehsseguohhnughlvgihrdgtohhm
> X-Xfinity-CCat: promotional
> X-Xfinity-VMeta: sc=17.00;st=mce
> X-Sieve: Pigeonhole Sieve 0.5.12 (f22f7ab3)
> X-Sieve-Redirected-From: steveexmaple@comcast.net
> Delivered-To: steveexmaple@comcast.net
> Received: from dovdir2-asa-02o.email.comcast.net ([69.252.207.53])
> by dovback2-asa-09o.email.comcast.net with LMTP
> id 6GaMGsZdY2AmPwAAmOiKAQ
> (envelope-from
> <bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
> for <steveexmaple@comcast.net>; Tue, 30 Mar 2021 17:20:06
> +0000
> Received: from dovpxy-asb-13o.email.comcast.net ([69.252.207.53])
> by dovdir2-asa-02o.email.comcast.net with LMTP
> id iGWMF8ZdY2AdXwAAq9RwVw
> (envelope-from
> <bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
> for <steveexmaple@comcast.net>; Tue, 30 Mar 2021 17:20:06
> +0000
> Received: from resimta-ch2-34v.sys.comcast.net ([69.252.207.53])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> (256/256 bits))
> by dovpxy-asb-13o.email.comcast.net with LMTPS
> id yLhCFMZdY2D5eQAAV/MBng
> (envelope-from
> <bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119817@returnpath.bluehornet.com>)
> for <steveexmaple@comcast.net>; Tue, 30 Mar 2021 17:20:06
> +0000
> Received: from smtp.liberal.bluehornet.com ([67.216.224.40])
> by resimta-ch2-34v.sys.comcast.net with ESMTP
> id RI22lqxlK2vXGRI29lQ6xW; Tue, 30 Mar 2021 17:20:06 +0000
> X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=1;DMARC=
> Authentication-Results: resimta-ch2-34v.sys.comcast.net;
> dkim=pass header.d=forgetmassives.com
> header.i=@forgetmassives.com
> header.b=Cc3SOvHE
> X-MSFBL:
> c3RldmVkb25kbGV5QGNvbWNhc3QubmV0QGJlcm5hcmRfbGliZXJhbEBiZXJuYXJk
> QGJvdW5jZS11c2U9TT00NDY4MjczNDgzNj1lY2hvND02REYwQThDMTYyQ0RDMjgx
> MERDOEI0RkUwQTExOTgxNw==
> DKIM-Signature: v=1; a=rsa-sha256; d=forgetmassives.com; s=s1024-1.bh;
> c=simple/simple;
> q=dns/txt; i=@forgetmassives.com; t=1617124756;
> h=From:Subject:Date:To:Mime-Version:List-Unsubscribe:List-Unsubscribe-Post:Content-Type;
> bh=v0lCvbtRqApG1XU1/ouMo37AJee75nZOebhHsT2gjbw=;
> b=Cc3SOvHEcyP4NtvbU8vbw/j8DZPj9Cyd5Aw6l3XX1J8YDiJ/qk2Im4rmgzw7eBIz
> cjwPM9nPlEG30CU7033+PruH+O/lL5Es5TDUXBICgEJ8MzAFSS6FBz/J2dfygBLw
> NnSJvpGkQG8f/M1CQW4DpF5+cB9yBlE2+c+heD8vEeA=;
> Received: from [172.16.9.190] ([172.16.9.190:44982]
> helo=localhost.localdomain)
> by returnpath.bluehornet.com (envelope-from
> <bounce-use=M=44682734836=echo4=6DF0A8C162CDC2810DC8B4FE0A119817@returnpath.bluehornet.com>)
> (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP
> id B3/BE-10603-49D53606; Tue, 30 Mar 2021 10:19:16 -0700
> Message-ID: <B3.BE.10603.49D53606@emsmta18>
> Date: Tue, 30 Mar 2021 05:18:34 -0700
> From: "Home Warranty - AHS" <send@forgetmassives.com>
> Reply-To: send@forgetmassives.com
> To: <steveexmaple@comcast.net>
> X-Outgoing: bernard
> Subject: It's getting warmer, are you covered?
> List-Unsubscribe:
> <mailto:unsub-44682734836-echo4-6DF0A8C162CDC2810DC8B4FE0A119817@listunsub.bluehornet.com>
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="--6063171a83296-MultiPart-Mime-Boundary"
>


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Getting different SA scores when using -R argument with spamc
> It seems to have done so. Thank you.
>
> Some MUAs have a "Reply to List" function that uses the List-Post
> header (and sometimes heuristics when that header is missing) to send
> replies only to a list itself.

I've recently switched to Roundcube from gmail. I didn't see that option
but I think I've figured out I just need to hit "reply". Thanks for
pointing out you were getting dupes.


> It can only do so if report_safe is set to 0. With non-zero
> report_safe settings, the original mail is encapsulated as an
> attachment inside a wrapper message also including the report. That
> wrapper message containing the SA report is "safe" because it is fully
> local, the text/plain part won't look like spam to any spam filter,
> and the original, encapsulated as a message/rfc822 attachment, should
> be skipped by any filter. If you want to test the *original* message,
> you have to extract the message/rfc822 part into its own file and test
> that.

OK, so that's the problem, I guess. That config option is commented out
in my local.cf file:

# report_safe 1

So what do you recommend setting this to '1'? Any downsides to that? I'm
just a little leery of changing a default setting. But I'll do whatever
the pros suggest.

It says a value of '2' sets it "use text/plain instead" but I don't know
what that is referring to.

Re: Getting different SA scores when using -R argument with spamc
> Some MUAs have a "Reply to List" function that uses the List-Post
> header (and sometimes heuristics when that header is missing) to send
> replies only to a list itself.

Ah! I see that option now under the little down arrow next to "Reply
all". My day is made. Thanks!

Re: Getting different SA scores when using -R argument with spamc
On 2021-04-06 04:19 PM, Steve Dondley wrote:
>> It seems to have done so. Thank you.
>>
>> Some MUAs have a "Reply to List" function that uses the List-Post
>> header (and sometimes heuristics when that header is missing) to send
>> replies only to a list itself.
>
> I've recently switched to Roundcube from gmail. I didn't see that
> option but I think I've figured out I just need to hit "reply". Thanks
> for pointing out you were getting dupes.
>
>
>> It can only do so if report_safe is set to 0. With non-zero
>> report_safe settings, the original mail is encapsulated as an
>> attachment inside a wrapper message also including the report. That
>> wrapper message containing the SA report is "safe" because it is fully
>> local, the text/plain part won't look like spam to any spam filter,
>> and the original, encapsulated as a message/rfc822 attachment, should
>> be skipped by any filter. If you want to test the *original* message,
>> you have to extract the message/rfc822 part into its own file and test
>> that.
>
> OK, so that's the problem, I guess. That config option is commented
> out in my local.cf file:
>
> # report_safe 1

I should read the documentation before asking questions. So '1' is the
default which encapsulates the original spam as an attachment.

Re: Getting different SA scores when using -R argument with spamc
On 6 Apr 2021, at 16:19, Steve Dondley wrote:
[...]
>> It can only do so if report_safe is set to 0. With non-zero
>> report_safe settings, the original mail is encapsulated as an
>> attachment inside a wrapper message also including the report. That
>> wrapper message containing the SA report is "safe" because it is
>> fully
>> local, the text/plain part won't look like spam to any spam filter,
>> and the original, encapsulated as a message/rfc822 attachment, should
>> be skipped by any filter. If you want to test the *original* message,
>> you have to extract the message/rfc822 part into its own file and
>> test
>> that.
>
> OK, so that's the problem, I guess. That config option is commented
> out in my local.cf file:
>
> # report_safe 1

That is to document the fact that it is not explicitly set but that it
defaults to 1.

> So what do you recommend setting this to '1'?

It's 1 now, by default. I use '0' because I overtly reject mail that SA
scores over my threshold, while stashing a pristine copy in a 3-day
message dumpster. The best choice depends on how you handle messages
that SA scores as spam after that determination, and who your users are.
The default is good because it raises the difficulty for users to
accidentally treat spam as ham after delivery, if they are the sort to
not notice things like subject tagging or the fact that a message is in
a folder named "Spam." I think that '2' is misguided in principle,
because it leaves the original message open to re-filtering, is likely
to cause Bayes poisoning if you autolearn, and opens accidental access
to a broader range of users.


> Any downsides to that? I'm just a little leery of changing a default
> setting. But I'll do whatever the pros suggest.

Leaving it at the default setting of 1 leaves you where you are. The
main downside to that in my opinion is that the wrapper is a nuisance if
you want to work with original spam messages. Once you understand how to
handle that, it's a minor problem to work around.

> It says a value of '2' sets it "use text/plain instead" but I don't
> know what that is referring to.

The attached original message uses a MIME file type of 'message/rfc822'
when report_safe is 1. That is the standard MIME file type for Internet
email messages embedded in other messages. When report_safe is 2, it
uses the type 'text/plain' which makes the original message more widely
accessible to MUAs and when extracted to an independent text file. In
practice, the only difference is whether the extracted file has a '.eml'
or '.txt' extension.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Getting different SA scores when using -R argument with spamc
> It can only do so if report_safe is set to 0. With non-zero
> report_safe settings, the original mail is encapsulated as an
> attachment inside a wrapper message also including the report. That
> wrapper message containing the SA report is "safe" because it is fully
> local, the text/plain part won't look like spam to any spam filter,
> and the original, encapsulated as a message/rfc822 attachment, should
> be skipped by any filter. If you want to test the *original* message,
> you have to extract the message/rfc822 part into its own file and test
> that.

OK, did some more googling on this. Let me spell this out and help clear
this up for those who may be as confused as I was:

1) sa-learn *will* "unwrap" the original encapsulated spam emails when
they are encapsulated by SA:
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/LearningMarkedUpMessages
2) However, the spamassassin command (or spamc/spamd) does not do this
for you. You must use the -d option to remove any spam markup.

What this means is that if report_safe is set to "1" (the default) in
your SA config file, you must pull the original spam email out with the
-d option if you wish to run it through spamassassin/spamc again. You do
*not* have to worry about doing this with the sa-learn command.

If I got this wrong, let me know. Thanks.
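
The extraction step discussed in this thread (pulling the message/rfc822 part out of a report_safe 1 wrapper before scanning it again), as an added Python example that is not from the thread or from SpamAssassin. The sample messages are constructed and simplified, with placeholder addresses, and the function names are hypothetical.

```python
import sys
from email import message_from_bytes, policy

# refold_source="none" keeps parsed headers folded as they arrived, so the
# extracted copy is not re-wrapped before it is scored again.
KEEP_FOLDING = policy.default.clone(refold_source="none")

# Constructed original message (placeholder addresses, one long header).
ORIGINAL = (
    b"From: sender@example.com\n"
    b"To: user@example.net\n"
    b"Subject: It's getting warmer, are you covered?\n"
    b"List-Unsubscribe: <mailto:unsub-0000000000-constructed-placeholder@listunsub.example.com>\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Original body text.\n"
)

# Constructed, simplified stand-in for a report_safe 1 wrapper: a report part
# followed by the original as a message/rfc822 attachment.
WRAPPED = (
    b"From: sender@example.com\n"
    b"Subject: It's getting warmer, are you covered?\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="constructed-boundary"\n'
    b"\n"
    b"--constructed-boundary\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Spam detection software, running on the system ...\n"
    b"\n--constructed-boundary\n"
    b"Content-Type: message/rfc822\n"
    b"\n" + ORIGINAL + b"\n--constructed-boundary--\n"
)

def extract_original(raw):
    """Return the encapsulated original as bytes, or None if there is none."""
    wrapper = message_from_bytes(raw, policy=KEEP_FOLDING)
    for part in wrapper.iter_parts():  # top-level parts only
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).as_bytes()
    return None

def unwrap_for_rescan(raw):
    """Bytes to hand to the scanner: the original if wrapped, else the input."""
    original = extract_original(raw)
    return raw if original is None else original

if __name__ == "__main__":
    sys.stdout.buffer.write(unwrap_for_rescan(sys.stdin.buffer.read()))
```

Run as a filter in front of `spamc -R -u some_user`, this hands the scanner the original message rather than the wrapper; a message that is not wrapped passes through unchanged.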