I have a mail setup with an internet facing postfix mail server "edge"
(LAN name "firewall") and an internal LAN postfix with dovecot server
"internal".
They both run the same version of SA with the same rules.
"edge" receives internet mail, scans it with spamassassin, and then
forwards it to "internal" which also scans it with spamassassin.
The problem in this instance is "edge" got a spam score of 21.3, while
"internal" got a score of 3.3
This is puzzling. Any explanations?
< Below headers from "internal" >
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on internal.lan
X-Spam-Level: ***
X-Spam-Status: No, score=3.3 required=5.0
tests=ALL_TRUSTED,DATE_IN_PAST_03_06,
FROM_MISSPACED,HK_NAME_MR_MRS,HTML_MESSAGE,MISSING_HEADERS,
T_FILL_THIS_FORM_SHORT autolearn=no autolearn_force=no version=3.4.6
Received: from edge.<redacted>
by <...> (Postfix) with ESMTPS id E64F48601CD
for <...>; Thu, 7 Apr 2022 09:32:58 +0800 (AWST)
< below headers and content from "edge" aka "firewall" >
Received: by edge.<...> (Postfix, from userid 115)
id DC8554188D; Thu, 7 Apr 2022 09:32:58 +0800 (AWST)
Received: from localhost by firewall.lan
with SpamAssassin (version 3.4.6);
Thu, 07 Apr 2022 09:32:58 +0800
From: "MR. CHRISTOPHER TOWE."<mail@thaidevhost.com>
Subject: MR. CHRISTOPHER TOWE.Director Airport Inspection Officer United
Nations.
Date: Wed, 6 Apr 2022 15:09:53 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_624E3F4A.AF957A3D"
Message-Id: <20220407013258.DC8554188D@edge.<redacted>
This is a multi-part message in MIME format.
------------=_624E3F4A.AF957A3D
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "<firewall>.lan",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Good day. Thanks, how are you doing today? Hope you are doing
very fine? I am newly transferred from Hartsfield-Jackson Atlanta International
Airport to Laguardia International Airport New York City for an impo [...]
Content analysis details: (21.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 NSL_RCVD_FROM_USER Received from User
1.0 FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
1.2 MISSING_HEADERS Missing To: header
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MISSING_MID Missing Message-Id: header
1.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
1.0 HK_NAME_MR_MRS No description available.
1.0 FROM_MISSP_USER From misspaced, from "User"
0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
1.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1.0 FSL_NEW_HELO_USER Spam's using Helo and User
0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
1.9 REPLYTO_WITHOUT_TO_CC No description available.
2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
1.0 FROM_MISSP_REPLYTO From misspaced, has Reply-To
1.0 TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
1.0 FROM_MISSPACED From: missing whitespace
1.0 TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
1.0 FORM_FRAUD_3 Fill a form and several fraud phrases
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
--
Jeremy
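To see which rules account for the gap between the two scans, the rule lists quoted in the message above can be diffed. This is an added example, not part of the original post; the function names are illustrative, and the sample input is the X-Spam-Status header and report rows copied from the post.

```python
import re
from decimal import Decimal
# Constructed sample input, copied from the headers and report in the post.
INTERNAL_STATUS = """X-Spam-Status: No, score=3.3 required=5.0
 tests=ALL_TRUSTED,DATE_IN_PAST_03_06,
 FROM_MISSPACED,HK_NAME_MR_MRS,HTML_MESSAGE,MISSING_HEADERS,
 T_FILL_THIS_FORM_SHORT autolearn=no autolearn_force=no version=3.4.6"""
EDGE_REPORT = """\
1.0 NSL_RCVD_FROM_USER Received from User
1.0 FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
1.2 MISSING_HEADERS Missing To: header
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MISSING_MID Missing Message-Id: header
1.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
1.0 HK_NAME_MR_MRS No description available.
1.0 FROM_MISSP_USER From misspaced, from "User"
0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
1.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1.0 FSL_NEW_HELO_USER Spam's using Helo and User
0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
1.9 REPLYTO_WITHOUT_TO_CC No description available.
2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
1.0 FROM_MISSP_REPLYTO From misspaced, has Reply-To
1.0 TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
1.0 FROM_MISSPACED From: missing whitespace
1.0 TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
1.0 FORM_FRAUD_3 Fill a form and several fraud phrases"""

def status_rules(header):
    # Rule names from the tests= list of a (possibly folded) X-Spam-Status header.
    tests = re.search(r"tests=(.*?)\s+autolearn=", header, re.S).group(1)
    return set(re.findall(r"[A-Z][A-Z0-9_]+", tests))

def report_rules(report):
    # Map rule name -> points from "Content analysis details" rows.
    rows = re.findall(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)", report, re.M)
    return {name: Decimal(pts) for pts, name in rows}

def compare(edge, internal):
    # Return (edge-only rules with their points, sorted internal-only rule names).
    return ({r: p for r, p in edge.items() if r not in internal},
            sorted(internal - set(edge)))

edge_only, internal_only = compare(report_rules(EDGE_REPORT), status_rules(INTERNAL_STATUS))
print(len(edge_only), "edge-only rules,", sum(edge_only.values()), "points;",
      "internal-only:", internal_only)
```

On this input, 17 rules worth 18.0 points appear only in the edge report, while ALL_TRUSTED and DATE_IN_PAST_03_06 appear only in the internal scan.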