Bayes_99 result different on 2 accounts.

Discussion in 'E-mail Discussion' started by nosajix, May 10, 2019.

  1. nosajix

    nosajix Well-Known Member

    Joined:
    Jul 30, 2005
    Messages:
    61
    Likes Received:
    2
    Trophy Points:
    158
    I have a problem with the Bayes_99 rule catching email on one cpanel account but not another. It's an inconspicuous email and I am not sure why it would trigger this rule to begin with. The content is as follows:

    ___________________start msg
    Someone left a negative review on Facebook how about you. I'm not sure how you want me to address it.

    His name is [name omitted], A fireman I think.

    Jason
    __________________end of msg

    I send this to two different cpanel accounts on this server and one triggers the bayes_99 while the other does not.

    The only real difference between the two accounts is one (the one that throws the flag) is not checked often and is normally just set up to forward to a yahoo account and keep a record of messages. The other is treated normally and doesn't even register a bayes score.

    Any idea or suggestions what might be happening here?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,161
    Likes Received:
    474
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
  3. nosajix

    nosajix Well-Known Member

    Would this be different per cpanel account?
     
  4. nosajix

    nosajix Well-Known Member

    Another odd tidbit - it may not be content related as I tested it where the original sender was a gmail account and it did not trigger it. The emails that did trigger it are cpanel emails from another server... I am going to continue to work on this
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Interesting, do you happen to also have gmail whitelisted anywhere?
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Yea bayes data is in /home/$user/.spamassassin/
     
  7. nosajix

    nosajix Well-Known Member

    No
     
  8. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    I can't think of a reason that rule wouldn't get hit if the mail content is the same but just originating from a different provider - spam headers might be helpful in this case as well.
     
  9. nosajix

    nosajix Well-Known Member

    This one flagged:


    X-OutGoing-Spam-Status: No, score=-0.6
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - serv.hostname.com
    X-AntiAbuse: Original Domain - domain.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - domain.com
    X-Get-Message-Sender-Via: serv.hostname.com: authenticated_id: jason@domain.com
    X-Authenticated-Sender: serv.berksites.com: jason@domain.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-Spam-Status: Yes, score=5.0
    X-Spam-Score: 50
    X-Spam-Bar: +++++
    X-Spam-Report: Spam detection software, running on the system "domain1.domain.com",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    Content preview: Someone left a negative review on Facebook how about you.
    I'm not sure how you want me to address it. His name is [omitted], [omitted]
    fireman I think. Jason
    Content analysis details: (5.0 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    [score: 0.9983]
    -0.0 SPF_PASS SPF: sender matches SPF record
    0.0 HTML_MESSAGE BODY: HTML included in message
    X-Spam-Flag: YES
    Subject: ***SPAM*** Heads Ups



    ======================================================================


    This one didn't:

    X-Spam-Status: No, score=0.6
    X-Spam-Score: 6
    X-Spam-Bar: /
    X-Ham-Report: Spam detection software, running on the system "domain1.domain.com",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    Content preview: Someone left a negative review on Facebook how about you.
    I'm not sure how you want me to address it. His name is [omitted], [omitted]
    fireman I think. Jason
    Content analysis details: (0.6 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
    [score: 0.5000]
    -0.0 SPF_PASS SPF: sender matches SPF record
    0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
    provider (user[at]gmail.com)
    0.0 HTML_MESSAGE BODY: HTML included in message
    -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    author's domain
    -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
    envelope-from domain
    -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    valid
    -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at dnswl.org – E-Mail Reputation – Protect against false positives,
    no trust
    [209.85.222.174 listed in list.dnswl.org]
    X-Spam-Flag: NO
     
    #9 nosajix, May 10, 2019
    Last edited by a moderator: May 10, 2019
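
A way to see which rules account for the different verdicts in the two reports quoted above, as an added example (not part of the original thread, and not cPanel or SpamAssassin code): it parses the rule lines of each report and ranks the per-rule score gaps. The function names are illustrative, and one rule description is shortened.

```python
import re

# Rule lines taken from the X-Spam-Report / X-Ham-Report headers quoted in the
# post above; the RCVD_IN_DNSWL_NONE description is shortened.
FLAGGED = """\
5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 0.9983]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
"""
NOT_FLAGGED = """\
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.5000]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
provider (user[at]gmail.com)
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at dnswl.org
"""
RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s")
BAYES = re.compile(r"\[score:\s*([0-9.]+)\]")

def parse_report(text):
    """Return ({rule: points}, Bayes probability or None) for one report."""
    rules, prob = {}, None
    for line in text.splitlines():
        hit = RULE.match(line)
        if hit:                               # "pts RULE_NAME description"
            rules[hit.group(2)] = float(hit.group(1))
        elif (p := BAYES.search(line)):       # wrapped "[score: 0.9983]" line
            prob = float(p.group(1))
    return rules, prob                        # other wrapped lines are skipped

def total(text):
    """Sum of rule points; should equal the score in X-Spam-Status."""
    return round(sum(parse_report(text)[0].values()), 1)

def score_gap(a, b):
    """Rules whose points differ between reports a and b, largest gap first."""
    ra, rb = parse_report(a)[0], parse_report(b)[0]
    gap = {r: round(ra.get(r, 0.0) - rb.get(r, 0.0), 2) for r in ra.keys() | rb.keys()}
    return sorted(((r, g) for r, g in gap.items() if g), key=lambda x: -abs(x[1]))
```

On these two reports the BAYES_99/BAYES_50 pair accounts for 4.2 of the 4.4-point gap, and the DKIM rules for the remaining 0.2.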
  10. nosajix

    nosajix Well-Known Member

    Can you copy the headers and let me delete them? I feel a bit exposed having that data "out there"
     
  11. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    So my assumption after seeing these is that because gmail is a more trusted provider its bayes weight is lighter than the other domain so it's hitting the lower bayesian score
     
  12. nosajix

    nosajix Well-Known Member

    Ok - so it's not the message content but rather the sender domain? Strange. I manage both servers, the sending is not a bad actor. I still haven't read up on the bayes documentation. Guess I'll look there.
     
  13. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    It's not necessarily that it's a bad actor but that the reputation isn't as strong. You can teach bayes not to do this though, the bayes FAQ I sent should explain how to do this properly using sa-learn.
     
  14. nosajix

    nosajix Well-Known Member

    So - interesting development, it seems according to docs here: Rules/BAYES_99 - Spamassassin Wiki - Bayes_99 is a reaction to looking towards DNSBLs (which because of server migration where the destination server recycled an abusing IP, its IP was in SORBS). That being said, it was removed just yesterday - does cpanel cache DNSBLs? Could that be happening here?

    It still doesn't explain why two accounts on this server react differently to the same sender and body though.

    Also it seems as though sa-learn is not installed? Installation notes say it's included with Spamassassin?
     
    #14 nosajix, May 10, 2019
    Last edited: May 10, 2019
  15. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    I believe this is more related to the bayesian database each account has. Keep in mind bayesian filters are subject to that user's email history and what the system shows them routinely marking as spam - the weight of the bayes_99 rule is determined by this.

    That's really easily explained, they are weighted differently. From the link you posted:


    This rule just marks the spam probability based on key words and the user's history.

    It should be there but you just may have to call it from the full path like so:

    Code:
    /usr/local/cpanel/3rdparty/bin/sa-learn
     