Bayes_99 result different on 2 accounts.

nosajix

Well-Known Member
Jul 30, 2005
68
4
158
I have a problem with the Bayes_99 rule catching email on one cPanel account but not another. It's an inconspicuous email and I am not sure why it would trigger this rule to begin with. The content is as follows:

___________________start msg
Someone left a negative review on Facebook how about you. I'm not sure how you want me to address it.

His name is [name omitted], A fireman I think.

Jason
__________________end of msg

I send this to two different cPanel accounts on this server and one triggers the bayes_99 while the other does not.

The only real difference between the two accounts is one (the one that throws the flag) is not checked often and is normally just set up to forward to a yahoo account and keep a record of messages. The other is treated normally and doesn't even register a bayes score.

Any idea or suggestions what might be happening here?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston

nosajix

Another odd tidbit - it may not be content related, as I tested it where the original sender was a Gmail account and it did not trigger it. The emails that did trigger it are cPanel emails from another server... I am going to continue to work on this.
 

cPanelLauren

I can't think of a reason that rule wouldn't get hit if the mail content is the same but just originating from a different provider - spam headers might be helpful in this case as well.
 

nosajix

> I can't think of a reason that rule wouldn't get hit if the mail content is the same but just originating from a different provider - spam headers might be helpful in this case as well.

This one flagged:


X-OutGoing-Spam-Status: No, score=-0.6
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - serv.hostname.com
X-AntiAbuse: Original Domain - domain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - domain.com
X-Get-Message-Sender-Via: serv.hostname.com: authenticated_id: [email protected]
X-Authenticated-Sender: serv.berksites.com: [email protected]
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam-Status: Yes, score=5.0
X-Spam-Score: 50
X-Spam-Bar: +++++
X-Spam-Report: Spam detection software, running on the system "domain1.domain.com",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Someone left a negative review on Facebook how about you.
I'm not sure how you want me to address it. His name is [omitted], [omitted]
fireman I think. Jason
Content analysis details: (5.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 0.9983]
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
X-Spam-Flag: YES
Subject: ***SPAM*** Heads Ups



======================================================================


This one didn't:

X-Spam-Status: No, score=0.6
X-Spam-Score: 6
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "domain1.domain.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Someone left a negative review on Facebook how about you.
I'm not sure how you want me to address it. His name is [omitted], [omitted]
fireman I think. Jason
Content analysis details: (0.6 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                            provider (user[at]gmail.com)
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                            envelope-from domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at dnswl.org – E-Mail Reputation – Protect against false positives,
                            no trust
                            [209.85.222.174 listed in list.dnswl.org]
X-Spam-Flag: NO
 

nosajix

Can you copy the headers and let me delete them? I feel a bit exposed having that data "out there"
 

cPanelLauren

So my assumption after seeing these is that because Gmail is a more trusted provider, its Bayes weight is lighter than the other domain, so it's hitting the lower Bayesian score.
 

nosajix

OK - so it's not the message content but rather the sender domain? Strange. I manage both servers; the sending server is not a bad actor. I still haven't read up on the Bayes documentation. Guess I'll look there.
 

cPanelLauren

It's not necessarily that it's a bad actor but that the reputation isn't as strong. You can teach Bayes not to do this, though; the Bayes FAQ I sent should explain how to do this properly using sa-learn.
 

nosajix

> It's not necessarily that it's a bad actor but that the reputation isn't as strong. You can teach bayes not to do this though, the bayes FAQ i sent should explain how to do this properly using sa-learn.

So - interesting development: it seems, according to the docs here (Rules/BAYES_99 - SpamAssassin Wiki), that Bayes_99 is a reaction to looking towards DNSBLs (because of a server migration where the destination server recycled an abusing IP, its IP was in SORBS). That being said, it was removed just yesterday - does cPanel cache DNSBLs? Could that be happening here?

It still doesn't explain why two accounts on this server react differently to the same sender and body though.

Also, it seems as though sa-learn is not installed? Installation notes say it's included with SpamAssassin?
 

cPanelLauren

> That being said, it was removed just yesterday - does cpanel cache dnsbl's? could that be happening here?

I believe this is more related to the Bayesian database each account has. Keep in mind Bayesian filters are subject to that user's email history and what the system shows them routinely marking as spam - the weight of the bayes_99 rule is determined by this.

> It still doesn't explain why two accounts on this server react differently to the same sender and body though.

That's really easily explained, they are weighted differently. From the link you posted:

> If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.
> Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flag the message as spam), the Bayesian algorithm will assign a lower score to it.

This rule just marks the spam probability based on key words and the user's history.

> Also it seems as though sa-learn is not installed? Installation notes say its included with Spamassassin?

It should be there but you just may have to call it from the full path like so:

Code:
/usr/local/cpanel/3rdparty/bin/sa-learn
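
A simplified illustration of the per-account Bayes databases discussed in this thread, added here as an example; it is not part of the original posts and is not SpamAssassin's own code. The token counts, the two account stores and the log-odds combiner are assumptions constructed for the illustration; only the message text and the two rule ranges come from the reports above.

```python
import math
import re

# Constructed per-account token stores: token -> (spam_hits, ham_hits).
# Account A is a rarely-checked forwarder whose history is mostly junk;
# account B has history, but none of it contains these tokens.
ACCOUNT_A = {"nspam": 400, "nham": 50, "tokens": {
    "review": (60, 0), "facebook": (150, 1), "negative": (40, 0),
    "someone": (80, 2), "address": (30, 3)}}
ACCOUNT_B = {"nspam": 400, "nham": 400, "tokens": {}}

MESSAGE = ("Someone left a negative review on Facebook how about you. "
           "I'm not sure how you want me to address it.")

def tokenize(text):
    return set(re.findall(r"[a-z']{3,}", text.lower()))

def token_prob(db, tok, strength=1.0, prior=0.5):
    """Smoothed P(spam | token); unseen tokens fall back to the prior."""
    spam, ham = db["tokens"].get(tok, (0, 0))
    n = spam + ham
    if n == 0:
        return prior
    sr, hr = spam / db["nspam"], ham / db["nham"]
    return (strength * prior + n * sr / (sr + hr)) / (strength + n)

def bayes_score(db, text):
    """Combine token probabilities as summed log-odds (naive Bayes)."""
    logit = sum(math.log(p / (1 - p))
                for p in (token_prob(db, t) for t in tokenize(text)))
    return 1 / (1 + math.exp(-logit))

def bucket(score):
    # Only the two ranges quoted in the reports above are mapped.
    if score >= 0.99:
        return "BAYES_99"
    if 0.40 <= score <= 0.60:
        return "BAYES_50"
    return "other"

def learn_ham(db, text):
    """Toy equivalent of training one message as ham for this account."""
    db["nham"] += 1
    for tok in tokenize(text):
        spam, ham = db["tokens"].get(tok, (0, 0))
        db["tokens"][tok] = (spam, ham + 1)

if __name__ == "__main__":
    for name, db in (("A", ACCOUNT_A), ("B", ACCOUNT_B)):
        s = bayes_score(db, MESSAGE)
        print(name, round(s, 4), bucket(s))
```

With the real tool, `sa-learn --dump magic` run as each account's user reports that account's nspam and nham counts, and `sa-learn --ham <file>` trains a message as ham.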
 

nosajix

This is an issue still. Bayes_99 is scoring 5 points and I still haven't been able to fix it. Can you offer any assistance?