Junk Mail Header Strangeness


#1

I can’t make sense of the junk mail headers. There doesn’t seem to be any consistency in how things are scanned. These examples are all from spam received today on the same account. All of them were let through despite my 999/3 junk mail settings. What gives?

Example #1
X-DH-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at punisher
X-Spam-Status: No, hits=5.2 tagged_above=4.0 required=6.3
tests=DATE_IN_FUTURE_96_XX, DIET_1, HTML_20_30, HTML_MESSAGE,
INVALID_DATE
X-Spam-Level: *****

Example #2
X-DH-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at enforcer
X-Spam-Status: No, hits=0.2 tagged_above=0.0 required=1.3 tests=HTML_70_80,
HTML_MESSAGE
X-Spam-Level:

Example #3
X-DH-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at deathwish
X-Spam-Status: No, hits=1.9 tagged_above=-999.0 required=999.0 tests=DIET_1,
HTML_20_30, HTML_MESSAGE
X-Spam-Level: *

Example #4
X-DH-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at enforcer
X-Spam-Status: No, hits=0.0 tagged_above=-999.0 required=999.0 tests=
X-Spam-Level:

scratching his head
Nathan


#2

The only inconsistency I see are the tagged_above and required flags. Are these all going to the same mailbox? You do say it’s the same account, though, so that’s baffling. Did you set the Tag and Quarantine thresholds in your mailboxes.yourdomain.com settings? How long ago?

The “tests” flags just state which items caught SA’s attention, with the “hits” flag being the cumulative score of the test.

-Scott


#3

Oh, I thought tests= was tests run. That makes more sense if it’s only the tests with a hit value.

Those are all from the same account. The thresholds have been set that way for a couple days. Do you think it takes more time to propagate to certain filter servers? I’ll wait a few days and see if the required flags match.

It’s a new account (less than a week old) so perhaps I’m just being impatient. :slight_smile:


#4

I don’t know if junk mail settings actually propagate. I’ve never looked, but seeing how you have multiple servers receiving your mail, that may be the case.

-Scott