From rblists at gmail.com Fri Jun 18 05:37:00 2010 From: rblists at gmail.com (Raphael Bauduin) Date: Fri, 18 Jun 2010 14:37:00 +0200 Subject: [SA-exim] sapamassissaing check and process Message-ID: Hi, I'm trying to help someone using Exim with the Debian packaged spamassassin 3.2.5-2 and sa-exim 4.2.1-11 I've looked for information on how a mail is processed precisely but didn't find any explanation of the following. In the spamd logs, I see that each mail is processed 2 times: one "checking" the mail, one "processing" the mail. I've looked for information on these two steps, but didn't find any. Here's an example: Jun 18 14:20:25 vsExim4 spamd[13098]: spamd: connection from localhost [127.0.0.1] at port 55664 Jun 18 14:20:25 vsExim4 spamd[13098]: spamd: setuid to Debian-exim succeeded Jun 18 14:20:25 vsExim4 spamd[13098]: spamd: checking message <4C1B6488.80502 at XXXX> for Debian-exim:102 Jun 18 14:20:26 vsExim4 spamd[13098]: spamd: clean message (-3.3/5.0) for Debian-exim:102 in 1.7 seconds, 1154 bytes. Jun 18 14:20:26 vsExim4 spamd[13098]: spamd: result: . -3 - ALL_TRUSTED,AWL,BAYES_00 scantime=1.7,size=1154,user=Debian-exim,uid=102,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=55664,mid=<4C1B6488.80502 at XXXX>,bayes=0.000000,autolearn=ham Jun 18 14:20:26 vsExim4 spamd[14908]: spamd: connection from localhost [127.0.0.1] at port 55670 Jun 18 14:20:26 vsExim4 spamd[14908]: spamd: setuid to Debian-exim succeeded Jun 18 14:20:26 vsExim4 spamd[14908]: spamd: processing message <4C1B6488.80502 at XXXX> for Debian-exim:102 Jun 18 14:20:26 vsExim4 spamd[18117]: prefork: child states: IB A problem I encountered is that the two steps have different results.Here's an example: According to my understanding, the checking step had a score of 3.9 (put in the header to X-Spam_score) with this info in the X-Spam_report header: 0.0 HTML_MESSAGE BODY: HTML included in message 2.0 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words -1.1 BAYES_05 BODY: Bayesian spam probability is 1 to 5% [score: 0.0336] 1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars 0.6 DC_PNG_UNO_LARGO Message contains a single large inline gif 0.0 DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text 0.0 DC_IMAGE_SPAM_HTML Possible Image-only spam 1.0 AWL AWL: From: address is in the auto white-list The processing on the other hand generated this: X-Spam-Status: Yes, score=6.9 required=5.0 tests=AWL,BAYES_95, DC_IMAGE_SPAM_HTML,DC_IMAGE_SPAM_TEXT,DC_PNG_UNO_LARGO,HTML_IMAGE_ONLY_04, HTML_MESSAGE,MIME_QP_LONG_LINE autolearn=no version=3.2.5 The difference is: * BAYES_95 in place of BAYES_05 * score is 6.9 in place of 3.9 My questions are then: - is it normal to have the messages handled twice, once for check, once for process? - is this configured somewhere? Thanks in advance for your help! Raph -- Web database: http://www.myowndb.com Free Software Developers Meeting: http://www.fosdem.org From marc at merlins.org Fri Jun 18 06:57:37 2010 From: marc at merlins.org (Marc MERLIN) Date: Fri, 18 Jun 2010 06:57:37 -0700 Subject: [SA-exim] sapamassissaing check and process In-Reply-To: References: Message-ID: <20100618135737.GB574@merlins.org> On Fri, Jun 18, 2010 at 02:37:00PM +0200, Raphael Bauduin wrote: > My questions are then: > - is it normal to have the messages handled twice, once for check, > once for process? No. SA-Exim only runs SA once per message. > - is this configured somewhere? What's going on is that you likely have a filter or procmail or something that is running SA on the Email before it's delivered and after it's already been checked by SA-Exim. Marc -- "A mouse is a device used to point at the xterm you want to type in" - A.S.R. Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/