I keep getting spam, usually for investment scams, with something like
"Subject: [Spam:******* 7.0 SpamScore] Investment Strategy" in the subject line.
Within the header is something like "X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore".

If the score is this high and the probability is 99.99%, why isn't this stuff being blocked?

I have my options set to block anything of 5 or higher.

Ken

Show us all the X-headers from the message, there is usually one that gives the reason why it was or was not blocked.

As Telarin states, there should be a header line .. usually, it's noted that the e-mail was whitelisted in a case like this.

And to add another data point, those headers (subjet change or x-xanit...) are not added by spamcop and not looked at by spamcop. We need the headers asked for to see what spamcop is scoring the message. I understand managers of SpamAssassin systems can set the scores for each test to whatever they feel is best.

I may be wrong but I don't believe that the 'X-CanIt-Tag-Reason' tag is related to SpamCop Email. You need to check the 'X-SpamCop-Disposition' value which will tell you what the SpamAssassin score is for the particular message.

I have mine set at a trigger value of 2 and this works well with very few false positives. That said I'm considering moving to a value of 3 to see if this makes any difference.

Andrew

Here is the complete header on one of these pieces of spam. I have x'd out my e-mail address.

X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade1
X-Spam-Level: *
X-Spam-Status: hits=2.0 tests=SARE_CSNUMTAG,SARE_RMML_Stock4,
UNPARSEABLE_RELAY version=3.1.1
Received: from unknown (192.168.1.101)
by blade1.cesmail.net with QMQP; 9 Nov 2006 19:32:10 -0000
Received: from mail.directus.net (HELO directus.net) (68.142.68.26)
by mailgate.cesmail.net with SMTP; 9 Nov 2006 19:32:10 -0000
Received: from SMTP32-FWD by xxxx.xxx
(SMTP32) id A823E01B30000EF7C; Thu, 9 Nov 2006 14:32:14 -0500
Received: from canit.directus.net [68.142.68.43] by directus.net with ESMTP
(SMTPD-8.20) id A23E07C8; Thu, 09 Nov 2006 14:32:14 -0500
Received: from -1214940928 (88-104-5-9.dynamic.dsl.as9105.com [88.104.5.9])
by canit.directus.net (8.13.4/8.13.4) with SMTP id kA9JqXxs005244
for <xxxx[at]xxxx.xxx>; Thu, 9 Nov 2006 14:52:39 -0500
Received: from ghanareview.com (-1214534096 [-1214539128])
by gerrytanner.com (Qmailv1) with ESMTP id DFDEE3011A
for <xxxx[at]xxxx.xxx>; Thu, 09 Nov 2006 14:30:03 -0600
Date: Thu, 09 Nov 2006 14:30:03 -0600
From: "Bloomer S. Gucci" <extstp[at]ghanareview.com>
X-Mailer: The Bat! (v2.00.2) Personal
X-Priority: 3
Message-ID: <5809710179.20061109143003[at]ghanareview.com>
To: Pwrr <xxxx[at]xxxx.xxx>
Subject: [Spam:******* 7.0 SpamScore] Investment Strategy
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by AMaViS perl-11 mion
X-Bayes-Prob: 0.9999 (Score 5)
X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore
X-CanItPRO-Stream: 12_Moderate
X-Canit-Stats-ID: 8221572 - 8e91405497db
X-Scanned-By: CanIt (www . roaringpenguin . com) on 68.142.68.43
X-SpamCop-Checked: 192.168.1.101 68.142.68.26 68.142.68.43 88.104.5.9

Ken

I'm not sure where the [Spam:******* 7.0 SpamScore] is being inserted but not by the SpamCop Email system - looks like roaringpenguin.com

I don't see, in the headers, a SpamAssassin score so that will be why the message isn't picked up by the SpamCop system.

You seem to have spam checking going on in SpamCop Email and roaringpenguin.com In this case roaringpenguin has identified the spam item and the SpamCop SpamAssassin filters have not.

Andrew

Andrew: The SpamAssassin headers are at the top of the headers now fron spamcop:

X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade1
X-Spam-Level: *
X-Spam-Status: hits=2.0 tests=SARE_CSNUMTAG,SARE_RMML_Stock4,UNPARSEABLE_RELAY version=3.1.1

This message only scored 2.0 on SpamCop's system.

Things keep moving around :-) But a score of 2 was below the OP's threshold so definitely the reason it hasn't been caught.

Andrew

I have no idea where the Roaring Penguin info is coming from. Perhaps it is my ISP but I don't know for sure. I have Spamcop set to a SpamAssassin score of 5 so it should be picking up this garbage too???????

Ken

...Thus I shall assume this resolves the OP's inquiry and so mark the thread.

I would think that if Roaring Penguin rates something as a 7 and a 99.99 percent probability that is is spam, SpamAssassin should also give it a high score. How are the criteria for SpamAssassin established?


I just went to the Roaring Penguin website and it says their software is based upon SpamAssassin. How then can the ratings be so different???? Now I am really confused.

Ken

It is up to the admin that configures SpamAssassin as to what score it associates with particular criteria. Roaring Penguin may have their own BL that they are pulling data from, or they may simply score particular attributes higher.

If you have SpamAssassin set to 5, then it will filter messages scored 5 and ABOVE. You would need to set it to 2 to catch that particular message, which may cause you problems with false positives. You might want to just lower it gradually to see what works best for you.

No, because the SC SpamAssasin check gave a score of 2 - below the threshold you set within SC Email.

The thing is, each company can set up their own scoring systems within SpamAssassin so RoaringPenguin could be applying entirely different checks to SC Email - hence a different score.

As you know, some spam does filter through most checking services - the aim is to reduce this to a minimal, easily managed level. Selecting a good split of BLs plus a SpamAssassin score of 3 typically catches 98% of spam - at least for me.

Andrew