Identical messages, but different scores!

[DavidT]

I have two SC mailboxes, one for me and one for my wife, and we both received identical messages from AAA (the auto club) today, but in my wife's case, it wound up in her Held Mail (we're both using a SpamAssassin value of 4.0 as a threshhold) with the following X headers:

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1

X-spam-Level: ****

X-spam-Status: hits=4.5 tests=CLICK_BELOW,COMPARE_RATES,EARN_MONEY,HTML_50_60,

HTML_FONTCOLOR_RED,HTML_LINK_CLICK_HERE,HTML_MESSAGE,

HTML_TAG_EXISTS_TBODY,HTML_WEB_BUGS,REMOVE_PAGE,SAVE_UP_TO,

VACATION_SCAM version=2.63

X-SpamCop-Checked: 192.168.1.101 66.84.24.227 216.39.67.114

X-SpamCop-Disposition: Blocked SpamAssassin=4

The same message, sent to me, passed through with the following X headers:

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4

X-spam-Level:

X-spam-Status: hits=1.0 tests=BAYES_00,CLICK_BELOW,COMPARE_RATES,EARN_MONEY,

HTML_50_60,HTML_FONTCOLOR_RED,HTML_LINK_CLICK_HERE,HTML_MESSAGE,

HTML_WEB_BUGS,REMOVE_PAGE,VACATION_SCAM version=2.63

X-SpamCop-Checked: 192.168.1.101 66.84.24.227 216.39.67.114

So, does this have anything to do with the current "Bayesian experimentation" that's going on? If not, why in the world would identical messages, routed through "cesmail.net" and a "spamcop.net" addresses produce such different results?

[Wazoo]

look at the differences in the results ... for instance, the second shows BAYES_00, where the first one doesn't ... would guess that the differences start there. First one has SAVE_UP_TO, second one doesn't ... so maybe part of it is the "experiment", but there may be some setting differences between the accounts also .. only you can look at those settings.

[DavidT]

No...our settings are identical, the the email messages were identical, and both of them had "save up to" in the body.

The difference is that "blade4" handled one of the messages and "blade1" handled the other. It seems that JT must be running the "Bayes experiment" only on "blade4" currently. The spam scores on all the "blade4" handled mail I've seen are extremely schizophrenic, including negative numbers, so something must be very wrong with the way the way that experiment has been configured, or you wouldn't see the discrepancy I've shown in the two messages above.

I just did a little analysis by downloading my current Held Mail and examining all the headers. Over 90% of them were blocked due to "bl.spamcop.net" listings. Nine of them were blocked due to SpamAssassin scores, but those were all handled either by "blade1" or "blade6" and *not* by "blade4." In other words, even if "blade4" gives a high score to a message, it's *not* winding up in Held Mail. I think I've seen others report this in another thread.

[Wazoo]

That you knew of the testing and the different server conditions, I was only trying to answer the last bit, actually wondering what I was missing, as you'd already described the possibilities ...

[PeterJ]

I concur that bayes does not appear to running on blade1. I am seeing similar headers.

A sidenote: I got a false postive through blade6 because SA assigend it 5 points from two tests it tripped. Since blade6 is not running bayes the message did not trip any "BAYES_*" tests. It would have been interesting to see if the message would have made it through to my inbox on blade4 due to a negative score tacked on from a low bayes test that would have dropped the final score well below 5...

I still say our bayes db is hosed somehow...

[DavidT]

I have another pair of "identical twin" spams to report on, this time processed by "blade6" and "blade4" respectively:

From: "Investor Update" <Ty[at]doteasy.com>

Subject: Monday Stock Alert - ZKID

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level: **

X-spam-Status: hits=3.0 tests=HTML_20_30,HTML_MESSAGE,LINES_OF_YELLING,

LINES_OF_YELLING_2,STOCK_ALERT version=2.63

From: "Investor Update" <jmfrFX[at]rock.com>

Subject: Monday Stock Alert - ZKID

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4

X-spam-Level: *

X-spam-Status: hits=1.8 tests=HTML_MESSAGE,STOCK_ALERT version=2.63

Again, the content of the messages was identical, so "blade4" is being more lenient than "blad6" (and blade1), and is missing obvious elements, such as the lines of yelling.

[PeterJ]

I have noticed that any false negatives received recently by me have come through blade4. Not as scientific as DavidT's information posted, but just something I noticed as generally the case.

I also noticed that bayesian filtering seems to have been turned off on blade4 (this is a separate issue from blade4's other scoring, as the bayes tests were hindering more than helping anyways.)

[PeterJ]

Two spam emails posted in full in .spam newsgroup under "SpamAssassin scoring" and here are the SpamAssassin scores from identical messages (for the most part) that were received trhough blade4 and blade6. This time blade4 comes through with a "14.7" and blade6 assigns a "6", neither are particularly low of course (and they were both held by the SpamCop BL first anyways.) This time blade4 with the higher cumulative score. I do notice that blade6 is not tripping the "RCVD_IN_BL_SPAMCOP_NET" test, while blade4 is...

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4

X-spam-Level: **************

X-spam-Status: hits=14.7 tests=FORGED_YAHOO_RCVD,HTML_20_30,

    HTML_IMAGE_ONLY_06,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET version=2.63

X-SpamCop-Checked: 192.168.1.101 218.11.89.44

X-SpamCop-Disposition: Blocked bl.spamcop.net

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level: ******

X-spam-Status: hits=6.0 tests=FORGED_RCVD_NET_HELO,FORGED_YAHOO_RCVD,

    HTML_20_30,HTML_IMAGE_ONLY_06,HTML_MESSAGE,RCVD_NUMERIC_HELO

    version=2.63

X-SpamCop-Checked: 192.168.1.213 216.154.195.44 218.87.170.119

X-SpamCop-Disposition: Blocked bl.spamcop.net

[Wazoo]

not tripping the "RCVD_IN_BL_SPAMCOP_NET" test, while blade4 is

might that be due to the differing IPs involved?

[PeterJ]

might that be due to the differing IPs involved?

Perhaps, but I did notice that both mails were supposedly held because of the X-SpamCop-Disposition line of "Blocked bl.spamcop.net", so I guess the logical question is: Does the SA test "RCVD_IN_BL_SPAMCOP_NET" equal the SpamCop BL? I assumed it did...

Otherwise maybe it is an example of SpamCop's parsing outperforming SA's with regards to source?

[PeterJ]

I think see what is going on after I checked out what the SA test "RCVD_IN_BL_SPAMCOP_NET" is defined as:

"Received via a relay in bl.spamcop.net"

So, differing IPs, could account for that.

[Wazoo]

218.11.89.44 listed in bl.spamcop.net (127.0.0.2)

It has never been listed

218.87.170.119 listed in bl.spamcop.net (127.0.0.2)

been listed for less than 24 hours

Strange in that the one that 'tripped the "RCVD_IN_BL_SPAMCOP_NET" test' appears to be in the midst of being gathered up into the BL .. so it may ot have been listed when the parse was run ..??

[PeterJ]

That is confusing

[jefft]

I apologize for not being around. A little family emergency here. I've been monitoring stuff, but not posting.

Bayes was turned off first on one server, then the other. It's not running at all now.

I acknowledge that the Bayes db could have been thrown off by the spamcop reporting replies. If we try it again, I'll restart the Bayes db and will try to figure out what we can do about this.

JT