[exim] Exim 4.68 and Spam Assassin 3.2.3 mistagging email

Author: Norton, Ian
Date:  
To: exim-users
Subject: [exim] Exim 4.68 and Spam Assassin 3.2.3 mistagging email
Hi All,

First of all, I'm sorry if this issue has already been addressed but a
large amount of searching didn't find anything.

I've recently installed a new machine to act as a hub for the institution
and have been hit by something that I just can't explain. I thought I'd
post here to see if anyone has experienced this or has any ideas. After
staring at it for nearly three days, I'm still no further on to
understanding what happened.

We're using spam assassin 3.2.3 and exim 4.68 and have had a large number
of messages reported as clean by spam assassin but tagged as spam by exim.
I have a solid example of a message with the additional spam headers that
I can track down in the spam assassin logs to a "clean message" response.

Here's the relevant snippet of ACL from the configuration:

  # Put headers in all messages (no matter if spam or not)
  warn  spam       = nobody:true
        add_header = X-Spam-Score: $spam_score ($spam_bar)


  warn  spam       = nobody:true
        add_header = X-Spam-Report: $spam_report


  # Add X-Spam-Flag and a *SPAM* marker in the Subject header when message is over threshold
  warn  spam       = nobody
        add_header = X-ISS-Subject: *ISS-Detected SPAM* $h_Subject
  warn  spam       = nobody
        add_header = X-ISS-Detected-SPAM: YES


  # Reject spam at high scores - value is an INTEGER!!!!
  deny  message     = This message scored $spam_score spam points.
        log_message = exceeded spam threshold with $spam_score points.
        spam        = nobody:true
        condition   = ${if >{$spam_score_int}{250}{1}{0}}


We're using the system filter to rewrite the subject line to the contents
of the X-ISS-Subject header if it's set.

This is all well and good and seemed to work fine when we did assorted
testing; however, we then started to see messages that were matching rules
three and four above even when spam assassin logs them as clean. The
affected messages all have the X-Spam-Score header set to
"X-Spam-Score: ()" but the report header is fine.

I then noticed that messages being rejected by rule five had the same
problem, the X-Spam-Score header was effectively blank, but rule five
shows the spam score in the log message.

Here's a sample of a rejected header (with addresses removed and report
trimmed):

2007-11-26 00:00:21 1IwROY-00065M-1Y H=(sloanled.com) [88.238.64.178] F=<jradzinski@???> rejected after DATA: exceeded spam threshold with 27.6 points.
Envelope-from: <jradzinski@???>
Envelope-to: <an.address@???>
P Received: from [88.238.64.178] (helo=sloanled.com)
        by whobblebury.lancs.ac.uk with smtp (Exim 4.68)
        (envelope-from <jradzinski@???>)
        id 1IwROY-00065M-1Y
        for an.address@???; Mon, 26 Nov 2007 00:00:15 +0000
* Return-Path: <Gay@???>
P Received: from 161.58.18.5 (HELO mail-fwd.sbc-webhosting.com)
     by lancaster.ac.uk with esmtp (XPYOHBGAWDO JFZGWY)
     id NFeim9-s06iU2-iG
     for an.address@???; Mon, 26 Nov 2007 02:00:20 +0200
I Message-ID: <41e101c82fbf$55bf0460$c0a80102@Gay>
F From: "Gay D. Mcnally" <Gay@???>
T To: "A Person" <an.address@???>
  Subject: Witness a miracle of pen!s enlargement with your own eyes!
  Date: Mon, 26 Nov 2007 02:00:20 +0200
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
        boundary="----=_NextPart_16863_4249_01C82FD0.194A4560"
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
  X-Spam-Score:  ()
  X-Spam-Report: Spam detection software, running on the system
        "whobblebury.lancs.ac.uk", has processed this message.
        The results are shown below.
        Content analysis details:   (27.6 points, 4.5 required)
        pts rule name              description
        ---- ---------------------- --------------------------------------------------
        3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
        [score: 1.0000]
  X-ISS-Subject: *ISS-Detected SPAM* Witness a miracle of pen!s enlargement with your own eyes!
  X-ISS-Detected-SPAM: YES


As you can see, the very first line of the log states "exceeded spam
threshold with 27.6 points" so how can the X-Spam-Score be blank in rule
one but not when the same variable is used in the log line of rule five?

I've checked over my ACL lines several times now and other than the
redundancy of specifying rules one and two and then three and four as
separate calls to the spam check, I can't see anything obviously wrong.

I'm unable to duplicate the problem on demand and I haven't been able to
replicate it since we pulled the machine from service on Monday afternoon.

At this point I'm happy to hear any suggestions!

Thanks in advance, Ian.
--
Ian Norton
Postmaster & Systems Support
University of Lancaster
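
A way to sweep reject-log entries or delivered headers for the inconsistency described in the message above: a blank `X-Spam-Score` header, or the `X-ISS-Detected-SPAM` tag set while the report shows a score under the required value. This is an added example, not part of the original post or of Exim; the function name `check_headers`, the sample blocks and their addresses are constructed for illustration.

```python
import re

# Header patterns taken from the ACL and the log excerpt quoted in the post.
SCORE_HDR = re.compile(r"X-Spam-Score:[ \t]*([-\d.]*)[ \t]*\(([^)\n]*)\)")
REPORT_PTS = re.compile(r"\(([-\d.]+) points, ([-\d.]+) required\)")
TAG_HDR = re.compile(r"X-ISS-Detected-SPAM:[ \t]*YES")

def check_headers(text):
    """Compare the headers Exim added with the figures in the SpamAssassin report."""
    score = SCORE_HDR.search(text)
    report = REPORT_PTS.search(text)
    tagged = TAG_HDR.search(text) is not None
    result = {
        "tagged": tagged,
        # True for "X-Spam-Score:  ()": both $spam_score and $spam_bar came out empty.
        "blank_score": bool(score) and score.group(1) == "" and score.group(2) == "",
        "points": None, "required": None, "mistagged": False,
    }
    if report:
        result["points"] = float(report.group(1))
        result["required"] = float(report.group(2))
        # Tagged as spam although the report itself is below the threshold.
        result["mistagged"] = tagged and result["points"] < result["required"]
    return result

# Constructed samples (placeholder host and address, not real log data).
REJECTED = """\
2007-11-26 00:00:21 MSGID-PLACEHOLDER H=(mail.example.test) [192.0.2.10] rejected after DATA: exceeded spam threshold with 27.6 points.
  Subject: constructed sample
  X-Spam-Score:  ()
  X-Spam-Report: Spam detection software has processed this message.
        Content analysis details:   (27.6 points, 4.5 required)
  X-ISS-Detected-SPAM: YES
"""
DELIVERED = """\
Subject: *ISS-Detected SPAM* constructed sample
X-Spam-Score:  ()
X-Spam-Report: Content analysis details:   (1.2 points, 4.5 required)
X-ISS-Detected-SPAM: YES
"""
CONSISTENT = """\
X-Spam-Score: 0.3 (/)
X-Spam-Report: Content analysis details:   (0.3 points, 4.5 required)
"""

if __name__ == "__main__":
    for name, block in (("rejected", REJECTED), ("delivered", DELIVERED), ("consistent", CONSISTENT)):
        print(name, check_headers(block))
```
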