Not spam but already in class spam: probability 100.00%

296 views
Skip to first unread message

Patrick Pichon

unread,
Aug 10, 2016, 6:05:10 AM8/10/16
to rspamd
Hello,


I'm trying to understand why such situation occured

'm getting Spam in my Mailbox , without classified as a Spam. However if I do a rspamc training then I get the following answer (error)
Aug 10 11:53:11 xxxxxxxxxxx rspamd[29708]: <f2b896>; task; rspamd_task_process: learn error: <1694091...@exec-u-net-mail.com> is skipped for bayes classifier: already in class spam; probability 100.00%


Here after are the headers part of the mail, looks like only the greylist part has been done .

Any way to force the bayes check ?

Return-Path: <bou...@exec-u-net-mail.com>
Delivered-To: xxxxxxxxxxx@xxxxxxxxxxxxxxx
Received: from xxxxxxxxxxxxxxxx
	by xxxxxxxxxxxxxx (Dovecot) with LMTP id zKnMB8z3qlcucwAAl8GKEQ
	for <xxxxxx@xxxxxxxxxxxx>; Wed, 10 Aug 2016 11:45:48 +0200
Received: from app02.exec-u-net-mail.com (app02.exec-u-net-mail.com [216.150.139.232])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by xxxxxxxxxxxx (Postfix) with ESMTPS id 596EAE119C
	for <xxxxxxxxxxxxxx>; Wed, 10 Aug 2016 11:45:47 +0200 (CEST)
X-Destination-ID: xxxxxxxxxxxxxxxx
X-SMFBL: cGF0cmlja0BwaXBpY2hlLm5ldA==
Received: from app02.exec-u-net-mail.com ([192.168.55.24])
	by app02.exec-u-net-mail.com (-); Wed, 10 Aug 2016 05:30:34 -0400
X-VirtualServer: default, app02.exec-u-net-mail.com, 192.168.55.24
X-VirtualServerGroup: default
X-MailingID: 16940915::3011560::618610::654659::1_19417::19417_168767_0__67326
X-SMHeaderMap: mid="X-MailingID"
DomainKey-Signature: a=rsa-sha1;
 c=nofws;
 s=customer;
 d=exec-u-net-mail.com;
 q=dns;
 b=Nc3FwIRnRfDwqBVjFYHxcml+usiji7UM5dbhOCLUvixyombEOERwqrmPrAPz2pSBuWMAkYgP+bLqOVGay1Qpa0hqwco1x1WDYrZelQYMDc0tusv1j0oXrJbcdQ/M0kQQ+cdU03yQwHJhY9yoCfel6HTLJriJHE6bernPBb+Yx8Q=
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=exec-u-net-mail.com;
	s=customer; l=10278; t=1470821434; i=@exec-u-net-mail.com; h=Content-Transfer-Encoding:
	Content-Type:List-Unsubscribe:X-Errors-To:MIME-Version:
	Message-ID:X-ReportingKey:Subject:Date:To:Reply-To:From; bh=K2rC
	P9icUIoqjWfPcKod+ggVFdc=; b=3Yf3HkkFu7FeJjKRmtKEuByrJQiF4pRkQA+i
	SyyGFN/ah+03SXq0wTip7KTgZJ6x1b8EMWIJQ+t+HO35WvggqHFXmhCAitmiG1cp
	g+slLDeFqW87znAKLhlHkabj27XPajQKhjatDcsYhE00G6Xu7LUFcUCdpqSLwYCV
	7o2e1hI=
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
	boundary="----=_NextPart_495_9B43_7EC41113.7F365085"
List-Unsubscribe: <mailto:unsub...@exec-u-net-mail.com>
X-Errors-To: <mailto:bou...@exec-u-net-mail.com>,
MIME-Version: 1.0
Message-ID: <1694091...@exec-u-net-mail.com>
X-ReportingKey: MJ14215M5088X4E3BRKK14G8XJJ2FE_J15B9S9F9S::xxxxxxxxxxxxxxxxxxxx::1_19417
Subject: Patrick, New recommended Consulting jobs
Date: Wed, 10 Aug 2016 05:30:27 -0400
To: xxxxxxxxxxxxxxx
Reply-To: Robin.T...@execunet.com
From: "Robin Thongkham, ExecuNet" <Robin.T...@exec-u-net-mail.com>
X-Rmilter-Greylist: Greylisted for 909 seconds, whitelisted till 2016-08-13 11:30:39, type: data hash

Patrick Pichon

unread,
Aug 10, 2016, 6:16:01 AM8/10/16
to rspamd
Here after is the same behavior, while I have a bit more information (as I added extended_header flag)

Here is what I happen when I'm trying to learn via rspamc

<ff3637>; bayes; inv_chi_square: exp overflow
 <ff3637>; task; rspamd_task_process: learn error: <TDGX02X002X1V00200...@news.directeo.fr> is skipped for bayes classifier: already in class spam; probability 100.00%

And here after are the X-Spam and X-Rspamd headers
X-Spamd-Result: default: False [4.10 / 15.00]
 BAYES_SPAM(4.00)[100.00%]
 HTML_SHORT_LINK_IMG_1(3.00)[]
 R_SPF_ALLOW(-1.50)[ip4:195.62.74.0/23]
 URIBL_BLOCKED(0.00)[directeo.fr.multi.uribl.com]
 MIME_GOOD(-0.10)[multipart/alternative, text/plain]
 DMARC_POLICY_ALLOW(-0.50)[news.directeo.fr]
 R_DKIM_ALLOW(-1.10)[news.directeo.fr]
 RWL_MAILSPIKE_GOOD(0.00)[]
 FORGED_SENDER(0.30)[]
X-Rspamd-Server: localhost
X-Rspamd-Scan-Time: 0.31
X-Rspamd-Queue-ID: 92E90E1198
X-Rmilter-Greylist: Greylisted for 481 seconds, whitelisted till 2016-08-13 12:00:58, type: data hash

Andrew Lewis

unread,
Aug 10, 2016, 11:55:50 AM8/10/16
to rsp...@googlegroups.com
Hi Patrick,

> X-Spamd-Result: default: False [4.10 / 15.00]
> BAYES_SPAM(4.00)[100.00%]

So it has 100% bayes spam probability (which is why learn_spam refuses
to process it) but total score is still under spam threshold (so it is
considered ham).

If you wanted to you could raise score for BAYES_SPAM in metrics, or
force an action for this symbol in a postfilter, for example by adding
the following to /etc/rspamd/lua/rspamd.local.lua:

rspamd_config:register_symbol({
name = 'BAYES_REJECT',
type = 'postfilter',
callback = function(task)
local bs = task:get_symbol('BAYES_SPAM')
if bs and bs[1] and bs[1]['options'] and bs[1]['options'][1] then
local score = bs[1]['options'][1]
score = string.sub(score, 1, -2)
score = tonumber(score)
if not score then return end
if score > 98 then
task:set_pre_result('reject', 'Rejected due to BAYES_SPAM
probability')
end
end
end
})

Best,
-AL.

Patrick Pichon

unread,
Aug 11, 2016, 3:04:14 AM8/11/16
to rspamd
AL,

Thanks for the advice. I'll try the LUA approach.
In the suggested exemple, what is the outcome of the 'reject' ? Will it be tagged as a SPAM or will it be fully rejected and the mail will never be delivered ?

Regards
Patrick

Andrew Lewis

unread,
Aug 11, 2016, 4:38:13 AM8/11/16
to rsp...@googlegroups.com

Hi Patrick,

> Thanks for the advice. I'll try the LUA approach.
> In the suggested exemple, what is the outcome of the 'reject' ? Will it be
> tagged as a SPAM or will it be fully rejected and the mail will never be
> delivered ?

`reject` here corresponds to some action in metric and typically
implies an actual rejection happens- you could substitute `add header`
to suggest tag-and-deliver.

Best,
-AL.

Patrick Pichon

unread,
Aug 11, 2016, 4:45:09 AM8/11/16
to rspamd
Thanks for all of the informations and the pointers.

I never tried the LUA scripting, but with your hints this looks very interesting.

Thanks

Andrew Lewis

unread,
Aug 11, 2016, 6:26:42 AM8/11/16
to rsp...@googlegroups.com
Hi Patrick,

This is probably a better example (which would not force 'add header'
action on mail which would otherwise be rejected):

rspamd_config:register_symbol({
name = 'BAYES_FORCE_ACTION',
type = 'postfilter',
callback = function(task)
local action = task:get_metric_action('default')
-- Action is already 'add header' or 'reject' so do nothing
if action == 'add header' or action == 'reject' then return end
local bs = task:get_symbol('BAYES_SPAM')
if bs and bs[1] and bs[1]['options'] and bs[1]['options'][1] then
local score = bs[1]['options'][1]
-- Remove trailing %
score = string.sub(score, 1, -2)
score = tonumber(score)
if not score then return end
-- If BAYES_SPAM has > 98.0% probability...
if score > 98 then
task:set_pre_result('add header', 'Forced add header due to
Reply all
Reply to author
Forward
0 new messages