How come I get different Sa scores from EFA GUI vs SA command line?

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Post by ovizii »

So EFA GUI shows:

Code:

Spam Report:	
Score	Matching Rule	Description
-1.00	ALL_TRUSTED	Passed through trusted hosts only via SMTP
-3.50	BAYES_00	Bayes spam probability is 0 to 1%
-1.50	BAYES_WL	Bayes Whitelist everything up to 4%
-2.50	BAYES_ZERO	Bayes 0 percent SPAM
0.30	C_RFC_WHOIS	Domain with imprecise whois Info
1.10	DCC_CHECK	Detected as bulk mail by DCC (dcc-servers.net)
-0.10	DKIM_SIGNED	Message has a DKIM or DK signature, not necessarily valid
-0.50	HTML_MESSAGE	HTML included in message
0.50	KAM_NUMSUBJECT	Subject ends in numbers
-0.66	TXREP	Score normalizing based on sender's reputation
0.01	T_DKIM_INVALID	DKIM-Signature header exists but is not valid

Testing that message with spamassassin -D -t EsomeIDE.AXYZA shows:

Code:

 Content analysis details:   (-7.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 C_RFC_WHOIS            Domain with imprecise whois Info
                            [URIs: prehcmservices.de]
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.5 KAM_NUMSUBJECT         Subject ends in numbers
-1.5 BAYES_WL               BODY: Bayes Whitelist everything up to 4%
                            [score: 0.0000]
-3.5 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-2.5 BAYES_ZERO             BODY: Bayes 0 percent SPAM
                            [score: 0.0000]
-0.5 HTML_MESSAGE           BODY: HTML included in message
-0.2 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
-0.2 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 TXREP                  TXREP: Score normalizing based on sender's reputation

The most important question is why does one show a valid DKIM signature and one doesn't? Especially keeping in mind that EFA does the DKIM signing itself, so how come it says invalid DKIM signature?
Also, this is an email written from one of my users to another, with a custom subject and content, so how come it gets flagged by DCC?

I know I ran the manual SA check as root while EFA probably runs as another user but still...
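
To compare the two reports in the post above rule by rule rather than by eye, here is an added example (not part of the original thread) that parses both the GUI layout and the command-line layout and lists rules present in only one report and shared rules whose scores differ. The sample data is an excerpt constructed from the reports quoted above, and the function names are illustrative.

```python
import re

# Constructed sample input: an excerpt of the two reports quoted in the post above.
GUI_REPORT = (
    "Score\tMatching Rule\tDescription\n"
    "-1.00\tALL_TRUSTED\tPassed through trusted hosts only via SMTP\n"
    "-3.50\tBAYES_00\tBayes spam probability is 0 to 1%\n"
    "1.10\tDCC_CHECK\tDetected as bulk mail by DCC (dcc-servers.net)\n"
    "-0.10\tDKIM_SIGNED\tMessage has a DKIM or DK signature, not necessarily valid\n"
    "-0.66\tTXREP\tScore normalizing based on sender's reputation\n"
    "0.01\tT_DKIM_INVALID\tDKIM-Signature header exists but is not valid\n"
)
CLI_REPORT = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
-3.5 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.2 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
-0.2 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 TXREP                  TXREP: Score normalizing based on sender's reputation
"""

# A hit line starts with a score followed by an upper-case rule name; headers,
# separators and wrapped description lines do not match.
HIT = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")

def parse_report(text):
    """Return {rule_name: score} for either report layout."""
    hits = {}
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def diff_reports(a, b, tolerance=0.05):
    """Rules only in a, rules only in b, and shared rules whose scores differ
    by more than the tolerance (the CLI report rounds to one decimal)."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = {r: (a[r], b[r]) for r in sorted(set(a) & set(b))
               if abs(a[r] - b[r]) > tolerance}
    return only_a, only_b, changed

if __name__ == "__main__":
    only_gui, only_cli, changed = diff_reports(parse_report(GUI_REPORT),
                                               parse_report(CLI_REPORT))
    print("only in GUI:", only_gui)
    print("only in CLI:", only_cli)
    print("score differs:", changed)
```
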
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by shawniverson »

That's interesting.

I wonder if you executed this what it might reveal. I wonder if a different set of permissions under postfix is causing issues with DKIM.

Code:

sudo su postfix -p -c 'spamassassin -D -t -d -p /etc/MailScanner/spamassassin.conf < EsomeIDE.AXYZA'

As for DCC, I have seen various false positives, not sure if that is the real case here.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by ovizii »

Ok so I did a "normal" Test:

Code:

spamassassin -D -t E2BCB10005E.A7EEA &> /tmp/dkimornot

and one like this:

Code:

sudo su postfix -p -c 'spamassassin -D -t -d -p /etc/MailScanner/spamassassin.conf E2BCB10005E.A7EEA &> /tmp/dkimornot-su-postfix'

dkimornot

Code:

Content analysis details:   (-7.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 C_RFC_ABUSE            Domain without abuse inbox
                            [URIs: bouyguestelecom.fr]
 0.3 C_URIBL_SC_SWINOG      URIs listed in uribl.swinog.ch.
                            [URIs: recipient.tld]
 0.3 C_RFC_POSTMASTER       Domain without postmaster account
                            [URIs: recipient.tld]
 0.3 C_RFC_WHOIS            Domain with imprecise whois Info
                            [URIs: mydomain.tld]
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.5 KAM_NUMSUBJECT         Subject ends in numbers
-1.5 BAYES_WL               BODY: Bayes Whitelist everything up to 4%
                            [score: 0.0000]
-3.5 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-2.5 BAYES_ZERO             BODY: Bayes 0 percent SPAM
                            [score: 0.0000]
-0.5 HTML_MESSAGE           BODY: HTML included in message
-0.2 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.2 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.1 TXREP                  TXREP: Score normalizing based on sender's reputation

dkimornot-su-postfix

Code:

Content analysis details:   (-7.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.3 C_URIBL_SC_SWINOG      URIs listed in uribl.swinog.ch.
                            [URIs: recipient.tld]
 0.5 KAM_NUMSUBJECT         Subject ends in numbers
 0.3 C_RFC_POSTMASTER       Domain without postmaster account
                            [URIs: recipient.tld]
 0.3 C_RFC_WHOIS            Domain with imprecise whois Info
                            [URIs: mydomain.tld]
 0.3 C_RFC_ABUSE            Domain without abuse inbox
                            [URIs: recipient.tld]
-1.5 BAYES_WL               BODY: Bayes Whitelist everything up to 4%
                            [score: 0.0000]
-3.5 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-2.5 BAYES_ZERO             BODY: Bayes 0 percent SPAM
                            [score: 0.0000]
-0.5 HTML_MESSAGE           BODY: HTML included in message
-0.2 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.2 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.1 TXREP                  TXREP: Score normalizing based on sender's reputation
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by shawniverson »

Well, this is certainly perplexing, and implies that mailscanner is calling spamassassin differently than we are.

Do you see any issues with spamassassin lint or mailscanner lint tests?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by ovizii »

No, absolutely no issues with --lint for both. The system is working perfectly. I just stumbled upon this by coincidence when I saw that DKIM results varied.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by shawniverson »

Before digging deeper (going to look at the mailscanner code), is your Run As User and Run As Group in mailscanner postfix?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by ovizii »

Run As User = postfix
Run As Group = postfix
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by shawniverson »

I looked over the mailscanner code, and I am still at a loss so far... the only major difference I have noticed overall is that mailscanner calls spamassassin directly via its perl module instead of via the command line, but it does a lot of other things that I wonder might be causing this, and it might depend on which path it is taking in its code during the spamassassin tests (for example, is it possible that message is hitting the spamassassin results cache instead of running a fresh test?)

Are you able to trigger the invalid DKIM via the GUI again? And if you can, can you give me the output of the /var/log/maillog as this happens? The output will help me to walk through the exact parts of the mailscanner code that are executing.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: How come I get different Sa scores from EFA GUI vs SA command line?

Post by ovizii »

I found an email via EFA GUI with invalid DKIM and will PM you the excerpt from the log file in case it helps.