Spam scores and troubleshooting guide

[gotkimchi]

Once in awhile, we get a support call or an email, "Why did this email get x.x score?" Typically, these are really tough to answer. With the latest version, you do have the option to enable the "add email headers". It is under the SPAM blocker settings, advanced SMTP configuration. If you enable this, each email will have the header with the breakdown of the score.

If you right click on the email, options, under the Internet headers (i am using outlook), you will see something like this:
X-spam-status: No, score=3.1 required=4.3 tests=EXTRA_MPART_TYPE,DATE_IN_FUTURE_06_12,HTML_M ESSAGE,CTASD_SPAM_UNKNOWN
X-Spam-Flag: NO

As you can see, it received a score of 3.1 with the breakdown of the score.
Here is the link to the rules like "EXTRA_MPART_TYPE,DATE_IN_FUTURE_06_12,HTML_MESSAG E,CTASD_SPAM_UNKNOWN"
http://spamassassin.apache.org/tests_3_2_x.html

Advanced Users could also do this for the auto whitelist.
If you want to delete the auto whitelist and start over, you can run this command on the Untangle SSH.

rm /home/spamc/.spamassassin/auto-whitelist

This will reset the box back to when it was first installed with the auto-whitelist, but will not affecting the 'bayes' scores.

[johnsonx42]

on 8.1 I'm finding that e-mails that got quarantined and then released have no X-Spam lines added to the header... only e-mails that were passed or marked get the X-Spam headers.

not very useful for troubleshooting.

[johnsonx42]

any chance this issue is going to get resolved some time? I made a bugzilla report awhile ago: http://bugzilla.untangle.com/show_bug.cgi?id=8775, but it doesn't look like it's gotten any attention and there's no change 9.0.1.

I had a customer ask me yesterday why a particular e-mail got quarantined, and all I could offer was some guesses since there's no scoring detail in quarantined e-mails.

[dmorris]

Doubtful.

[johnsonx42]

Is there some technical reason this can't be done? It would seem just as desirable to identify why a given e-mail was scored as spam as it is to indentify why a given e-mail was scored good, yet we only have scoring detail for the good e-mail.

[johnsonx42]

still tearing my hair out over this... can't do any troubleshooting on false-positives, as UT won't reveal the scoring detail.

[mrunkel]

The reason is less technical than a question of developer bandwidth and user demand.

So far the user demand seems pretty low and developer bandwidth is pretty scarce, so we try to tackle the stuff that lots of people are asking for.

The reason dmorris said "doubtful" is because the bug is in the planned state and hasn't been nominated for fixing by anyone inside Untangle.

If you want to increase the chances of this bug getting fixed, you have to get other users to vote on it, or you can check out the code and fix it yourself. Spamblocker is 100% open source. http://wiki.untangle.com/index.php/Building_the_Code

Lastly, there is some additional information in /var/log/mail.info. So you can always look there for the score and the tests that caused the score.

[johnsonx42]

ok, thanks, I'll have a look at /var/log/mail.info next time this comes up. presumably the usual technique of piping it to grep will help me find what I need.

as to looking at the code myself, I estimate it would take weeks to get my head sufficiently 'into' the code to make a change like that... we're not talking about just changing a text string or output format somewhere, but an actual change to the code path being followed during the quarantine process. there's a LOT I'd have to understand about how Untangle works before doing that... knowledge your devs already have.

that said, maybe I will have to setup a dev environment and take a hard look at the code sometime. there's a couple of things about Untangle that drive me crazy, and so far neither asking nicely nor outright complaining have gotten them changed.