[TAG] John Karns's post tripped some spam filters

Rick Moen rick at linuxmafia.com
Mon Aug 14 11:56:47 MSD 2006


Hmm, John's post got held by Mailman, claiming that SpamAssassin had
marked it as "possible spam".  Let's have a look at what got into
Mailman and SpamAssassin's tiny little brains:


Received: from [201.245.212.45] (port=33475 helo=localhost.localdomain)
	 by linuxmafia.com with esmtp   (Exim 4.61 #1 (EximConfig 2.0))
	 id 1GCMEs-0005t8-Hg   
	for <tag at lists.linuxgazette.net>; Sun, 13 Aug 2006 13:07:21 -0700
Received: by localhost.localdomain (Postfix, from userid 1000)
	id 371D323055; Sun, 13 Aug 2006 15:07:01 -0500 (COT)
Received: from localhost (localhost [127.0.0.1])
	by localhost.localdomain (Postfix) with ESMTP id 31E942303E;
	Sun, 13 Aug 2006 15:07:01 -0500 (COT)
Date: Sun, 13 Aug 2006 15:07:01 -0500 (COT)
From: John Karns <jkarns at etb.net.co>
To: TAG <tag at lists.linuxgazette.net>
X-X-Sender: jkarns at localhost.localdomain
To: jeff at jeffroot.us
cc: tag at lists.linuxgazette.net
In-Reply-To: <17630.47578.208478.397536 at localhost.localdomain>
Message-ID: <Pine.LNX.4.61.0608131345520.21008 at localhost.localdomain>
References: <17621.16287.466717.206264 at localhost.localdomain>
 <20060806022547.GA3848 at linuxgazette.net> <17621.34053.297464.620391 at localhost.localdomain>
 <20060807030821.GA3903 at linuxgazette.net> <Pine.LNX.4.61.0608091621130.12020 at localhost.localdomain>
 <20060809214806.GA4892 at linuxgazette.net> <Pine.LNX.4.61.0608121407330.836 at localhost.localdomain>
 <17630.47578.208478.397536 at localhost.localdomain>
MIME-Version: 1.0
X-SA-Do-Not-Run: Yes
X-EximConfig: v2.0 on linuxmafia.com (http://www.jcdigita.com/eximconfig)
X-SA-Exim-Connect-IP: 201.245.212.45
X-SA-Exim-Mail-From: jkarns at etb.net.co
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on linuxmafia.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=4.0 tests=AWL,BAYES_00,FORGED_RCVD_HELO,
	RCVD_IN_DSBL,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL 
	autolearn=no version=3.1.1
Subject: Re: [TAG] LG 127 Wifi
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-SA-Exim-Version: 4.2.1 (built Mon, 27 Mar 2006 13:42:28 +0200)
X-SA-Exim-Scanned: Yes (on linuxmafia.com)



The weird thing is, it was Mailman that objected to your message and
held it for my manual approval, claiming that SpamAssassin had flagged
it as "possible spam" -- yet, as you can see, SA's score was 3.5, well
below the 4.0 spamicity threshold I set in SpamAssassin.  I'm not sure
what's going on _there_.

In any event, spamicity = 3.5 is eyebrow-raising enough in itself, so
let's see what all those failed tests in the X-Spam-Status line are:[1]

AWL:  Auto-WhiteList.  This is a simple "address or IP that has been
heard from in the somewhat recent past" database, giving ones _not_
heard from recently a small boost to the maybe-distrust-this spamicity
score.

BAYES_00:  A "Bayesian" statistical test on the body text.  The "BAYES_00" 
result means that the Bayesian estimate of probability is that there's 
only a 0-1% likelihood of your post being spam, and that result actually
_reduces_ the post's spamicity score.

FORGED_RCVD_HELO:  This means that the hostname your delivering SMTP 
process reported to mine during the delivery conversation, right at the
beginning in the SMTP "HELO" command, has been detected to be provably
wrong (which SpamAssassin rather cynically classifies as a forgery).  
And _that_, in turn, is because your MTA said (as indicated in the first 
Received line) that its hostname was "localhost.localdomain".  In other
words, you badly need to use a valid FQDN (fully qualified domain name) 
when sending e-mail on the Internet.  Here's an analysis posted to
someone else with a similar symptom:
http://linuxfromscratch.org/pipermail/lfs-chat/2005-July/026693.html

RCVD_IN_DSBL:  Means that the mail was received from an IP address
listed in the dsbl.org blocklist "list.dsbl.org" as some sort of open 
single-stage relay (at least at some point in the past).  
See:  http://dsbl.org/faq

RCVD_IN_DYNABLOCK:  Means that the mail was received from an IP address
that was detected to be part of a dial-up or dynamic-IP pool.  For
reasons that would take a while to explain, most of the Internet now
attempts to avoid accepting SMTP mail sent directly from dynamic IPs.  (The
reasons are compelling.  I just don't want to get into them right now.)
People on dynamic IPs should strongly consider relaying their outbound
mail via their ISPs' SMTP mail servers.

RCVD_IN_SORBS:  A very small boost to spamicity from your IP address
being in the SORBS blocklist.

RCVD_IN_SORBS_DUL:  A slightly larger boost from your IP address being
in the SORBS Dial Up List.  (See comments about dial-up and dynamic-IP
address pools.)


Anyhow, the bottom line is:  The rather devil-may-care way you're just
hurling mail out onto the 'Net (using dynamic IP for SMTP, and not
_even_ using a real hostname) is very, very likely to cause you
problems.  I've just attempted to whitelist your sending address, which
should help you with TAG mail -- but leaves some hundred thousand other
SMTP servers not so inclined.

[1] See also:  http://spamassassin.apache.org/tests_3_1_x.html
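The header analysis Rick walks through above can be automated. What follows is an added example, not code from the original post or from Mailman, Exim or SpamAssassin: it unfolds the quoted headers, parses the X-Spam-Status line into score, threshold and test list, checks that the X-Spam-Level stars agree with the score, and checks whether the HELO name in the first Received line is a usable FQDN (the root cause of FORGED_RCVD_HELO here). The sample headers are the ones quoted in the message, trimmed to what the example needs, with the archive's "user at host" obfuscation undone; the per-test notes are summarised from the message, and the FQDN heuristic is this example's own, not SpamAssassin's rule.

```python
import math
import re

# Sample input: the headers quoted in the message above, trimmed to the
# fields this example uses (address obfuscation undone).
SAMPLE_HEADERS = (
    "Received: from [201.245.212.45] (port=33475 helo=localhost.localdomain)\n"
    "\t by linuxmafia.com with esmtp   (Exim 4.61 #1 (EximConfig 2.0))\n"
    "\t id 1GCMEs-0005t8-Hg\n"
    "\tfor <tag@lists.linuxgazette.net>; Sun, 13 Aug 2006 13:07:21 -0700\n"
    "X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on linuxmafia.com\n"
    "X-Spam-Level: ***\n"
    "X-Spam-Status: No, score=3.5 required=4.0 tests=AWL,BAYES_00,FORGED_RCVD_HELO,\n"
    "\tRCVD_IN_DSBL,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL\n"
    "\tautolearn=no version=3.1.1\n"
)

# One-line notes on the tests discussed in the message (summarised from it).
TEST_NOTES = {
    "AWL": "auto-whitelist adjustment for a sender not heard from recently",
    "BAYES_00": "Bayesian body estimate 0-1% spam; lowers the total",
    "FORGED_RCVD_HELO": "HELO hostname provably wrong (here: localhost.localdomain)",
    "RCVD_IN_DSBL": "sending IP listed in list.dsbl.org (open-relay history)",
    "RCVD_IN_DYNABLOCK": "sending IP in a dial-up / dynamic-IP pool",
    "RCVD_IN_SORBS": "sending IP in the SORBS blocklist",
    "RCVD_IN_SORBS_DUL": "sending IP in the SORBS Dial Up List",
}

STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)"
    r"\s+tests=(?P<tests>[A-Z0-9_]+(?:,\s*[A-Z0-9_]+)*)"
    r"(?:\s+autolearn=(?P<autolearn>\S+))?(?:\s+version=(?P<version>\S+))?"
)
HELO_RE = re.compile(r"\bhelo=([^\s()]+)")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def unfold_headers(raw):
    """Unfold RFC 5322 folded headers: a line beginning with whitespace
    continues the previous field. Returns (name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_spam_status(value):
    """Parse an unfolded X-Spam-Status value; raise ValueError if malformed."""
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    return {
        "spam": m.group("verdict") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": [t.strip() for t in m.group("tests").split(",")],
        "autolearn": m.group("autolearn"),
        "version": m.group("version"),
    }


def helo_is_valid_fqdn(name):
    """Heuristic (this example's own): a HELO name is usable if it is dotted,
    made of valid DNS labels, and not a localhost / .localdomain placeholder."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return False
    if labels[0] == "localhost" or labels[-1] in ("localdomain", "local"):
        return False
    return True


def triage(raw):
    """Summarise why a message scored as it did and whether the reported
    level, score and threshold are mutually consistent."""
    fields = unfold_headers(raw)
    received = [v for n, v in fields if n.lower() == "received"]
    status = parse_spam_status(next(v for n, v in fields if n.lower() == "x-spam-status"))
    level = next((v for n, v in fields if n.lower() == "x-spam-level"), "")
    helo_m = HELO_RE.search(received[0]) if received else None
    helo = helo_m.group(1) if helo_m else None
    return {
        "score": status["score"],
        "required": status["required"],
        "over_threshold": status["score"] >= status["required"],
        # SpamAssassin prints one '*' per whole point of positive score.
        "level_matches_score": len(level) == max(0, math.floor(status["score"])),
        "tests": status["tests"],
        "helo": helo,
        "helo_ok": bool(helo) and helo_is_valid_fqdn(helo),
        "notes": {t: TEST_NOTES.get(t, "no note") for t in status["tests"]},
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS).items():
        print("%-20s %s" % (key, val))
```

Run against the quoted headers, `triage` reports the 3.5 score under the 4.0 threshold (`over_threshold` False, which is exactly the Mailman/SpamAssassin disagreement noted above), three stars matching the score, the seven tests with their notes, and `helo_ok` False because "localhost.localdomain" is not a real FQDN. Only the first (outermost) Received line is inspected for the HELO name, since that is the hop the receiving MTA itself recorded; earlier hops are whatever the sender wrote.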