Amavis/spamassassin not processing URIBL_DBL_SPAM or RCVD_IN_SBL_CSS – SOMETIMES

Tags: amavis, spamassassin

I have a mail server set up using iRedMail, which uses postfix, mysql for virtual domains, amavis-new, spamassassin, and a few other tools.

There is a lot of spam that is getting through the spam filter, but when I run the message through spamassassin manually, it gets marked as spam.

Based on the final spam score, the two tests URIBL_DBL_SPAM and RCVD_IN_SBL_CSS, which account for 5.8 points, make up the discrepancy.

Headers from mail delivered by postfix through amavis:

X-Spam-Flag: NO
X-Spam-Score: 1.592
X-Spam-Level: *
X-Spam-Status: No, score=1.592 tagged_above=-15 required=6.31
    tests=[BAYES_50=0.8, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no

Headers running the same message through spamassassin in the command line:

X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.4 required=5.0 tests=BAYES_50,RCVD_IN_SBL_CSS,
RDNS_NONE,SPF_HELO_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no
autolearn_force=no version=3.4.0
X-Spam-Report:
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    *       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: understandbrainhealth.top]
    *  2.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
    *      [URIs: understandbrainhealth.top]
    *  3.3 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
    *      [173.242.114.32 listed in zen.spamhaus.org]
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
    *      [score: 0.5409]
    *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS

I have ensured that network tests are not disabled:

amavis/conf.d/20-debian_defaults: $sa_local_tests_only = 0;

Edit:

I searched through delivered mail and found that URIBL_DBL_SPAM and RCVD_IN_SBL_CSS are sometimes listed on spam reports for delivered mail. I understand that some of these tests are real-time and a message might not appear on the blacklist at the time it's delivered, but then appears later when the test is run manually. But I have noticed that a single IP address will be caught many times, and messages will continue to be delivered again afterwards.

Best Answer

I recommend enabling verbose logging for Amavis in order to see precisely what SpamAssassin tests it's doing and what results it's coming up with.

I see you are using Debian, so edit /etc/amavis/conf.d/50-user to have:

# Amavis logging
$log_level = 5;

Restart Amavis and look at your mail logging output (/var/log/mail.log here) and you will see a load of information. For instance, on my system, when it does the Spamhaus Zen check (which will include SBL-CSS) you should see lines like:

Jan  4 10:08:18 psiren amavis[6331]: (06331-04) SA dbg: dns: dns reply to 46728/IN/A/26.11.24.104.zen.spamhaus.org: NXDOMAIN

Hopefully, you'll be able to confirm whether this check is being done correctly, and whether it's getting a correct response (127.0.x.y if it's on a list, NXDOMAIN if it isn't).
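As an added example (not part of the question or answer above), this Python helper does the interpretation the answer describes by hand: it parses the SA debug line Amavis logs at $log_level = 5 into the queried IP and rcode, rebuilds the reversed-octet name a ZEN lookup uses for the relay IP from the question, and decodes the 127.0.x.y return codes. The ZEN code table is Spamhaus's documented one; the log line is the one quoted above and the lookup is IPv4-only.

```python
import ipaddress
import re

# Return codes Spamhaus ZEN hands back in the A record (Spamhaus documentation).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",   # the code SpamAssassin's RCVD_IN_SBL_CSS keys on
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Matches the SpamAssassin debug line Amavis logs at $log_level = 5, e.g.
# "SA dbg: dns: dns reply to 46728/IN/A/26.11.24.104.zen.spamhaus.org: NXDOMAIN"
DNS_REPLY_RE = re.compile(r"dns reply to (\d+)/IN/(\w+)/([^\s:]+): (\w+)")


def rbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet name a DNSBL lookup queries for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_sa_dns_reply(line):
    """Extract query id, type, looked-up IP, zone and rcode from one SA debug line."""
    m = DNS_REPLY_RE.search(line)
    if not m:
        return None
    qid, rrtype, qname, rcode = m.groups()
    labels = qname.split(".")
    ip = ".".join(reversed(labels[:4]))      # undo the octet reversal
    zone = ".".join(labels[4:])
    return {"id": int(qid), "type": rrtype, "ip": ip, "zone": zone, "rcode": rcode}


def interpret_zen(rcode, answers=()):
    """Turn an rcode plus any returned A records into a verdict for the ZEN check."""
    if rcode == "NXDOMAIN":
        return "not listed"
    if rcode != "NOERROR":
        return f"lookup failed ({rcode})"
    lists = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    if lists:
        return "listed: " + ", ".join(lists)
    if any(a.startswith("127.255.255.") for a in answers):
        # 127.255.255.x means Spamhaus refused the query rather than answered it
        return "query refused by Spamhaus (error code " + answers[0] + ")"
    return "unexpected answer " + ",".join(answers)


if __name__ == "__main__":
    # Sample line taken from the answer above; the relay IP is from the question's report.
    sample = ("Jan  4 10:08:18 psiren amavis[6331]: (06331-04) SA dbg: dns: dns reply to "
              "46728/IN/A/26.11.24.104.zen.spamhaus.org: NXDOMAIN")
    r = parse_sa_dns_reply(sample)
    print(r["ip"], r["zone"], interpret_zen(r["rcode"]))
    print(rbl_query_name("173.242.114.32"))
```

Grep mail.log for "dns reply to" and feed each line to parse_sa_dns_reply; a relay that the manual run scores as RCVD_IN_SBL_CSS should show a NOERROR reply with 127.0.0.3, and a 127.255.255.x answer points at the resolver rather than the message.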