
General Questions / ui / mail flow / scoring

Posted: Sat Nov 08, 2025 6:09 pm
by mattch
I'm super impressed! I think I'm missing the overall concept or flow.

On the All Emails screen, spam score, I assumed red box means flagged as spam/quarantined, where green means clean. A lot are coming with a score of 5.0 (red color). Some of these are delivered to my inbox, some are not. I'm not sure how to interpret what's going on. The Spam Score Breakdown section is empty, which is my usual go-to check in MailWatch.

Is there anything to know about category, analyzed/spam/clean? I start wondering if maybe the system is waiting for me to do something (enable something, train more?).

Re: General Questions / ui / mail flow / scoring

Posted: Mon Nov 10, 2025 1:50 am
by adrastosefa
mattch wrote: Sat Nov 08, 2025 6:09 pm
> I'm super impressed! I think I'm missing the overall concept or flow.
>
> On the All Emails screen, spam score, I assumed red box means flagged as spam/quarantined, where green means clean. A lot are coming with a score of 5.0 (red color). Some of these are delivered to my inbox, some are not. I'm not sure how to interpret what's going on. The Spam Score Breakdown section is empty, which is my usual go-to check in MailWatch.
>
> Is there anything to know about category, analyzed/spam/clean? I start wondering if maybe the system is waiting for me to do something (enable something, train more?).

Great question! Let me clarify how the scoring system works, and I'll also mention that the
upcoming release will address some of these visibility issues.

---
Understanding OpenEFA Spam Scoring:

The Threshold:
- OpenEFA's default spam threshold is 10.0
- Emails with scores >= 10.0 are quarantined
- Emails with scores < 10.0 are delivered to your inbox
- This threshold is configurable via the SPACY_SPAM_THRESHOLD environment variable

Color Coding:
- Green (Clean): Score < 5.0
- Yellow/Orange (Suspicious): Score 5.0 - 9.9
- Red (Spam): Score >= 10.0

So if you're seeing emails with a 5.0 score being delivered - that's correct behavior!
They're below the 10.0 quarantine threshold. The yellow/orange color is just indicating
"somewhat suspicious" but not bad enough to block.

Why are some delivered and some not?
If you're seeing different outcomes for similar scores, there could be a few reasons:
1. Thread Awareness - Legitimate replies in ongoing conversations get a pass
2. Conversation Learning - Known sender patterns reduce effective threshold
3. Disposition overrides - User actions (whitelist/blacklist) can override scores
4. Trust adjustments - Thread trust can adjust the effective threshold by 15-30%

Categories Explained:
- analyzed - Email has been processed and scored
- spam - Score >= threshold OR flagged by modules (phishing/BEC/virus)
- clean - Score well below threshold with no threats detected
- quarantined - Currently held in quarantine (not delivered)

---
About the Empty Spam Score Breakdown:

You're absolutely right to miss this - it's like the MailWatch score breakdown! The system
IS generating detailed module scores from all 12 analysis modules (DNS, RBL, Behavioral,
BEC, Phishing, URL, etc.), but there's currently an issue with displaying them.

The breakdown section looks for special headers in the email (X-Spam-Score-ModuleName), and
these might not be getting saved properly to the database in all cases.

Good news: The upcoming stable release includes:
- ✅ Improved score breakdown visibility - Better display of individual module contributions
- ✅ Score interpretation tooltips - Explanations of what each score means
- ✅ Better threshold visualization - Clear indication of where the quarantine line is
- ✅ Enhanced logging - More detailed scoring information in the database
- ✅ Module scoring consistency - All 12 modules contributing properly

---
Do you need to train or enable anything?

No training required! OpenEFA learns automatically as you use it, however:
- Release emails → System learns "this is legitimate"
- Mark as safe (not spam) → The system reaches its peak learning per email by seeing it 3 times or similar emails 3 times. So to speed up the learning, you can identify it as not spam 3 times and it has reached its optimum learning from the text, the sender and receiver relationship.
- Mark as spam → System learns "this is bad"
- Whitelist senders → Automatic trust boost for future emails
- Conversation learning → Automatically detects and trusts ongoing threads

The system is working, but the visibility of what it's doing needs improvement - which is
exactly what the new release addresses!

---
Quick Tip for Testing:

Want to see detailed module scoring right now? Click into an individual email's detail page - the
"Spam Score Breakdown" section should show you which modules contributed what scores
(if the raw email data is available).

If it's still empty, that's the bug we've fixed in the upcoming release - the headers are
being generated but not always persisted correctly to the database.

---
The stable release dropping in the next few days will make all of this much clearer with
better visual indicators, tooltips explaining each score, and a working module breakdown.
Stay tuned!
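
To check whether a delivered message actually carries the per-module headers the breakdown section looks for, the following added example (not OpenEFA's own code and not from either poster) reads the X-Spam-Score-* headers from a raw message and applies the thresholds and color bands described above. It assumes each header value is a plain number and that the total is the sum of the module scores; the sample message and its module values are constructed.

```python
import os
from email import message_from_string

PREFIX = "x-spam-score-"  # header pattern named in the reply above

# Constructed sample message; module names and values are illustrative only.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: Invoice reminder
X-Spam-Score-DNS: 1.5
X-Spam-Score-RBL: 0.0
X-Spam-Score-Phishing: 2.5
X-Spam-Score-URL: not-a-number
X-Spam-Score-BEC: 1.0

Body text.
"""

def module_scores(raw):
    """Return ({module: score}, [malformed header names]) from a raw message."""
    msg = message_from_string(raw)
    scores, bad = {}, []
    for name, value in msg.items():
        if not name.lower().startswith(PREFIX):
            continue
        try:
            scores[name[len(PREFIX):]] = float(value.strip())
        except ValueError:
            bad.append(name)  # header present but value unusable
    return scores, bad

def band(score):
    """Color bands as described in the reply above."""
    if score < 5.0:
        return "green"
    return "yellow/orange" if score < 10.0 else "red"

def verdict(raw, threshold=None):
    """Summarise a message: total, band, and whether it would be quarantined."""
    if threshold is None:
        threshold = float(os.environ.get("SPACY_SPAM_THRESHOLD", "10.0"))
    scores, bad = module_scores(raw)
    total = sum(scores.values())  # assumption: total is the sum of modules
    return {"modules": scores, "malformed": bad, "total": total,
            "band": band(total), "quarantined": total >= threshold,
            "breakdown_available": bool(scores)}

if __name__ == "__main__":
    print(verdict(SAMPLE))
```

If `breakdown_available` is false for a raw message, the headers never reached that copy of the mail, which points at generation rather than at the database persistence step.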