Posted to users@spamassassin.apache.org by Margrit Lottmann <ma...@ovgu.de> on 2011/03/08 16:45:38 UTC

problem with headers

Already sometimes we've had problems with
     false positives

Mails get spam scores > 5 ...internal mails with normal content...

The spam report says

X-Spam-Score: 5.5 (+++++)
X-Spam-Report: ---- Start SpamAssassin results
	Content analysis details:   (5.5 points, 5.0 required)
	pts rule name              description
	---- ---------------------- --------------------------------------------------
	-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
	1.0 MISSING_HEADERS        Missing To: header
	0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
	[score: 0.5000]
	0.5 MISSING_MID            Missing Message-Id: header
	1.8 MISSING_SUBJECT        Missing Subject: header
	-0.0 NO_RECEIVED            Informational: message has no Received headers
	1.4 MISSING_DATE           Missing Date: header
	0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

but the headers are present...

1 admin said to me ... that eventually there is a blank line before 
headers...that means   end of headers ???

???
-- 

MfG Margrit Lottmann

Otto-von-Guericke-Universitaet Magdeburg
Abt. Kommunikation und Netze

Tel.: 0391 67 58572  Fax:  0391 67 11134

Re: problem with headers

Posted by Kris Deugau <kd...@vianet.ca>.
Margrit Lottmann wrote:
> -0.0 NO_RELAYS Informational: message was not relayed via SMTP
> 1.0 MISSING_HEADERS Missing To: header
> 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
> [score: 0.5000]
> 0.5 MISSING_MID Missing Message-Id: header
> 1.8 MISSING_SUBJECT Missing Subject: header
> -0.0 NO_RECEIVED Informational: message has no Received headers
> 1.4 MISSING_DATE Missing Date: header
> 0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 headers
>
> but the headers are present...
>
> 1 admin said to me ... that eventually there is a blank line before
> headers...that means end of headers ???

RFC822 email messages consist of a group of headers separated from the 
message body by one or more blank lines.

If a blank line somehow ends up in between some of the headers, any 
headers after that line will be treated as part of the body.  If a blank 
line gets added at the very beginning, before all of the headers, all of 
them will be treated as part of the message body.

You'll have to check into how these messages are being passed into the 
mail system, and watch what happens at all of the processing stages in 
order to find out where that leading blank line is getting added.  If 
you don't see similar issues with general incoming Internet email, 
compare the path a message takes for Internet email vs local mail.

Based on NO_HEADERS_MESSAGE and NO_RECEIVED, it's most likely being 
added by whatever glue layer is calling SpamAssassin, because otherwise 
you'd at least have a Received: header, and likely a Message-ID: and 
possibly Date: added by the last MTA in the chain...  but without 
knowing more about how mail moves through your system, and how SA is 
called, that's just a guess.

John Hardin's comment about not passing internal mail to SA at all is 
also a good place to work around this.

-kgd
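
The header/body split described in the reply above, as an added example that is not part of the original thread: it feeds a raw message to Python's standard email parser (not SpamAssassin's own) and reports which headers a misplaced blank line pushed into the body. The sample message, the example.test addresses and the names `diagnose`, `RULES`, `CLEAN`, `LEADING_BLANK` and `SPLIT` are constructed for illustration; the header-to-rule pairing is copied from the report quoted in the thread.

```python
import re
from email import message_from_bytes

# Header -> rule name, paired as in the report quoted in this thread;
# this mirrors that report, it is not SpamAssassin's rule code.
RULES = {"To": "MISSING_HEADERS", "Message-ID": "MISSING_MID",
         "Subject": "MISSING_SUBJECT", "Date": "MISSING_DATE"}
HEADER_SHAPED = re.compile(r"^([!-9;-~]+):")


def diagnose(raw: bytes) -> dict:
    """Show how a parser splits `raw` into headers and body at the first blank line."""
    msg = message_from_bytes(raw)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    # Header-shaped lines in the body's first paragraph are headers that a
    # misplaced blank line pushed out of the header block.
    in_body = set()
    for line in body.splitlines():
        if not line.strip():
            break
        m = HEADER_SHAPED.match(line)
        if m:
            in_body.add(m.group(1).lower())
    missing = [h for h in RULES if msg[h] is None]
    return {
        "leading_blank_line": raw.startswith((b"\n", b"\r\n")),
        "parsed_headers": msg.keys(),
        "expected_rules": [RULES[h] for h in missing],
        "stranded_in_body": [h for h in missing if h.lower() in in_body],
    }


# Constructed sample message (example.test addresses are placeholders).
HEADERS = (b"Received: from ws1.example.test by mx.example.test; "
           b"Tue, 08 Mar 2011 16:45:38 +0100\r\n"
           b"From: alice@example.test\r\n"
           b"To: bob@example.test\r\n"
           b"Subject: meeting notes\r\n"
           b"Date: Tue, 08 Mar 2011 16:45:38 +0100\r\n"
           b"Message-ID: <constructed-1@example.test>\r\n")
CLEAN = HEADERS + b"\r\nSee you at ten.\r\n"
LEADING_BLANK = b"\r\n" + CLEAN               # blank line before all headers
SPLIT = CLEAN.replace(b"To:", b"\r\nTo:", 1)  # blank line after From:

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("leading", LEADING_BLANK), ("split", SPLIT)]:
        print(name, diagnose(raw))
```

Running `diagnose` on the exact bytes the glue layer hands to the filter, captured at that stage, shows whether the blank line is already present there.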

Re: problem with headers

Posted by John Hardin <jh...@impsec.org>.
On Tue, 8 Mar 2011, Michael Scheidell wrote:

> On 3/8/11 10:45 AM, Margrit Lottmann wrote:
>>  Already sometimes we've had problems with
>>      false positives
>>
>>  Mails get spam scores > 5 ...internal mails with normal content...
> you need to correctly set internal and trusted networks.
>
> if that is correct, you need to fix your MTA.
>
> use wireshark to watch what is actually being sent to SA.. then fix your MTA

You may also want to figure out how to tell your MTA to not pass 
purely-internal emails to SA at all.

If you'll provide some details about what your MTA is, how SA is glued 
on, and what your internal network topology looks like (broadly) we may be 
able to offer some advice.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Failure to plan ahead on someone else's part does not constitute
   an emergency on my part.                 -- David W. Barts in a.s.r
-----------------------------------------------------------------------
  5 days until Daylight Saving Time begins in U.S. - Spring Forward

Re: problem with headers

Posted by Michael Scheidell <mi...@secnap.com>.
On 3/8/11 10:45 AM, Margrit Lottmann wrote:
> Already sometimes we've had problems with
>     false positives
>
> Mails get spam scores > 5 ...internal mails with normal content...
you need to correctly set internal and trusted networks.

if that is correct, you need to fix your MTA.

use wireshark to watch what is actually being sent to SA.. then fix your MTA


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008
