Posted to users@spamassassin.apache.org by Jonn R Taylor <jo...@taylortelephone.com> on 2005/12/27 14:48:39 UTC

spammer spoofing SA headers

How can I make this go through SA when it thinks it already has????

Jonn

X-Virus-Scanned: by taylortelephone.com
Return-Path: <so...@universia.net.mx>
Received: from webmail.universia.net.mx ([201.134.119.23] verified)
   by taylortelephone.com (CommuniGate Pro SMTP 5.0.2)
   with ESMTP id 36949 for jonnt@taylortelephone.com; Tue, 27 Dec 2005 05:23:25 -0600
Received: from 127.0.0.1 (localhost [127.0.0.1])
	by reinject.domain.com (Postfix) with SMTP
	id 6185134950; Tue, 27 Dec 2005 05:13:00 -0600 (CST)
Received: from universia.net.mx (localhost [127.0.0.1])
	by webmail.universia.net.mx (Postfix) with ESMTP
	id 3C99634924; Tue, 27 Dec 2005 05:12:47 -0600 (CST)
Received: from [196.3.62.4] by webmail.universia.net.mx (mshttpd); Tue,
  27 Dec 2005 03:12:47 -0800
From: <so...@universia.net.mx>
Reply-To: drsolomonrichards@yahoo.com.hk
Message-ID: <6f...@universia.net.mx>
Date: Tue, 27 Dec 2005 03:12:47 -0800
X-Mailer: iPlanet Messenger Express 5.2 Patch 1 (built Aug 19 2002)
MIME-Version: 1.0
Content-Language: af
Subject: From The Desk Of Dr Solomon Richards
X-Accept-Language: af
Priority: normal
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
To: undisclosed-recipients: ;
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
	webmail.universia.net.mx
X-Spam-Level:
X-Spam-Status: No, score=-1.3 required=3.9 tests=AWL,BAYES_00,NO_REAL_NAME,
	UNDISC_RECIPS autolearn=no version=3.0.2


Re: spammer spoofing SA headers

Posted by Pollywog <li...@shadypond.com>.
On 12/27/2005 08:10 pm, Matt Kettler wrote:

> Why bother? SA isn't confused by them. No sane spamassassin setup would
> ever have this problem. Period.
>
> The problem lies in a user intentionally trying to bypass SA for already
> scanned mail. The fix lies in not doing something so foolish in the first
> place.

Oh okay, I misunderstood and thought it was a problem caused by what the 
spammer had done, though I don't recall ever having the problem myself.

8)

Re: spammer spoofing SA headers

Posted by Matt Kettler <mk...@evi-inc.com>.
Pollywog wrote:
> On 12/27/2005 02:56 pm, Matt Kettler wrote:
> 
>>At 08:48 AM 12/27/2005, Jonn R Taylor wrote:
>>
>>>How can I make this go through SA when it thinks it already has????
>>
>>Why wouldn't it go through SA?
>>
>>SA doesn't have any built-in behaviors that will prevent it from
>>re-scanning a message.
> 
> 
> I had a similar problem with clamassassin headers, so I had Postfix remove 
> them so that my Maildrop filters would not be confused.  I just set the 
> clamassassin headers to IGNORE in Postfix's header_checks, IIRC.
> 
> Could something like this be done for SpamAssassin's headers by the MTA, and 
> would it solve the problem?

Why bother? SA isn't confused by them. No sane spamassassin setup would ever
have this problem. Period.

The problem lies in a user intentionally trying to bypass SA for already scanned
mail. The fix lies in not doing something so foolish in the first place.

Fix the problem in the implementation, don't cover it up by modifying the input
data to hide the existence of this problem.


Re: spammer spoofing SA headers

Posted by Pollywog <li...@shadypond.com>.
On 12/27/2005 02:56 pm, Matt Kettler wrote:
> At 08:48 AM 12/27/2005, Jonn R Taylor wrote:
> >How can I make this go through SA when it thinks it already has????
>
> Why wouldn't it go through SA?
>
> SA doesn't have any built-in behaviors that will prevent it from
> re-scanning a message.

I had a similar problem with clamassassin headers, so I had Postfix remove 
them so that my Maildrop filters would not be confused.  I just set the 
clamassassin headers to IGNORE in Postfix's header_checks, IIRC.

Could something like this be done for SpamAssassin's headers by the MTA, and 
would it solve the problem?

8)

Re: spammer spoofing SA headers

Posted by Matt Kettler <mk...@comcast.net>.
At 08:48 AM 12/27/2005, Jonn R Taylor wrote:
>How can I make this go through SA when it thinks it already has????

Why wouldn't it go through SA?

SA doesn't have any built-in behaviors that will prevent it from 
re-scanning a message.

Did you do something in your procmailrc to cause procmail to skip SA if an 
X-Spam-Status header exists?

This is generally a bad idea.
Anyone can forge an SA header, but in this case it's more likely the message 
went through a real version of SA on the sender's side. However, the 
sender's own SA is likely configured to consider his/her own mail as not spam.

You can only safely skip messages with an X-Spam-Status: that reads "yes", 
due to the fact that you can't trust it. Of course, spammers can always 
forge an X-Spam-Status: on themselves that declares the message to be spam, 
but if they do.. more power to em..
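
Added example (not part of the post above and not SpamAssassin or procmail code): a Python sketch of the delivery decision described in this thread, run against a constructed copy of the X-Spam-* headers from the original message. The LOCAL_SCANNER host name, the placeholder sender address and the rule of requiring every X-Spam-Status header to read "Yes" when several are present are assumptions of this example.

```python
import email
import re

LOCAL_SCANNER = "mx.example.net"  # hypothetical: host our own SA writes after "on"

# Constructed sample: the X-Spam-* headers of the message quoted in this thread,
# with a placeholder sender address.
FOREIGN_NO = (
    "From: <sender@example.invalid>\n"
    "Subject: From The Desk Of Dr Solomon Richards\n"
    "X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on\n"
    "\twebmail.universia.net.mx\n"
    "X-Spam-Status: No, score=-1.3 required=3.9 tests=AWL,BAYES_00,NO_REAL_NAME,\n"
    "\tUNDISC_RECIPS autolearn=no version=3.0.2\n"
    "\n"
    "body\n"
)

def claimed_verdicts(raw):
    """First word ("yes", "no", ...) of every X-Spam-Status header already present."""
    msg = email.message_from_string(raw)
    words = []
    for value in msg.get_all("X-Spam-Status", []):
        m = re.match(r"\s*(\w+)", value)
        words.append(m.group(1).lower() if m else "")
    return words

def foreign_scanners(raw):
    """Hosts named in X-Spam-Checker-Version that are not our own scanner."""
    msg = email.message_from_string(raw)
    hosts = []
    for value in msg.get_all("X-Spam-Checker-Version", []):
        m = re.search(r"\bon\s+(\S+)", value)  # folded header: \s spans the newline
        if m and m.group(1).lower() != LOCAL_SCANNER:
            hosts.append(m.group(1))
    return hosts

def delivery_action(raw):
    """Skip the scan only when every inbound verdict already says spam."""
    verdicts = claimed_verdicts(raw)
    if verdicts and all(v == "yes" for v in verdicts):
        return "file-as-spam"  # believing "yes" can only hurt the sender
    return "scan"              # "no", garbage, mixed or absent: never trusted

if __name__ == "__main__":
    print(delivery_action(FOREIGN_NO), foreign_scanners(FOREIGN_NO))
```

foreign_scanners() is there for logging only; the decision itself never depends on the host name, since that header can be forged as easily as the verdict.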