Posted to users@spamassassin.apache.org by "Martin G. Diehl" <md...@nac.net> on 2005/05/22 22:02:49 UTC

Something odd

Greetings,

I have been noticing some incomplete SPAM messages.

This one is missing the 'From:', 'Date:', 'Subject:', 'Message-Id:',
and even the message body; ... and has a forged HELO ...

How could something that badly formatted get a SpamAssassin
score as low as 3.1? ... well below my threshold of 4.7.

 > From - Sun May 22 15:40:15 2005
 > X-UIDL: 1116736213.M040449P42380.mx5.oct
 > X-Mozilla-Status: 0000
 > X-Mozilla-Status2: 00000000
 > Return-Path: <je...@yahoo.com>
 > Delivered-To: mdiehl@nac.net
 > Received: (qmail 42347 invoked by uid 0); 22 May 2005 04:30:01 -0000
 > Received: from 61.50.227.191 by mx5.oct
 > (envelope-from <je...@yahoo.com>, uid 0) with qmail-scanner-1.25
 >  (clamuko: 0.72.
 >  Clear:RC:0(61.50.227.191):.
 >  Processed in 0.314645 secs); 22 May 2005 04:30:01 -0000
 > X-Qmail-Scanner-Mail-From: jepujorkua@yahoo.com via mx5.oct
 > X-Qmail-Scanner: 1.25 (Clear:RC:0(61.50.227.191):. Processed in 0.314645 secs)
 > Received: from unknown (HELO 61.50.227.191) (61.50.227.191)
 >   by rbl-mx5.oct.nac.net with SMTP; 22 May 2005 04:30:01 -0000
 > X-Qmail-Scanner-Message-ID: <11...@mx5.oct>
 > X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd3.oct
 > X-Spam-Level: ***
 > X-Spam-PrefsFile: nac.net/mdiehl
 > X-Spam-Status: No, score=3.1 required=4.7 tests=MISSING_DATE,MISSING_SUBJECT,
 > 	RCVD_NUMERIC_HELO autolearn=disabled version=3.0.2

My guess is that many of the usual SpamAssassin tests didn't run at all
because of the missing headers ... as though it became whitelisted.

--
Martin G. Diehl

Re: Something odd

Posted by Loren Wilton <lw...@earthlink.net>.
> This one is missing the 'From:', 'Date:', 'Subject:', 'Message-Id:',
> and even the message body; ... and has a forged HELO ...
>
> How could something that badly formatted get a SpamAssassin
> score as low as 3.1? ... well below my threshold of 4.7.

Simple - SA scores based on what it finds in the message, not what it
doesn't find, for the most part.  In this case there is nothing to find, so
there isn't much score.

This is a typical result of a clueless spammer that can't set up their
spamware correctly.  SARE has at least one rule that is pretty good at
catching these messages.  You might want to investigate some of the add-on
rulesets that can be found at rulesemporium.com and exit0.us.

        Loren
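
The thread's point is that a score built only from what is present stays low when almost nothing is present, so the combination of absences has to be treated as a signal of its own. The sketch below is an added example, not part of either post and not SpamAssassin or SARE code; the function names, the constructed sample messages and the "three or more missing headers plus an empty body" policy are assumptions.

```python
import re
from email import message_from_string

# Headers the original poster lists as absent (Date and From are mandatory in RFC 2822).
EXPECTED = ("From", "Date", "Subject", "Message-ID")
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)")
IPV4_RE = re.compile(r"\[?\d{1,3}(?:\.\d{1,3}){3}\]?")

# Constructed samples; hosts and addresses are documentation placeholders.
BARE = (
    "Return-Path: <sender@example.com>\n"
    "Received: from unknown (HELO 192.0.2.10) (192.0.2.10)\n"
    "  by mx.example.net with SMTP; 22 May 2005 04:30:01 -0000\n"
    "\n"
)
NORMAL = (
    "Received: from unknown (HELO mail.example.com) (192.0.2.20)\n"
    "  by mx.example.net with SMTP; 22 May 2005 04:31:00 -0000\n"
    "From: Alice <alice@example.com>\n"
    "Date: Sun, 22 May 2005 04:30:59 +0000\n"
    "Subject: Lunch\n"
    "Message-ID: <constructed-1@mail.example.com>\n"
    "\n"
    "See you at noon.\n"
)

def absence_findings(raw):
    """Report what a message lacks, independent of any content-based score."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    helos = [m.group(1) for r in msg.get_all("Received", [])
             for m in HELO_RE.finditer(r)]
    return {
        "missing": [h for h in EXPECTED if msg[h] is None],
        "empty_body": isinstance(body, str) and not body.strip(),
        "numeric_helo": any(IPV4_RE.fullmatch(h) for h in helos),
    }

def is_empty_shell(findings, min_missing=3):
    """Hypothetical local policy: several absent headers AND no body."""
    return len(findings["missing"]) >= min_missing and findings["empty_body"]

if __name__ == "__main__":
    for name, raw in (("bare", BARE), ("normal", NORMAL)):
        f = absence_findings(raw)
        print(name, f, "empty shell:", is_empty_shell(f))
```
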