Posted to users@spamassassin.apache.org by empiric <na...@gmail.com> on 2009/09/30 18:55:28 UTC
I am getting all external domain emails subject tagged as SpamSpam
Guys I am getting all my external domain emails tagged as SpamSpam

logs are attached.
mail headers

Return-Path: <us...@gmail.com>
Delivered-To: user@domain.com
Received: from localhost (localhost [127.0.0.1])
    by mail1.domain.com (Postfix) with ESMTP id 39B3C12B71D
    for <us...@domain.com>; Tue, 29 Sep 2009 10:19:57 +0600 (PKST)
X-Quarantine-ID: <asR-LhZoxUsQ>
X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
    whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
    =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
Received: from mail1.domain.com ([127.0.0.1])
    by localhost (mail2.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id asR-LhZoxUsQ for <us...@domain.com>;
    Tue, 29 Sep 2009 10:19:56 +0600 (PKST)
Received: from mail.domain.com (unknown [203.101.170.27])
    by mail1.domain.com (Postfix) with ESMTP id C6CF512B701
    for <us...@domain.com>; Tue, 29 Sep 2009 10:19:54 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
    by muses.domain.com (Postfix) with ESMTP id 6982319B322
    for <us...@domain.com>; Tue, 29 Sep 2009 10:19:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domain.com
Received: from mail.domain.com ([127.0.0.1])
    by localhost (mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id A1fSGV+XdA-K for <us...@domain.com>;
    Tue, 29 Sep 2009 10:19:49 +0600 (PKST)
Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com
    [209.85.221.191])
    by mail.domain.com (Postfix) with ESMTP id B3AB03BE38
    for <us...@domain.com>; Tue, 29 Sep 2009 10:19:44 +0600 (PKST)
Received: by qyk29 with SMTP id 29so3777375qyk.32
    for <us...@domain.com>; Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=gamma;
    h=domainkey-signature:mime-version:received:date:message-id:subject
    :from:to:content-type;
    bh=WoV7lT+YT3JKxromudz0thKd6Y5aCdlJ7QFXjsxBCvc=;
    b=suj1zJ/bZjwhfYDIy4YWp9YGpL4TFSKVOPm0R8ps0+kIV4SlldvI8A23Vtd2eXAzhd
    /pdlqvr7uGT4MR777LO27yKPEaNjqT2dPEVlFXAtc+vQq0Ib2WPPQMR70+77h7Bcfkir
    IIELi+qXFfqj4/IpAcTlP3YtSFfwj42KT+MJs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
    d=gmail.com; s=gamma;
    h=mime-version:date:message-id:subject:from:to:content-type;
    b=mHuhtzREpgetfc3a2kwtOBZZ47s0NR/Qje/GDeE5ZzNUMxOdvU9TtLZqZUM1KVDv6u
    dTs/wcIM133W1aDhZJzp4YTFIfmzCz1M/YJeo7+lDNcHERQ0Y6ilLjzoZ7NRf69H3bKn
    RGQxQ9yCAjwLI3FbAgyDtZtW7CYFyKBWNP7M8=
MIME-Version: 1.0
Received: by 10.229.1.65 with SMTP id 1mr1690588qce.20.1254197980062; Mon, 28
    Sep 2009 21:19:40 -0700 (PDT)
Date: Tue, 29 Sep 2009 10:19:40 +0600
Message-ID: <a2...@mail.gmail.com>
Subject: =?utf-8?Q?Spam?=
    =?utf-8?Q?Spam=0D=0A=20helo123?=

spamassassin debug logs
#spamassassin -t -D
X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on mail.domaon.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
    DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
    SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
Delivered-To: user@domaon.com
Received: from localhost (localhost [127.0.0.1])
    by mail1.domaon.com (Postfix) with ESMTP id C13911B32DB
    for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail1.domaon.com ([127.0.0.1])
    by localhost (mail1.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id p23bnIio88SC for <us...@domaon.com>;
    Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail.domaon.com (unknown [203.101.170.27])
    by mail1.domaon.com (Postfix) with ESMTP id 22F7D1B32D7
    for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
    by mail.domaon.com (Postfix) with ESMTP id 976D319B330
    for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domaon.com
Received: from mail.domaon.com ([127.0.0.1])
    by localhost (mail.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id el+R1y6R6iaa for <us...@domaon.com>;
    Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from snt0-omc1-s35.snt0.hotmail.com
    (snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
    by mail.domaon.com (Postfix) with ESMTP id D14C419B32D
    for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:52 +0600 (PKST)
Received: from SNT106-W54 ([65.55.90.7]) by
    snt0-omc1-s35.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Wed, 30 Sep 2009 04:03:47 -0700
Message-ID: <SN...@phx.gbl>
Content-Type: multipart/alternative;
    boundary="_4abea601-ec42-4378-af03-83675013aef6_"
X-Originating-IP: [125.209.118.102]
From: mohsin alizai <mo...@hotmail.com>
To: <us...@domaon.com>
Subject: =?utf-8?Q?Spam?=
    =?utf-8?Q?Spam=0D=0A=20test?=
Date: Wed, 30 Sep 2009 11:03:47 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Sep 2009 11:03:47.0973 (UTC)
    FILETIME=[AF55A350:01CA41BD]
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com

--_4abea601-ec42-4378-af03-83675013aef6_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

test =0A=
_________________________________________________________________=0A=
Lauren found her dream laptop. Find the PC that=92s right for you.=0A=
http://www.microsoft.com/windows/choosepc/?ocid=3Dftp_val_wl_290=

--_4abea601-ec42-4378-af03-83675013aef6_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>

<body class=3D'hmmessage'>
test <br /><hr />Lauren found her dream laptop. <a href=3D'http:=
//www.microsoft.com/windows/choosepc/?ocid=3Dftp_val_wl_290' target=3D'_new=
'>Find the PC that=92s right for you.</a></body>
</html>=

--_4abea601-ec42-4378-af03-83675013aef6_--

Spam detection software, running on the system "mail.domaon.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: test Lauren found her dream laptop. Find the PC that’s
right for you.
http://www.microsoft.com/windows/choosepc/?ocid=ftp_val_wl_290 test
[...]

Content analysis details: (4.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 SUBJECT_ENCODED_TWICE  Subject: MIME encoded twice
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.4 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.5 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.4 DNS_FROM_RFC_POST      RBL: Envelope sender in
                            postmaster.rfc-ignorant.org
 0.0 SUBJECT_EXCESS_QP      Subject: quoted-printable encoded unnecessarily

-- 
Regards

--
View this message in context: http://www.nabble.com/I-am-getting-all-external-domain-emails-subject-tagged-as-SpamSpam-tp25685055p25685055.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: I am getting all external domain emails subject tagged as SpamSpam
Posted by Benny Pedersen <me...@junc.org>.
On Wed 30 Sep 2009 18:55:28 CEST, empiric wrote:
> Guys I am getting all my external domain emails tagged as SpamSpam
next time don't repost contents from a pastebin, give the link to it
--
xpoint
Re: I am getting all external domain emails subject tagged as SpamSpam
Posted by John Hardin <jh...@impsec.org>.
On Thu, 1 Oct 2009, empiric wrote:
> Oct 1 13:22:39 mail postfix/smtp[17579]: E0EAD19B349:
> to=<us...@example.com>, relay=mail.example.com[10.65.200.72]:25, delay=7.1,
> delays=0.09/0/0.01/7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> 3DD1212B701)
None of that really logs useful information to troubleshoot this problem.
You should try to see what the Subject: header is at each step of
processing, including how it's coming into your MTA from outside.
Can you set up a sniffer on port 25 and send in a message from the
Internet and see what the Subject: header says in the packet capture?
What programs is Amavis calling to process the message prior to SA?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You cannot bring about prosperity by discouraging thrift. You
cannot help small men by tearing down big men. You cannot
strengthen the weak by weakening the strong. You cannot lift the
wage-earner by pulling down the wage-payer. You cannot help the
poor man by destroying the rich. You cannot keep out of trouble by
spending more than your income. You cannot further the brotherhood
of man by inciting class hatred. You cannot establish security on
borrowed money. You cannot build character and courage by taking
away men's initiative and independence. You cannot help men
permanently by doing for them what they could and should do for
themselves. -- William J. H. Boetcker
-----------------------------------------------------------------------
Approximately 9081780 firearms legally purchased in the U.S. this year
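
The step-by-step comparison of the Subject: header suggested in the reply above can be scripted. This is an added example, not code from the thread, SpamAssassin or amavisd-new; the stage names and the first two captures are constructed, and the third Subject value is assembled from the X-Amavis-Alert text quoted in the thread.

```python
import base64
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

# Assembled from the X-Amavis-Alert text quoted in the thread; the exact
# whitespace at the start of each continuation line is an assumption.
ALERT_SUBJECT = "Subject: =?utf-8?Q?Spam?=\n =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n"

# Constructed captures: stage names and the first two values are hypothetical.
CAPTURES = [
    ("stage 1 (inbound capture)", "Subject: helo123\r\n"),
    ("stage 2", "Subject: helo123\r\n"),
    ("stage 3", ALERT_SUBJECT),
]


def decode_word(charset, encoding, payload):
    """Decode the payload of one encoded-word to text."""
    raw = payload.encode("ascii")
    if encoding.upper() == "B":
        data = base64.b64decode(raw)
    else:
        # Q encoding: "_" stands for a space, "=XX" for one hex-encoded byte.
        data = re.sub(rb"=([0-9A-Fa-f]{2})",
                      lambda m: bytes([int(m.group(1), 16)]),
                      raw.replace(b"_", b" "))
    try:
        return data.decode(charset, errors="replace")
    except LookupError:  # unknown charset label
        return data.decode("latin-1")


def decode_subject(value):
    """Decode a Subject value the way a mail client displays it.

    Whitespace between two adjacent encoded-words is dropped (RFC 2047),
    so two separately added tags render as one run of text.
    """
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value)
    joined = re.sub(r"(\?=)[ \t]+(?==\?)", r"\1", unfolded)
    return ENCODED_WORD.sub(lambda m: decode_word(*m.groups()), joined).strip()


def inspect_subject(raw_field):
    """Return (decoded text, findings) for one raw 'Subject:' field."""
    _, _, value = raw_field.partition(":")
    findings = []
    # A continuation line holding nothing but whitespace is the condition
    # named in the X-Amavis-Alert header.
    physical = re.split(r"\r?\n", value.rstrip("\r\n"))
    if any(line.strip() == "" for line in physical[1:]):
        findings.append("whitespace-only-fold")
    words = [decode_word(*w) for w in ENCODED_WORD.findall(value)]
    # CR/LF hidden inside an encoded-word becomes a raw line break on decode.
    if any("\r" in w or "\n" in w for w in words):
        findings.append("encoded-line-break")
    # The same text encoded twice in a row points at a tag applied twice.
    for prev, cur in zip(words, words[1:]):
        if prev and cur.startswith(prev):
            findings.append("repeated-tag:" + prev)
    return decode_subject(value), findings


def first_changed_stage(captures):
    """Return the first stage whose decoded Subject differs from the one before."""
    previous = None
    for stage, raw_field in captures:
        text, _ = inspect_subject(raw_field)
        if previous is not None and text != previous:
            return stage
        previous = text
    return None


if __name__ == "__main__":
    for stage, raw_field in CAPTURES:
        text, findings = inspect_subject(raw_field)
        print(f"{stage}: {text!r} {findings}")
    print("first change at:", first_changed_stage(CAPTURES))
```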
Re: I am getting all external domain emails subject tagged as SpamSpam
Posted by empiric <na...@gmail.com>.
more logs
Oct 1 13:22:20 mail amavis[17226]: (17226-02) LMTP< RCPT
TO:<us...@example.com> ORCPT=rfc822;user@example.com\r\n
Oct 1 13:22:20 mail amavis[17226]: (17226-02) LMTP> 250 2.1.5 Recipient
user@example.com OK
Oct 1 13:22:20 mail amavis[17226]: (17226-02) LMTP::10024
/var/lib/amavis/tmp/amavis-20091001T131825-17226:
<mo...@hotmail.com> -> <mo...@example.com>
SIZE=1911 Received: from mail.example.com ([127.0.0.1]) by localhost
(mail.example.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP; Thu, 1
Oct 2009 13:22:20 +0600 (PKST)
Oct 1 13:22:20 mail amavis[17226]: (17226-02) Checking: k-6-c3dQQGNL
<mo...@hotmail.com> -> <mo...@example.com>
Oct 1 13:22:20 mail amavis[17226]: (17226-02) query_keys: user@example.com,
user@, example.com, .example.com, .com.pk, .pk, .
Oct 1 13:22:20 mail amavis[17226]: (17226-02)
lookup_hash(user@example.com), no matches
Oct 1 13:22:20 mail amavis[17226]: (17226-02) lookup (bypass_virus_checks)
=> undef, "user@example.com" does not match
Oct 1 13:22:20 mail amavis[17226]: (17226-02) lookup (bypass_header_checks)
=> true, "user@example.com" matches, result="1",
matching_key="(constant:1)"
Oct 1 13:22:20 mail amavis[17226]: (17226-02) query_keys: user@example.com,
user@, example.com, .example.com, .com.pk, .pk, .
Oct 1 13:22:20 mail amavis[17226]: (17226-02)
lookup_hash(user@example.com), no matches
Oct 1 13:22:20 mail amavis[17226]: (17226-02) lookup (bypass_banned_checks)
=> undef, "user@example.com" does not match
Oct 1 13:22:20 mail amavis[17226]: (17226-02) lookup (banned_filename), 1
matches for "user@example.com", results: "(constant:DEFAULT)"=>"DEFAULT"
Oct 1 13:22:20 mail amavis[17226]: (17226-02) collect banned table[0]:
user@example.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x8c680e8)
Oct 1 13:22:20 mail amavis[17226]: (17226-02) skip banned check for
user@example.com, same tables as previous, result =>
Oct 1 13:22:20 mail amavis[17226]: (17226-02) p.path user@example.com:
"P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=txt"
Oct 1 13:22:20 mail amavis[17226]: (17226-02) skip banned check for
user@example.com, same tables as previous, result =>
Oct 1 13:22:20 mail amavis[17226]: (17226-02) p.path user@example.com:
"P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Oct 1 13:22:31 mail amavis[17226]: (17226-02) query_keys: user@example.com,
user@, example.com, .example.com, .com.pk, .pk, .
Oct 1 13:22:31 mail amavis[17226]: (17226-02)
lookup_hash(user@example.com), no matches
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup (bypass_virus_checks)
=> undef, "user@example.com" does not match
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup (spam_tag2_level) =>
true, "user@example.com" matches, result="4.31",
matching_key="(constant:4.31)"
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup (spam_tag3_level) =>
undef, "user@example.com" does not match
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup (spam_kill_level) =>
true, "user@example.com" matches, result="4.31",
matching_key="(constant:4.31)"
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup (bypass_spam_checks)
=> true, "user@example.com" matches, result="1",
matching_key="(constant:1)"
Oct 1 13:22:31 mail amavis[17226]: (17226-02) final_destiny PASS, recip
user@example.com
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup (clean_quarantine_to)
=> true, "user@example.com" matches, result="clean-quarantine",
matching_key="(constant:clean-quarantine)"
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup => undef,
"user@example.com", no lookup tables
Oct 1 13:22:31 mail amavis[17226]: (17226-02) query_keys: user@example.com,
user@, example.com, .example.com, .com.pk, .pk, .
Oct 1 13:22:31 mail amavis[17226]: (17226-02)
lookup_hash(user@example.com), no matches
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup_acl(user@example.com)
matches key "example.com", result=1
Oct 1 13:22:31 mail amavis[17226]: (17226-02) lookup (local_domains) =>
true, "user@example.com" matches, result="1", matching_key="example.com"
Oct 1 13:22:31 mail amavis[17226]: (17226-02) headers CLUSTERING:
<us...@example.com> joining cluster
Oct 1 13:22:31 mail amavis[17226]: (17226-02) (about to connect to
[127.0.0.1]:10025) FWD via SMTP: <mo...@hotmail.com> ->
<mo...@example.com>
Oct 1 13:22:31 mail amavis[17226]: (17226-02) sending RCPT
TO:<us...@example.com>
Oct 1 13:22:31 mail amavis[17226]: (17226-02) response to RCPT TO for
<us...@example.com>: "250 2.1.5 Ok"
Oct 1 13:22:32 mail amavis[17226]: (17226-02) FWD via SMTP:
<mo...@hotmail.com> -> <mo...@example.com>, 250
2.6.0 Ok, id=17226-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
E0EAD19B349
Oct 1 13:22:32 mail amavis[17226]: (17226-02) dsn: from MTA 250 Clean
<mo...@hotmail.com> -> <us...@example.com>: on_succ=0, on_dly=1,
on_fail=1, never=0, warn_sender=, DSN_passed_on=1
Oct 1 13:22:32 mail amavis[17226]: (17226-02) DSN: SUCC from MTA 250 Clean,
no DSN requested: <mo...@hotmail.com> -> <us...@example.com>
Oct 1 13:22:32 mail amavis[17226]: (17226-02) Passed CLEAN, [65.55.90.7]
<mo...@hotmail.com> -> <mo...@example.com>,
Message-ID: <SN...@phx.gbl>, mail_id:
k-6-c3dQQGNL, Hits: -, queued_as: E0EAD19B349, 11559 ms
Oct 1 13:22:32 mail amavis[17226]: (17226-02) sending LMTP response for
<us...@example.com>: "250 2.6.0 Ok, id=17226-02, from MTA([127.0.0.1]:10025):
250 2.0.0 Ok: queued as E0EAD19B349"
Oct 1 13:22:32 mail postfix/lmtp[17620]: C364719B337:
to=<us...@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=15,
delays=3.7/0/0/12, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=17226-02, from
MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E0EAD19B349)
Oct 1 13:22:39 mail postfix/smtp[17579]: E0EAD19B349:
to=<us...@example.com>, relay=mail.example.com[10.65.200.72]:25, delay=7.1,
delays=0.09/0/0.01/7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
3DD1212B701)
empiric wrote:
>
> Guys
> I am getting all my external domain emails tagged as SpamSpam
>
> logs are attached.
> mail headers
>
> Return-Path: <us...@gmail.com>
> Delivered-To: user@domain.com
> Received: from localhost (localhost [127.0.0.1])
> by mail1.domain.com (Postfix) with ESMTP id 39B3C12B71D
> for <us...@domain.com>; Tue, 29 Sep 2009 10:19:57 +0600 (PKST)
> X-Quarantine-ID: <asR-LhZoxUsQ>
> X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely
> of
> whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
> =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
> Received: from mail1.domain.com ([127.0.0.1])
> by localhost (mail2.domain.com [127.0.0.1]) (amavisd-new, port 10024)
> with LMTP id asR-LhZoxUsQ for <us...@domain.com>;
> Tue, 29 Sep 2009 10:19:56 +0600 (PKST)
> Received: from mail.domain.com (unknown [203.101.170.27])
> by mail1.domain.com (Postfix) with ESMTP id C6CF512B701
> for <us...@domain.com>; Tue, 29 Sep 2009 10:19:54 +0600 (PKST)
> Received: from localhost (localhost [127.0.0.1])
> by muses.domain.com (Postfix) with ESMTP id 6982319B322
> for <us...@domain.com>; Tue, 29 Sep 2009 10:19:53 +0600 (PKST)
> X-Virus-Scanned: Debian amavisd-new at domain.com
> Received: from mail.domain.com ([127.0.0.1])
> by localhost (mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
> with LMTP id A1fSGV+XdA-K for <us...@domain.com>;
> Tue, 29 Sep 2009 10:19:49 +0600 (PKST)
> Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com
> [209.85.221.191])
> by mail.domain.com (Postfix) with ESMTP id B3AB03BE38
> for <us...@domain.com>; Tue, 29 Sep 2009 10:19:44 +0600 (PKST)
> Received: by qyk29 with SMTP id 29so3777375qyk.32
> for <us...@domain.com>; Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=gmail.com; s=gamma;
> h=domainkey-signature:mime-version:received:date:message-id:subject
> :from:to:content-type;
> bh=WoV7lT+YT3JKxromudz0thKd6Y5aCdlJ7QFXjsxBCvc=;
>
> b=suj1zJ/bZjwhfYDIy4YWp9YGpL4TFSKVOPm0R8ps0+kIV4SlldvI8A23Vtd2eXAzhd
>
> /pdlqvr7uGT4MR777LO27yKPEaNjqT2dPEVlFXAtc+vQq0Ib2WPPQMR70+77h7Bcfkir
> IIELi+qXFfqj4/IpAcTlP3YtSFfwj42KT+MJs=
> DomainKey-Signature: a=rsa-sha1; c=nofws;
> d=gmail.com; s=gamma;
> h=mime-version:date:message-id:subject:from:to:content-type;
>
> b=mHuhtzREpgetfc3a2kwtOBZZ47s0NR/Qje/GDeE5ZzNUMxOdvU9TtLZqZUM1KVDv6u
>
> dTs/wcIM133W1aDhZJzp4YTFIfmzCz1M/YJeo7+lDNcHERQ0Y6ilLjzoZ7NRf69H3bKn
> RGQxQ9yCAjwLI3FbAgyDtZtW7CYFyKBWNP7M8=
> MIME-Version: 1.0
> Received: by 10.229.1.65 with SMTP id 1mr1690588qce.20.1254197980062; Mon,
> 28
> Sep 2009 21:19:40 -0700 (PDT)
> Date: Tue, 29 Sep 2009 10:19:40 +0600
> Message-ID: <a2...@mail.gmail.com>
> Subject: =?utf-8?Q?Spam?=
> =?utf-8?Q?Spam=0D=0A=20helo123?=
>
>
>
> spamassassin debug logs
> #spamassassin -t -D
> X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on
> mail.domaon.com
> X-Spam-Level: ****
> X-Spam-Status: No, score=4.8 required=5.0
> tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
> DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
> SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
> Delivered-To: user@domaon.com
> Received: from localhost (localhost [127.0.0.1])
> by mail1.domaon.com (Postfix) with ESMTP id C13911B32DB
> for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
> Received: from mail1.domaon.com ([127.0.0.1])
> by localhost (mail1.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
> with LMTP id p23bnIio88SC for <us...@domaon.com>;
> Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
> Received: from mail.domaon.com (unknown [203.101.170.27])
> by mail1.domaon.com (Postfix) with ESMTP id 22F7D1B32D7
> for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
> Received: from localhost (localhost [127.0.0.1])
> by mail.domaon.com (Postfix) with ESMTP id 976D319B330
> for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
> X-Virus-Scanned: Debian amavisd-new at domaon.com
> Received: from mail.domaon.com ([127.0.0.1])
> by localhost (mail.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
> with LMTP id el+R1y6R6iaa for <us...@domaon.com>;
> Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
> Received: from snt0-omc1-s35.snt0.hotmail.com
> (snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
> by mail.domaon.com (Postfix) with ESMTP id D14C419B32D
> for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:52 +0600 (PKST)
> Received: from SNT106-W54 ([65.55.90.7]) by snt0-omc1-s35.snt0.hotmail.com
> with Microsoft SMTPSVC(6.0.3790.3959);
> Wed, 30 Sep 2009 04:03:47 -0700
> Message-ID: <SN...@phx.gbl>
> Content-Type: multipart/alternative;
> boundary="_4abea601-ec42-4378-af03-83675013aef6_"
> X-Originating-IP: [125.209.118.102]
> From: mohsin alizai <mo...@hotmail.com>
> To: <us...@domaon.com>
> Subject: =?utf-8?Q?Spam?=
> =?utf-8?Q?Spam=0D=0A=20test?=
> Date: Wed, 30 Sep 2009 11:03:47 +0000
> Importance: Normal
> MIME-Version: 1.0
> X-OriginalArrivalTime: 30 Sep 2009 11:03:47.0973 (UTC)
> FILETIME=[AF55A350:01CA41BD]
> X-SpamInfo: return-email, failed to obtain DNS record for domain
> hotmail.com
> X-SpamInfo: return-email, failed to obtain DNS record for domain
> hotmail.com
>
> --_4abea601-ec42-4378-af03-83675013aef6_
> Content-Type: text/plain; charset="Windows-1252"
> Content-Transfer-Encoding: quoted-printable
>
>
> test =0A=
>
>
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> Guys I am getting all my external domain emails tagged as SpamSpam
>
> X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
> whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
> =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
...
> Subject: =?utf-8?Q?Spam?=
> =?utf-8?Q?Spam=0D=0A=20helo123?=
> spamassassin debug logs
> #spamassassin -t -D <email that i receive
>
> X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on mail.domaon.com
Your SA is quite old, can you upgrade to 3.2.5?
> X-Spam-Level: ****
> X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
> DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
> SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
SA doesn't think it's spam.
> Subject: =?utf-8?Q?Spam?=
> =?utf-8?Q?Spam=0D=0A=20test?=
Amavis is apparently doing something bad to your email. Is it your amavis,
or somebody else's?
I'd look at your upstream MTA (mail.domain.com? Did you obfuscate that?
Please note best practice is to obfuscate using "example.com", it's
intended for that purpose and people will recognize what you're doing) as
well. See if you can capture a message in its raw form before any of your
local tools have had an opportunity to modify it. Review your tool chain,
to see if it's being scanned twice somehow.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Think Microsoft cares about your needs at all?
"A company wanted to hold off on upgrading Microsoft Office for a
year in order to do other projects. So Microsoft gave a 'free' copy
of the new Office to the CEO -- a copy that of course generated
errors for anyone else in the firm reading his documents. The CEO
got tired of getting the 'please re-send in XX format' so he
ordered other projects put on hold and the Office upgrade to be top
priority." -- Cringely, 4/8/2004
-----------------------------------------------------------------------
Approximately 9021060 firearms legally purchased in the U.S. this year
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Nauman Yousuf <na...@gmail.com>.
What do you mean by dns not found? What does overloaded with ham mean?
On Thu, Oct 1, 2009 at 12:01 AM, Benny Pedersen <me...@junc.org> wrote:
> On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote
>
>> So - what am I missing without wading through all the HTML?
>>
>
> dns is not found? overloaded with ham so it can't detect spam?
>
> --
> xpoint
>
>
--
Regards
Nauman Yousuf
0312-2201455
E-Eager, N-Noble, G-Genuine, I-Intelligent, N-Natural, E-Enthusiastic,
E-Energetic, R-Resourceful --- ENGINEER
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Benny Pedersen <me...@junc.org>.
On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote
> So - what am I missing without wading through all the HTML?
dns is not found? overloaded with ham so it can't detect spam?
--
xpoint
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Evan Platt <ev...@espphotography.com>.
At 10:02 AM 9/30/2009, you wrote:
>Guys
>I am getting all my external domain emails tagged as SpamSpam
>logs are attached.
>mail headers
Once again, please don't post in HTML.
X-Spam-Status: No
So - what am I missing without wading through all the HTML?
Re: [sa] Re: I am getting all external domain emails subject tagged as SpamSpam
Posted by Mark Martinec <Ma...@ijs.si>.
On Wednesday 30 September 2009 19:25:52 Charles Gregory wrote:
> On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> > Guys I am getting all my external domain emails tagged as SpamSpam
> > mail headers
> > X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely
> > of whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
> > =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
>
> Well, according to this, amavis doesn't like the fact that the 'Subject'
> header is made up of many spaces. Looks like the original subject was
> 'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but
> AMAVIS considers this suspicious. Question would be, how did all those
> spaces get in there in the first place? Are you running the message
> through some sort of pre-process before sending it to SA?
>
> There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
> This suggests again, something is trying to encapsulate your subject
> before it gets to spamassassin. If this is happening on ALL your mail,
> then it is something in your front end.
You missed the point, it's not about 'many spaces' or 'trailing spaces',
but there was an illegal all-whitespace line in the header section,
just following the Subject, as reported:
Subject: ...?Q?Spam?=\n =?utf-8?Q?Spam=0D=0A=20h\
elo123?=\n \n
        ^^^^^
Mark
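The condition Mark describes can be checked on a raw message before it reaches any local filter. The following is an added example, not part of the thread and not amavisd-new's code: it scans the header section for a continuation line that holds only whitespace and, as this example's own heuristic, for encoded-words whose payload decodes to CR or LF. The names audit_headers and decode_payload and the sample message are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample modelled on the header quoted in the thread: a folded
# Subject followed by a continuation line that holds a single space.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: =?utf-8?Q?Spam?=\r\n"
    b" =?utf-8?Q?Spam=0D=0A=20helo123?=\r\n"
    b" \r\n"
    b"Date: Tue, 29 Sep 2009 10:19:40 +0600\r\n"
    b"\r\n"
    b"body\r\n"
)

ENCODED_WORD = re.compile(rb"=\?[^?\s]+\?([QqBb])\?([^?\s]*)\?=")

def decode_payload(encoding, payload):
    """Decode one RFC 2047 encoded-word payload to raw bytes."""
    if encoding.upper() == b"B":
        try:
            return base64.b64decode(payload)
        except binascii.Error:
            return b""
    text = payload.replace(b"_", b" ")  # Q encoding writes space as "_"
    return re.sub(rb"=([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text)

def audit_headers(raw):
    """Return (field name, issue) pairs for the header section of a raw message."""
    # The header section ends at the first truly empty line; a line holding
    # only spaces or tabs does not end it, which is why it is malformed.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    findings, name = [], "(none)"
    for line in head.split(b"\n"):
        line = line.rstrip(b"\r")
        if line[:1] in (b" ", b"\t"):
            # Continuation of the previous field: it must carry some content.
            if not line.strip():
                findings.append((name, "whitespace-only continuation line"))
        else:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
        for enc, payload in ENCODED_WORD.findall(line):
            decoded = decode_payload(enc, payload)
            if b"\r" in decoded or b"\n" in decoded:
                findings.append((name, "encoded-word decodes to CR/LF"))
    return findings

if __name__ == "__main__":
    for field, issue in audit_headers(SAMPLE):
        print(field, "->", issue)
```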
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Charles Gregory <cg...@hwcn.org>.
Firstly, PLEASE DIRECT ALL REPLIES TO LIST, not my personal email.
On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> I don't know how the subject is filled with spaces. What do I need to check?
> I am clueless; this has been happening for the last 3 days.
First question of troubleshooting: What changed?
If it worked 4 days ago, and didn't work 3 days ago, something changed
between 3 and 4 days to make it stop working. Isolate the time it stopped
working, and check for ALL changes to the server at that time. Files,
permissions, disk full, anything.....
- C
Re: [sa] Re: I am getting all external domain emails subject tagged
as SpamSpam
Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> Guys I am getting all my external domain emails tagged as SpamSpam
> mail headers
> X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
> whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
> =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
Well, according to this, amavis doesn't like the fact that the 'Subject'
header is made up of many spaces. Looks like the original subject was
'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but
AMAVIS considers this suspicious. Question would be, how did all those
spaces get in there in the first place? Are you running the message
through some sort of pre-process before sending it to SA?
There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
This suggests again, something is trying to encapsulate your subject
before it gets to spamassassin. If this is happening on ALL your mail,
then it is something in your front end.
- C
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Nauman Yousuf <na...@gmail.com>.
Guys I am getting all my external domain emails tagged as SpamSpam
logs are attached.
mail headers
Return-Path: <us...@gmail.com>
Delivered-To: user@domain.com
Received: from localhost (localhost [127.0.0.1])
by mail1.domain.com <http://hades.domain.com/> (Postfix) with ESMTP id
39B3C12B71D
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:57 +0600 (PKST)
X-Quarantine-ID: <asR-LhZoxUsQ>
X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
=?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
Received: from mail1.domain.com ([127.0.0.1])
by localhost (mail2.domain.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id asR-LhZoxUsQ for <us...@domain.com>;
Tue, 29 Sep 2009 10:19:56 +0600 (PKST)
Received: from mail.domain.com (unknown [203.101.170.27])
by mail1.domain.com (Postfix) with ESMTP id C6CF512B701
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:54 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
by muses.domain.com (Postfix) with ESMTP id 6982319B322
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domain.com
Received: from mail.domain.com <http://muses.domain.com/> ([127.0.0.1])
by localhost (mail.domain.com <http://muses.domain.com/> [127.0.0.1])
(amavisd-new, port 10024)
with LMTP id A1fSGV+XdA-K for <us...@domain.com>;
Tue, 29 Sep 2009 10:19:49 +0600 (PKST)
Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com
[209.85.221.191])
by mail.domain.com (Postfix) with ESMTP id B3AB03BE38
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:44 +0600 (PKST)
Received: by qyk29 with SMTP id 29so3777375qyk.32
for <us...@domain.com>; Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:message-id:subject
:from:to:content-type;
bh=WoV7lT+YT3JKxromudz0thKd6Y5aCdlJ7QFXjsxBCvc=;
b=suj1zJ/bZjwhfYDIy4YWp9YGpL4TFSKVOPm0R8ps0+kIV4SlldvI8A23Vtd2eXAzhd
/pdlqvr7uGT4MR777LO27yKPEaNjqT2dPEVlFXAtc+vQq0Ib2WPPQMR70+77h7Bcfkir
IIELi+qXFfqj4/IpAcTlP3YtSFfwj42KT+MJs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=mHuhtzREpgetfc3a2kwtOBZZ47s0NR/Qje/GDeE5ZzNUMxOdvU9TtLZqZUM1KVDv6u
dTs/wcIM133W1aDhZJzp4YTFIfmzCz1M/YJeo7+lDNcHERQ0Y6ilLjzoZ7NRf69H3bKn
RGQxQ9yCAjwLI3FbAgyDtZtW7CYFyKBWNP7M8=
MIME-Version: 1.0
Received: by 10.229.1.65 with SMTP id 1mr1690588qce.20.1254197980062; Mon,
28
Sep 2009 21:19:40 -0700 (PDT)
Date: Tue, 29 Sep 2009 10:19:40 +0600
Message-ID: <a2...@mail.gmail.com>
Subject: =?utf-8?Q?Spam?=
=?utf-8?Q?Spam=0D=0A=20helo123?=
spamassassin debug logs
#spamassassin -t -D <email that i receive
Return-Path: <mo...@hotmail.com>
X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on mail.domaon.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
Delivered-To: user@domaon.com
Received: from localhost (localhost [127.0.0.1])
by mail1.domaon.com (Postfix) with ESMTP id C13911B32DB
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail1.domaon.com ([127.0.0.1])
by localhost (mail1.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id p23bnIio88SC for <us...@domaon.com>;
Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail.domaon.com (unknown [203.101.170.27])
by mail1.domaon.com (Postfix) with ESMTP id 22F7D1B32D7
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
by mail.domaon.com (Postfix) with ESMTP id 976D319B330
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domaon.com
Received: from mail.domaon.com ([127.0.0.1])
by localhost (mail.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id el+R1y6R6iaa for <us...@domaon.com>;
Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from snt0-omc1-s35.snt0.hotmail.com
(snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
by mail.domaon.com (Postfix) with ESMTP id D14C419B32D
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:52 +0600 (PKST)
Received: from SNT106-W54 ([65.55.90.7]) by
snt0-omc1-s35.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 30 Sep 2009 04:03:47 -0700
Message-ID: <SN...@phx.gbl>
Content-Type: multipart/alternative;
boundary="_4abea601-ec42-4378-af03-83675013aef6_"
X-Originating-IP: [125.209.118.102]
From: mohsin alizai <mo...@hotmail.com>
To: <us...@domaon.com>
Subject: =?utf-8?Q?Spam?=
=?utf-8?Q?Spam=0D=0A=20test?=
Date: Wed, 30 Sep 2009 11:03:47 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Sep 2009 11:03:47.0973 (UTC)
FILETIME=[AF55A350:01CA41BD]
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com
--_4abea601-ec42-4378-af03-83675013aef6_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
test =0A=
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Evan Platt <ev...@espphotography.com>.
At 09:55 AM 9/30/2009, you wrote:
> 1.
> Guys I am getting all my external domain emails tagged as SpamSpam
> 2.
>
> 3.
> logs are attached.
> 4.
> mail headers
Please make this post more readable. No HTML, Plain Text only, any
large attachments should be on Pastebin or such, and... I don't even
know what's up with the line numbering.
I read as far as:
X-Spam-Status: No
and stopped there.