Posted to users@spamassassin.apache.org by "Martin G. Diehl" <md...@nac.net> on 2005/05/10 23:24:59 UTC
[Fwd: Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org]
Sorry if you see a double post ... it was my bad to forget to
remove the ** spam ** flags in the subject.
-------- Original Message --------
Subject: Re: *****SPAM***** SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org
Date: Tue, 10 May 2005 16:58:00 -0400
From: Martin G. Diehl <md...@nac.net>
To: Martin G. Diehl <md...@nac.net>
CC: SPAMassassin Users <us...@spamassassin.apache.org>
References: <42...@nac.net>
Martin G. Diehl wrote:
Thanks to everyone who responded ... you helped me think it through.
> Greetings,
>
> I am seeing some SpamAssassin eMail messages flagged as SPAM.
>
> That's probably not unusual, given the nature of our discussions and
> especially because we quote actual SPAM examples within our messages.
OTOH, try to visualize the congress critters trying (and failing) to
discuss 'int3rn3t p0rn' <g> without using any 'bad words' (TM). LOL
> I know that someone is going to say, "whitelist" ...
>
> The settings for my profile include
>
> Allowed Email Addresses
>
> users@spamassassin.apache.org
> dev@spamassassin.apache.org
I even added *@spamassassin.apache.org and I am still seeing whitelist
eMail giving false positives in SPAMassassin.
> For the most part, that works ... with only ~ 1% getting flagged as SPAM.
>
> I don't know exactly which package is doing the whitelist filtering, nor
> how that is integrated with the SpamAssassin scanning.
I was able to reach the eMail+QA administrator and discuss this issue ...
using one of today's misfires ... it seemed to be caused by the SPAMassassin
address being the 2nd address in the 'To:' and not being checked against my
whitelist. ... will be referred to their programmer.
> In the example quoted here, I think these are the applicable
> headers ...
>
> Return-Path:
> <us...@spamassassin.apache.org>
>
> Received: from unknown (HELO mail.apache.org) (209.237.227.199)
> by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
>
> From: "martin smith" <ma...@ntlworld.com>
> To: "'Rakesh'" <ra...@netcore.co.in>,
> "Spamassassin" <us...@spamassassin.apache.org>
>
> My 4 questions ...
[snip]
(1) and (2) seemed not to be a factor.
> (3) could the whitelist failure be caused by
>
> "Spamassassin" <us...@spamassassin.apache.org>
>
> appearing as the _second_ 'To:' address?
Seems to be this form of address and how they are checking it.
> Something else that troubles me about this eMail example ...
>
> X-Spam-Report:
> * 1.1 FORGED_RCVD_HELO Received: contains a forged HELO
>
> ... even though this looks OK ...
>
> Received: from unknown (HELO mail.apache.org) (209.237.227.199)
> by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
>
> OTOH, 209.237.227.199 resolves to mail.apache.org ... and
> spamassassin.apache.org resolves to 209.237.227.199
>
> (4) could that cause the whitelist failure?
will ask them again in a few days.
> Anything else I should consider?
>
> Thanks for listening.
>
> Here are all of the headers and the message text ...
>
>> From - Sat May 07 08:28:31 2005
>> X-UIDL: 1115462268.M554851P37120.mx3.oct
>> X-Mozilla-Status: 0001
>> X-Mozilla-Status2: 00000000
>> Return-Path: <us...@spamassassin.apache.org>
>> Delivered-To: mdiehl@nac.net
>> Received: (qmail 37070 invoked by uid 0); 7 May 2005 10:37:36 -0000
>> Received: from 209.237.227.199 by mx3.oct (envelope-from
>> <us...@spamassassin.apache.org>, uid 0)
>> with qmail-scanner-1.25 (uvscan: v4.2.40/v4295. sophie: 2.14/3.73.
>> f-prot: 4.1.1/3.13.4. spamassassin: 2.60-cvs.
>> Clear:RC:0(209.237.227.199):. Processed in 0.188536 secs); 07 May
>> 2005 10:37:36 -0000
>> X-Qmail-Scanner-Mail-From:
>> users-return-26818-mdiehl=nac.net@spamassassin.apache.org via mx3.oct
>> X-Qmail-Scanner: 1.25 (Clear:RC:0(209.237.227.199):. Processed in
>> 0.188536 secs)
>> Received: from unknown (HELO mail.apache.org) (209.237.227.199)
>> by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
>> Received: (qmail 61841 invoked by uid 500); 7 May 2005 10:40:04 -0000
>> Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
>> Precedence: bulk
>> list-help: <ma...@spamassassin.apache.org>
>> list-unsubscribe: <ma...@spamassassin.apache.org>
>> List-Post: <ma...@spamassassin.apache.org>
>> List-Id: <users.spamassassin.apache.org>
>> Delivered-To: mailing list users@spamassassin.apache.org
>> Received: (qmail 61826 invoked by uid 99); 7 May 2005 10:40:04 -0000
>> X-ASF-Spam-Status: No, hits=0.0 required=10.0
>> tests=
>> Received-SPF: pass (hermes.apache.org: domain of marti@ntlworld.com
>> designates 212.250.162.17 as permitted sender)
>> Received: from smtpout17.mailhost.ntl.com (HELO
>> mta09-winn.mailhost.ntl.com) (212.250.162.17)
>> by apache.org (qpsmtpd/0.28) with ESMTP; Sat, 07 May 2005 03:40:04
>> -0700
>> Received: from aamta04-winn.mailhost.ntl.com ([212.250.162.8])
>> by mta09-winn.mailhost.ntl.com with ESMTP
>> id
>> <20...@aamta04-winn.mailhost.ntl.com>
>>
>> for <us...@spamassassin.apache.org>;
>> Sat, 7 May 2005 11:37:05 +0100
>> Received: from marti.mine.nu ([81.106.206.105])
>> by aamta04-winn.mailhost.ntl.com with ESMTP
>> id
>> <20...@marti.mine.nu>
>> for <us...@spamassassin.apache.org>;
>> Sat, 7 May 2005 11:37:05 +0100
>> Received: from p42000 (martin [192.168.1.98])
>> by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
>> j47AawRY014071;
>> Sat, 7 May 2005 11:36:58 +0100
>> From: "martin smith" <ma...@ntlworld.com>
>> To: "'Rakesh'" <ra...@netcore.co.in>,
>> "Spamassassin" <us...@spamassassin.apache.org>
>> Subject: *****SPAM***** RE: Way to evade URI checks
>> Date: Sat, 7 May 2005 11:37:00 +0100
>> Message-ID:
>> <!~...@ntlworld.com>
>>
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>> charset="us-ascii"
>> Content-Transfer-Encoding: 7bit
>> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
>> Thread-Index: AcVS0HY4PWTqQht5TSKWb96NwD4Y8QAH9gAg
>> In-Reply-To: <42...@netcore.co.in>
>> X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
>> X-Virus-Checked: Checked
>> X-Spam-Prev-Subject: RE: Way to evade URI checks
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd1.oct
>> X-Spam-Level: ************
>> X-Spam-PrefsFile: nac.net/mdiehl
>> X-Spam-Status: Yes, score=12.7 required=4.7 tests=FORGED_RCVD_HELO,
>> RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_OB_SURBL,URIBL_SBL,
>> URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.0.2
>> X-Spam-Report: * 1.1 FORGED_RCVD_HELO Received: contains a forged
>> HELO
>> * 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level
>> above 50%
>> * [cf: 100]
>> * 1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
>> * 1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
>> * [URIs: coolestrxever.com]
>> * 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
>> blocklist
>> * [URIs: coolestrxever.com]
>> * 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
>> blocklist
>> * [URIs: coolestrxever.com]
>> * 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
>> blocklist
>> * [URIs: coolestrxever.com]
>>
>> M>-----Original Message-----
>> M>From: Rakesh [mailto:rakesh@netcore.co.in]
>> M>Sent: 07 May 2005 07:41
>> M>To: zones@lists.surbl.org; users@spamassassin.apache.org
>> M>Subject: Way to evade URI checks
>> M>
>> M>Seems Spammers have found a way to evade the URI checks
>> M>
>> M>the domain coolestrxever.com is listed in multi.surbl.org.
>> M>But the spammers managed to evade the URI checks by
>> M>appending special characters at the end of the url which are
>> M>happily allowed by the browsers.
>> M>
>> M>The spam that I received had
>> M>
>> M>http://www.coolestrxever.com: (a colon at the end of the url)
>> M>
>> M>After a bit of R&D I found the other options for spammers to
>> M>carry this technique
>> M>
>> M>http://www.coolestrxever.com; (a semicolon)
>> M>http://www.coolestrxever.com, (a comma)
>> M>http://www.coolestrxever.com. (a fullstop)
>> M>http://www.coolestrxever.com? (a question mark)
>> M>
>> M>With all these special characters at the end of the url, the URI
>> M>checks try to make the lookup as
>> M>
>> M>debug: querying for coolestrxever.com:.sc.surbl.org
>> M>
>> M>End result, passed the promising URI checks.
>> M>
>> M>I am seeing the first of its kind of spam. If any version of
>> M>Spamassassin fixes this in its URI retrieval program please
>> M>let me know
>> M>
>> M>--
>> There is a fix for these in the bugzilla; it came in correctly caught by
>> SURBL here, using 3.0.2.
>> There are two fixes I have applied and they seem to catch the URL split over
>> lines too, not sure if these are included in 3.0.3, I suspect this one
>> is.
>>
>> Martin
--
Martin G. Diehl
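Added example, not part of the thread above and not SpamAssassin's own code: it models the two problems discussed, a whitelist that only looks at the first To: recipient, and URIBL lookups built from a URI with punctuation glued to its end. The message, the whitelist entry and the set of trailing characters are constructed assumptions, and no DNS query is actually sent; only the lookup name is built.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not the thread's real message): the list address is the
# second To: recipient, and the body carries the trailing-punctuation URIs.
SAMPLE = """From: "martin smith" <martin@example.invalid>
To: "'Rakesh'" <rakesh@example.invalid>,
 "Spamassassin" <users@spamassassin.apache.org>
Subject: RE: Way to evade URI checks

http://www.coolestrxever.com: (a colon at the end of the url)
http://www.coolestrxever.com; http://www.coolestrxever.com,
http://www.coolestrxever.com. http://www.coolestrxever.com?
"""

WHITELIST = ["*@spamassassin.apache.org"]   # assumed whitelist entry, as in the thread
URI_RX = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
TRAILING_PUNCT = ":;,.?!)'\""                 # assumed set of characters browsers tolerate

def whitelist_matches(raw, patterns, all_recipients=True):
    """True if any To:/Cc: address matches a glob-style whitelist entry.
    With all_recipients=False only the first To: address is checked, which is
    the failure mode the thread describes."""
    msg = message_from_string(raw)
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if not all_recipients:
        addrs = addrs[:1]
    for pat in patterns:
        rx = re.compile("^" + re.escape(pat.lower()).replace(r"\*", ".*") + "$")
        if any(rx.match(a) for a in addrs):
            return True
    return False

def surbl_queries(raw, zone="multi.surbl.org", normalize=True):
    """Build the DNS names a URIBL check would query for each URI in the body.
    Without normalization a trailing ':' survives into the query name, the
    'coolestrxever.com:.sc.surbl.org' symptom quoted in the thread."""
    body = message_from_string(raw).get_payload()
    names = set()
    for host in URI_RX.findall(body):
        host = host.lower()
        if normalize:
            host = host.rstrip(TRAILING_PUNCT)      # drop punctuation glued to the URI
            host = re.sub(r":\d+$", "", host)       # drop an explicit port
        # SURBL zones list the registered domain; assume a plain two-label TLD here.
        domain = ".".join(host.split(".")[-2:])
        names.add(f"{domain}.{zone}")
    return sorted(names)
```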