You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Rejaine Monteiro <re...@bhz.jamef.com.br> on 2008/09/03 14:18:53 UTC
spam bypass spamassassin
Why this spam scored with 5.1 (requered 5.0) bypass spamassassin??
(clamdscan: 0.93/8144. spamassassin: 3.2.5.
Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
X-Spam-Status: Yes, score=5.1 required=5.0
X-Spam-Level: +++++
Re: spam bypass spamassassin
Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
maybe the problem is qmail-scanner and not spamassassin
my sa_quarantine_over is 0.1 (my $sa_quarantine_over='0.1';)
and qmail-scanner have a line like this:
<snip>
if ($sa_quarantine_over > 0 && ($sa_score - $sa_required_hits) >=
$sa_quarantine_over) {
&debug("SA: seriously spammy - quarantine and don't deliver");
$destring="SPAM";
$quarantine_description="SPAM content refused by this network
($sa_score/$sa_required_hits)";
$quarantine_spam="SA:SPAM-QUARANTINED";
$description .= "\n---spamassassin results ---\n$destring
'$quarantine_description'\n ($sa_comment) found in message $ENV{'TMPDIR'}";
<snip>
5.1 - 5.0 = 0.1
And 0.1 >= $sa_quarantine_over , so don't deliver and quarantine, but
message *was* delivered ..
Maybe this a bug on qmail-scanner (and not spamassasin)...
Rejaine Monteiro escreveu:
>
>
> Matus UHLAR - fantomas escreveu:
>> Why do you think it bypassed spamassassin? The whole fact the spam was
>> tagged means it did NOT bypass it, don't you think?
>>
>>
> Because I received this email in my mailbox (and many others like
> this) , so the spam was not blocked by spamassasin, although to
> receive score 5.1 (required 5.0)
>
>> I see no X-Spam-Version, maybe it was scored by SA on other machine.
>> But, always, it's not spamassassin question why some mail are not
>> passsed
>> through it...
>>
> I did not send the complete header of the message, therefore it did
> not appear the SA version.
>
> My intention was to only show that the message had score enough to be
> blocked, however it was delivered (not blocked)
>
> He follows all header below (I modified some confidential information) :
>
> Received: (qmail 4400 invoked by alias); 3 Sep 2008 08:32:21 -0300
> Delivered-To: user@mydomain
> Received: (qmail 4371 invoked by uid 368); 3 Sep 2008 08:32:21 -0300
> Received: from 209.85.217.31 by server1 (envelope-from
> <us...@gmail.com>, uid 365) with qmail-scanner-2.01
> (clamdscan: 0.93/8144. spamassassin: 3.2.5.
> Clear:RC:0(209.85.217.31):SA:1(5.1/5.0):.
> Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
> X-Spam-Status: Yes, score=5.1 required=5.0
> X-Spam-Level: +++++
> Received: from mail-gx0-f31.google.com (209.85.217.31)
> by mailserver.mydomain.com with SMTP; 3 Sep 2008 08:32:19 -0300
> Received-SPF: pass (mailserver.mydomain.com: SPF record at
> _spf.google.com designates 209.85.217.31 as permitted sender)
> Received: by gxk12 with SMTP id 12so2889720gxk.18
> for <us...@mydomain.com>; Wed, 03 Sep 2008 04:32:16 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=gmail.com; s=gamma;
> h=domainkey-signature:received:received:message-id:date:from:to
> :subject:in-reply-to:mime-version:content-type:references;
> bh=coZ1EmMjtIS0cmUKIQXRvZC31Xpo+lwlfWJOdLjsVZQ=;
>
> b=NmZuyJkV18ruiec999Su1vuQO5NH4xGJRK2VOF9gYqb1pH4oGTPBvr14AYHiI13f8v
>
> wEIeh140B1OfNKMDe2129sClZVdGtOhZPtf7SATI1/79AxBQ2b/vYb+DAuekl/N04xie
> cyobOumkw0kMyGiusVZcmtiBvAuJ51TsGtgCQ=
> DomainKey-Signature: a=rsa-sha1; c=nofws;
> d=gmail.com; s=gamma;
> h=message-id:date:from:to:subject:in-reply-to:mime-version
> :content-type:references;
>
> b=hyah72fhk0lmrwpOG9cXDT2K93HGA02C5vy7GKaLjnlCcBmOiRYi9tbttKQ3qt/hKf
>
> c7YAjfUmM7p9UYgqt7YY9ePmK334WNilEo34H8hY10bSe/LwGaXU1N5D6xzWvU07kL6u
> 10qNGdhMCUjrd+MD5lWg7kbRX1c/ZJW3hOZNw=
> Received: by 10.142.180.11 with SMTP id
> c11mr2999448wff.113.1220440859878;
> Wed, 03 Sep 2008 04:20:59 -0700 (PDT)
> Received: by 10.142.154.1 with HTTP; Wed, 3 Sep 2008 04:20:59 -0700 (PDT)
> Message-ID: <58...@mail.gmail.com>
> Date: Wed, 3 Sep 2008 08:20:59 -0300
> From: "User Sender" <us...@gmail.com>
> To: user@mydomain.com
> Subject: Nova modalidade de FURTO DE DIESEL!
> In-Reply-To:
> <58...@mail.gmail.com>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_Part_25106_5226581.1220440859861"
> References: <58...@mail.gmail.com>
> <58...@mail.gmail.com>
>
>
Re: spam bypass spamassassin
Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
correct..
my problem have name:qmail-scanner-queue.pl
;o)
thanks !
Evan Platt escreveu:
> Rejaine Monteiro wrote:
>> Because I received this email in my mailbox (and many others like
>> this) , so the spam was not blocked by spamassasin, although to
>> receive score 5.1 (required 5.0)
> Spamassassin doesn't "block" mails. You will still see messages with
> every score in your mailbox, unless you have some other device on your
> system saying "do not put messages with a score higher than X in my
> inbox."
Re: spam bypass spamassassin
Posted by Evan Platt <ev...@espphotography.com>.
Rejaine Monteiro wrote:
> Because I received this email in my mailbox (and many others like
> this) , so the spam was not blocked by spamassasin, although to
> receive score 5.1 (required 5.0)
Spamassassin doesn't "block" mails. You will still see messages with
every score in your mailbox, unless you have some other device on your
system saying "do not put messages with a score higher than X in my inbox."
Re: spam bypass spamassassin
Posted by mouss <mo...@netoyen.net>.
Rejaine Monteiro wrote:
>
> was I sayed before,
>
> my problem was detected.. it a qmail-scanner-queue issue.. not
> spamassin problem !
>
> in addition, my bad English helped to get worse the things.
>
> I use it program sufficient the time, but really I made confusion
> involving qmail-scanner and I expressed myself badly.
>
> forgives me if I seemed ignorant!
> forgives me by *stupid* question!
>
> peace!
peace? you'll have to wait for the next century :) for now, it's all war
around...
sorry if I sounded $(bad). but we see many posts asking why SA didn't
block/quarantne/folder/...
>
> mouss escreveu:
what? are you insulting me? I am not an escreveu :)
ok, let's get to more serious stuff (email isn't serious, don't you think?).
Re: spam bypass spamassassin
Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
was I sayed before,
my problem was detected.. it a qmail-scanner-queue issue.. not
spamassin problem !
in addition, my bad English helped to get worse the things.
I use it program sufficient the time, but really I made confusion
involving qmail-scanner and I expressed myself badly.
forgives me if I seemed ignorant!
forgives me by *stupid* question!
peace!
mouss escreveu:
>
> let's all get up and dance to a song that was hit before your mailer
> was born...
>
> SA does not block mail
> SA does not put mail in folders
> SA does not prepare dinner
> SA does not vote
>
>
Re: spam bypass spamassassin
Posted by mouss <mo...@netoyen.net>.
Rejaine Monteiro wrote:
>
>
> Matus UHLAR - fantomas escreveu:
>> Why do you think it bypassed spamassassin? The whole fact the spam was
>> tagged means it did NOT bypass it, don't you think?
>>
>>
> Because I received this email in my mailbox (and many others like this)
> , so the spam was not blocked by spamassasin,
so you installed spamassassin but you don't know what it does?
> although to receive
> score 5.1 (required 5.0)
let's all get up and dance to a song that was hit before your mailer was
born...
SA does not block mail
SA does not put mail in folders
SA does not prepare dinner
SA does not vote
Re: spam bypass spamassassin
Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
Matus UHLAR - fantomas escreveu:
> Why do you think it bypassed spamassassin? The whole fact the spam was
> tagged means it did NOT bypass it, don't you think?
>
>
Because I received this email in my mailbox (and many others like this)
, so the spam was not blocked by spamassasin, although to receive
score 5.1 (required 5.0)
> I see no X-Spam-Version, maybe it was scored by SA on other machine.
> But, always, it's not spamassassin question why some mail are not passsed
> through it...
>
I did not send the complete header of the message, therefore it did not
appear the SA version.
My intention was to only show that the message had score enough to be
blocked, however it was delivered (not blocked)
He follows all header below (I modified some confidential information) :
Received: (qmail 4400 invoked by alias); 3 Sep 2008 08:32:21 -0300
Delivered-To: user@mydomain
Received: (qmail 4371 invoked by uid 368); 3 Sep 2008 08:32:21 -0300
Received: from 209.85.217.31 by server1 (envelope-from <us...@gmail.com>,
uid 365) with qmail-scanner-2.01
(clamdscan: 0.93/8144. spamassassin: 3.2.5.
Clear:RC:0(209.85.217.31):SA:1(5.1/5.0):.
Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
X-Spam-Status: Yes, score=5.1 required=5.0
X-Spam-Level: +++++
Received: from mail-gx0-f31.google.com (209.85.217.31)
by mailserver.mydomain.com with SMTP; 3 Sep 2008 08:32:19 -0300
Received-SPF: pass (mailserver.mydomain.com: SPF record at
_spf.google.com designates 209.85.217.31 as permitted sender)
Received: by gxk12 with SMTP id 12so2889720gxk.18
for <us...@mydomain.com>; Wed, 03 Sep 2008 04:32:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:received:received:message-id:date:from:to
:subject:in-reply-to:mime-version:content-type:references;
bh=coZ1EmMjtIS0cmUKIQXRvZC31Xpo+lwlfWJOdLjsVZQ=;
b=NmZuyJkV18ruiec999Su1vuQO5NH4xGJRK2VOF9gYqb1pH4oGTPBvr14AYHiI13f8v
wEIeh140B1OfNKMDe2129sClZVdGtOhZPtf7SATI1/79AxBQ2b/vYb+DAuekl/N04xie
cyobOumkw0kMyGiusVZcmtiBvAuJ51TsGtgCQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=message-id:date:from:to:subject:in-reply-to:mime-version
:content-type:references;
b=hyah72fhk0lmrwpOG9cXDT2K93HGA02C5vy7GKaLjnlCcBmOiRYi9tbttKQ3qt/hKf
c7YAjfUmM7p9UYgqt7YY9ePmK334WNilEo34H8hY10bSe/LwGaXU1N5D6xzWvU07kL6u
10qNGdhMCUjrd+MD5lWg7kbRX1c/ZJW3hOZNw=
Received: by 10.142.180.11 with SMTP id c11mr2999448wff.113.1220440859878;
Wed, 03 Sep 2008 04:20:59 -0700 (PDT)
Received: by 10.142.154.1 with HTTP; Wed, 3 Sep 2008 04:20:59 -0700 (PDT)
Message-ID: <58...@mail.gmail.com>
Date: Wed, 3 Sep 2008 08:20:59 -0300
From: "User Sender" <us...@gmail.com>
To: user@mydomain.com
Subject: Nova modalidade de FURTO DE DIESEL!
In-Reply-To: <58...@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_25106_5226581.1220440859861"
References: <58...@mail.gmail.com>
<58...@mail.gmail.com>
Re: spam bypass spamassassin
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 03.09.08 09:18, Rejaine Monteiro wrote:
> Why this spam scored with 5.1 (requered 5.0) bypass spamassassin??
Why do you think it bypassed spamassassin? The whole fact the spam was
tagged means it did NOT bypass it, don't you think?
> (clamdscan: 0.93/8144. spamassassin: 3.2.5.
> Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
> Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
> X-Spam-Status: Yes, score=5.1 required=5.0
> X-Spam-Level: +++++
I see no X-Spam-Version, maybe it was scored by SA on other machine.
But, always, it's not spamassassin question why some mail are not passsed
through it...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.
Re: spam bypass spamassassin
Posted by Johann Spies <js...@sun.ac.za>.
On Wed, Sep 03, 2008 at 09:18:53AM -0300, Rejaine Monteiro wrote:
>
> Why this spam scored with 5.1 (requered 5.0) bypass spamassassin??
>
> (clamdscan: 0.93/8144. spamassassin: 3.2.5.
> Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
> Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
> X-Spam-Status: Yes, score=5.1 required=5.0
> X-Spam-Level: +++++
It did not bypass Spamassassin. Spamassassin did it's job by
classifying the message as spam. The rest is up to your mta.
Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch
"And he said unto his disciples, Therefore I say unto
you, Take no thought for your life, what ye shall eat:
neither for the body, what ye shall put on. The life
is more than meat, and the body is more than raiment.
Consider the ravens: for they neither sow nor reap;
which neither have storehouse nor barn; and God
feedeth them: how much more are ye better than the fowls!
Consider the lilies, how they grow: they toil
not, they spin not; and yet I say unto you, that
Solomon in all his glory was not arrayed like one of
these. If then God so clothe the grass, which is to
day in the field, and to morrow is cast into the oven;
how much more will he clothe you, O ye of little
faith? And seek not what ye shall eat, or what ye
shall drink, neither be ye of doubtful mind.
But rather seek ye the kingdom of God; and all these
things shall be added unto you."
Luke 12:22-24; 27-29; 31.
Re: spam bypass spamassassin
Posted by mouss <mo...@netoyen.net>.
Jason Esman wrote:
>
>> -----Original Message-----
>> From: Rejaine Monteiro [mailto:rejaine@bhz.jamef.com.br]
>> Sent: Wednesday, September 03, 2008 7:19 AM
>> To: users@spamassassin.apache.org
>> Subject: spam bypass spamassassin
>>
>>
>> Why this spam scored with 5.1 (requered 5.0) bypass spamassassin??
>>
>> (clamdscan: 0.93/8144. spamassassin: 3.2.5.
>> Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
>> Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
>> X-Spam-Status: Yes, score=5.1 required=5.0
>> X-Spam-Level: +++++
>
> I'm also seeing this, it is not that it bypass Spamassassin but that it is not adding the Subject. I've lately been getting a lot of spam that score 5.1 the spam threshold is 5.0 but at 5.1 it does not change the subject.
>
> An example:
>
> Subject: Aaca aaiiuo
> Date: Mon, 1 Sep 2008 06:18:26 -0500
> Message-ID: <ap...@post.book>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0018_01C90D17.8D566C70"
> X-Mailer: Microsoft Office Outlook 11
> Thread-Index: AckMJHQQXzDI+JlySi+ENdpaQUGHHQAAAAM+
> content-class: urn:content-classes:dsn
> x-originalarrivaltime: 01 Sep 2008 11:18:25.0639 (UTC) FILETIME=[73B55770:01C90C24]
> x-spam-level: +++++
> x-spam-status: Yes, score=5.1 required=5.0
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
> x-dsncontext: 7ce717b1 - 1391 - 00000002 - C00402D1
>
> This is a multi-part message in MIME format.
>
>
> Notice the subject does not say *****SPAM***** which is what we have rewrite subject set to.
>
How do you call SA? if you call SA from a program that adds its own
header (notice the case in the x-spam-* headers. here, they are
X-Spam-...), then the same program is probably responsible for changing
the subject. in which case, this is not an SA issue.
RE: spam bypass spamassassin
Posted by Jason Esman <ja...@venturenet.net>.
> -----Original Message-----
> From: Rejaine Monteiro [mailto:rejaine@bhz.jamef.com.br]
> Sent: Wednesday, September 03, 2008 7:19 AM
> To: users@spamassassin.apache.org
> Subject: spam bypass spamassassin
>
>
> Why this spam scored with 5.1 (requered 5.0) bypass spamassassin??
>
> (clamdscan: 0.93/8144. spamassassin: 3.2.5.
> Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
> Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
> X-Spam-Status: Yes, score=5.1 required=5.0
> X-Spam-Level: +++++
I'm also seeing this, it is not that it bypass Spamassassin but that it is not adding the Subject. I've lately been getting a lot of spam that score 5.1 the spam threshold is 5.0 but at 5.1 it does not change the subject.
An example:
Subject: Aaca aaiiuo
Date: Mon, 1 Sep 2008 06:18:26 -0500
Message-ID: <ap...@post.book>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0018_01C90D17.8D566C70"
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AckMJHQQXzDI+JlySi+ENdpaQUGHHQAAAAM+
content-class: urn:content-classes:dsn
x-originalarrivaltime: 01 Sep 2008 11:18:25.0639 (UTC) FILETIME=[73B55770:01C90C24]
x-spam-level: +++++
x-spam-status: Yes, score=5.1 required=5.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
x-dsncontext: 7ce717b1 - 1391 - 00000002 - C00402D1
This is a multi-part message in MIME format.
Notice the subject does not say *****SPAM***** which is what we have rewrite subject set to.
J