Posted to users@spamassassin.apache.org by "Martin G. Diehl" <md...@nac.net> on 2005/04/29 02:05:44 UTC
Message was recognized as SPAM but subject was not tagged
Greetings,
I saw a SPAM message that was not tagged as SPAM
even though SPAMassassin recognized it as SPAM.
I have included all of the headers ... just replaced
the content with '[snip]' ... you'll see those headers
below my name.
Here is my analysis (observations) of what is in the
headers after being processed by SPAMassassin ...
(a) the message has 2 'Subject:' headers
(b) the first subject header is the original unmodified
header from the SPAMmer: 'Subject: Urgent Security Notice'
(c) the second subject header is what SPAMassassin
generated: 'Subject: *****SPAM***** '
(d) the message was recognized as SPAM ... 'X-Spam-Flag: YES'
(e) all of the X-Spam- headers follow the message body
(f) this probably happened because the MIME headers are
intentionally miscoded.
(g) these 3 headers ('X-UIDL:', 'X-Mozilla-Status:', and
'X-Mozilla-Status2:') appear right after the 'FROM - date'
header which is an unusual position as well ...
From - Mon Apr 25 12:36:07 2005
X-UIDL: 1114445011.M327672P25855.mx4.oct
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <xg...@antronomia.com>
My questions ...
(1) has this come up before?
(2) is it possible for this to be a configuration error?
(3) is this a bug that should be passed along to the developers?
--
Martin G. Diehl
~-~-~-~-~-~-~-~-~-~-~-~-[beg_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~
From - Mon Apr 25 12:36:07 2005
X-UIDL: 1114445011.M327672P25855.mx4.oct
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <xg...@antronomia.com>
Delivered-To: mdiehl@nac.net
Received: (qmail 25794 invoked by uid 1005); 25 Apr 2005 16:03:19 -0000
Received: from xgnuxytjltrdq@antronomia.com by mx4.oct by uid 0 with qmail-scanner-1.20rc3
(sophie: 2.14/3.73. spamassassin: 2.60-cvs. Clear:RC:0:.
Processed in 0.95741 secs); 25 Apr 2005 16:03:19 -0000
X-Qmail-Scanner-Mail-From: xgnuxytjltrdq@antronomia.com via mx4.oct
X-Qmail-Scanner-Rcpt-To: mdiehl@nac.net
X-Qmail-Scanner: 1.20rc3 (Clear:RC:0:. Processed in 0.95741 secs)
Received: from unknown (HELO Sue-38) (83.104.159.186)
by rbl-mx4.oct.nac.net with SMTP; 25 Apr 2005 16:03:18 -0000
From: "Charter One BANK" <cu...@charteronebank.com>
To: <md...@nac.net>
Subject: Urgent Security Notice
Date: Mon, 25 Apr 2005 17:03:22 +0100
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <kf...@Sue-38>
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----fmkdahmjgeazvksmslealhoy"
X-Mailer: WEBMail
X-MimeOLE: Produced By Microsoft MimeOLE V4.00.2600.1106
This is a multi-part message in MIME format.
------fmkdahmjgeazvksmslealhoy
Content-Type: multipart/alternative;
boundary="----vjjqdusbszwilaadlkdvppfa"
------vjjqdusbszwilaadlkdvppfa
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
[snip]
------vjjqdusbszwilaadlkdvppfa
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
[snip]
------vjjqdusbszwilaadlkdvppfa--
------fmkdahmjgeazvksmslealhoy
Content-Type: image/gif;
name="tuzjytembpavuggfvypmopuj.gif"
Content-Transfer-Encoding: base64
Content-ID: <wa...@charterone.com>
Content-Disposition: inline;
filename="tuzjytembpavuggfvypmopuj.gif"
[snip]
------fmkdahmjgeazvksmslealhoy--
X-Qmail-Scanner-Message-ID: <11...@mx4.oct>
Subject: *****SPAM*****
X-Spam-Prev-Subject: (nonexistent)
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd6.oct.nac.net
X-Spam-Level: ******
X-Spam-PrefsFile: nac.net/mdiehl
X-Spam-Status: Yes, score=6.1 required=4.7 tests=FROM_ENDS_IN_NUMS,
FROM_HAS_ULINE_NUMS,MISSING_DATE,MISSING_SUBJECT,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=disabled version=3.0.2
X-Spam-Report:
* 0.5 FROM_ENDS_IN_NUMS From: ends in numbers
* 0.0 MISSING_DATE Missing Date: header
* 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
* [cf: 96]
* 1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 1.6 MISSING_SUBJECT Missing Subject: header
* 0.4 FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters
~-~-~-~-~-~-~-~-~-~-~-~-[end_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~
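
A check for the symptom described in this message, added here as an example and not part of the original post or of SpamAssassin: it splits a raw message at the first blank line and reports 'Subject:' and 'X-Spam-' lines that sit after the closing MIME boundary instead of in the header block. The function names and the sample message are constructed for illustration.

```python
import re

TAG = "*****SPAM*****"  # subject tag shown in the post
# Lines a filter should only ever write into the header block.
FILTER_LINE = re.compile(r"^(Subject|X-Spam-[\w-]+):", re.IGNORECASE)

def split_message(raw):
    """Split headers from body at the first empty line (RFC 5322)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if lines[0].startswith("From "):      # mbox separator line, not a header
        lines = lines[1:]
    cut = lines.index("") if "" in lines else len(lines)
    return lines[:cut], lines[cut + 1:]

def audit(raw):
    """Report filter headers that landed after the message body."""
    headers, body = split_message(raw)
    subjects = [h for h in headers if h.lower().startswith("subject:")]
    m = re.search(r'boundary="?([^";\s]+)', "\n".join(headers), re.IGNORECASE)
    tail = body                            # non-MIME mail: scan the whole body
    if m:                                  # multipart: scan only the epilogue
        close = "--" + m.group(1) + "--"
        tail = body[body.index(close) + 1:] if close in body else []
    stray = [l for l in tail if FILTER_LINE.match(l)]
    flagged = any(l.lower().startswith("x-spam-flag: yes") for l in stray)
    tagged = any(TAG in s for s in subjects)
    return {"header_subjects": subjects, "stray": stray,
            "misplaced": flagged and not tagged}

# Constructed sample with the same layout as the message in the post;
# addresses and boundary string are placeholders.
SAMPLE = (
    "From - Mon Apr 25 12:36:07 2005\n"
    "Return-Path: <sender@example.com>\n"
    "Subject: Urgent Security Notice\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/related;\n"
    ' boundary="----outer"\n'
    "\n"
    "This is a multi-part message in MIME format.\n"
    "------outer\n"
    "Content-Type: text/plain\n"
    "\n"
    "[snip]\n"
    "------outer--\n"
    "Subject: *****SPAM*****\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=6.1 required=4.7\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For a non-multipart message the whole body is scanned, so quoted or forwarded mail that contains such lines will also be reported.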