Posted to users@spamassassin.apache.org by "Martin G. Diehl" <md...@nac.net> on 2005/04/29 02:05:44 UTC

Message was recognized as SPAM but subject was not tagged

Greetings,

I saw a SPAM message that was not tagged as SPAM
even though SPAMassassin recognized it as SPAM.

I have included all of the headers ... just replaced
the content with '[snip]' ... you'll see those headers
below my name.

Here is my analysis (observations) of what is in the
headers after being processed by SPAMassassin ...

(a) the message has 2 'Subject:' headers

(b) the first subject header is the original unmodified
     header from the SPAMmer: 'Subject: Urgent Security Notice'

(c) the second subject header is what SPAMassassin
     generated: 'Subject: *****SPAM***** '

(d) the message was recognized as SPAM ... 'X-Spam-Flag: YES'

(e) all of the X-Spam- headers follow the message body

(f) this probably happened because the MIME headers are
     intentionally miscoded.

(g) these 3 headers ('X-UIDL:', 'X-Mozilla-Status:', and
     'X-Mozilla-Status2:') appear right after the 'FROM - date'
     header which is an unusual position as well ...

     From - Mon Apr 25 12:36:07 2005
     X-UIDL: 1114445011.M327672P25855.mx4.oct
     X-Mozilla-Status: 0000
     X-Mozilla-Status2: 00000000
     Return-Path: <xg...@antronomia.com>

My questions ...

(1) has this come up before?

(2) is it possible for this to be a configuration error?

(3) is this a bug that should be passed along to the developers?

--
Martin G. Diehl

~-~-~-~-~-~-~-~-~-~-~-~-[beg_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~
     From - Mon Apr 25 12:36:07 2005
     X-UIDL: 1114445011.M327672P25855.mx4.oct
     X-Mozilla-Status: 0000
     X-Mozilla-Status2: 00000000
     Return-Path: <xg...@antronomia.com>
     Delivered-To: mdiehl@nac.net
     Received: (qmail 25794 invoked by uid 1005); 25 Apr 2005 16:03:19 -0000
     Received: from xgnuxytjltrdq@antronomia.com by mx4.oct by uid 0 with qmail-scanner-1.20rc3
      (sophie: 2.14/3.73. spamassassin: 2.60-cvs.  Clear:RC:0:.
      Processed in 0.95741 secs); 25 Apr 2005 16:03:19 -0000
     X-Qmail-Scanner-Mail-From: xgnuxytjltrdq@antronomia.com via mx4.oct
     X-Qmail-Scanner-Rcpt-To: mdiehl@nac.net
     X-Qmail-Scanner: 1.20rc3 (Clear:RC:0:. Processed in 0.95741 secs)
     Received: from unknown (HELO Sue-38) (83.104.159.186)
       by rbl-mx4.oct.nac.net with SMTP; 25 Apr 2005 16:03:18 -0000
     From: "Charter One BANK" <cu...@charteronebank.com>
     To: <md...@nac.net>
     Subject: Urgent Security Notice
     Date: Mon, 25 Apr 2005 17:03:22 +0100
     X-Priority: 3
     X-MSMail-Priority: Normal
     Message-ID: <kf...@Sue-38>
     MIME-Version: 1.0
     Content-Type: multipart/related;
     	type="multipart/alternative";
     	boundary="----fmkdahmjgeazvksmslealhoy"
     X-Mailer: WEBMail
     X-MimeOLE: Produced By Microsoft MimeOLE V4.00.2600.1106
     This is a multi-part message in MIME format.
     ------fmkdahmjgeazvksmslealhoy
     Content-Type: multipart/alternative;
     	boundary="----vjjqdusbszwilaadlkdvppfa"
     ------vjjqdusbszwilaadlkdvppfa
     Content-Type: text/plain;
     	charset="us-ascii"
     Content-Transfer-Encoding: quoted-printable
     [snip]
     ------vjjqdusbszwilaadlkdvppfa
     Content-Type: text/html;
     	charset="us-ascii"
     Content-Transfer-Encoding: quoted-printable
     [snip]
     ------vjjqdusbszwilaadlkdvppfa--
     ------fmkdahmjgeazvksmslealhoy
     Content-Type: image/gif;
     	name="tuzjytembpavuggfvypmopuj.gif"
     Content-Transfer-Encoding: base64
     Content-ID: <wa...@charterone.com>
     Content-Disposition: inline;
      filename="tuzjytembpavuggfvypmopuj.gif"
     [snip]
     ------fmkdahmjgeazvksmslealhoy--
     X-Qmail-Scanner-Message-ID: <11...@mx4.oct>
     Subject: *****SPAM*****
     X-Spam-Prev-Subject: (nonexistent)
     X-Spam-Flag: YES
     X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd6.oct.nac.net
     X-Spam-Level: ******
     X-Spam-PrefsFile: nac.net/mdiehl
     X-Spam-Status: Yes, score=6.1 required=4.7 tests=FROM_ENDS_IN_NUMS,
     	FROM_HAS_ULINE_NUMS,MISSING_DATE,MISSING_SUBJECT,
     	RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=disabled version=3.0.2
     X-Spam-Report:
     	*  0.5 FROM_ENDS_IN_NUMS From: ends in numbers
     	*  0.0 MISSING_DATE Missing Date: header
     	*  2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
     	*      [cf:  96]
     	*  1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
     	*  1.6 MISSING_SUBJECT Missing Subject: header
     	*  0.4 FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters
~-~-~-~-~-~-~-~-~-~-~-~-[end_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~
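
A check for the symptom described in this post, added here as an example and not part of the original message: it parses a raw message and reports 'Subject:' and 'X-Spam-*' lines that sit after the final MIME boundary (or in the body of a non-multipart message) instead of in the header block. The function name, the regular expression and the sample message are constructed for illustration.

```python
import email
import re

# Lines that look like filter markup: a Subject: rewrite or any X-Spam-* header.
MARKUP_LINE = re.compile(r"^(Subject|X-Spam-[A-Za-z0-9-]+):", re.IGNORECASE)

def audit_spam_markup(raw: bytes) -> dict:
    """Report where spam-filter markup ended up in a raw message."""
    msg = email.message_from_bytes(raw)
    # Text outside the real header block where markup could have landed:
    # the epilogue after the closing MIME boundary, or the whole body of a
    # non-multipart message (heuristic: a forwarded message pasted into the
    # body would also match, so treat hits as something to inspect).
    if msg.is_multipart():
        trailing = msg.epilogue or ""
    else:
        trailing = msg.get_payload()
    stray = [m.group(1) for line in trailing.splitlines()
             if (m := MARKUP_LINE.match(line))]
    return {
        "subjects_in_header": msg.get_all("Subject", []),  # what the mail client shows
        "flag_in_header": msg.get("X-Spam-Flag"),          # what filters key on
        "stray_markup": stray,                             # markup a client will not see
    }

# Constructed sample that mirrors the layout in the post: the original Subject:
# is in the header block, the filter's lines follow the closing boundary.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"To: rcpt@example.test\r\n"
    b"Subject: Urgent Security Notice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"[snip]\r\n"
    b"--b1--\r\n"
    b"Subject: *****SPAM*****\r\n"
    b"X-Spam-Flag: YES\r\n"
)

if __name__ == "__main__":
    print(audit_spam_markup(SAMPLE))
```

A non-empty `stray_markup` together with `flag_in_header` being `None` corresponds to observations (c) through (e) above: the message was scored, but no client-side rule that matches on the header block will act on it.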