Posted to users@spamassassin.apache.org by "Sven Juergensen (KielNET)" <s....@kielnet.de> on 2007/11/27 11:05:25 UTC

Anonymous mail passing spamchecks

Dear list,

apologies in advance if I am lacking
something trivial or conceptual here.

I'm running SpamAssassin 3.1.7
on a Debian etch box. SpamAssassin
is doing queries against a MySQL-
backend, which basically defined
a global required_hits value of 10000
and a per user setting of 5, which is
supposed to 'enable' spamchecking on
an individual user basis.

Also, I put in a domain-based "user"
(%domain.com, preference, value, prefid)
in order to assign a score to every
mail directed to %domain.com.

This works as long as I don't do a
telnet smtp dialogue, which includes
just the ehlo, from and rcpt using an
empty body. What then happens is that
for some reason the $GLOBAL value is
used and no tagging takes place.

This is annoying, since spammers use
"that" to 'anonymize' themselves. There
must be something which mail clients do
differently than a plain telnet to
port 25 does.

What exactly does SpamAssassin process
to apply tags to an email? Is it the
envelope, the body or something in
between?

Thanks for any clues.

Best regards,

Sven Juergensen


With kind regards

i. A. Sven Juergensen

--
Department of
Information Technology

KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel

Phone   : 0431 / 2219-053
Fax     : 0431 / 2219-005
E-Mail  : s.juergensen@kielnet.de
Internet: http://www.kielnet.de

AS# 25295
Key fingerprint:
65B6 90FC 010A 39CE DCA5  336D 9C45 3B7A B02D E132

Managing Director: Eberhard Schmidt
HRB 4499 (Kiel Local Court)

Re: Anonymous mail passing spamchecks

Posted by Matt Kettler <mk...@verizon.net>.
Matt Kettler wrote:
>
>> This works as long as I don't do a
>> telnet smtp dialogue, which includes
>> just the ehlo, from and rcpt using an
>> empty body. What then happens is that
>> for some reason the $GLOBAL value is
>> used and no tagging takes place.
>>     
> That's particularly odd. How do you call spamassassin on your mail system?
>   
Side note:

The reason I'm asking about how you call SA is that it appears the wrong
user_prefs is being used. SpamAssassin itself does NOT try to figure out
what user_prefs to use. What user to act on behalf of is either implied
based on the user-id that executed the spamassassin process, or
explicitly specified by passing it after the -u parameter to spamc.

So, how you call SA is actually quite key to this problem, as that's
what decides what user_prefs will be used, not anything internal to SA.
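
Added example, not part of the original thread and not SpamAssassin's own code: a small model of the point above, showing how the username handed over by the caller decides which SQL preference rows take effect. The table layout, the query, the sample rows and the account name "nobody" are assumptions constructed for illustration.

```python
import sqlite3

# Constructed rows modelled on the thread: a global threshold that effectively
# disables tagging, a domain-wide row, and one per-user row.
ROWS = [
    ("$GLOBAL", "required_hits", "10000"),
    ("%domain.com", "required_hits", "8"),
    ("alice@domain.com", "required_hits", "5"),
]

# Assumed lookup: global, domain and user rows, sorted so that the most
# specific row is read last ('$' < '%' < letters in byte order).
QUERY = """
SELECT preference, value FROM userpref
WHERE username = :user OR username = '$GLOBAL' OR username = '%' || :domain
ORDER BY username ASC
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userpref (username TEXT, preference TEXT, value TEXT)")
    conn.executemany("INSERT INTO userpref VALUES (?, ?, ?)", ROWS)
    return conn

DB = make_db()

def effective_prefs(username, conn=DB):
    """Preferences in force for the username the caller handed over."""
    domain = username.split("@", 1)[1] if "@" in username else ""
    prefs = {}
    for pref, value in conn.execute(QUERY, {"user": username, "domain": domain}):
        prefs[pref] = value  # later (more specific) rows override earlier ones
    return prefs

def would_tag(score, username):
    """True if a message with this score reaches the user's required_hits."""
    return score >= float(effective_prefs(username)["required_hits"])

if __name__ == "__main__":
    # "nobody" stands in for whatever account the MTA or filter runs as.
    for user in ("alice@domain.com", "carol@domain.com", "nobody"):
        print(user, effective_prefs(user), would_tag(9.0, user))
```

If the calling script passes a process account instead of the recipient address, only the global row matches and the 10000 threshold applies, which matches the symptom reported in the thread.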

Re: Anonymous mail passing spamchecks

Posted by Matt Kettler <mk...@verizon.net>.
Sven Juergensen (KielNET) wrote:
> Dear list,
>
> apologies in advance if I am lacking
> something trivial or conceptual here.
>
> I'm running SpamAssassin 3.1.7
> on a Debian etch box. SpamAssassin
> is doing queries against a MySQL-
> backend, which basically defined
> a global required_hits value of 10000
> and a per user setting of 5, which is
> supposed to 'enable' spamchecking on
> an individual user basis.
>
> Also, I put in a domain-based "user"
> (%domain.com, preference, value, prefid)
> in order to assign a score to every
> mail directed to %domain.com.
>
> This works as long as I don't do a
> telnet smtp dialogue, which includes
> just the ehlo, from and rcpt using an
> empty body. What then happens is that
> for some reason the $GLOBAL value is
> used and no tagging takes place.
That's particularly odd. How do you call spamassassin on your mail system?
>
> This is annoying, since spammers use
> "that" to 'anonymize' themselves. There
> must be something which mail clients do
> differently than a plain telnet to
> port 25 does.
Eh? Do what to anonymize themselves? Use a telnet client? Hardly. They
use botnets.
>
> What exactly does SpamAssassin process
> to apply tags to an email? Is it the
> envelope, the body or something in
> between?
The full body, including all headers, but none of the envelope.

Depending on where you call SA in your mailchain, the envelope may or
may not affect how SA runs.