Posted to users@spamassassin.apache.org by George Breahna <ge...@top-consulting.net> on 2004/12/28 15:37:12 UTC

SpamAssassin Tests problem

Hello guys,

I have a bit of a problem matching some SPAM messages that make their way to
my users' mailboxes and then proceed to block Outlook from downloading any
messages whatsoever. My system is FreeBSD 4.9 running SA 3.0 (standard).
Below, I will post two examples of these SPAM messages:

Return-Path: <>
Delivered-To: user@domain.com
Received: (qmail 23239 invoked by uid 1010); 27 Dec 2004 21:46:08 -0000
Received: from 172.182.180.35 by cust02.top-consulting.net (envelope-from
<>, uid 89) with G-Filter-1.00 
Received: from unknown (HELO ACB6B423.ipt.aol.com) (172.182.180.35)
  by cust02.top-consulting.net with SMTP; 27 Dec 2004 21:46:03 -0000
Received: from  by 172.182.180.35; Mon, 27 Dec 2004 18:52:15 -0300
Message-ID: <L[20

And

Return-Path: <PX...@didamail.com>
Delivered-To: user@domain.com
Received: (qmail 42592 invoked by uid 1010); 28 Dec 2004 05:22:23 -0000
Received: from 62.150.128.164 by cust02.top-consulting.net (envelope-from
<PX...@didamail.com>, uid 89) with G-Filter-1.00 
Received: from unknown (HELO RECEPTION) (62.150.128.164)
  by cust02.top-consulting.net with SMTP; 28 Dec 2004 05:22:18 -0000
Received: from dns8[1



That's it. No subject, no date, no body... nothing. And I get TONS of these.
My attempts to solve this are the following:

I increased the MISSING_SUBJECT test score to 5.0 and I created a test called
EMPTY_BODY which looks like this:

body BODY_EMPTY /^\s*$/
describe BODY_EMPTY     No Body
score BODY_EMPTY 7.0

With this rule, I was able to stop test messages I would send myself from
remote accounts which had no subject and no body. I was thus very glad and I
thought the problem was fixed. Nonetheless, this morning I had yet more
complaints about the problem still happening (see the two messages above). I
went to see the logs. This is what I saw:

For message #1, the logs show this:

Dec 27 21:46:07 cust02 spamd[97071]: got connection over /var/run/spamd 
Dec 27 21:46:07 cust02 spamd[97071]: checking message <?L[20> for
user@domain.com:0. 
Dec 27 21:46:08 cust02 spamd[97071]: clean message (5.6/8.0) for
user@domain.com:0 in 0.5 seconds, 222 bytes.  
Dec 27 21:46:08 cust02 spamd[97071]: result: .  5 -
MISSING_DATE,MISSING_SUBJECT,RCVD_BY_IP
scantime=0.5,size=222,mid=<?L[20>,autolearn=no

For message #2, the logs show this:

Dec 28 05:22:21 cust02 spamd[41802]: got connection over /var/run/spamd 
Dec 28 05:22:21 cust02 spamd[41802]: checking message (unknown) for
user@domain.com:0.
Dec 28 05:22:23 cust02 spamd[41802]: clean message (5.6/8.0) for
user@domain.com:0 in 1.8 seconds, 148 bytes.  
Dec 28 05:22:23 cust02 spamd[41802]: result: .  5 -
MISSING_DATE,MISSING_SUBJECT
scantime=1.8,size=148,mid=(unknown),autolearn=no


Notice how in both cases the test BODY_EMPTY was not applied. I am not sure
why that's the case. I also tried having the rule look at the rawbody,
but that somehow matches a lot of real messages and fails to match my test
messages with an empty body?

Can anyone point me to a way to stop this kind of message?

Thank you!
George
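
Added example, not part of the original post: a small Python triage script that reads spamd "result:" entries in the format shown in the logs above (including the mail-wrapped form) and lists messages that were scored clean while hitting both MISSING_DATE and MISSING_SUBJECT at a very small size. The function names, the 512-byte max_size cutoff and the third log entry are assumptions made for this example.

```python
import re

# Constructed sample: the two "result:" entries from the post, wrapped as they
# appear there, plus one constructed entry for an ordinary message.
SAMPLE_LOG = """\
Dec 27 21:46:08 cust02 spamd[97071]: result: .  5 -
MISSING_DATE,MISSING_SUBJECT,RCVD_BY_IP
scantime=0.5,size=222,mid=<?L[20>,autolearn=no
Dec 28 05:22:23 cust02 spamd[41802]: result: .  5 -
MISSING_DATE,MISSING_SUBJECT
scantime=1.8,size=148,mid=(unknown),autolearn=no
Dec 28 06:10:02 cust02 spamd[41950]: result: .  0 - HTML_MESSAGE scantime=0.9,size=18432,mid=<constructed@example.org>,autolearn=no
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
RESULT = re.compile(
    r"^(?P<when>\w{3} [ \d]\d [\d:]{8}) \S+ spamd\[(?P<pid>\d+)\]: result: "
    r"(?P<verdict>\S)\s+(?P<score>-?\d+) - (?P<tests>\S*)\s*"
    r"scantime=[\d.]+,size=(?P<size>\d+),mid=(?P<mid>.*?),autolearn=")

def unwrap(text):
    """Join mail-wrapped continuation lines back onto their syslog entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if SYSLOG_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def header_only_suspects(text, max_size=512):
    """Return clean-scored entries that hit both MISSING_* tests at a tiny size."""
    # Assumptions: max_size is an arbitrary cutoff covering the 222- and 148-byte
    # samples; "." is the verdict on the entries the post's logs call "clean".
    hits = []
    for entry in unwrap(text):
        m = RESULT.match(entry)
        if not m:
            continue
        tests = set(filter(None, m["tests"].split(",")))
        if (m["verdict"] == "." and int(m["size"]) <= max_size
                and {"MISSING_DATE", "MISSING_SUBJECT"} <= tests):
            hits.append({"when": m["when"], "size": int(m["size"]),
                         "mid": m["mid"], "tests": sorted(tests)})
    return hits

if __name__ == "__main__":
    for hit in header_only_suspects(SAMPLE_LOG):
        print(hit)
```
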