Posted to users@spamassassin.apache.org by Evan Platt <ev...@espphotography.com> on 2009/09/30 18:58:55 UTC
Re: I am getting all external domain emails subject tagged as
SpamSpam
At 09:55 AM 9/30/2009, you wrote:
> 1.
> Guys I am getting all my external domain emails tagged as SpamSpam
> 2.
>
> 3.
> logs are attached.
> 4.
> mail headers
Please make this post more readable. No HTML, Plain Text only, any
large attachments should be on Pastebin or such, and... I don't even
know what's up with the line numbering.
I read as far as:
X-Spam-Status: No
and stopped there.
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> Guys I am getting all my external domain emails tagged as SpamSpam
>
> X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
> whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
> =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
...
> Subject: =?utf-8?Q?Spam?=
> =?utf-8?Q?Spam=0D=0A=20helo123?=
> spamassassin debug logs
> #spamassassin -t -D <email that i receive
>
> X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on mail.domaon.com
Your SA is quite old, can you upgrade to 3.2.5?
> X-Spam-Level: ****
> X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
> DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
> SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
SA doesn't think it's spam.
> Subject: =?utf-8?Q?Spam?=
> =?utf-8?Q?Spam=0D=0A=20test?=
Amavis is apparently doing something bad to your email. Is it your amavis,
or somebody else's?
I'd look at your upstream MTA (mail.domain.com? Did you obfuscate that?
Please note best practice is to obfuscate using "example.com", it's
intended for that purpose and people will recognize what you're doing) as
well. See if you can capture a message in its raw form before any of your
local tools have had an opportunity to modify it. Review your tool chain,
to see if it's being scanned twice somehow.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Think Microsoft cares about your needs at all?
"A company wanted to hold off on upgrading Microsoft Office for a
year in order to do other projects. So Microsoft gave a 'free' copy
of the new Office to the CEO -- a copy that of course generated
errors for anyone else in the firm reading his documents. The CEO
got tired of getting the 'please re-send in XX format' so he
ordered other projects put on hold and the Office upgrade to be top
priority." -- Cringely, 4/8/2004
-----------------------------------------------------------------------
Approximately 9021060 firearms legally purchased in the U.S. this year
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Nauman Yousuf <na...@gmail.com>.
What do you mean by DNS not found? What does overloaded with ham mean?
On Thu, Oct 1, 2009 at 12:01 AM, Benny Pedersen <me...@junc.org> wrote:
> On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote
>
>> So - what am I missing without wading through all the HTML?
>>
>
> dns is not found ?, overloaded with ham so it can't detect spam ?
>
> --
> xpoint
>
>
--
Regards
Nauman Yousuf
0312-2201455
E-Eager, N-Noble, G-Genuine, I-Intelligent, N-Natural, E-Enthusiastic,
E-Energetic, R-Resourceful --- ENGINEER
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Benny Pedersen <me...@junc.org>.
On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote
> So - what am I missing without wading through all the HTML?
dns is not found ?, overloaded with ham so it can't detect spam ?
--
xpoint
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Evan Platt <ev...@espphotography.com>.
At 10:02 AM 9/30/2009, you wrote:
>Guys
>I am getting all my external domain emails tagged as SpamSpam
>logs are attached.
>mail headers
Once again, please don't post in HTML.
X-Spam-Status: No
So - what am I missing without wading through all the HTML?
Re: [sa] Re: I am getting all external domain emails subject tagged as SpamSpam
Posted by Mark Martinec <Ma...@ijs.si>.
On Wednesday 30 September 2009 19:25:52 Charles Gregory wrote:
> On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> > Guys I am getting all my external domain emails tagged as SpamSpam
> > mail headers
> > X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely
> > of whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
> > =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
>
> Well, according to this, amavis doesn't like the fact that the 'Subject'
> header is made up of many spaces. Looks like the original subject was
> 'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but
> AMAVIS considers this suspicious. Question would be, how did all those
> spaces get in there in the first place? Are you running the message
> through some sort of pre-process before sending it to SA?
>
> There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
> This suggests again, something is trying to encapsulate your subject
> before it gets to spamassassin. If this is happening on ALL your mail,
> then it is something in your front end.
You missed the point, it's not about 'many spaces' or 'trailing spaces',
but there was an illegal all-whitespace line in the header section,
just following the Subject, as reported:
  Subject: ...?Q?Spam?=\n =?utf-8?Q?Spam=0D=0A=20h\
    elo123?=\n \n
            ^^^^^
Mark
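Added example (not part of the post above and not amavisd-new's own code): a rough Python check for the two defects visible in the quoted headers, a whitespace-only continuation line and a CR/LF encoded inside an RFC 2047 encoded-word. The header block is a constructed sample built around the Subject quoted in this thread; `split_fields` and `audit` are hypothetical names, and CRLF line endings are assumed.

```python
import re
from email.header import decode_header

# Constructed sample: header section only, modelled on the Subject quoted in this thread.
RAW_HEADERS = (
    b"Message-ID: <constructed@example.com>\r\n"
    b"Subject: =?utf-8?Q?Spam?=\r\n"
    b" =?utf-8?Q?Spam=0D=0A=20helo123?=\r\n"
    b" \r\n"
    b"Date: Tue, 29 Sep 2009 10:19:40 +0600\r\n"
)

def split_fields(raw):
    """Group physical lines into header fields; continuation lines start with SP or HTAB."""
    fields = []
    for line in raw.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1].append(line)      # folded continuation of the previous field
        elif line:
            fields.append([line])        # start of a new field
    return fields

def audit(raw):
    """Return (field name, problem) tuples for the two defects discussed above."""
    findings = []
    for lines in split_fields(raw):
        name = lines[0].split(b":", 1)[0].decode("ascii", "replace")
        # A folded line must not consist of whitespace only.
        for n, line in enumerate(lines[1:], start=2):
            if line.strip(b" \t") == b"":
                findings.append((name, "whitespace-only continuation line %d" % n))
        # Decode every RFC 2047 encoded-word and look for a line break hidden inside it.
        joined = b"".join(lines)
        for word in re.findall(rb"=\?[^?\s]+\?[QqBb]\?[^?\s]*\?=", joined):
            for payload, _charset in decode_header(word.decode("ascii")):
                if isinstance(payload, bytes) and (b"\r" in payload or b"\n" in payload):
                    findings.append((name, "CR/LF inside encoded-word " + word.decode("ascii")))
    return findings

if __name__ == "__main__":
    for finding in audit(RAW_HEADERS):
        print(finding)
```

Running it against a copy of the message captured before the first local filter and again after each hop shows which stage introduces the encoded line break and the blank folded line.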
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Charles Gregory <cg...@hwcn.org>.
Firstly, PLEASE DIRECT ALL REPLIES TO LIST, not my personal email.
On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> I don't know how the subject is filled with spaces. What do I need to check?
> I am clueless; this has been happening for the last 3 days.
First question of troubleshooting: What changed?
If it worked 4 days ago, and didn't work 3 days ago, something changed
between 3 and 4 days to make it stop working. Isolate the time it stopped
working, and check for ALL changes to the server at that time. Files,
permissions, disk full, anything.....
- C
Re: [sa] Re: I am getting all external domain emails subject tagged
as SpamSpam
Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> Guys I am getting all my external domain emails tagged as SpamSpam
> mail headers
> X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
> whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
> =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
Well, according to this, amavis doesn't like the fact that the 'Subject'
header is made up of many spaces. Looks like the original subject was
'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but
AMAVIS considers this suspicious. Question would be, how did all those
spaces get in there in the first place? Are you running the message
through some sort of pre-process before sending it to SA?
There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
This suggests again, something is trying to encapsulate your subject
before it gets to spamassassin. If this is happening on ALL your mail,
then it is something in your front end.
- C
Re: I am getting all external domain emails subject tagged as
SpamSpam
Posted by Nauman Yousuf <na...@gmail.com>.
Guys I am getting all my external domain emails tagged as SpamSpam
logs are attached.
mail headers
Return-Path: <us...@gmail.com>
Delivered-To: user@domain.com
Received: from localhost (localhost [127.0.0.1])
by mail1.domain.com <http://hades.domain.com/> (Postfix) with ESMTP id
39B3C12B71D
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:57 +0600 (PKST)
X-Quarantine-ID: <asR-LhZoxUsQ>
X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
=?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
Received: from mail1.domain.com ([127.0.0.1])
by localhost (mail2.domain.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id asR-LhZoxUsQ for <us...@domain.com>;
Tue, 29 Sep 2009 10:19:56 +0600 (PKST)
Received: from mail.domain.com (unknown [203.101.170.27])
by mail1.domain.com (Postfix) with ESMTP id C6CF512B701
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:54 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
by muses.domain.com (Postfix) with ESMTP id 6982319B322
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domain.com
Received: from mail.domain.com <http://muses.domain.com/> ([127.0.0.1])
by localhost (mail.domain.com <http://muses.domain.com/> [127.0.0.1])
(amavisd-new, port 10024)
with LMTP id A1fSGV+XdA-K for <us...@domain.com>;
Tue, 29 Sep 2009 10:19:49 +0600 (PKST)
Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com
[209.85.221.191])
by mail.domain.com (Postfix) with ESMTP id B3AB03BE38
for <us...@domain.com>; Tue, 29 Sep 2009 10:19:44 +0600 (PKST)
Received: by qyk29 with SMTP id 29so3777375qyk.32
for <us...@domain.com>; Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:message-id:subject
:from:to:content-type;
bh=WoV7lT+YT3JKxromudz0thKd6Y5aCdlJ7QFXjsxBCvc=;
b=suj1zJ/bZjwhfYDIy4YWp9YGpL4TFSKVOPm0R8ps0+kIV4SlldvI8A23Vtd2eXAzhd
/pdlqvr7uGT4MR777LO27yKPEaNjqT2dPEVlFXAtc+vQq0Ib2WPPQMR70+77h7Bcfkir
IIELi+qXFfqj4/IpAcTlP3YtSFfwj42KT+MJs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=mHuhtzREpgetfc3a2kwtOBZZ47s0NR/Qje/GDeE5ZzNUMxOdvU9TtLZqZUM1KVDv6u
dTs/wcIM133W1aDhZJzp4YTFIfmzCz1M/YJeo7+lDNcHERQ0Y6ilLjzoZ7NRf69H3bKn
RGQxQ9yCAjwLI3FbAgyDtZtW7CYFyKBWNP7M8=
MIME-Version: 1.0
Received: by 10.229.1.65 with SMTP id 1mr1690588qce.20.1254197980062;
Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
Date: Tue, 29 Sep 2009 10:19:40 +0600
Message-ID: <a2...@mail.gmail.com>
Subject: =?utf-8?Q?Spam?=
=?utf-8?Q?Spam=0D=0A=20helo123?=
spamassassin debug logs
#spamassassin -t -D <email that i receive
Return-Path: <mo...@hotmail.com>
X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on mail.domaon.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
Delivered-To: user@domaon.com
Received: from localhost (localhost [127.0.0.1])
by mail1.domaon.com (Postfix) with ESMTP id C13911B32DB
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail1.domaon.com ([127.0.0.1])
by localhost (mail1.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id p23bnIio88SC for <us...@domaon.com>;
Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail.domaon.com (unknown [203.101.170.27])
by mail1.domaon.com (Postfix) with ESMTP id 22F7D1B32D7
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
by mail.domaon.com (Postfix) with ESMTP id 976D319B330
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domaon.com
Received: from mail.domaon.com ([127.0.0.1])
by localhost (mail.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id el+R1y6R6iaa for <us...@domaon.com>;
Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from snt0-omc1-s35.snt0.hotmail.com
(snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
by mail.domaon.com (Postfix) with ESMTP id D14C419B32D
for <us...@domaon.com>; Wed, 30 Sep 2009 17:03:52 +0600 (PKST)
Received: from SNT106-W54 ([65.55.90.7]) by
snt0-omc1-s35.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 30 Sep 2009 04:03:47 -0700
Message-ID: <SN...@phx.gbl>
Content-Type: multipart/alternative;
boundary="_4abea601-ec42-4378-af03-83675013aef6_"
X-Originating-IP: [125.209.118.102]
From: mohsin alizai <mo...@hotmail.com>
To: <us...@domaon.com>
Subject: =?utf-8?Q?Spam?=
=?utf-8?Q?Spam=0D=0A=20test?=
Date: Wed, 30 Sep 2009 11:03:47 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Sep 2009 11:03:47.0973 (UTC)
FILETIME=[AF55A350:01CA41BD]
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com
--_4abea601-ec42-4378-af03-83675013aef6_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
test =0A=