Posted to users@spamassassin.apache.org by "Eggleton, Michael" <Mi...@emergis.com> on 2004/10/05 07:21:26 UTC

Spamassassin qmail-scanner hack

Hello All,

  (This is not directly a spamassassin issue, but may be very useful to
anyone using a spamassassin/qmail setup) 

  I have been having an issue with spam sent to my clients and not
quarantined even though the score was way over the limit.  This was
happening because of the following fake spammer line:

X-Spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no
	version=2.60-spam20030926a

  I figured this was a header and that qmail-scanner was reading this
header and not the real header:

X-Spam-Status: Yes, hits=9.9 required=5.0 tests=DNS_FROM_RFCI_DSN,HTML_70_80,
	HTML_FONTCOLOR_UNKNOWN,HTML_IMAGE_ONLY_06,HTML_MESSAGE,
	MIME_BOUND_NEXTPART,MIME_MISSING_BOUNDARY,RCVD_IN_DSBL,
	RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RCVD_NUMERIC_HELO,
	UPPERCASE_25_50 autolearn=no version=2.64

  But as I was told by so many smart people on this mailing list....
Spamassassin rewrites the headers. So how the heck is the bad header
still in the message after it is run through spamc/spamd ??

  Well it's because the header is not a header... It's part of the
message body.  So Spamassassin does not see it as a header and does not
remove or replace it.  Because it is in the message after the message is
spit back out of spamc, qmail-scanner sees this line last, overwrites
the real score with this spammer's score and lets the message through the
system and does not quarantine it.  

So I hacked qmail-scanner to stop this from happening:

Original lines:
  while (<SIN>) {
       print SOUT;
  }

New lines:
  while (<SIN>) {
      # Drop any line that looks like an X-Spam-Status header line
      if (/^X-Spam-Status: (Yes|No), (hits|score)=(-?[\d\.]*) required=([\d\.]*)/) {
          # HACK HACK HACK
      }
      else {
          print SOUT;
      }
  }

Hope this is helpful for anyone who was having this issue.
Thx
Mike
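
The header/body distinction described in the message above, shown as an added Perl example that is not part of the original post and is not qmail-scanner code: a whole-message scan lets a look-alike line in the body win, while a scan that stops at the first empty line and unfolds continuation lines reads only the real header. The sub names and the sample message are constructed for this illustration.

```perl
# Added illustration, not qmail-scanner code. Sub names and the sample
# message are constructed for this example.
use strict;
use warnings;

my $STATUS_RE = qr/^X-Spam-Status: (Yes|No), (?:hits|score)=(-?[\d.]+) required=([\d.]+)/;

# Naive scan: every matching line in the whole message counts and the
# last one wins, so a look-alike line in the body overrides the header.
sub naive_status {
    my $found;
    for my $line (@_) {
        $found = [$1, $2, $3] if $line =~ $STATUS_RE;
    }
    return $found;
}

# Header-only scan: stop at the first empty line (end of the header
# block) and unfold continuation lines that start with space or tab.
sub header_status {
    my @headers;
    for my $line (@_) {
        (my $l = $line) =~ s/\r?\n\z//;
        last if $l eq '';
        if ($l =~ /^[ \t]/ && @headers) {
            $headers[-1] .= $l;
        } else {
            push @headers, $l;
        }
    }
    for my $h (@headers) {
        return [$1, $2, $3] if $h =~ $STATUS_RE;
    }
    return;
}

# Constructed sample: real status in the header, fake line in the body.
my @msg = split /^/m, <<'EOM';
From: sender@example.com
X-Spam-Status: Yes, hits=9.9 required=5.0 tests=HTML_MESSAGE,
 RCVD_IN_XBL autolearn=no version=2.64
Subject: constructed sample

X-Spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME
Buy now.
EOM
printf "naive:       %s hits=%s\n", @{ naive_status(@msg) }[0, 1];
printf "header-only: %s hits=%s\n", @{ header_status(@msg) }[0, 1];
```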

Re: Spamassassin qmail-scanner hack

Posted by Loren Wilton <lw...@earthlink.net>.
> But as I was told by so many smart people
> on this mailing list.. Spamassassin rewrites the headers. So how the heck is
> the bad header still in the message after it is run through spamc/spamd ??
>   Well it's because the header is not a header. It's part of the message
> body.  So Spamassassin does

FWIW, you must have gotten some broken spams, or else that is a very new
characteristic.  Looking back thru the last month's spam, every spam that
has that fake header in it (or one of two near variations) actually had the
line in the headers, where it will (unfortunately) get stripped before it
can be analyzed.

Fortunately something over 90% of the spams using that line also have other
very easy to identify characteristics that will not get stripped.  :-)

        Loren