Posted to users@spamassassin.apache.org by "Martin G. Diehl" <md...@nac.net> on 2005/05/10 22:58:00 UTC

Re: *****SPAM***** SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Martin G. Diehl wrote:

Thanks to everyone who responded ... you helped me think it through.

> Greetings,
> 
> I am seeing some SpamAssassin eMail messages flagged as SPAM.
> 
> That's probably not unusual, given the nature of our discussions and
> especially because we quote actual SPAM examples within our messages.

OTOH, try to visualize the congress critters trying (and failing) to
discuss 'int3rn3t p0rn' <g> without using any 'bad words' (TM).  LOL

> I know that someone is going to say, "whitelist" ...
> 
> The settings for my profile include
> 
>     Allowed Email Addresses
> 
>     users@spamassassin.apache.org
>     dev@spamassassin.apache.org

I even added *@spamassassin.apache.org and I am still seeing whitelist
eMail giving false positives in SPAMassassin.

> For the most part, that works ... with only ~ 1% getting flagged as SPAM.
> 
> I don't know exactly which package is doing the whitelist filtering, nor
> how that is integrated with the SpamAssassin scanning.

I was able to reach the eMail+QA administrator and discuss this issue ...
using one of today's misfires ... it seemed to be caused by the SPAMassassin
address being the 2nd address in the 'To:' not being checked against my
whitelist.  ... will be referred to their programmer.

> In the example quoted here, I think these are the applicable
> headers ...
> 
>     Return-Path: 
> <us...@spamassassin.apache.org>
> 
>     Received: from unknown (HELO mail.apache.org) (209.237.227.199)
>       by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
> 
>     From: "martin smith" <ma...@ntlworld.com>
>     To: "'Rakesh'" <ra...@netcore.co.in>,
>        "Spamassassin" <us...@spamassassin.apache.org>
> 
> My 4 questions ...

[snip]

(1) and (2) seemed not to be a factor.

> (3) could the whitelist failure be caused by
> 
>     "Spamassassin" <us...@spamassassin.apache.org>
> 
>     appearing as the _second_ 'To:' address?

Seems to be this form of addresses and how they are checking.

> Something else that troubles me about this eMail example ...
> 
>     X-Spam-Report:
>           *  1.1 FORGED_RCVD_HELO Received: contains a forged HELO
> 
> ... even though this looks OK ...
> 
>     Received: from unknown (HELO mail.apache.org) (209.237.227.199)
>       by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
> 
> OTOH, 209.237.227.199 resolves to mail.apache.org ... and
>       spamassassin.apache.org resolves to 209.237.227.199
> 
> (4) could that cause the whitelist failure?

will ask them again in a few days.

> Anything else I should consider?
> 
> Thanks for listening.
> 
> Here are all of the headers and the message text ...
> 
>> From - Sat May 07 08:28:31 2005
>> X-UIDL: 1115462268.M554851P37120.mx3.oct
>> X-Mozilla-Status: 0001
>> X-Mozilla-Status2: 00000000
>> Return-Path: <us...@spamassassin.apache.org>
>> Delivered-To: mdiehl@nac.net
>> Received: (qmail 37070 invoked by uid 0); 7 May 2005 10:37:36 -0000
>> Received: from 209.237.227.199 by mx3.oct (envelope-from 
>> <us...@spamassassin.apache.org>, uid 0) 
>> with qmail-scanner-1.25  (uvscan: v4.2.40/v4295. sophie: 2.14/3.73. 
>> f-prot: 4.1.1/3.13.4. spamassassin: 2.60-cvs.  
>>  Clear:RC:0(209.237.227.199):.  Processed in 0.188536 secs); 07 May 
>> 2005 10:37:36 -0000
>> X-Qmail-Scanner-Mail-From: 
>> users-return-26818-mdiehl=nac.net@spamassassin.apache.org via mx3.oct
>> X-Qmail-Scanner: 1.25 (Clear:RC:0(209.237.227.199):. Processed in 
>> 0.188536 secs)
>> Received: from unknown (HELO mail.apache.org) (209.237.227.199)
>>   by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
>> Received: (qmail 61841 invoked by uid 500); 7 May 2005 10:40:04 -0000
>> Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
>> Precedence: bulk
>> list-help: <ma...@spamassassin.apache.org>
>> list-unsubscribe: <ma...@spamassassin.apache.org>
>> List-Post: <ma...@spamassassin.apache.org>
>> List-Id: <users.spamassassin.apache.org>
>> Delivered-To: mailing list users@spamassassin.apache.org
>> Received: (qmail 61826 invoked by uid 99); 7 May 2005 10:40:04 -0000
>> X-ASF-Spam-Status: No, hits=0.0 required=10.0
>>     tests=
>> Received-SPF: pass (hermes.apache.org: domain of marti@ntlworld.com 
>> designates 212.250.162.17 as permitted sender)
>> Received: from smtpout17.mailhost.ntl.com (HELO 
>> mta09-winn.mailhost.ntl.com) (212.250.162.17)
>>   by apache.org (qpsmtpd/0.28) with ESMTP; Sat, 07 May 2005 03:40:04 
>> -0700
>> Received: from aamta04-winn.mailhost.ntl.com ([212.250.162.8])
>>           by mta09-winn.mailhost.ntl.com with ESMTP
>>           id 
>> <20...@aamta04-winn.mailhost.ntl.com> 
>>
>>           for <us...@spamassassin.apache.org>;
>>           Sat, 7 May 2005 11:37:05 +0100
>> Received: from marti.mine.nu ([81.106.206.105])
>>           by aamta04-winn.mailhost.ntl.com with ESMTP
>>           id 
>> <20...@marti.mine.nu>
>>           for <us...@spamassassin.apache.org>;
>>           Sat, 7 May 2005 11:37:05 +0100
>> Received: from p42000 (martin [192.168.1.98])
>>     by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id 
>> j47AawRY014071;
>>     Sat, 7 May 2005 11:36:58 +0100
>> From: "martin smith" <ma...@ntlworld.com>
>> To: "'Rakesh'" <ra...@netcore.co.in>,
>>    "Spamassassin" <us...@spamassassin.apache.org>
>> Subject: *****SPAM***** RE: Way to evade URI checks
>> Date: Sat, 7 May 2005 11:37:00 +0100
>> Message-ID: 
>> <!~...@ntlworld.com> 
>>
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>>     charset="us-ascii"
>> Content-Transfer-Encoding: 7bit
>> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
>> Thread-Index: AcVS0HY4PWTqQht5TSKWb96NwD4Y8QAH9gAg
>> In-Reply-To: <42...@netcore.co.in>
>> X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
>> X-Virus-Checked: Checked
>> X-Spam-Prev-Subject: RE: Way to evade URI checks
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd1.oct
>> X-Spam-Level: ************
>> X-Spam-PrefsFile: nac.net/mdiehl
>> X-Spam-Status: Yes, score=12.7 required=4.7 tests=FORGED_RCVD_HELO,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_OB_SURBL,URIBL_SBL,
>>     URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.0.2
>> X-Spam-Report:     *  1.1 FORGED_RCVD_HELO Received: contains a forged 
>> HELO
>>     *  2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level 
>> above 50%
>>     *      [cf: 100]
>>     *  1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
>>     *  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
>>     *      [URIs: coolestrxever.com]
>>     *  0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL 
>> blocklist
>>     *      [URIs: coolestrxever.com]
>>     *  2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL 
>> blocklist
>>     *      [URIs: coolestrxever.com]
>>     *  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL 
>> blocklist
>>     *      [URIs: coolestrxever.com]
>>
>> M>-----Original Message-----
>> M>From: Rakesh [mailto:rakesh@netcore.co.in]
>> M>Sent: 07 May 2005 07:41
>> M>To: zones@lists.surbl.org; users@spamassassin.apache.org
>> M>Subject: Way to evade URI checks
>> M>
>> M>Seems Spammers have found a way to evade the URI checks
>> M>
>> M>the domain coolestrxever.com is listed in multi.surbl.org.
>> M>But the spammers managed to evade the URI checks by
>> M>appending special characters at the end of the url which are
>> M>happily allowed by the browsers.
>> M>
>> M>The spam that I received had
>> M>
>> M>http://www.coolestrxever.com: (a colon at the end of the url)
>> M>
>> M>After a bit of R&D I found the other options for spammers to
>> M>carry this technique
>> M>
>> M>http://www.coolestrxever.com; (a semicolon)
>> M>http://www.coolestrxever.com, (a comma)
>> M>http://www.coolestrxever.com. (a fullstop)
>> M>http://www.coolestrxever.com? (a question mark)
>> M>
>> M>With all these special characters at the end of url, URI
>> M>checks try to make lookup as
>> M>
>> M>debug: querying for coolestrxever.com:.sc.surbl.org
>> M>
>> M>End result, passed the promising URI checks.
>> M>
>> M>I am seeing the first of its kind of spam. If any version of
>> M>Spamassassin fixes this in its URI retrieval program please
>> M>let me know
>> M>
>> M>--
>> There is a fix for these in the bugzilla, came in correctly caught by
>> SURBL here, using 3.0.2.
>> There are two fixes I have applied and they seem to catch the URL split over
>> lines too, not sure if these are included in 3.0.3, I suspect this one
>> is.
>>
>> Martin

--
Martin G. Diehl
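To make the two mechanisms this thread turns on concrete, here is an added Python illustration. It is not SpamAssassin's own Perl code and was not posted by anyone in the thread. It shows a whitelist check that consults every recipient address instead of only the first 'To:' entry (the failure Martin describes with the list address in second position), and a URIBL/SURBL lookup-name builder that strips the trailing punctuation Rakesh lists, next to the weak variant that yields a name of the form 'coolestrxever.com:.sc.surbl.org' as in the quoted debug line. The sample headers and body are constructed; placeholder addresses stand in for the local parts the archive elides, and the two-level TLD set is a tiny stand-in for a real public-suffix list.

```python
import email
import email.utils
import re

# Constructed sample headers modelled on the message quoted in the thread.
# Local parts the archive elides are replaced with placeholder addresses.
SAMPLE_HEADERS = """\
Return-Path: <users-return-PLACEHOLDER@spamassassin.apache.org>
From: "martin smith" <sender@example.invalid>
To: "'Rakesh'" <rakesh@example.invalid>,
   "Spamassassin" <users@spamassassin.apache.org>
List-Id: <users.spamassassin.apache.org>
Subject: RE: Way to evade URI checks

(body omitted)
"""

# The three entries from Martin's profile, including the later wildcard.
WHITELIST = ["users@spamassassin.apache.org", "dev@spamassassin.apache.org",
             "*@spamassassin.apache.org"]


def _glob(pattern):
    """Turn a whitelist glob such as *@spamassassin.apache.org into a regex."""
    return re.compile("^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$")


def first_to_only(raw):
    """Weak form the thread describes: only the first 'To:' address is consulted."""
    msg = email.message_from_string(raw)
    addrs = email.utils.getaddresses(msg.get_all("To", []))
    return addrs[0][1].lower() if addrs else None


def whitelist_hit(raw, patterns=WHITELIST):
    """Corrected form: any To:, Cc: or Return-Path address may match a pattern.
    Returns the first matching address, or None."""
    msg = email.message_from_string(raw)
    regexes = [_glob(p) for p in patterns]
    for hdr in ("To", "Cc", "Return-Path"):
        for _name, addr in email.utils.getaddresses(msg.get_all(hdr, [])):
            addr = addr.lower()
            if addr and any(r.match(addr) for r in regexes):
                return addr
    return None


# Constructed body: the five evasion spellings Rakesh lists, plus a normal URL.
SAMPLE_BODY = """See http://www.coolestrxever.com: and http://www.coolestrxever.com;
also http://www.coolestrxever.com, http://www.coolestrxever.com. and
http://www.coolestrxever.com? plus https://shop.example.co.in:8080/item
"""

URI_RE = re.compile(r"(?i)\bhttps?://[^\s<>\"']+")
TRAILING_PUNCT = ":;,.?!)'\""
# Tiny constructed subset of two-level public suffixes; real lists are far longer.
TWO_LEVEL_TLDS = {"co.uk", "co.in", "com.au"}


def host_of(uri, strip_trailing=True):
    """Host part of a URI. With strip_trailing=False this reproduces the weak
    behaviour from the thread, where 'coolestrxever.com:' survives intact."""
    m = re.match(r"(?i)^https?://([^/?#]+)", uri)
    if not m:
        return None
    host = m.group(1).lower()
    if strip_trailing:
        host = host.rstrip(TRAILING_PUNCT)
    host = host.rsplit("@", 1)[-1]          # drop any user:pass@ prefix
    if re.fullmatch(r"[^:]+:\d+", host):    # drop an explicit port
        host = host.split(":", 1)[0]
    return host or None


def registered_domain(host):
    """Reduce a host name to the registered domain a SURBL lookup is keyed on."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(uri, zone="multi.surbl.org", strip_trailing=True):
    """DNS name that would be queried for this URI, e.g. coolestrxever.com.multi.surbl.org."""
    host = host_of(uri, strip_trailing)
    return f"{registered_domain(host)}.{zone}" if host else None


def lookup_names(body, strip_trailing=True):
    """All distinct lookup names for the URIs found in a message body."""
    return {surbl_query_name(u, strip_trailing=strip_trailing)
            for u in URI_RE.findall(body)}


if __name__ == "__main__":
    print("first To: only ->", first_to_only(SAMPLE_HEADERS))
    print("any recipient  ->", whitelist_hit(SAMPLE_HEADERS))
    print("weak lookup    ->", surbl_query_name("http://www.coolestrxever.com:",
                                                 zone="sc.surbl.org", strip_trailing=False))
    print("fixed lookups  ->", sorted(lookup_names(SAMPLE_BODY)))
```

Run stand-alone, the script shows the first-address check landing on the wrong recipient while the all-recipient check matches the list address, and all five punctuated spellings collapsing to the single name coolestrxever.com.multi.surbl.org once the trailing character is removed. A production implementation would replace the three-entry suffix set with a maintained public-suffix list and would also handle URIs split across lines, which Martin Smith's reply mentions as a separate fix.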