Posted to users@spamassassin.apache.org by Lars Ebeling <la...@leopg9.no-ip.org> on 2008/09/09 18:18:45 UTC
Fw: Antigen Notification: Antigen found a message matching a filter
Got this after sending message earlier to this list. Could someone here
explain it?
Regards
Lars Ebeling
----- Original Message -----
From: <An...@leopg9.no-ip.org>
To: <la...@leopg9.no-ip.org>
Sent: Tuesday, September 09, 2008 5:26 PM
Subject: Antigen Notification: Antigen found a message matching a filter
> Microsoft Antigen for SMTP found a message matching a filter. The message
> is currently Purged.
> Message: "Can_t build spamassassin 3.2.4 on HP_UX"
> Filter name: "KEYWORD= spam: porn"
> Sent from: "Lars Ebeling"
> Folder: "SMTP Messages\Inbound"
> Location: "psp/TRACYSV05"
>
>
>
Re: Fw: Antigen Notification: Antigen found a message matching a
filter
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2008-09-09 at 16:17 -0700, Evan Platt wrote:
> Karsten Bräckelmann wrote:
> >
> > What's got HTML to do with that?
>
> I believe mouss was talking about your prior message which likely was
> the trigger:
Wait. That is *not* my post. :)
I never, ever have been posting HTML to a mailing list. And I won't.
Anyway, as I explained before, the trigger (still talking about the
Antigen bounce, aren't we?) is not the HTML, but the occurrence of a
blacklisted word.
Yes, what Antigen does pretty much is everything what SA does not stand
for. *sigh*
> Subject: Can't build spamassassin 3.2.4 on HP-UX
>
> Which was filled with HTML.
>
> HTML shouldn't be posted to this list (or any list, IMHO.)
Agreed, wholeheartedly. :)
guenther
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Fw: Antigen Notification: Antigen found a message matching a
filter
Posted by Evan Platt <ev...@espphotography.com>.
Karsten Bräckelmann wrote:
>
> What's got HTML to do with that?
I believe mouss was talking about your prior message which likely was
the trigger:
Subject: Can't build spamassassin 3.2.4 on HP-UX
Which was filled with HTML.
HTML shouldn't be posted to this list (or any list, IMHO.)
Re: Fw: Antigen Notification: Antigen found a message matching a
filter
Posted by John Hardin <jh...@impsec.org>.
On Wed, 10 Sep 2008, Karsten Bräckelmann wrote:
> It's a lousy, braindead bare-word scanner, run by (or in front of) a
> subscriber to this list. It's known, and has been discussed before. (Too
> lazy to dig out the previous thread.)
Can we get the offender unsubscribed?
Is there a list policy to administratively unsubscribe people like that?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #9: Accuracy is relative: most combat
shooting standards will be more dependent on "pucker factor" than
the inherent accuracy of the gun.
-----------------------------------------------------------------------
8 days until the 221st anniversary of the signing of the U.S. Constitution
Re: Fw: Antigen Notification: Antigen found a message matching a
filter
Posted by mouss <mo...@netoyen.net>.
Karsten Bräckelmann wrote:
> On Tue, 2008-09-09 at 22:59 +0200, mouss wrote:
>> Lars Ebeling wrote:
>>> Got this after sending message earlier to this list. Could someone here
>>> explain it?
>> explain what?
>
> Oh, come on, mouss, had a bad day? :)
>
didn't eat enough headers (or too much?) ;-p
sorry.
>
>> - stop posting html to the list
>> - avoid posting spammy content. instead, use your web server and post
>> the URL here.
>
> What's got HTML to do with that? It's a lousy, braindead bare-word
> scanner, run by (or in front of) a subscriber to this list. It's known,
> and has been discussed before. (Too lazy to dig out the previous
> thread.)
>
> In Lars' case, Antigen triggered on the mere occurrence of the word
> 'porn'. I bet it recursively triggered on his subsequent forwarding to
> this list, too, which effectively resulted in this very thread. :)
>
Ah! that was that. but he has an SA in the path that fired the
PORN_URL_MISC rule (because of 20_porn.cf??). so the word appears twice.
> Just like that Antigen will trigger on this mail, because I mentioned
> the bad, bad word 'porn'. It will bounce this message as well.
>
let's see.
>
>> even your server (apparently) said: PORN_URL_MISC.
>
> Where did you get that from?
>
The post that supposedly generated the backscatter contains:
X-Old-Spam-Status: No, score=-0.4 required=5.0
tests=ALL_TRUSTED,AWL,BAYES_00,
HTML_MESSAGE,PORN_URL_MISC autolearn=ham version=3.1.0
Re: Fw: Antigen Notification: Antigen found a message matching a
filter
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2008-09-09 at 22:59 +0200, mouss wrote:
> Lars Ebeling wrote:
> > Got this after sending message earlier to this list. Could someone here
> > explain it?
>
> explain what?
Oh, come on, mouss, had a bad day? :)
> - stop posting html to the list
> - avoid posting spammy content. instead, use your web server and post
> the URL here.
What's got HTML to do with that? It's a lousy, braindead bare-word
scanner, run by (or in front of) a subscriber to this list. It's known,
and has been discussed before. (Too lazy to dig out the previous
thread.)
In Lars' case, Antigen triggered on the mere occurrence of the word
'porn'. I bet it recursively triggered on his subsequent forwarding to
this list, too, which effectively resulted in this very thread. :)
Just like that Antigen will trigger on this mail, because I mentioned
the bad, bad word 'porn'. It will bounce this message as well.
> even your server (apparently) said: PORN_URL_MISC.
Where did you get that from?
guenther
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Fw: Antigen Notification: Antigen found a message matching a
filter)
Posted by mouss <mo...@netoyen.net>.
Lars Ebeling wrote:
> So my mail was considered as Spam only and only because of it contained
> "opy/20_porn.cf" of this M$ Antigen.
>
or maybe also because it contained PORN_URL_MISC in the headers.
but whether it considered it spam is less problematic than bouncing it
to you. bounces should be sent to the envelope sender, which is the list
address. if it bounces to the From header address, then it's borked.
but it's more broken than that. It shouldn't bounce in the first place
(spam generally uses forged addresses, so bouncing to the "sender" is
bad unless you can guarantee that he really sent it). and even if it
bounces, it should bounce to the envelope sender, which is the list
address, and not to the From header address.
If you post the headers of the bounce (under Outlook, you need to find
the "options" option), we could find more infos.
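Added example (not part of the original thread): the addressing rule described in the post above, that a notification goes to the envelope sender and never to the From header address. The sample message, both addresses and the function names are constructed for illustration; the example covers only where a notice may go, not whether one should be sent at all.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list post as stored at final delivery. Return-Path
# records the envelope sender (MAIL FROM); both addresses are placeholders.
LIST_POST = """\
Return-Path: <users-bounces@list.example>
From: Author <author@sender.example>
To: users@list.example
Subject: build problem

body
"""


def notification_target(raw_message):
    """Address a delivery notification may go to, or None for no notification."""
    msg = message_from_string(raw_message)
    return_path = msg.get("Return-Path")
    if return_path is None:
        return None        # envelope sender unknown: do not guess from From:
    addr = parseaddr(return_path)[1]
    return addr or None    # "<>" (null sender): never answer a bounce with a bounce


def audit_notice(raw_message, notice_rcpt):
    """Classify where a filter's notification was actually sent."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    target = notification_target(raw_message)
    rcpt = notice_rcpt.lower()
    if target and rcpt == target.lower():
        return "envelope-sender"
    if rcpt == header_from:
        return "misdirected-to-header-from"
    return "other"
```

For list mail the two addresses differ, so a notice that lands in the author's mailbox, as the Antigen notification did here, is classified as misdirected.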
Re: Fw: Antigen Notification: Antigen found a message matching a filter)
Posted by Lars Ebeling <la...@leopg9.no-ip.org>.
So my mail was considered as Spam only and only because of it contained
"opy/20_porn.cf" of this M$ Antigen.
Lars
Re: Fw: Antigen Notification: Antigen found a message matching
a filter)
Posted by SM <sm...@resistor.net>.
At 21:20 09-09-2008, Lars Ebeling wrote:
>I am sorry for being such a bad person. I am using Outlook Express
>as mailclient and was not aware of the HTML code. Why is it such a
>big problem? However after looking around in the mailclients setup I
>have changed it.
Other mailing list subscribers may be using mail clients that only
support plain text messages. HTML formatted messages are larger in
size. HTML formatted messages might not be rendered correctly when
quoting a part to provide context. Some mailing lists are available
in a digest version. Using such a format makes it difficult to read.
HTML formatted messages are ideally suited for phishing as the actual
URLs can be obfuscated. The only advantage of a HTML formatted
message is that it looks pretty to the sender.
Coming back to the original question, the following line was in the
email you sent to the mailing list:
<BR>[24097] dbg: config: read file
/extra/Mail-SpamAssassin-3.2.4/t/log/test_rules_c<BR>opy/20_porn.cf
A server security product called Microsoft Antigen flagged it as spam
as it contains the word "porn" and sent a bounce message to the author of
that message.
Regards,
-sm
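Added example (not part of the original thread): a bare-word scan run over the debug line quoted above, next to the score-based verdict recorded in the X-Old-Spam-Status header quoted earlier in the thread. The one-entry blacklist and the function names are assumptions; the actual Antigen keyword list is not on the page.

```python
import re

# Debug line quoted in the thread (from the original list post).
DEBUG_LINE = ("<BR>[24097] dbg: config: read file "
              "/extra/Mail-SpamAssassin-3.2.4/t/log/test_rules_c<BR>opy/20_porn.cf")

# X-Old-Spam-Status value quoted in the thread, unfolded onto one line.
SPAM_STATUS = ("No, score=-0.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,"
               "HTML_MESSAGE,PORN_URL_MISC autolearn=ham version=3.1.0")

BLACKLIST = ("porn",)  # assumed list, for illustration only


def bare_word_hits(text, blacklist=BLACKLIST):
    """Substring scan: any occurrence anywhere counts, context is ignored."""
    lowered = text.lower()
    return [word for word in blacklist if word in lowered]


def parse_spam_status(value):
    """Parse a SpamAssassin X-Spam-Status value into its fields."""
    verdict, _, rest = value.partition(",")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {
        "flagged": verdict.strip().lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": fields.get("tests", "").split(","),
    }


def score_verdict(status):
    """Score-based decision: one rule hit only contributes to a total."""
    return status["score"] >= status["required"]
```

The substring scan flags the file name `20_porn.cf`, while the parsed header shows PORN_URL_MISC among the rule hits with a total of -0.4 against a required 5.0, so the score-based verdict stays "not spam".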
Re: Fw: Antigen Notification: Antigen found a message matching a filter
Posted by Lars Ebeling <la...@leopg9.no-ip.org>.
I am sorry for being such a bad person. I am using Outlook Express as
mailclient and was not aware of the HTML code. Why is it such a big problem?
However after looking around in the mailclients setup I have changed it.
My background: I started to study computers about 1973. It was specialized
on Numerical analysis. I was programming in Algol and Cobol. Then we were
using Saab D21 and later IBM 360 mainframes. My first job was
cobolprogramming on Univac 1100 (1976) using TTY. After that databus (DB/C)
on Datapoint minicomputers. I have never worked with C and know nothing
about it.
After advancing to technical responsible for Unix computers (Motorola and
HP) (OS, Oracledatabases and SAP), I lost my job when the company moved.
Then I got 2 obsolete HP-server with me home (D370 and D380). I am using the
D380 running HP-UX 11.11 . There I have installed some software: Postfix,
Apache, Qpopper, Clamav, Awstats, Hobbit, Spamassassin .....
Most installations have been without problems. But if I had any problems I
got answers on the mailing lists.
--
Regards
Lars Ebeling
http://leopg9.no-ip.org
Hobbithobbyist
"It is better to keep your mouth shut and appear stupid than to open it and
remove all doubt."
-- Mark Twain
----- Original Message -----
From: "mouss" <mo...@netoyen.net>
Cc: <us...@spamassassin.apache.org>
Sent: Tuesday, September 09, 2008 10:59 PM
Subject: Re: Fw: Antigen Notification: Antigen found a message matching a
filter
> Lars Ebeling wrote:
>> Got this after sending message earlier to this list. Could someone here
>> explain it?
>
> explain what?
>
> - stop posting html to the list
> - avoid posting spammy content. instead, use your web server and post the
> URL here.
>
> even your server (apparently) said: PORN_URL_MISC.
>
> anyway, when you post mail, show FULL HEADERS.
>
>
Re: Fw: Antigen Notification: Antigen found a message matching a
filter
Posted by mouss <mo...@netoyen.net>.
Lars Ebeling wrote:
> Got this after sending message earlier to this list. Could someone here
> explain it?
explain what?
- stop posting html to the list
- avoid posting spammy content. instead, use your web server and post
the URL here.
even your server (apparently) said: PORN_URL_MISC.
anyway, when you post mail, show FULL HEADERS.
Re: Fw: Antigen Notification: Antigen found a message matching a
filter
Posted by Jack Pepper <pe...@autoshun.org>.
Quoting Lars Ebeling <la...@leopg9.no-ip.org>:
> Got this after sending message earlier to this list. Could someone
> here explain it?
The most apparent explanation would be that Antigen is being stupid.
jp
--
Simple compliance is a hacker's best friend
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com