I reported a few weeks ago how SA was marking ALL our Exchange-to-Exchange mail as spam. We run an Exchange network internally, but route the "Exchange Site Connector" via our Qmail servers so that they can be virus/spam checked.
These mail messages are used by Exchange to route "non-mail" Exchange server synchronization data, i.e. they definitely don't have much in common with "normal" mail, and SA marks them as major spam. I have currently whitelisted our internal domains to get around this, but was thinking that this could probably be fixed within SA instead.

An example message follows as an attachment. SA 2.20 gives it big bad marks for having an empty To: line and "Message text disguised using base-64 encoding". The only base64 encoding is of a TNEF attachment - so I don't think that's right for a start... Looking at the code, it looks like check_for_base64_enc_text erroneously flows through the initial empty text/plain attachment and notices the base64 content of the TNEF attachment?

There's one thing about this msg type that makes it look pretty uniquely like an Exchange Site Connector message. The From line would always contain "/cn=Configuration/cn=Servers/" (maybe language specific - but that would be all). I've added the following to our /etc/mail/spamassassin/local.cf which appears to do a good job.

  score EXCHANGE_SITE_CONNECTOR -5.0
  describe EXCHANGE_SITE_CONNECTOR Microsoft Exchange Site Connector message
  header EXCHANGE_SITE_CONNECTOR From =~ /\/cn=Configuration\/cn=Servers\//

I can't say I've ever seen spam from that type of address, so could we add that as a permanent rule?

Thanks

-- 
Cheers
Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
From: /o=Trimble/ou=Our Site/cn=Configuration/cn=Servers/cn=SERVER1/cn=Microsoft Public MDB <[EMAIL PROTECTED]>
To: 
Subject: 
Date: Mon, 11 Mar 2002 16:37:44 -0800
X-MS-TNEF-Correlator: <1C0D666079DED211ADD8009027289B6C2A9ACC@SERVER1>
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C1C95E.20226B80"
X-Spam-Status: Yes, hits=8.0 required=5.0 tests=TO_MALFORMED,TO_EMPTY,FROM_HAS_MIXED_NUMS,MIME_NULL_BLOCK,BASE64_ENC_TEXT version=2.20
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.20 (devel $Id: SpamAssassin.pm,v 1.72 2002/03/08 20:06:49 hughescr Exp $)
X-Spam-Report: 8 hits, 5 required;
  * -0.1 -- To: has a malformed address
  * 4.5 -- To: is empty
  * 1.2 -- From: contains numbers mixed in with letters
  * -0.8 -- BODY: Correct for MIME 'null block'
  * 3.2 -- Message text disguised using base-64 encoding

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------_=_NextPart_000_01C1C95E.20226B80
Content-Type: text/plain

------_=_NextPart_000_01C1C95E.20226B80
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

eJ8+IjIAAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEFgAMADgAAANIHAwALABAA
...
------_=_NextPart_000_01C1C95E.20226B80--
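As an added example (not from the post above and not SpamAssassin's own code), this Python script parses a constructed copy of the attached message and applies the two checks discussed: the From: header rule from local.cf, and a "base64-encoded text" check that only counts text/* parts, so a base64 TNEF attachment is not reported as disguised message text. The address is a placeholder and the TNEF body is cut to its first line.

```python
import email
import re

# Constructed sample modelled on the Exchange Site Connector message quoted above;
# the address is a placeholder and the TNEF body is cut to its first base64 line.
SAMPLE = """\
From: /o=Trimble/ou=Our Site/cn=Configuration/cn=Servers/cn=SERVER1/cn=Microsoft Public MDB <mdb@example.invalid>
To:
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C1C95E.20226B80"

------_=_NextPart_000_01C1C95E.20226B80
Content-Type: text/plain

------_=_NextPart_000_01C1C95E.20226B80
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64

eJ8+IjIAAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEFgAMADgAAANIHAwALABAA
------_=_NextPart_000_01C1C95E.20226B80--
"""

# Same pattern as the local.cf rule: header EXCHANGE_SITE_CONNECTOR From =~ /\/cn=Configuration\/cn=Servers\//
SITE_CONNECTOR_RE = re.compile(r"/cn=Configuration/cn=Servers/")


def is_site_connector(raw):
    """True when the From: header carries the Exchange Site Connector path."""
    msg = email.message_from_string(raw)
    return bool(SITE_CONNECTOR_RE.search(msg.get("From", "")))


def base64_parts(raw, text_only):
    """Content types of base64-encoded leaf parts.
    text_only=True counts only text/* parts (what a "message text disguised using
    base64" test should look at); text_only=False counts every base64 part, which is
    what a check that runs past an empty text/plain part into the next attachment sees.
    """
    msg = email.message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no transfer encoding of their own
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        if text_only and part.get_content_maintype() != "text":
            continue  # a base64 TNEF attachment is not disguised message text
        hits.append(part.get_content_type())
    return hits
```

With the sample, the header rule matches, the text-only check finds nothing, and the over-broad check finds only the application/ms-tnef part, which is the false positive the post describes.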