Title: Spamassassin qmail-scanner hack

Hello All,

  (This is not directly a spamassassin issue, but may be very useful to anyone using a spamassassin/qmail setup)

  I have been having an issue with spam sent to my clients and not quarantined even though the score was way over the limit.  This was happening because of the following fake spammer line:

X-Spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no
        version=2.60-spam20030926a

  I figured this was a header and that qmail-scanner was reading this header and not the real header:

X-Spam-Status: Yes, hits=9.9 required=5.0 tests=DNS_FROM_RFCI_DSN,HTML_70_80,
        HTML_FONTCOLOR_UNKNOWN,HTML_IMAGE_ONLY_06,HTML_MESSAGE,
        MIME_BOUND_NEXTPART,MIME_MISSING_BOUNDARY,RCVD_IN_DSBL,
        RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RCVD_NUMERIC_HELO,
        UPPERCASE_25_50 autolearn=no version=2.64

  But as I was told by so many smart people on this mailing list, Spamassassin rewrites the headers. So how the heck is the bad header still in the message after it is run through spamc/spamd?

  Well, it’s because the header is not a header. It’s part of the message body.  So Spamassassin does not see it as a header and does not remove or replace it.  Because it is in the message after the message is spit back out of spamc, qmail-scanner sees this line last, overwrites the real score with this spammer’s score and lets the message through the system and does not quarantine it.

So I hacked qmail-scanner to stop this from happening:

Original lines:

  while (<SIN>) {
       print SOUT;
  }

New lines:

  while (<SIN>) {
    if (/^X-Spam-Status: (Yes|No), (hits|score)=(-?[\d\.]*) required=([\d\.]*)/) {
       # HACK HACK HACK
       # A matching line is dropped here: it is not copied to SOUT
    }
    else {
       print SOUT;
    }
  }

Hope this is helpful for anyone who was having this issue.

Thx

Mike
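
Added example (not part of the original post and not qmail-scanner's own code): the problem described above comes from reading X-Spam-Status on any line of the message, so the sketch below compares that with a reader that stops at the first empty line, where the header block ends. The function names and the sample message are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: compares a whole-message scan with a header-only scan.
use strict;
use warnings;

# Same fields as the pattern in the post: verdict, score, threshold.
my $STATUS_RE =
    qr/^X-Spam-Status: (Yes|No), (?:hits|score)=(-?[\d.]+) required=([\d.]+)/;

# Scans every line and keeps the last match, so a line in the body wins.
sub verdict_any_line {
    my ($lines) = @_;
    my @verdict;
    for my $line (@$lines) {
        @verdict = ($1, $2, $3) if $line =~ $STATUS_RE;
    }
    return @verdict;
}

# Stops at the first empty line, so body text is never parsed as a header.
sub verdict_header_only {
    my ($lines) = @_;
    for my $line (@$lines) {
        last if $line =~ /^\r?$/;              # end of the header block
        return ($1, $2, $3) if $line =~ $STATUS_RE;
    }
    return;                                    # no X-Spam-Status header found
}

# Constructed sample: a real header on top, a look-alike line in the body.
my @msg = split /^/m, <<'EOM';
Received: from mail.example.net by mx.example.org
X-Spam-Status: Yes, hits=9.9 required=5.0 tests=HTML_MESSAGE,RCVD_IN_XBL,
        UPPERCASE_25_50 autolearn=no version=2.64
From: sender@example.net
Subject: constructed sample

X-Spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no
        version=2.60-spam20030926a
Body text of the message.
EOM

printf "any line:    %s (hits=%s, required=%s)\n", verdict_any_line(\@msg);
printf "header only: %s (hits=%s, required=%s)\n", verdict_header_only(\@msg);
```

Unlike dropping matching lines, the header-only reader leaves the message body unmodified.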
