Hi all,

I'm very puzzled by the attached spam that appeared in my inbox
last night.  I'm running Slackware 9.1, with SpamAssassin-3.0.0,
sendmail-8.12.10, and procmail-3.15.2.  I run spamassassin (not
spamd), and invoke it from procmail.  I use pine4.58 as my client.
This all runs on a PIII box with 1GB of RAM.

When the spam in question arrived, several rules did not appear to
fire; specifically the two RBLs RCVD_IN_BL_SPAMCOP_NET and
RCVD_IN_XBL, as well as URIBL_OB_SURBL.  However, when I save the
message and run it through spamassassin -t, the additional rules
fire just fine.  The respective hits are listed below.  As it
happens, I've also been calling SA in debug mode and have attached
that output also.  What am I doing wrong?

Also, on further inspection of the problem spam, I notice there is
no Received: header that indicates receipt by my mail server (the IP
is 12.210.217.184).  I realize this isn't an SA issue, but if this is
where my problem lies perhaps some kind soul could help me
understand what I've missed.  The lines from my sendmail log are
also included below.

Thanks for any help,

Ted

-- 
Theodore (Ted) Heise     <[EMAIL PROTECTED]>     Bloomington, IN, USA


As received:
-----------

X-Spam-Status: No, score=1.1 required=5.0 tests=BAYES_50,RCVD_IN_SBL,
        URIBL_SBL autolearn=no version=3.0.0


Result of spamassassin -t
-------------------------

Content analysis details:   (8.6 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5781]
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
             [Blocked - see <http://www.spamcop.net/bl.shtml?220.175.203.188>]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [220.175.203.188 listed in sbl-xbl.spamhaus.org]
 0.1 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
                            [220.175.203.188 listed in sbl-xbl.spamhaus.org]
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: popuptales.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: popuptales.com]


maillog entries:
---------------

Feb 11 21:02:11 linus sm-mta[10674]: j1C21xw5010674: from=<[EMAIL PROTECTED]>, size=1291, class=0, nrcpts=2, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=[220.175.203.188]
Feb 11 21:02:20 linus sm-mta[10675]: j1C21xw5010674: to=<[EMAIL PROTECTED]>, delay=00:00:18, xdelay=00:00:09, mailer=local, pri=61443, dsn=2.0.0, stat=Sent
Feb 11 21:02:26 linus sm-mta[10675]: j1C21xw5010674: to=<[EMAIL PROTECTED]>, delay=00:00:24, xdelay=00:00:06, mailer=local, pri=61443, dsn=2.0.0, stat=Sent


From [EMAIL PROTECTED]  Fri Feb 11 21:02:20 2005
Return-Path: <[EMAIL PROTECTED]>
Received: from freereed.net ([220.175.203.188])
        by linus.heise.nu (8.12.10/8.12.10) with SMTP id j1C21xw5010674;
        Fri, 11 Feb 2005 21:02:02 -0500
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 12 Feb 2005 11:14:52 +1200
Reply-To: "humberto akins" <[EMAIL PROTECTED]>
From: "humberto akins" <[EMAIL PROTECTED]>
User-Agent: Windows Eudora Pro Version 2.2 (32)
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Efrain Worth" <[EMAIL PROTECTED]>
Subject: For quality ink products at bargain prices, visit us
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on linus.heise.nu
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=BAYES_50,RCVD_IN_SBL,
        URIBL_SBL autolearn=no version=3.0.0
Status: R
X-Status: 
X-Keywords:                  

Choose to shop at discount store that offers fast and effective customer
support.

Convenient shipping service -- get orders shipped by USPS priority service.

For orders in the states, it takes 2 to 3 days for the order to be
delivered.

Great chance to save on ink products -- save as much as 80% on the same
brand name products.

The company offers different brands and types of ink products online.

Share our saving tips with you. At discount store, you can get the same
quality ink products at lower prices. So lower the operation expenses from
now on.


http://www.popuptales.com/ta/


diselectrification  5bekerchief  5calctuffdeafness cannibalizes
are probably the most stressful and insecure times in this countrys
history, said Evelyn Hicks,TV!" Melida said into the cell phone that day,
speaking loudly to Brian because of a hovering

procmail: Assigning "INCLUDERC=/home/theo/.procmail/rc.mail"
procmail: No match on "Content-Type: application|Content-Type: audio"
procmail: No match on "^From:.Thaddeus.Computing"
procmail: No match on 
"(^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To):(.*[^a-zA-Z])?)spamassassin"
procmail: No match on "To: aamo2"
procmail: No match on "To: ARAA_Refugees"
procmail: No match on "To: [EMAIL PROTECTED]"
procmail: No match on "To: leafnode"
procmail: No match on "^From:.eff.org"
procmail: No match on "^From:.*plm.org"
procmail: No match on 
"(^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To):(.*[^a-zA-Z])?)plm-l"
procmail: No match on 
"(^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To):(.*[^a-zA-Z])?)plm-call"
procmail: No match on "To:[EMAIL PROTECTED]"
procmail: No match on "^From:[EMAIL PROTECTED]"
procmail: No match on "^From:.*nyx\.net"
procmail: No match on "^To:[EMAIL PROTECTED]"
procmail: No match on "From:.*MAILER-DAEMON"
procmail: No match on "To: [EMAIL PROTECTED]"
procmail: Executing "/usr/bin/spamassassin,-D"
debug: SpamAssassin version 3.0.0
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/home/theo/bin', which doesn't exist, dropping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/bin/X11', keeping.
debug: Final PATH set to: /bin:/usr/bin:/usr/local/bin:/usr/bin/X11
debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: config: read file /usr/share/spamassassin/60_whitelist.cf
debug: using "/etc/mail/spamassassin" for site rules dir
debug: config: read file /etc/mail/spamassassin/70_sare_uri.cf
debug: config: read file /etc/mail/spamassassin/evilnumbers.cf
debug: config: read file /etc/mail/spamassassin/local.cf
debug: config: read file /etc/mail/spamassassin/surbl.cf
debug: using "/home/theo/.spamassassin" for user state dir
debug: using "/home/theo/.spamassassin/user_prefs" for user prefs file
debug: config: read file /home/theo/.spamassassin/user_prefs
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8a71cdc)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8a4e5a8)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) implements 
'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8a71cdc) implements 
'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) inhibited 
further callbacks
debug: using "/home/theo/.spamassassin" for user state dir
debug: bayes: 10681 tie-ing to DB file R/O /home/theo/.spamassassin/bayes_toks
debug: bayes: 10681 tie-ing to DB file R/O /home/theo/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: using "/home/theo/.spamassassin" for user state dir
debug: Score set 3 chosen.
debug: received-header: parsed as [ ip=220.175.203.188 rdns=freereed.net 
helo=freereed.net by=linus.heise.nu ident= envfrom= intl=0 id=j1C21xw5010674 ]
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: trying (3) motorola.com...
debug: looking up NS for 'motorola.com'
debug: NS lookup of motorola.com succeeded => Dns available (set dns_available 
to hardcode)
debug: is DNS available? 1
debug: looking up A records for 'linus.heise.nu'
debug: A records for 'linus.heise.nu': 
debug: looking up A records for 'linus.heise.nu'
debug: A records for 'linus.heise.nu': 
debug: received-header: relay 220.175.203.188 trusted? no internal? no
debug: metadata: X-Spam-Relays-Trusted: 
debug: metadata: X-Spam-Relays-Untrusted: [ ip=220.175.203.188 
rdns=freereed.net helo=freereed.net by=linus.heise.nu ident= envfrom= intl=0 
id=j1C21xw5010674 ]
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) implements 
'parsed_metadata'
debug: ---- MIME PARSER START ----
debug: main message type: text/plain
debug: parsing normal part
debug: added part, type: text/plain
debug: ---- MIME PARSER END ----
debug: decoding: other encoding type (7bit), ignoring
debug: uri found: http://www.popuptales.com/ta/
debug: URIDNSBL: domains to query: popuptales.com
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: all '*From' addrs: [EMAIL PROTECTED]
debug: Running tests for priority: 0
debug: running header regexp tests; score so far=0
debug: registering glue method for check_uridnsbl 
(Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764))
debug: registering glue method for check_hashcash_double_spend 
(Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8a71cdc))
debug: registering glue method for check_for_spf_helo_pass 
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8a4e5a8))
debug: SPF: checking HELO (helo=freereed.net, ip=220.175.203.188)
debug: SPF: trimmed HELO down to 'freereed.net'
debug: SPF: cannot load or create Mail::SPF::Query module
debug: registering glue method for check_hashcash_value 
(Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8a71cdc))
debug: all '*To' addrs: [EMAIL PROTECTED]
debug: registering glue method for check_for_spf_softfail 
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8a4e5a8))
debug: SPF: checking EnvelopeFrom (helo=freereed.net, ip=220.175.203.188, 
[EMAIL PROTECTED])
debug: SPF: cannot load or create Mail::SPF::Query module
debug: registering glue method for check_for_spf_pass 
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8a4e5a8))
debug: registering glue method for check_for_spf_helo_softfail 
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8a4e5a8))
debug: forged-HELO: from=freereed.net helo=freereed.net by=linus.heise.nu
debug: registering glue method for check_for_spf_fail 
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8a4e5a8))
debug: registering glue method for check_for_spf_helo_fail 
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8a4e5a8))
debug: running body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: bayes corpus size: nspam = 5415, nham = 5779
debug: tokenize: header tokens for *p = "U*kelsee D*freereed.net D*net"
debug: tokenize: header tokens for *M = "  78ACF897 9BE2747 freereed net "
debug: tokenize: header tokens for *R = "U*kelsee D*freereed.net D*net"
debug: tokenize: header tokens for *F = "U*kelsee D*freereed.net D*net"
debug: tokenize: header tokens for *u = " Windows Eudora Pro Version 2.2 (32)"
debug: tokenize: header tokens for X-Accept-Language = " en-us"
debug: tokenize: header tokens for MIME-Version = " "
debug: tokenize: header tokens for To = "U*kathy D*heise.nu D*nu"
debug: tokenize: header tokens for *c = " /plain; charset="us-ascii""
debug: tokenize: header tokens for Content-Transfer-Encoding = " 7bit"
debug: tokenize: header tokens for *RT = " "
debug: tokenize: header tokens for *RU = " [ ip=220.175.203.188 
rdns=freereed.net helo=freereed.net by=linus.heise.nu ident= envfrom= intl=0 
id=j1C21xw5010674 ]"
debug: tokenize: header tokens for *r = "   freereed.net ([220.175.203 
ip*220.175.203.188 ]) by linus.heise.nu (8.12.10/8.12.10)      ; "
debug: bayes token 'H*UA:2.2' => 0.998818414322251
debug: bayes token 'H*u:Version' => 0.998295202952029
debug: bayes token 'H*u:Eudora' => 0.998295202952029
debug: bayes token 'loudly' => 0.00881967213114754
debug: bayes token 'countrys' => 0.0105490196078431
debug: bayes token 'H*u:2.2' => 0.978
debug: bayes token 'H*u:Pro' => 0.978
debug: bayes token 'prices' => 0.96420555813155
debug: bayes token 'melida' => 0.958
debug: bayes token 'Melida' => 0.958
debug: bayes token 'probably' => 0.0440703411366895
debug: bayes token 'Brian' => 0.0539889717290001
debug: bayes token 'discount' => 0.945707749859809
debug: bayes token 'saving' => 0.91602900551525
debug: bayes token 'brian' => 0.0942638532509354
debug: bayes token 'times' => 0.104248902665297
debug: bayes token 'cell' => 0.114455958302445
debug: bayes token 'shipped' => 0.870373089975617
debug: bayes token 'brand' => 0.864679916674505
debug: bayes: score = 0.578054862335422
debug: bayes: 10681 untie-ing
debug: bayes: 10681 untie-ing db_toks
debug: bayes: 10681 untie-ing db_seen
debug: Razor2 is not available
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) implements 
'check_tick'
debug: URIDNSBL: query for popuptales.com took 1 seconds to look up 
(multi.surbl.org.:popuptales.com)
debug: URIDNSBL: query for popuptales.com took 1 seconds to look up 
(ws.surbl.org.:popuptales.com)
debug: URIDNSBL: queries completed: 3 started: 2
debug: URIDNSBL: queries active:  at Fri Feb 11 21:02:23 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
debug: Razor2 is not available
debug: Current PATH is: /bin:/usr/bin:/usr/local/bin:/usr/bin/X11
debug: Pyzor is not available: pyzor not found
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is not available: no executable dccproc found.
debug: Running tests for priority: 500
debug: URIDNSBL: queries completed: 1 started: 1
debug: URIDNSBL: queries active: A=1 at Fri Feb 11 21:02:23 2005
debug: URIDNSBL: domain "popuptales.com" listed (URIBL_SBL): 
"http://www.spamhaus.org/SBL/sbl.lasso?query=SBL21231";
debug: URIDNSBL: query for popuptales.com took 2 seconds to look up 
(sbl.spamhaus.org.:4.123.192.210)
debug: URIDNSBL: queries completed: 2 started: 1
debug: URIDNSBL: queries active:  at Fri Feb 11 21:02:24 2005
debug: URIDNSBL: domain "popuptales.com" listed (URIBL_SBL): 
"http://www.spamhaus.org/SBL/sbl.lasso?query=SBL23650";
debug: URIDNSBL: query for popuptales.com took 3 seconds to look up 
(sbl.spamhaus.org.:149.2.210.221)
debug: URIDNSBL: queries completed: 1 started: 0
debug: URIDNSBL: queries active:  at Fri Feb 11 21:02:25 2005
debug: RBL: success for 11 of 12 queries
debug: DNS: timeout for ipwhois-notfirsthop after 2 seconds
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84e2764) implements 
'check_post_dnsbl'
debug: running meta tests; score so far=1.104
debug: running header regexp tests; score so far=1.104
debug: running body-text per-line regexp tests; score so far=1.104
debug: running uri tests; score so far=1.104
debug: running raw-body-text per-line regexp tests; score so far=1.104
debug: running full-text regexp tests; score so far=1.104
debug: Running tests for priority: 1000
debug: running meta tests; score so far=1.104
debug: running header regexp tests; score so far=1.104
debug: using "/home/theo/.spamassassin" for user state dir
debug: lock: 10681 created /home/theo/.spamassassin/auto-whitelist.mutex
debug: lock: 10681 trying to get lock on 
/home/theo/.spamassassin/auto-whitelist with 30 timeout
debug: lock: 10681 link to /home/theo/.spamassassin/auto-whitelist.mutex: link 
ok
debug: Tie-ing to DB file R/W in /home/theo/.spamassassin/auto-whitelist
debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=220.175 scores 0/0
debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=none scores 0/0
debug: AWL active, pre-score: 1.104, autolearn score: 1.104, mean: undef, IP: 
220.175.203.188
debug: add_score: New count: 1, new totscore: 1.104
debug: DB addr list: untie-ing and unlocking.
debug: DB addr list: file locked, breaking lock.
debug: unlock: 10681 unlocked /home/theo/.spamassassin/auto-whitelist.mutex
debug: Post AWL score: 1.104
debug: running body-text per-line regexp tests; score so far=1.104
debug: running uri tests; score so far=1.104
debug: running raw-body-text per-line regexp tests; score so far=1.104
debug: running full-text regexp tests; score so far=1.104
debug: auto-learn: currently using scoreset 3, recomputing score based on 
scoreset 1.
debug: auto-learn: message score: 1.104, computed score for autolearn: 1.679
debug: auto-learn? ham=0.1, spam=12, body-points=1.05, head-points=1.679, 
learned-points=0.001
debug: auto-learn? no: inside auto-learn thresholds, not considered ham or spam
debug: is spam? score=1.104 required=5
debug: tests=BAYES_50,RCVD_IN_SBL,URIBL_SBL
debug: 
subtests=__CT,__CTE,__CTYPE_CHARSET_QUOTED,__CT_TEXT_PLAIN,__HAS_MSGID,__HAS_SUBJECT,__MIME_VERSION,__MOZILLA_MSGID,__MSGID_OK_HOST,__RCVD_IN_SBL_XBL,__RCVD_IN_SORBS,__SANE_MSGID,__USER_AGENT
procmail: [10679] Fri Feb 11 21:02:26 2005
procmail: No match on "^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*"
procmail: No match on "^X-Spam-Status: Yes"
procmail: Locking "/var/spool/mail/theo.lock"
procmail: Assigning "LASTFOLDER=/var/spool/mail/theo"
procmail: Opening "/var/spool/mail/theo"
procmail: Acquiring kernel-lock
procmail: Unlocking "/var/spool/mail/theo.lock"
procmail: Notified comsat: "[EMAIL PROTECTED]:/var/spool/mail/theo"
From [EMAIL PROTECTED]  Fri Feb 11 21:02:20 2005
 Subject: For quality ink products at bargain prices, visit us
  Folder: /var/spool/mail/theo                                             1722
