Greetings,
I am seeing some SpamAssassin eMail messages flagged as SPAM.
That's probably not unusual, given the nature of our discussions and
especially because we quote actual SPAM examples within our messages.
I know that someone is going to say, "whitelist" ...
The settings for my profile include
Allowed Email Addresses
users@spamassassin.apache.org
dev@spamassassin.apache.org
For the most part, that works ... with only ~ 1% getting flagged as SPAM.
I don't know exactly which package is doing the whitelist filtering, nor
how that is integrated with the SpamAssassin scanning.
In the example quoted here, I think these are the applicable headers ...
Return-Path: <[EMAIL PROTECTED]>
Received: from unknown (HELO mail.apache.org) (209.237.227.199)
by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
From: "martin smith" <[EMAIL PROTECTED]>
To: "'Rakesh'" <[EMAIL PROTECTED]>,
"Spamassassin" <users@spamassassin.apache.org>
My 4 questions ...
(1) is it customary for a whitelist test to be done _only_ on the
address in the 'From:' header?
(2) OR should a whitelist test be done on all of the addresses in any of
these headers ...
'Return-Path:', 'Received:', 'From:', 'To:' ... ?
(3) could the whitelist failure be caused by
"Spamassassin" <users@spamassassin.apache.org>
appearing as the _second_ 'To:' address?
Something else that troubles me about this eMail example ...
X-Spam-Report:
* 1.1 FORGED_RCVD_HELO Received: contains a forged HELO
... even though this looks OK ...
Received: from unknown (HELO mail.apache.org) (209.237.227.199)
by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
OTOH, 209.237.227.199 resolves to mail.apache.org ... and
spamassassin.apache.org resolves to 209.237.227.199
(4) could that cause the whitelist failure?
Anything else I should consider?
Thanks for listening.
Here are all of the headers and the message text ...
From - Sat May 07 08:28:31 2005
X-UIDL: 1115462268.M554851P37120.mx3.oct
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 37070 invoked by uid 0); 7 May 2005 10:37:36 -0000
Received: from 209.237.227.199 by mx3.oct (envelope-from <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25
(uvscan: v4.2.40/v4295. sophie: 2.14/3.73. f-prot: 4.1.1/3.13.4. spamassassin: 2.60-cvs.
Clear:RC:0(209.237.227.199):.
Processed in 0.188536 secs); 07 May 2005 10:37:36 -0000
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx3.oct
X-Qmail-Scanner: 1.25 (Clear:RC:0(209.237.227.199):. Processed in 0.188536 secs)
Received: from unknown (HELO mail.apache.org) (209.237.227.199)
by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
Received: (qmail 61841 invoked by uid 500); 7 May 2005 10:40:04 -0000
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
list-help: <mailto:[EMAIL PROTECTED]>
list-unsubscribe: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:users@spamassassin.apache.org>
List-Id: <users.spamassassin.apache.org>
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 61826 invoked by uid 99); 7 May 2005 10:40:04 -0000
X-ASF-Spam-Status: No, hits=0.0 required=10.0
tests=
Received-SPF: pass (hermes.apache.org: domain of [EMAIL PROTECTED] designates 212.250.162.17 as permitted sender)
Received: from smtpout17.mailhost.ntl.com (HELO mta09-winn.mailhost.ntl.com) (212.250.162.17)
by apache.org (qpsmtpd/0.28) with ESMTP; Sat, 07 May 2005 03:40:04 -0700
Received: from aamta04-winn.mailhost.ntl.com ([212.250.162.8])
by mta09-winn.mailhost.ntl.com with ESMTP
id <[EMAIL PROTECTED]>
for <users@spamassassin.apache.org>;
Sat, 7 May 2005 11:37:05 +0100
Received: from marti.mine.nu ([81.106.206.105])
by aamta04-winn.mailhost.ntl.com with ESMTP
id <[EMAIL PROTECTED]>
for <users@spamassassin.apache.org>;
Sat, 7 May 2005 11:37:05 +0100
Received: from p42000 (martin [192.168.1.98])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id j47AawRY014071;
Sat, 7 May 2005 11:36:58 +0100
From: "martin smith" <[EMAIL PROTECTED]>
To: "'Rakesh'" <[EMAIL PROTECTED]>,
"Spamassassin" <users@spamassassin.apache.org>
Subject: *****SPAM***** RE: Way to evade URI checks
Date: Sat, 7 May 2005 11:37:00 +0100
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
Thread-Index: AcVS0HY4PWTqQht5TSKWb96NwD4Y8QAH9gAg
In-Reply-To: <[EMAIL PROTECTED]>
X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
X-Virus-Checked: Checked
X-Spam-Prev-Subject: RE: Way to evade URI checks
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd1.oct
X-Spam-Level: ************
X-Spam-PrefsFile: nac.net/mdiehl
X-Spam-Status: Yes, score=12.7 required=4.7 tests=FORGED_RCVD_HELO,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_OB_SURBL,URIBL_SBL,
URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.0.2
X-Spam-Report:
* 1.1 FORGED_RCVD_HELO Received: contains a forged HELO
* 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
* [cf: 100]
* 1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
* [URIs: coolestrxever.com]
* 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [URIs: coolestrxever.com]
* 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
* [URIs: coolestrxever.com]
* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
* [URIs: coolestrxever.com]
M>-----Original Message-----
M>From: Rakesh [mailto:[EMAIL PROTECTED]
M>Sent: 07 May 2005 07:41
M>To: [EMAIL PROTECTED]; users@spamassassin.apache.org
M>Subject: Way to evade URI checks
M>
M>Seems Spammers have found a way to evade the URI checks
M>
M>the domain coolestrxever.com is listed in multi.surbl.org.
M>But the spammers managed to evade the URI checks by
M>appending special characters at the end of the url which are
M>happily allowed by the browsers.
M>
M>The spam that I received had
M>
M>http://www.coolestrxever.com: (a colon at the end of the url)
M>
M>After a bit of R&D I found the other options for spammers to
M>carry out this technique
M>
M>http://www.coolestrxever.com; (a semicolon)
M>http://www.coolestrxever.com, (a comma)
M>http://www.coolestrxever.com. (a fullstop)
M>http://www.coolestrxever.com? (a question mark)
M>
M>With all these special characters at the end of the url, the URI
M>checks try to make the lookup as
M>
M>debug: querying for coolestrxever.com:.sc.surbl.org
M>
M>End result, passed the promising URI checks.
M>
M>I am seeing the first of its kind of spam. If any version of
M>Spamassassin fixes this in its URI retrieval program please
M>let me know
M>
M>--
There is a fix for these in the bugzilla, came in correctly caught by SURBL
here, using 3.0.2.
There are two fixes I have applied and they seem to catch the URL split over
lines too, not sure if these are included in 3.0.3, I suspect this one is.
Martin
--
Martin G. Diehl
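The trailing-punctuation case Rakesh describes above, as an added example that is not part of the original thread or of SpamAssassin's own code: a naive URI-to-host extractor keeps the punctuation and so builds an unlistable lookup name such as coolestrxever.com:.multi.surbl.org, while a normalizing extractor strips it before building the query name. The sample body, the TRAILING_PUNCT set and the two-label registered-domain reduction are my assumptions.

```python
import re

# Constructed sample body (not from the original post); each URI carries one of
# the trailing characters Rakesh observed, plus two ordinary URIs for contrast.
SAMPLE_BODY = (
    "Check this out http://www.coolestrxever.com: today.\n"
    "Or http://www.coolestrxever.com; http://www.coolestrxever.com,\n"
    "http://www.coolestrxever.com. http://www.coolestrxever.com? now.\n"
    "Legit: http://spamassassin.apache.org/ and www.example.org.\n"
)

# Assumed set of characters browsers tolerate after a hostname.
TRAILING_PUNCT = ":;,.?!'\")]"

# Anything after "http://" or "www." up to whitespace or a quote/angle bracket.
URI_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def _host_part(uri: str) -> str:
    """Authority portion of a URI: scheme and leading 'www.' removed, nothing else."""
    host = re.sub(r"^https?://", "", uri, flags=re.IGNORECASE)
    host = host.split("/", 1)[0]
    return host[4:] if host.lower().startswith("www.") else host


def extract_hosts_naive(text: str) -> list[str]:
    """Mimics the behaviour described in the thread: trailing punctuation stays
    glued to the host, so 'coolestrxever.com:' is what would be queried."""
    return [_host_part(m.group(0)) for m in URI_RE.finditer(text)]


def normalize_host(host: str) -> str:
    """Strip trailing punctuation, lowercase, and reduce to the registered domain
    (last two labels; a simplification of a real URIBL's TLD handling)."""
    labels = [l for l in host.rstrip(TRAILING_PUNCT).lower().split(".") if l]
    return ".".join(labels[-2:])


def extract_hosts_normalized(text: str) -> list[str]:
    """Unique normalized hosts, in order of first appearance."""
    seen: list[str] = []
    for h in extract_hosts_naive(text):
        n = normalize_host(h)
        if n and n not in seen:
            seen.append(n)
    return seen


def surbl_query_name(host: str, zone: str = "multi.surbl.org") -> str:
    """DNS name a URIBL check would look up for this host in the given zone."""
    return f"{host}.{zone}"
```

Running `surbl_query_name` over `extract_hosts_naive(SAMPLE_BODY)` shows five distinct, unlistable names for the same domain, whereas the normalized list collapses them to a single `coolestrxever.com.multi.surbl.org` lookup.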