Martin G. Diehl wrote:

Thanks to everyone who responded ... you helped me think it through.

Greetings,

I am seeing some SpamAssassin eMail messages flagged as SPAM.

That's probably not unusual, given the nature of our discussions and
especially because we quote actual SPAM examples within our messages.

OTOH, try to visualize the congress critters trying (and failing) to discuss 'int3rn3t p0rn' <g> without using any 'bad words' (TM). LOL

I know that someone is going to say, "whitelist" ...

The settings for my profile include

    Allowed Email Addresses

    users@spamassassin.apache.org
    dev@spamassassin.apache.org

I even added [EMAIL PROTECTED] and I am still seeing whitelist eMail giving false positives in SPAMassassin.

For the most part, that works ... with only ~ 1% getting flagged as SPAM.

I don't know exactly which package is doing the whitelist filtering, nor
how that is integrated with the SpamAssassin scanning.

I was able to reach the eMail+QA administrator and discuss this issue ... using one of today's misfires ... it seemed to be caused by the SPAMassassin address being the 2nd address in the 'To:' not being checked against my whitelist. ... will be referred to their programmer.

In the example quoted here, I think these are the applicable headers ...

Return-Path: <[EMAIL PROTECTED]>

    Received: from unknown (HELO mail.apache.org) (209.237.227.199)
      by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000

    From: "martin smith" <[EMAIL PROTECTED]>
    To: "'Rakesh'" <[EMAIL PROTECTED]>,
       "Spamassassin" <users@spamassassin.apache.org>

My 4 questions ...

[snip]

(1) and (2) seemed not to be a factor.

(3) could the whitelist failure be caused by

    "Spamassassin" <users@spamassassin.apache.org>

appearing as the _second_ 'To:' address?

Seems to be this form of address and how they are checking it.

Something else that troubles me about this eMail example ...

    X-Spam-Report:
          *  1.1 FORGED_RCVD_HELO Received: contains a forged HELO

... even though this looks OK ...

    Received: from unknown (HELO mail.apache.org) (209.237.227.199)
      by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000

OTOH, 209.237.227.199 resolves to mail.apache.org ... and
      spamassassin.apache.org resolves to 209.237.227.199

(4) could that cause the whitelist failure?

will ask them again in a few days.

Anything else I should consider?

Thanks for listening.

Here are all of the headers and the message text ...

From - Sat May 07 08:28:31 2005
X-UIDL: 1115462268.M554851P37120.mx3.oct
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 37070 invoked by uid 0); 7 May 2005 10:37:36 -0000
Received: from 209.237.227.199 by mx3.oct (envelope-from <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25 (uvscan: v4.2.40/v4295. sophie: 2.14/3.73. f-prot: 4.1.1/3.13.4. spamassassin: 2.60-cvs. Clear:RC:0(209.237.227.199):. Processed in 0.188536 secs); 07 May 2005 10:37:36 -0000
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx3.oct
X-Qmail-Scanner: 1.25 (Clear:RC:0(209.237.227.199):. Processed in 0.188536 secs)
Received: from unknown (HELO mail.apache.org) (209.237.227.199)
by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
Received: (qmail 61841 invoked by uid 500); 7 May 2005 10:40:04 -0000
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
list-help: <mailto:[EMAIL PROTECTED]>
list-unsubscribe: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:users@spamassassin.apache.org>
List-Id: <users.spamassassin.apache.org>
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 61826 invoked by uid 99); 7 May 2005 10:40:04 -0000
X-ASF-Spam-Status: No, hits=0.0 required=10.0
tests=
Received-SPF: pass (hermes.apache.org: domain of [EMAIL PROTECTED] designates 212.250.162.17 as permitted sender)
Received: from smtpout17.mailhost.ntl.com (HELO mta09-winn.mailhost.ntl.com) (212.250.162.17)
by apache.org (qpsmtpd/0.28) with ESMTP; Sat, 07 May 2005 03:40:04 -0700
Received: from aamta04-winn.mailhost.ntl.com ([212.250.162.8])
by mta09-winn.mailhost.ntl.com with ESMTP
id <[EMAIL PROTECTED]>
for <users@spamassassin.apache.org>;
Sat, 7 May 2005 11:37:05 +0100
Received: from marti.mine.nu ([81.106.206.105])
by aamta04-winn.mailhost.ntl.com with ESMTP
id <[EMAIL PROTECTED]>
for <users@spamassassin.apache.org>;
Sat, 7 May 2005 11:37:05 +0100
Received: from p42000 (martin [192.168.1.98])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id j47AawRY014071;
Sat, 7 May 2005 11:36:58 +0100
From: "martin smith" <[EMAIL PROTECTED]>
To: "'Rakesh'" <[EMAIL PROTECTED]>,
"Spamassassin" <users@spamassassin.apache.org>
Subject: *****SPAM***** RE: Way to evade URI checks
Date: Sat, 7 May 2005 11:37:00 +0100
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
Thread-Index: AcVS0HY4PWTqQht5TSKWb96NwD4Y8QAH9gAg
In-Reply-To: <[EMAIL PROTECTED]>
X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
X-Virus-Checked: Checked
X-Spam-Prev-Subject: RE: Way to evade URI checks
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd1.oct
X-Spam-Level: ************
X-Spam-PrefsFile: nac.net/mdiehl
X-Spam-Status: Yes, score=12.7 required=4.7 tests=FORGED_RCVD_HELO,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_OB_SURBL,URIBL_SBL,
    URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.0.2
X-Spam-Report: * 1.1 FORGED_RCVD_HELO Received: contains a forged HELO
    * 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
    *      [cf: 100]
    * 1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    * 1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    *      [URIs: coolestrxever.com]
    * 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    *      [URIs: coolestrxever.com]
    * 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    *      [URIs: coolestrxever.com]
    * 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
    *      [URIs: coolestrxever.com]


M>-----Original Message-----
M>From: Rakesh [mailto:[EMAIL PROTECTED]
M>Sent: 07 May 2005 07:41
M>To: [EMAIL PROTECTED]; users@spamassassin.apache.org
M>Subject: Way to evade URI checks
M>
M>Seems Spammers have found a way to evade the URI checks
M>
M>the domain coolestrxever.com is listed in multi.surbl.org.
M>But the spammers managed to evade the URI checks by
M>appending special characters at the end of the url which are
M>happily allowed by the browsers.
M>
M>The spam that I received had
M>
M>http://www.coolestrxever.com: (a colon at the end of the url)
M>
M>After a bit of R&D I found the other options for spammers to
M>carry this technique
M>
M>http://www.coolestrxever.com; (a semicolon)
M>http://www.coolestrxever.com, (a comma)
M>http://www.coolestrxever.com. (a fullstop)
M>http://www.coolestrxever.com? (a question mark)
M>
M>With all these special characters at the end of url, URI
M>checks tries to make lookup as
M>
M>debug: querying for coolestrxever.com:.sc.surbl.org
M>
M>End result, passed the promising URI checks.
M>
M>I am seeing the first of its kind of spam. If any version of
M>Spamassassin fixes this in its URI retrieval program please
M>let me know
M>
M>--
There is a fix for these in the bugzilla; it came in correctly caught by SURBL here, using 3.0.2.
There are two fixes I have applied and they seem to catch the URL split over
lines too; not sure if these are included in 3.0.3, I suspect this one is.


Martin

-- Martin G. Diehl
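As an added example (not code from this thread, nor SpamAssassin's own URI code), the following Python sketch shows the normalization the quoted report asks for: the naive function reproduces the `coolestrxever.com:.sc.surbl.org` query seen in the debug line, and the hardened one strips the trailing punctuation, userinfo and port before building the SURBL query name, so all five variants from the report collapse to one lookup. The two-label domain collapse and the sample message body are assumptions constructed for the example.

```python
import re

# Trailing characters the quoted report shows defeating the lookup
# (':' ';' ',' '.' '?') plus closers that commonly wrap a URL in prose.
TRAILING_JUNK = ':;,.?!)]}>\'"'
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

def _host_of(url):
    """Everything between the scheme and the first '/' (no cleaning)."""
    return url.split("://", 1)[1].split("/", 1)[0]

def registrable_domain(host):
    """Collapse 'www.coolestrxever.com' to 'coolestrxever.com' (last two
    labels). Assumption: a two-label heuristic, not a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def naive_lookup_name(url, zone="sc.surbl.org"):
    """Reproduces the failure mode from the thread: the trailing character
    stays on the host, so the query name can never match the list."""
    return f"{registrable_domain(_host_of(url))}.{zone}"

def hardened_lookup_name(url, zone="sc.surbl.org"):
    """Strip trailing punctuation, then userinfo and port, before building
    the DNSBL query name, so every variant maps to the same domain."""
    host = _host_of(url).rstrip(TRAILING_JUNK)
    host = host.split("@")[-1].split(":")[0]
    return f"{registrable_domain(host)}.{zone}"

def lookup_names(body, zone="sc.surbl.org"):
    """Unique SURBL query names for every URL found in a message body."""
    return sorted({hardened_lookup_name(m.group(0), zone)
                   for m in URL_RE.finditer(body)})

# Constructed sample body containing the five variants from the report.
SAMPLE_BODY = """Cheap meds at http://www.coolestrxever.com: today only.
Or try http://www.coolestrxever.com; and http://www.coolestrxever.com,
and http://www.coolestrxever.com. or http://www.coolestrxever.com?
Reference: http://spamassassin.apache.org/ for the real project."""

if __name__ == "__main__":
    print(naive_lookup_name("http://www.coolestrxever.com:"))
    print(lookup_names(SAMPLE_BODY))
```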


