[RESEND ... one correspondent could not read the
quoted header lines when placed following my name]

Greetings,

I saw a SPAM message with the SpamAssassin message headers
(X-Spam headers) grossly out of sequence.  The message
was recognized as SPAM ... but because the X-Spam headers
were written in the wrong part of the message, it was able
to 'appear' as a non-SPAM message.

I have included all of the headers ... just replaced
the message content with '[snip]' ... you'll see those
headers after -~-[beg_SPAM_headers]-~-~

Here is what I can see is wrong in the message headers
after being processed by SpamAssassin ...

(a) the message has 2 'Subject:' headers

(b) the first subject header is the original unmodified
    header from the SPAMmer: 'Subject: Urgent Security Notice'

(c) the second subject header is what SpamAssassin
    generated: 'Subject: *****SPAM***** '

(d) the message was recognized as SPAM ... 'X-Spam-Flag: YES'

(e) all of the X-Spam- headers follow the message body

(f) this probably resulted from intentional miscoding of the
    MIME headers.

IOW, I know what is happening ... but I don't know why.

My questions ...

(1) why do the X-Spam headers follow the message body?

(2) are the MIME headers properly coded?

(3) what kind of configuration error could cause the X-Spam
    headers to be misplaced?

(4) are the message headers miscoded to exploit a bug in
    SpamAssassin?

~-~-~-~-~-~-~-~-~-~-~-~-[beg_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~
    From - Mon Apr 25 12:36:07 2005
    X-UIDL: 1114445011.M327672P25855.mx4.oct
    X-Mozilla-Status: 0000
    X-Mozilla-Status2: 00000000
    Return-Path: <[EMAIL PROTECTED]>
    Delivered-To: [EMAIL PROTECTED]
    Received: (qmail 25794 invoked by uid 1005); 25 Apr 2005 16:03:19 -0000
    Received: from [EMAIL PROTECTED] by mx4.oct by uid 0 with qmail-scanner-1.20rc3
     (sophie: 2.14/3.73. spamassassin: 2.60-cvs.  Clear:RC:0:.
     Processed in 0.95741 secs); 25 Apr 2005 16:03:19 -0000
    X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx4.oct
    X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED]
    X-Qmail-Scanner: 1.20rc3 (Clear:RC:0:. Processed in 0.95741 secs)
    Received: from unknown (HELO Sue-38) (83.104.159.186)
      by rbl-mx4.oct.nac.net with SMTP; 25 Apr 2005 16:03:18 -0000
    From: "Charter One BANK" <[EMAIL PROTECTED]>
    To: <[EMAIL PROTECTED]>
    Subject: Urgent Security Notice
    Date: Mon, 25 Apr 2005 17:03:22 +0100
    X-Priority: 3
    X-MSMail-Priority: Normal
    Message-ID: <[EMAIL PROTECTED]>
    MIME-Version: 1.0
    Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----fmkdahmjgeazvksmslealhoy"
    X-Mailer: WEBMail
    X-MimeOLE: Produced By Microsoft MimeOLE V4.00.2600.1106
    This is a multi-part message in MIME format.
    ------fmkdahmjgeazvksmslealhoy
    Content-Type: multipart/alternative;
        boundary="----vjjqdusbszwilaadlkdvppfa"
    ------vjjqdusbszwilaadlkdvppfa
    Content-Type: text/plain;
        charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    [snip]
    ------vjjqdusbszwilaadlkdvppfa
    Content-Type: text/html;
        charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    [snip]
    ------vjjqdusbszwilaadlkdvppfa--
    ------fmkdahmjgeazvksmslealhoy
    Content-Type: image/gif;
        name="tuzjytembpavuggfvypmopuj.gif"
    Content-Transfer-Encoding: base64
    Content-ID: <[EMAIL PROTECTED]>
    Content-Disposition: inline;
     filename="tuzjytembpavuggfvypmopuj.gif"

    [snip]

    ------fmkdahmjgeazvksmslealhoy--
    X-Qmail-Scanner-Message-ID: <[EMAIL PROTECTED]>
    Subject: *****SPAM*****
    X-Spam-Prev-Subject: (nonexistent)
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd6.oct.nac.net
    X-Spam-Level: ******
    X-Spam-PrefsFile: nac.net/mdiehl
    X-Spam-Status: Yes, score=6.1 required=4.7 tests=FROM_ENDS_IN_NUMS,
        FROM_HAS_ULINE_NUMS,MISSING_DATE,MISSING_SUBJECT,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=disabled version=3.0.2
    X-Spam-Report:
        *  0.5 FROM_ENDS_IN_NUMS From: ends in numbers
        *  0.0 MISSING_DATE Missing Date: header
        *  2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
        *      [cf:  96]
        *  1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        *  1.6 MISSING_SUBJECT Missing Subject: header
        *  0.4 FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters
~-~-~-~-~-~-~-~-~-~-~-~-[end_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~

--
Martin G. Diehl
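Added example (editor's note, not part of the original post): a small audit script that checks a raw message for the symptoms listed above. Note what is visible in the quoted message: no blank line separates the last original header (X-MimeOLE) from "This is a multi-part message in MIME format.", so the first empty line in the file falls only after the Content-Disposition line of the GIF part. The script therefore tests for an unterminated header block (lines before the first blank line that are neither a `Name:` field nor a folded continuation), for a second `Subject:` outside the header block, for `X-Spam-*` fields appearing after the header/body separator, and for whether the MIME boundary delimiters match the declared `boundary=` parameter. It also reports what Python's stdlib `email` parser records as defects for the same input. The sample message is constructed and only mimics the structure of the quoted one; the function names are the example's own.

```python
"""Audit a raw RFC 2822 message for the header anomalies discussed above.
Added example, not from the original post. SAMPLE is constructed."""
import re
from email import message_from_string
from typing import Dict, List, Optional, Tuple

# A header field starts with a field-name (printable US-ASCII except ':')
# followed immediately by ':'.  Folded continuations start with whitespace.
FIELD_RE = re.compile(r'^[\x21-\x39\x3b-\x7e]+:')

# Constructed sample: no blank line after X-Mailer, a second Subject: and
# X-Spam-* fields placed after the closing MIME boundary.
SAMPLE = """\
Return-Path: <sender@example.invalid>
From: "Example Bank" <alerts@example.invalid>
To: <user@example.invalid>
Subject: Urgent Security Notice
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----example-boundary"
X-Mailer: WEBMail
This is a multi-part message in MIME format.
------example-boundary
Content-Type: text/plain;
    charset="us-ascii"

[body text here]
------example-boundary--
Subject: *****SPAM*****
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.1 required=4.7
"""


def find_header_end(lines: List[str]) -> Optional[int]:
    """Index of the first empty line (the header/body separator), or None."""
    for i, line in enumerate(lines):
        if line.strip() == "":
            return i
    return None


def malformed_header_lines(lines: List[str], end: int) -> List[str]:
    """Lines before the separator that are neither a field nor a continuation.
    A non-empty list means the original header block was never terminated."""
    return [l for l in lines[:end]
            if not FIELD_RE.match(l) and l[:1] not in (" ", "\t")]


def subject_positions(lines: List[str], end: int) -> List[Tuple[int, str]]:
    """Every line that starts a Subject: field, tagged header or body."""
    return [(i, "header" if i < end else "body")
            for i, l in enumerate(lines) if l.lower().startswith("subject:")]


def spam_fields_after_body(lines: List[str], end: int) -> List[str]:
    """X-Spam-* fields that sit after the separator, i.e. inside the body."""
    return [l for l in lines[end + 1:] if l.lower().startswith("x-spam-")]


def boundary_check(raw: str) -> Optional[Dict[str, object]]:
    """Does the declared boundary= parameter match the delimiter lines?"""
    m = re.search(r'boundary="?([^"\r\n;]+)"?', raw)
    if not m:
        return None
    delim = "--" + m.group(1)
    lines = raw.splitlines()
    return {"boundary": m.group(1),
            "opens": sum(1 for l in lines if l == delim),
            "closed": any(l == delim + "--" for l in lines)}


def stdlib_defects(raw: str) -> List[str]:
    """Defect class names the stdlib parser attaches to the message."""
    return [type(d).__name__ for d in message_from_string(raw).defects]


def audit(raw: str) -> Dict[str, object]:
    lines = raw.splitlines()
    end = find_header_end(lines)
    if end is None:
        return {"header_end": None}
    return {"header_end": end,
            "malformed_in_header": malformed_header_lines(lines, end),
            "subject_positions": subject_positions(lines, end),
            "spam_fields_after_body": spam_fields_after_body(lines, end),
            "boundary": boundary_check(raw),
            "stdlib_defects": stdlib_defects(raw)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real message file by replacing SAMPLE with the file contents read as text. A non-empty `malformed_in_header` list is the tell-tale: everything up to the first blank line is treated as header by a strict splitter, which is consistent with filter-added fields landing far below the original headers and with a client showing whichever `Subject:` it parses first.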