What I copied and pasted into my message was the original spammy message (the source of it) as IMP showed it. The posterior ALL_TRUSTED occurred because it has already been scanned and tagged by my servers. But the main difference between the live run and the ones I did with SA by itself (both as root and as user amavis) is the URIDNSBL hit.
Well, the blaming on Net::DNS wasn't an easy way out. I ran Amavis in debug mode and spotted out some warnings about the use of (.) in concatenation string in Util.pm (not literally, I'll post the correct output on Monday, when I get back to work). From this debug, I see Amavis loading up the URIDNSBL plugin at startup, but lately it simply doesn't fire up on any spammy link (I googled for them, since the DDoS attack blocked the website).

Anyway, seems like my Perl installation came out buggy (upgraded from source to 5.8.8 before upgrading SA from 3.1.8 to 3.2.0), and it is messing things up. Lately some errors with Net::SMTP came out when reporting to SpamCop, so I guess I'll have to start it all over again from scratch, but this time making sure all compiles ok.

Thanks,

Luis

2007/6/8, guenther <[EMAIL PROTECTED]>:
On Fri, 2007-06-08 at 18:46 -0300, Luis Hernán Otegui wrote:
> OK, I've been googlin' around, and it seems like an issue between
> Amavis (or MailScanner, for what I've found) and some unsupported
> versions of Net::DNS, because when I run the message through SA by
> itself, this comes out:

Whatever you manually fed SA was even more borked than the inline copy-n-paste of a message in your OP. Looking briefly at your original paste, I do see these:

> Date: Fri, 8 Jun 2007 20:25:53 -0100
> From: "Deana Adams" <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Can you imagine that you are healthy?

However, your manual run hit hard on...

> 0.0 MISSING_MID Missing Message-Id: header
> 0.0 MISSING_DATE Missing Date: header
> 1.3 MISSING_HEADERS Missing To: header
> 1.8 MISSING_SUBJECT Missing Subject: header
> 2.5 FM_NO_FROM_OR_TO FM_NO_FROM_OR_TO
> 0.5 FM_NO_TO FM_NO_TO

The "-1.8 ALL_TRUSTED" seems to support the assumption that you fed a body only. Could be due to the exact details how you did it, though. Also, this run didn't identify a HTML part at all...

The only difference that accounts for the spamminess in the second run is the URIBL_BLACK hit. Maybe an oops, maybe a misconfiguration, maybe due to not running in real time, but long after.

> So I'm blaming it on Amavis... (Net::DNS 0.59 here)...

I don't see much evidence for this, yet. ;)

guenther

--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
--
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-------------------------------------------------