Greetings Karsten. How can you tell that the header was mangled?
I have not gotten that deep into email analysis yet; however, I don't see what you mean. I also have to "train" my Bayesian filter, so that could be why some mail is slipping through.

In response to some other inquiries, Citadel simply shoots the mail to spamd on the requisite host, and then relies on spamd to evaluate the message. There are no SA headers because of the process that was just described. This must be specific to Citadel.

Can anyone let me know where SpamAssassin stores spam on a default install? I need to find some spam/ham to train sa-learn with.

Thanks again for the responses. I am still seeing two or three spam email messages getting through. This has to be the ham/spam thing that Bayesian filtration takes care of, because obvious spam seems to be filtered pretty well.

On Fri, 2009-04-10 at 14:39 -0400, Karsten Bräckelmann wrote:
> On Fri, 2009-04-10 at 11:20 -0700, John Hardin wrote:
> > On Fri, 10 Apr 2009, martes wrote:
> > > Here is a link to the listed message that passed through the filter.
> > >
> > > http://pastebin.com/d6fe63bd6
> >
> > The headers in that spample don't say anything about SA at all. Did you
> > export the message from your mail client? That can omit headers.
>
> Evolution does not omit headers when showing the message source.
> However, that particular message indeed looks like the headers have been
> severely altered. Note the Received headers position.
>
> Martes, how is SA integrated? Unfortunately, the Evolution Junk plugin
> doesn't add the SA headers.
>
>
> Btw, by glimpsing at the headers alone I can already tell it definitely
> is spam. The Message-Id is very poorly forged and seriously broken. To
> avoid the term braindead. :) It triggers my rule KB_RATWARE_MSGID.
>
>
> > Is it possible for you to directly retrieve the message out of your system
> > mailbox file using a text editor? That's guaranteed to not omit anything
> > of interest.
>
> And please don't munge any data, unless you really have to -- for
> instance, the Organization header appears to have been rewritten.
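
Added example, not part of the original messages: a Python sketch of the header checks discussed in this thread (position of the Received headers, presence of SpamAssassin X-Spam-* headers, basic Message-ID shape). The function name inspect_headers, the heuristics and both sample messages are assumptions constructed for illustration; the Message-ID check is not the KB_RATWARE_MSGID rule mentioned above.

```python
import re
from email import message_from_string

# Originator fields are written by the sender; trace fields (Received) are
# prepended later by each relay, so they normally sit above these.
ORIGINATOR = {"from", "to", "cc", "subject", "date", "message-id"}
# Basic <left@right> shape only; an assumption, far looser than real SA rules.
MSGID_SHAPE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")

def inspect_headers(raw):
    """Summarise ordering and SpamAssassin markup of a raw message's headers."""
    msg = message_from_string(raw)
    names = [k.lower() for k in msg.keys()]  # file order, duplicates kept
    first_orig = next((i for i, n in enumerate(names) if n in ORIGINATOR), len(names))
    return {
        "received_count": names.count("received"),
        "received_after_originator": any(
            n == "received" and i > first_orig for i, n in enumerate(names)),
        "sa_headers": [k for k in msg.keys() if k.lower().startswith("x-spam-")],
        "msgid_wellformed": bool(MSGID_SHAPE.match((msg.get("Message-ID") or "").strip())),
    }

# Constructed sample: headers as a relay chain would normally leave them.
INTACT = """\
Return-Path: <sender@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.com with ESMTP; Fri, 10 Apr 2009 10:00:02 -0700
Received: from host.example.org (host.example.org [198.51.100.7])
\tby mx.example.net with ESMTP; Fri, 10 Apr 2009 10:00:01 -0700
X-Spam-Status: No, score=1.2 required=5.0
From: Sender <sender@example.org>
Date: Fri, 10 Apr 2009 10:00:00 -0700
Message-ID: <20090410170000.1234@host.example.org>
"""

# Constructed sample: Received moved below originator fields, no X-Spam-*.
ALTERED = """\
From: Sender <sender@example.org>
Date: Fri, 10 Apr 2009 10:00:00 -0700
Message-ID: <0123456789@>
Received: from host.example.org (host.example.org [198.51.100.7])
\tby mx.example.net with ESMTP; Fri, 10 Apr 2009 10:00:01 -0700
"""

if __name__ == "__main__":
    for label, raw in (("intact", INTACT), ("altered", ALTERED)):
        print(label, inspect_headers(raw))
```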