Re: Spam with attachments and UNPARSEABLE_RELAY

Mon, 05 Dec 2016 14:23:43 -0800 

On 24/11/2016 13:09, RW wrote:

On Thu, 24 Nov 2016 11:33:19 +0100
Axb wrote:


On 11/24/2016 11:23 AM, Geoff Soper wrote:

For a few weeks I've been suffering spam messages with attachments
getting through with a suspicious score of 0.0. Upon inspection,
they all had the following lines in the header:

...
X-Spam-Status: No, score=0.0 required=3.0 tests=UNPARSEABLE_RELAY
     autolearn=unavailable version=3.3.2

Do you normally have a BAYES_* result in  X-Spam-Status? I think that
autolearn=unavailable implies that Bayes is configured to be on.

Try running one of these through spamassassin -D bayes

If you haven't already done it, set "bayes_auto_expire 0" and instead
run "sa-learn --force-expire" from cron (as the correct user).
OK, blindly following your suggestion yielded the following; does it tell you anything? 

Thanks!

-bash-3.2$ spamassassin -D bayes "Important Information.eml"
Dec 5 22:20:11.796 [30090] dbg: bayes: learner_new self=Mail::SpamAssassin::Plugin::Bayes=HASH(0xaa859f0), bayes_store_module=Mail::SpamAssassin::BayesStore::DBM Dec 5 22:20:11.803 [30090] dbg: bayes: learner_new: got store=Mail::SpamAssassin::BayesStore::DBM=HASH(0xacfea30) Dec 5 22:20:11.804 [30090] dbg: bayes: tie-ing to DB file R/O /var/www/vhosts/alphaworks.co.uk/.spamassassin/bayes_toks Dec 5 22:20:11.804 [30090] dbg: bayes: tie-ing to DB file R/O /var/www/vhosts/alphaworks.co.uk/.spamassassin/bayes_seen 
Dec  5 22:20:11.804 [30090] dbg: bayes: found bayes db version 3
Dec  5 22:20:11.804 [30090] dbg: bayes: DB journal sync: last sync: 0
Dec 5 22:20:11.805 [30090] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200 
Dec  5 22:20:11.805 [30090] dbg: bayes: untie-ing
Dec 5 22:20:11.807 [30090] dbg: bayes: tie-ing to DB file R/O /var/www/vhosts/alphaworks.co.uk/.spamassassin/bayes_toks Dec 5 22:20:11.807 [30090] dbg: bayes: tie-ing to DB file R/O /var/www/vhosts/alphaworks.co.uk/.spamassassin/bayes_seen 
Dec  5 22:20:11.808 [30090] dbg: bayes: found bayes db version 3
Dec  5 22:20:11.808 [30090] dbg: bayes: DB journal sync: last sync: 0
Dec 5 22:20:11.808 [30090] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200 
Dec  5 22:20:11.808 [30090] dbg: bayes: untie-ing
Dec 5 22:20:12.710 [30090] dbg: bayes: tie-ing to DB file R/W /var/www/vhosts/alphaworks.co.uk/.spamassassin/bayes_toks Dec 5 22:20:12.710 [30090] dbg: bayes: tie-ing to DB file R/W /var/www/vhosts/alphaworks.co.uk/.spamassassin/bayes_seen 
Dec  5 22:20:12.711 [30090] dbg: bayes: found bayes db version 3
Dec 5 22:20:12.711 [30090] dbg: bayes: 38b0ea13de18c1493d348447e5778b92e3bb542b@sa_generated already learnt correctly, not learning twice 
Dec  5 22:20:12.711 [30090] dbg: bayes: untie-ing
Dec  5 22:20:12.711 [30090] dbg: bayes: files locked, now unlocking lock
Return-Path: <mendez.derr...@cncvacation.com>
X-Spam-Relays-External:
X-Spam-Relays-Untrusted:
X-Spam-Flag: NO
X-Spam-Status: No, Score=0.0
X-Spam-Report:
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines 
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
        server.alphaworks.co.uk
X-Spam-Score: 0.0
X-Original-To: <removed>@alphaworks.co.uk
Delivered-To: <removed>@alphaworks.co.uk
X-No-Auth: unauthenticated sender
Received: (nullmailer pid 84240 invoked by uid 0334909);
        Fri, 25 Nov 2016 18:15:24 +0700
X-No-Auth: unauthenticated sender
Received: from internal (unknown [x.x.x.x])
Received: (nullmailer pid 84240 invoked by uid 0334909);
        Fri, 25 Nov 2016 18:15:24 +0700
To: <<removed>@alphaworks.co.uk>
Subject: *** VIRUS ***Important Information
X-PHP-Originating-Script: 0334909:SendMail.class.php
From: "Derrick Mendez" <mendez.derr...@cncvacation.com>
Date: Fri, 25 Nov 2016 18:15:24 +0700
MIME-Version: 1.0
Content-Type: multipart/related; boundary="e161521dd66255192e4d83eb2e8a112f"
Message-Id: <7009914603.543683.47189.sendm...@alphaworks.co.uk>
X-Procmail-Alphaworks-Geoff: 27/01/2014
X-Procmail-HeaderInclude: 27/01/2014
X-Procmail-Alphaworks-Whitelist: 27/01/2014
X-Procmail-DomainInclude: 27/01/2014
X-Procmail-Alphaworks-Blacklist: 27/01/2014
X-Procmail-BounceInclude: 27/01/2014
X-Procmail-DotInclude: 25/12/2009
X-Procmail-SpamAssassinInclude: 25/12/2009
X-Procmail-FooterInclude: 25/12/2009
X-Antivirus: avast! (VPS 161124-7, 24/11/2016), Inbound message
X-Antivirus-Status: Infected
X-Attachment: payment_<removed>.zip#2742364094|>HQ9eug679i3l.js Virus: JS:LockyDownloader [Trj] Deleted 

--e161521dd66255192e4d83eb2e8a112f
Content-type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Dear <removed>, your payment was not processed due to the =
problem with credentials.
Payment details are in the attached document.

Please check it out as soon as possible.
--e161521dd66255192e4d83eb2e8a112f--

-bash-3.2$

Reply via email to