Viagra spam mail autolearned as ham, tagged score -1.64

Nick Rosier nick.rosier at gmail.com
Thu Oct 18 22:05:53 CEST 2012


matt wrote:
> Hello all.
>
> I just received a 'male enhancement pharmacy' type spam email that 
> amavisd-new (v2.6.6) assigned a score of (-1.64).  It is possibly the 
> best designed html spam I've seen, and I don't see how Spamassassin 
> could have ever found it.
>
> Considering that Viagra type spam is probably the most prolific and 
> obvious, I find it alarming that such a mail could sail through the 
> filters (not to mention be autolearned as ham!) in this day and age.
>
> I wish to submit this mail to the list for study, but I'm not sure if 
> that's appropriate for this list or if there exists some sort of 
> established "send us your spam mail" outfit from Symantec or something 
> like that.
>
> But if anyone would care to see, I uploaded the intact .eml message as 
> saved by Thunderbird to my site at
>     http://cipixia.com/quack.eml
>
> Is using 'sa-learn --spam' on this message all that's required to 
> "unautolearn it" as ham?
>
Fed your mail to a SpamAssassin instance and it was tagged as spam:

X-Spam-ASN: AS8075 65.52.0.0/14
X-Spam-Report:
         *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
         *      [URIs: yreyronwuddengeg.com]
         *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
         *      [URIs: yreyronwuddengeg.com]
         *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
         *      [URIs: yreyronwuddengeg.com]
         *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
         *      (jeffcola2[at]hotmail.com)
         *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
         *      (jeffcola2[at]hotmail.com
         )
         * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
         *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
         *      digit (jeffcola2[at]hotmail.com)
         *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
         *  0.0 HTML_MESSAGE BODY: HTML included in message
         *  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
         *      http://www.chaosreigns.com/iprep/
         *  2.8 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.3 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,
         FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
         RCVD_NOT_IN_IPREPDNS,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
         URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=spam version=3.3.2
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.rkfomh.net

Can you show your report? Might be that the URI was not yet in 
blacklists... Or you might need to enable some extra rules.

N.
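
The point about the URI possibly not being listed yet can be checked against the report in this message. The following is an added example, not part of the original post: it parses the X-Spam-Report lines and recomputes the score with the URIBL_* hits left out. The function names are hypothetical; the report text and the required=5.0 value are copied from the headers above.

```python
import re
from decimal import Decimal

# X-Spam-Report lines copied from the message above (client line wraps joined).
REPORT = """\
 *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *      [URIs: yreyronwuddengeg.com]
 *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *      [URIs: yreyronwuddengeg.com]
 *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
 *      [URIs: yreyronwuddengeg.com]
 *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 *      (jeffcola2[at]hotmail.com)
 *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
 *      (jeffcola2[at]hotmail.com)
 * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 *      digit (jeffcola2[at]hotmail.com)
 *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
 *      http://www.chaosreigns.com/iprep/
 *  2.8 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
"""
REQUIRED = Decimal("5.0")  # required= value from the X-Spam-Status header above
# A scored line is "* <score> <RULE_NAME> ..."; continuation lines have no score.
RULE_LINE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")

def parse_report(text):
    """Return {rule_name: score} for every scored line in the report."""
    return {m.group(2): Decimal(m.group(1))
            for m in map(RULE_LINE.match, text.splitlines()) if m}

def total(hits):
    return sum(hits.values(), Decimal("0"))

def score_without(hits, prefix):
    """Score the message would get if no rule starting with `prefix` had fired."""
    return sum((s for n, s in hits.items() if not n.startswith(prefix)), Decimal("0"))

if __name__ == "__main__":
    hits = parse_report(REPORT)
    no_uribl = score_without(hits, "URIBL_")
    print(f"as reported:   {total(hits)} (required {REQUIRED})")
    print(f"without URIBL: {no_uribl} -> {'spam' if no_uribl >= REQUIRED else 'not tagged'}")
```

With the three URIBL_* hits removed, the same message scores 1.1 against required=5.0 on this instance, so a scan made before the domain was listed would not have tagged it.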
