Viagra spam mail autolearned as ham, tagged score -1.64

Tom Hendrikx tom at whyscream.net
Thu Oct 18 23:03:34 CEST 2012


On 18/10/12 22:05, Nick Rosier wrote:
> matt wrote:
>> Hello all.
>>
>> I just received a 'male enhancement pharmacy' type spam email that
>> amavisd-new (v2.6.6) assigned a score of (-1.64).  It is possibly the
>> best designed html spam I've seen, and I don't see how Spamassassin
>> could have ever found it.
>>
>> Considering that Viagra type spam is probably the most prolific and
>> obvious, I find it alarming that such a mail could sail through the
>> filters (not to mention be autolearned as ham!) in this day and age.
>>
>> I wish to submit this mail to the list for study, but I'm not sure if
>> that's appropriate for this list or if there exists some sort of
>> established "send us your spam mail" outfit from Symantec or something
>> like that.
>>
>> But if anyone would care to see, I uploaded the intact .eml message as
>> saved by Thunderbird to my site at
>>     http://cipixia.com/quack.eml
>>
>> Is using 'sa-learn --spam' on this message all that's required to
>> "unautolearn it" as ham?
>>
> fed your mail to spamassassin instance and it was tagged as spam:
> 
> X-Spam-ASN: AS8075 65.52.0.0/14
> X-Spam-Report:
>         *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>         *      [URIs: yreyronwuddengeg.com]
>         *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
> blocklist
>         *      [URIs: yreyronwuddengeg.com]
>         *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
>         *      [URIs: yreyronwuddengeg.com]
>         *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser
> mail provider
>         *      (jeffcola2[at]hotmail.com)
>         *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username
> ends in digit
>         *      (jeffcola2[at]hotmail.com
>         )
>         * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover
> relay domain
>         *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail
> username ends in
>         *      digit (jeffcola2[at]hotmail.com)
>         *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML
> obfuscation
>         *  0.0 HTML_MESSAGE BODY: HTML included in message
>         *  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
>         *      http://www.chaosreigns.com/iprep/
>         *  2.8 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft
> tool
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=6.3 required=5.0
> tests=FREEMAIL_ENVFROM_END_DIGIT,
>         FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,HTML_OBFUSCATE_05_10,
>         RCVD_NOT_IN_IPREPDNS,RP_MATCHES_RCVD,TO_NO_BRKTS_MSFT,URIBL_BLACK,
>         URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=spam version=3.3.2
> X-Spam-Level: ******
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.rkfomh.net
> 
> Can you show your report? Might be that the URI was not yet in
> blacklists... Or you might need to enable some extra rules.

I tried the same thing quite fast after matt sent his e-mail, and I had
the same result, minus the various DNSBLs. The only non-network test
that hit was the TO_NO_BRKTS_MSFT rule, which was not even
working/enabled on matt's setup. It's still a bit icky that you're fully
depending on external (DNSBL) data here...

--
Tom
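The point Tom raises above, that the spam verdict rests almost entirely on DNSBL/URIBL data, can be checked directly from the X-Spam-Report Nick posted. The script below is an added example, not part of the thread and not SpamAssassin's own code: it parses the rule lines of such a report, splits the hits into network-dependent and local rules, totals each side, and applies SpamAssassin's default autolearn thresholds to a score. The rule-name prefixes used to mark a rule as "network" are an assumption for illustration (SpamAssassin tracks this with the `net` tflag, which the report header does not show), and the autolearn function is a simplified model that omits SpamAssassin's extra conditions such as minimum header and body points for learning spam.

```python
"""Split a SpamAssassin X-Spam-Report into network and local rule scores.

Added example, not code from the thread or from SpamAssassin. It shows how
much of a verdict depends on external DNS data, and why a low score ends up
autolearned as ham.
"""
from __future__ import annotations

import re

# Constructed sample: the report Nick posted, with wrapped lines re-joined.
SAMPLE_REPORT = """\
*  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*      [URIs: yreyronwuddengeg.com]
*  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*      [URIs: yreyronwuddengeg.com]
*  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
*      [URIs: yreyronwuddengeg.com]
*  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
*      (jeffcola2[at]hotmail.com)
*  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
*      (jeffcola2[at]hotmail.com)
* -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
*  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit
*      (jeffcola2[at]hotmail.com)
*  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 RCVD_NOT_IN_IPREPDNS Sender not listed at
*      http://www.chaosreigns.com/iprep/
*  2.8 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
"""

# A scoring line looks like "*  1.8 RULE_NAME description"; continuation
# lines ("*      [URIs: ...]") carry no score and are skipped.
RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s")

# Assumption for illustration: rule families that need a DNS lookup.
# SpamAssassin's real marker is "tflags net", which the report does not expose.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "RCVD_NOT_IN_", "DNS_")


def parse_report(report: str) -> list[tuple[str, float]]:
    """Return (rule_name, score) pairs for every scoring line in the report."""
    rules = []
    for line in report.splitlines():
        match = RULE_LINE.match(line.strip())
        if match:
            rules.append((match.group(2), float(match.group(1))))
    return rules


def is_network_rule(name: str) -> bool:
    """Classify a rule as network-dependent by its name prefix (see assumption above)."""
    return name.startswith(NETWORK_PREFIXES)


def split_scores(report: str, threshold: float = 5.0) -> dict:
    """Total network and local scores separately and say whether the message
    would still cross `threshold` (SpamAssassin's default required_score) if
    every network test were unavailable."""
    network = local = 0.0
    for name, score in parse_report(report):
        if is_network_rule(name):
            network += score
        else:
            local += score
    return {
        "network": round(network, 2),
        "local": round(local, 2),
        "total": round(network + local, 2),
        "spam_without_network": round(local, 2) >= threshold,
    }


def autolearn_verdict(score: float, ham_threshold: float = 0.1,
                      spam_threshold: float = 12.0) -> str:
    """Simplified autolearn decision using SpamAssassin's default
    bayes_auto_learn_threshold_nonspam (0.1) and _spam (12.0). The real
    learner applies further conditions (minimum header/body points,
    rules excluded from learning), which are omitted here."""
    if score < ham_threshold:
        return "ham"
    if score >= spam_threshold:
        return "spam"
    return "no"


if __name__ == "__main__":
    summary = split_scores(SAMPLE_REPORT)
    print(summary)
    print("autolearn for matt's score -1.64:", autolearn_verdict(-1.64))
```

On Nick's report the network rules contribute 5.2 of the 6.3 points and the local rules only 1.1, so with the DNS-based lists removed the message does not reach the 5.0 threshold, which is Tom's point. Dropping TO_NO_BRKTS_MSFT as well, since it was not enabled on matt's setup, leaves -1.7, in the neighbourhood of the -1.64 matt saw (his exact rule set and scores may differ). A score that far below the 0.1 nonspam threshold is also why the message was autolearned as ham rather than merely missed.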
