Viagra spam mail autolearned as ham, tagged score -1.64

Tom Hendrikx tom at whyscream.net
Fri Oct 19 09:46:33 CEST 2012


On 10/19/12 6:56 AM, matt wrote:
> 
> On 10/18/2012 02:03 PM, Tom Hendrikx wrote:
>> On 18/10/12 22:05, Nick Rosier wrote:
>>> matt wrote:
>>>> Hello all.
> 
> #####
> I had to truncate my reply because mailman bounced the message as
> "spam", probably due to the subject nature of what was being discussed.
> #####
> 
> In reply to Tom Hendrikx and Nick Rosier:
> 
> That's so weird!  When I manually fed the message in with
> spamassassin -D < /var/www/html/quack.eml, I get basically the same
> report as you guys do:
> 
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on cipixia.com
> X-Spam-Flag: YES
> X-Spam-Level: ******
> X-Spam-Status: Yes, score=6.4 required=5.0
>     tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,
>     HTML_MESSAGE,HTML_OBFUSCATE_05_10,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,
>     TO_NO_BRKTS_MSFT,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no
>     version=3.3.2
> X-Spam-Report:
>     * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> http://www.dnswl.org/, no
>     *      trust
>     *      [65.54.190.147 listed in list.dnswl.org]
>     *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>     *      [URIs: yreyronwuddengeg.com]
>     *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
>     *      [URIs: yreyronwuddengeg.com]
>     *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
>     *      [URIs: yreyronwuddengeg.com]
>     *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
> provider
>     *      (jeffcola2[at]hotmail.com)
>     *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in
> digit
>     *      (jeffcola2[at]hotmail.com
>     )
>     * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay
> domain
>     *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username
> ends in
>     *      digit (jeffcola2[at]hotmail.com)
>     *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
>     *  0.0 HTML_MESSAGE BODY: HTML included in message
>     *  2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
> X-Original-To: matt at cipixia.com
> ##############
> 
> But when the mail originally came to me and got sifted through
> amavisd-new, all that was reported in the maillog was:
> 
> Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG,
> <jeffcola2 at hotmail.com> -> <matt at cipixia.com>, No, score=-1.64
> tagged_above=-999 required=6.2
> tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
> FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
> HTML_OBFUSCATE_05_10=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
> RP_MATCHES_RCVD=-2.142, SPF_PASS=-0.001] autolearn=ham
> 
> 
> What could explain the discrepancy between amavisd-new's handling of it
> and spamassassin's manual invocation?  It looks like amavisd-new isn't
> consulting the dns blacklists for some reason :/
> 

I tested your message within an hour after you sent it to the list, and
at that time there were also no URIBLs that caught it. So I had the same
results as you initially had (except for the TO_NO_BRKTS_MSFT rule). The
URIBLs need to be fed spam to recognize these mails (f.i. from
spamtraps), so you simply received the message before the URIBLs caught up.

Other differences between manual invocation and amavisd could be because
you don't reload/restart after running sa-update, and possibly because of
the amavisd config (but neither of these has anything to do with the URIBL
stuff from above).

--
Tom
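The two reports quoted in this thread are in different formats (an X-Spam-Report header from the manual run, a SPAM-TAG maillog line from amavisd-new), which makes the discrepancy tedious to eyeball. Below is an added example, not code from the thread or from the amavisd-new or SpamAssassin projects, that parses both formats, takes the rule sets apart and separates the rules that depend on a DNS lookup at scan time (the URIBL_* and RCVD_IN_* names; treating those prefixes as "network rules" is an assumption made here, not something the thread states) from the rest. The sample input is the text of the two reports above, copied as constructed strings so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the two reports quoted in the thread:
# the X-Spam-Report block that `spamassassin -D < quack.eml` produced, and
# the SPAM-TAG line that amavisd-new wrote to the maillog for the same mail.
SA_REPORT = """\
X-Spam-Report:
    * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
    *      [65.54.190.147 listed in list.dnswl.org]
    *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    *      [URIs: yreyronwuddengeg.com]
    *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    *      [URIs: yreyronwuddengeg.com]
    *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
    *      [URIs: yreyronwuddengeg.com]
    *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
    *      (jeffcola2[at]hotmail.com)
    *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
    *      (jeffcola2[at]hotmail.com)
    * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
    *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
    *      digit (jeffcola2[at]hotmail.com)
    *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
"""

AMAVIS_LOG = (
    "Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG, "
    "<jeffcola2 at hotmail.com> -> <matt at cipixia.com>, No, score=-1.64 "
    "tagged_above=-999 required=6.2 tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, "
    "FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, "
    "HTML_OBFUSCATE_05_10=0.001, RCVD_IN_DNSWL_NONE=-0.0001, "
    "RP_MATCHES_RCVD=-2.142, SPF_PASS=-0.001] autolearn=ham"
)

# A report line that starts a rule looks like "*  1.8 URIBL_BLACK ...".
# Continuation lines ("*      [URIs: ...]") carry no score and are skipped.
_REPORT_RULE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")
# amavisd logs the hit rules as tests=[NAME=score, NAME=score, ...].
_AMAVIS_TESTS = re.compile(r"tests=\[([^\]]*)\]")
_AMAVIS_PAIR = re.compile(r"([A-Z][A-Z0-9_]*)=(-?\d+(?:\.\d+)?)")

# Assumption of this example: rules with these prefixes are decided by a DNS
# lookup at scan time (URI blocklists, received-IP lists), so two scans of the
# same message some time apart can legitimately disagree on them.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_")


def parse_sa_report(report: str) -> dict[str, float]:
    """Return {rule: score} from a SpamAssassin X-Spam-Report block."""
    hits = {}
    for line in report.splitlines():
        m = _REPORT_RULE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def parse_amavis_tests(logline: str) -> dict[str, float]:
    """Return {rule: score} from the tests=[...] field of an amavisd log line."""
    m = _AMAVIS_TESTS.search(logline)
    if not m:
        raise ValueError("no tests=[...] field in log line")
    return {name: float(score) for name, score in _AMAVIS_PAIR.findall(m.group(1))}


@dataclass
class ScanDiff:
    only_manual: dict[str, float] = field(default_factory=dict)
    only_amavis: dict[str, float] = field(default_factory=dict)
    manual_total: float = 0.0
    amavis_total: float = 0.0

    def network_only_delta(self) -> float:
        """Score the manual run gained purely from DNS-based rules."""
        return sum(s for r, s in self.only_manual.items()
                   if r.startswith(NETWORK_PREFIXES))

    def non_network_only_manual(self) -> list[str]:
        """Rules hit only manually that a blocklist lag cannot explain."""
        return sorted(r for r in self.only_manual
                      if not r.startswith(NETWORK_PREFIXES))


def compare_scans(manual: dict[str, float], amavis: dict[str, float]) -> ScanDiff:
    """Diff the rule sets of the two scans and recompute both totals."""
    return ScanDiff(
        only_manual={r: s for r, s in manual.items() if r not in amavis},
        only_amavis={r: s for r, s in amavis.items() if r not in manual},
        manual_total=round(sum(manual.values()), 1),
        amavis_total=round(sum(amavis.values()), 2),
    )


if __name__ == "__main__":
    diff = compare_scans(parse_sa_report(SA_REPORT), parse_amavis_tests(AMAVIS_LOG))
    print(f"manual total {diff.manual_total}, amavisd total {diff.amavis_total}")
    print("hit only by manual run   :", sorted(diff.only_manual))
    print("hit only by amavisd      :", sorted(diff.only_amavis))
    print("of which DNS-list score  :", diff.network_only_delta())
    print("needs another explanation:", diff.non_network_only_manual())
```

On the thread's data the recomputed totals reproduce the reported 6.4 and -1.64, the three URIBL_* hits account for 5.2 of the gap (consistent with the blocklists catching up after the first delivery), and TO_NO_BRKTS_MSFT is the one non-network rule left over, which is the kind of difference a stale ruleset or a differing configuration between the two scanners would produce rather than a DNS lag.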


More information about the amavis-users mailing list