Viagra spam mail autolearned as ham, tagged score -1.64

matt matt at cipixia.com
Fri Oct 19 22:23:47 CEST 2012



On 10/19/2012 12:46 AM, Tom Hendrikx wrote:
> On 10/19/12 6:56 AM, matt wrote:
>>
>> On 10/18/2012 02:03 PM, Tom Hendrikx wrote:
>>> On 18/10/12 22:05, Nick Rosier wrote:
>>>> matt wrote:
>>>>> Hello all.
>>
>> #####
>> I had to truncate my reply because mailman bounced the message as
>> "spam", probably due to the subject nature of what was being discussed.
>> #####
>>
>> In reply to Tom Hendrikx and Nick Rosier:
>>
>> That's so weird!  When I manually fed the message in with spamassassin -D <
>> /var/www/html/quack.eml, I get basically the same report as you guys do:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on cipixia.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ******
>> X-Spam-Status: Yes, score=6.4 required=5.0
>>      tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,
>>      HTML_MESSAGE,HTML_OBFUSCATE_05_10,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,
>>      TO_NO_BRKTS_MSFT,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_WS_SURBL
>>      autolearn=no version=3.3.2
>> X-Spam-Report:
>>      * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
>>      *      [65.54.190.147 listed in list.dnswl.org]
>>      *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>      *      [URIs: yreyronwuddengeg.com]
>>      *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
>>      *      [URIs: yreyronwuddengeg.com]
>>      *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
>>      *      [URIs: yreyronwuddengeg.com]
>>      *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
>>      *      (jeffcola2[at]hotmail.com)
>>      *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
>>      *      (jeffcola2[at]hotmail.com)
>>      * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>>      *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
>>      *      digit (jeffcola2[at]hotmail.com)
>>      *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
>>      *  0.0 HTML_MESSAGE BODY: HTML included in message
>>      *  2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
>> X-Original-To: matt at cipixia.com
>> ##############
>>
>> But when the mail originally came to me and got sifted through amavisd-new,
>> all that was reported in the maillog was:
>>
>> Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG,
>> <jeffcola2 at hotmail.com> -> <matt at cipixia.com>, No, score=-1.64
>> tagged_above=-999 required=6.2 tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25,
>> FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
>> HTML_OBFUSCATE_05_10=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.142,
>> SPF_PASS=-0.001] autolearn=ham
>>
>>
>> What could explain the discrepancy between amavisd-new's handling of it and
>> spamassassin's manual invocation?  It looks like amavisd-new isn't consulting
>> the DNS blacklists for some reason :/
>>
>
> I tested your message within an hour after you sent it to the list, and
> at that time there were also no URIBLs that caught it. So I had the same
> results as you initially had (except for the TO_NO_BRKTS_MSFT rule). The
> URIBLs need to be fed spam to recognize these mails (f.i. from
> spamtraps), so you simply received the message before the URIBLs caught up.
>
> Other differences between manual invocation and amavisd could be because
> you don't reload/restart after running sa-update, and possibly amavisd
> config (but both of these have nothing to do with the URIBL stuff from
> above).
>
> --
> Tom
>

OK cool, I feel much better now knowing there wasn't really a problem with my setup, just
that the spam was too new to be blacklisted.  Thanks for clearing that up :)
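
The check Tom describes, done mechanically, as an added example that is not part of this thread and not code from amavisd-new or SpamAssassin: parse the delivery-time amavisd SPAM-TAG log line and the later X-Spam-Report from the manual rescan, diff the rule sets, and separate the rules that only fired on rescan into ones that depend on an external DNS list (URIBL, RBL lookups) and everything else. If the extra points come almost entirely from list-dependent rules, the message was simply received before the lists caught up; points from non-list rules (here TO_NO_BRKTS_MSFT) are what would actually point at a configuration difference between amavisd and the manual run. The two sample inputs are transcribed from the reports quoted above (addresses de-obfuscated to user@host), and the prefix list used to classify rules as list-dependent is an assumption of this example.

```python
import re
from typing import Dict, Set

# Constructed sample input, transcribed from the two reports in this thread
# (addresses de-obfuscated from "user at host" to "user@host"): the amavisd-new
# SPAM-TAG log line written at delivery time, and the X-Spam-Report from the
# later manual rescan of the same message with "spamassassin -D".
AMAVIS_LOG_LINE = (
    "Oct 18 14:12:24 cipixia.com amavis[2072]: (02072-19) SPAM-TAG, "
    "<jeffcola2@hotmail.com> -> <matt@cipixia.com>, No, score=-1.64 "
    "tagged_above=-999 required=6.2 tests=[FREEMAIL_ENVFROM_END_DIGIT=0.25, "
    "FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, "
    "HTML_OBFUSCATE_05_10=0.001, RCVD_IN_DNSWL_NONE=-0.0001, "
    "RP_MATCHES_RCVD=-2.142, SPF_PASS=-0.001] autolearn=ham"
)

RESCAN_REPORT = """\
 * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
 *      [65.54.190.147 listed in list.dnswl.org]
 *  1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *      [URIs: yreyronwuddengeg.com]
 *  1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *      [URIs: yreyronwuddengeg.com]
 *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
 *      [URIs: yreyronwuddengeg.com]
 *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 *      (jeffcola2[at]hotmail.com)
 *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
 *      (jeffcola2[at]hotmail.com)
 * -2.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 *      digit (jeffcola2[at]hotmail.com)
 *  0.0 HTML_OBFUSCATE_05_10 BODY: Message is 5% to 10% HTML obfuscation
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  2.9 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
"""

# Rule-name prefixes whose verdict depends on an external DNS list at scan time,
# so they can legitimately differ between a delivery-time scan and a later rescan.
# This prefix list is an assumption of the example, not a SpamAssassin definition.
LIST_DEPENDENT_PREFIXES = ("URIBL_", "RCVD_IN_", "DNS_FROM_")

AMAVIS_TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")
# Matches a rule line "* <score> <RULE_NAME> ..."; continuation lines start with
# "[" or "(" after the asterisk and are deliberately not matched.
REPORT_LINE_RE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)")


def parse_amavis_tests(log_line: str) -> Dict[str, float]:
    """Extract {rule: score} from the tests=[...] field of an amavisd SPAM-TAG line."""
    m = AMAVIS_TESTS_RE.search(log_line)
    if not m:
        raise ValueError("no tests=[...] field in log line")
    scores: Dict[str, float] = {}
    for item in m.group(1).split(","):
        name, _, value = item.strip().partition("=")
        if name:
            scores[name] = float(value)
    return scores


def parse_sa_report(report: str) -> Dict[str, float]:
    """Extract {rule: score} from X-Spam-Report lines, skipping continuation lines."""
    scores: Dict[str, float] = {}
    for line in report.splitlines():
        m = REPORT_LINE_RE.match(line)
        if m:
            scores[m.group(2)] = float(m.group(1))
    return scores


def compare_scans(delivery: Dict[str, float], rescan: Dict[str, float]) -> dict:
    """Diff the two rule sets and split the rules that are new in the rescan into
    list-dependent ones (expected to drift as DNS lists catch up) and the rest,
    which are the ones worth investigating as a real configuration difference."""
    only_rescan: Set[str] = set(rescan) - set(delivery)
    only_delivery: Set[str] = set(delivery) - set(rescan)
    list_dependent = {r for r in only_rescan if r.startswith(LIST_DEPENDENT_PREFIXES)}
    return {
        "delivery_score": round(sum(delivery.values()), 2),
        "rescan_score": round(sum(rescan.values()), 1),
        "only_in_rescan": only_rescan,
        "only_in_delivery": only_delivery,
        "list_dependent_new": list_dependent,
        "other_new": only_rescan - list_dependent,
        "list_dependent_points": round(sum(rescan[r] for r in list_dependent), 1),
    }


if __name__ == "__main__":
    result = compare_scans(parse_amavis_tests(AMAVIS_LOG_LINE),
                           parse_sa_report(RESCAN_REPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the thread's data this attributes 5.2 of the 8-point swing to the three URIBL hits that did not exist at delivery time, leaves TO_NO_BRKTS_MSFT as the only non-list rule that differs, and shows SPF_PASS fired only inside amavisd, which is what you would expect when the manual run lacks the envelope information amavisd passes along. Run it against your own maillog line and a fresh `spamassassin -D` report before concluding that amavisd is skipping DNS lookups.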


More information about the amavis-users mailing list