Inbound doesn't catch Heuristics.Phishing.Email.SSL-Spoof, Outbound does

francis picabia fpicabia at gmail.com
Tue Sep 25 14:22:51 CEST 2012


On Mon, Sep 24, 2012 at 5:08 AM, Mark Martinec
<Mark.Martinec+amavis at ijs.si> wrote:
> Francis,
>
>> >> Here is a traced example of this problem.  The problem: a phishing block
>> >> is working only on outbound.  The inbound of the same email is not
>> >> being detected.
>>
>> > It is not the same message in these two cases,
>> > they have a different MIME structure. The second one
>> > is missing the multipart/related with a image/jpeg image.
>>
>> Sorry about that.  I think I've done a better trace this time.
>> New message comes in on the MX with low spam score.
>> When user attempts to report it to anti-spam and anti-fraud
>> addresses, it is blocked successfully.  Both systems have
>> Sanesecurity additions and I can see the MX is blocking many
>> emails (122 Blocked INFECTED on Sanesecurity.Scam4.1615.UNOFFICIAL
>> in recent days). Here is the log trace
>
> Again, it is not the same message:
>
> Inbound:
> p004 1 Content-Type: multipart/mixed
> p005 1/1 Content-Type: multipart/alternative
> p001 1/1/1 Content-Type: text/plain, size: 50 B, name:
> p002 1/1/2 Content-Type: text/html, size: 166 B, name:
> p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...
>
> Outbound:
> p004 1 Content-Type: multipart/mixed
> p005 1/1 Content-Type: multipart/alternative
> p001 1/1/1 Content-Type: text/plain, size: 6930 B, name:
> p002 1/1/2 Content-Type: text/html, size: 17524 B, name:
> p003 1/2 Content-Type: application/rtf, size: 2831 B, name: Please ...
>
> See sizes of text/plain and text/html MIME parts,
> they are quite different, although the application/rtf part
> seems to be the same.

I know it is not the same message.  It is a report of the spam in the forwarded
message.  It is the original message, plus "Sir, I have this phishing
scam to report...".

Therefore, if the detectable content was there on inbound, why is it
that only outbound can detect the phishing?
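Mark's observation can be checked mechanically: the amavis trace lists MIME parts with their sizes, so walking both messages and hashing each decoded leaf part shows which parts are byte-identical and which carry the forwarded report's extra text. The script below is an added example, not code from this thread or from amavis; the inbound and outbound messages are constructed samples built inside it.

```python
import hashlib
from email.message import EmailMessage

def build_sample(plain_text, html_text, rtf_bytes):
    """Build a constructed message with the layout seen in the amavis trace:
    multipart/mixed -> multipart/alternative (text/plain, text/html) + application/rtf.
    Hypothetical sample content, not the reporter's actual mail."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(plain_text)                     # becomes 1/1/1 text/plain
    msg.add_alternative(html_text, subtype="html")  # becomes 1/1/2 text/html
    msg.add_attachment(rtf_bytes, maintype="application", subtype="rtf",
                       filename="Please_read.rtf")  # becomes 1/2 application/rtf
    return msg

def part_tree(msg):
    """Walk the MIME tree and return [(path, content_type, decoded_size, sha256)],
    numbering parts the way the amavis log does ('1', '1/1', '1/1/2', ...).
    Multipart containers get size and digest None."""
    rows = []
    def walk(part, path):
        if part.is_multipart():
            rows.append((path, part.get_content_type(), None, None))
            for i, sub in enumerate(part.iter_parts(), 1):
                walk(sub, f"{path}/{i}")
        else:
            payload = part.get_payload(decode=True) or b""
            rows.append((path, part.get_content_type(), len(payload),
                         hashlib.sha256(payload).hexdigest()))
    walk(msg, "1")
    return rows

def compare_parts(inbound, outbound):
    """Pair leaf parts by path and report whether their decoded bytes are identical."""
    a = {p: (ct, d) for p, ct, _, d in part_tree(inbound) if d}
    b = {p: (ct, d) for p, ct, _, d in part_tree(outbound) if d}
    verdict = {}
    for path in sorted(set(a) | set(b)):
        if path not in a or path not in b:
            verdict[path] = "missing on one side"
        else:
            verdict[path] = "identical" if a[path] == b[path] else "differs"
    return verdict

# Constructed sample content: the outbound copy is the original plus the report note.
ORIGINAL_PLAIN = "Your account will be suspended. Open the attachment.\n"
ORIGINAL_HTML = "<p>Your account will be suspended. Open the attachment.</p>\n"
RTF = b"{\\rtf1\\ansi constructed attachment body}"
NOTE = "Sir, I have this phishing scam to report...\n\n"
inbound_msg = build_sample(ORIGINAL_PLAIN, ORIGINAL_HTML, RTF)
outbound_msg = build_sample(NOTE + ORIGINAL_PLAIN, "<p>" + NOTE + "</p>" + ORIGINAL_HTML, RTF)

if __name__ == "__main__":
    for label, m in (("Inbound", inbound_msg), ("Outbound", outbound_msg)):
        print(label)
        for path, ct, size, _ in part_tree(m):
            print(f"  {path:<6} {ct:<22} {'' if size is None else f'{size} B'}")
    print(compare_parts(inbound_msg, outbound_msg))
```

In the constructed case only the application/rtf part is identical on both sides; the text parts differ because the report's note was prepended, which is the same pattern as the sizes in the trace above.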