HTML body changed??? - Different SA scores / SA and MA
Jan-Peter Koopmann
Jan-Peter.Koopmann at SECEIDOS.DE
Tue Mar 11 13:04:58 GMT 2003
Hi Julian,
I am still playing around with SpamAssassin and MailScanner a bit. Here
is something strange:
I took a junk mail and ran it through spamassassin -t. This is the
report:
Content analysis details: (25.80 points, 6 required)
X_PRIORITY_HIGH (1.9 points) Sent with 'X-Priority' set to high
BAYES_90 (2.9 points) BODY: Bayesian classifier says spam probability is 90 to 99%
    [score: 0.9815]
HTML_40_50 (0.4 points) BODY: Message is 40% to 50% HTML
HTML_IMAGE_ONLY_02 (1.5 points) BODY: HTML has images with 0-200 bytes of words
PYZOR_CHECK (1.2 points) Listed in Pyzor, see http://pyzor.sf.net/
DATE_IN_PAST_12_24 (0.1 points) Date: is 12 to 24 hours before Received: date
MSGID_OUTLOOK_TIME (4.4 points) Message-Id is fake (in Outlook Express format)
RCVD_FAKE_HELO_DOTCOM_2 (2.8 points) Received contains a faked HELO hostname (2)
RCVD_IN_NJABL (1.2 points) RBL: Received via a relay in dnsbl.njabl.org
    [RBL check: found 3.160.178.202.dnsbl.njabl.org.,]
    [type: 127.0.0.9]
RCVD_IN_OSIRUSOFT_COM (0.5 points) RBL: Received via a relay in relays.osirusoft.com
    [RBL check: found 3.160.178.202.relays.osirusoft.com., type: 127.0.0.3]
RCVD_IN_BL_SPAMCOP_NET (4.0 points) RBL: Received via a relay in bl.spamcop.net
    [RBL check: found 3.160.178.202.bl.spamcop.net.]
RCVD_IN_DSBL (4.3 points) RBL: Received via a relay in list.dsbl.org
    [RBL check: found 3.160.178.202.list.dsbl.org.]
PRIORITY_NO_NAME (0.6 points) Message has priority setting, but no X-Mailer
Then I fed exactly the same file into my system using exim -t < msg.txt.
This is what SA/MS found:
X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6,
AWL,
BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)
MailScanner/SpamAssassin changed HTML_40_50 to HTML_20_30. Why/How?
Moreover it shows HTML_IMAGE_ONLY_06 and not _02. Obviously something
changed the HTML source. I cannot see an Iframe tag anywhere. Moreover
the PYZOR_CHECK is missing which also indicates that the body has been
altered by MailScanner.
This is the body of the msg.file:
This is a multi-part message in MIME format.
------_=_NextPart_001_01C2E70F.C1B22B00
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<http://datematch.org/dateme/> I can't wait to meet =
8421PFsC8-249DRPN4997MsTV2-l25=20
------_=_NextPart_001_01C2E70F.C1B22B00
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<center>
<a href=3D"http://datematch.org/dateme/">
I can't wait to meet
<img src=3D"http://dateme.coolfreepages.com/date.jpg"
</a>
8421PFsC8-249DRPN4997MsTV2-l25
------_=_NextPart_001_01C2E70F.C1B22B00--
Thanks,
JP
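
A comparison helper for the two outputs quoted in the post, as an added example that is not part of the original message or of MailScanner/SpamAssassin: it parses the `spamassassin -t` report and the X-MailScanner-SpamCheck header, then lists rules that fired in only one run and pairs variants that differ only in their numeric suffix. The function names and the suffix-pairing heuristic are assumptions of this example; the sample input is abridged from the post.

```python
import re

# Sample input: abridged from the two outputs quoted in the post (descriptions trimmed).
SA_REPORT = """Content analysis details: (25.80 points, 6 required)
X_PRIORITY_HIGH (1.9 points) Sent with 'X-Priority' set to high
BAYES_90 (2.9 points) BODY: Bayesian classifier says spam
HTML_40_50 (0.4 points) BODY: Message is 40% to 50% HTML
HTML_IMAGE_ONLY_02 (1.5 points) BODY: HTML has images with 0-200 bytes
PYZOR_CHECK (1.2 points) Listed in Pyzor
DATE_IN_PAST_12_24 (0.1 points) Date: is 12 to 24 hours before
MSGID_OUTLOOK_TIME (4.4 points) Message-Id is fake
RCVD_FAKE_HELO_DOTCOM_2 (2.8 points) Received contains a faked HELO
RCVD_IN_NJABL (1.2 points) RBL: Received via a relay in
[RBL check: found 3.160.178.202.dnsbl.njabl.org.,]
RCVD_IN_OSIRUSOFT_COM (0.5 points) RBL: Received via a relay in
RCVD_IN_BL_SPAMCOP_NET (4.0 points) RBL: Received via a relay in
RCVD_IN_DSBL (4.3 points) RBL: Received via a relay in
PRIORITY_NO_NAME (0.6 points) Message has priority setting"""
MS_HEADER = """X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6,
 AWL,
 BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
 MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
 RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
 RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)"""

RULE_LINE = re.compile(r"^([A-Z][A-Z0-9_]+) \((-?[\d.]+) points?\)", re.M)
SUFFIX = re.compile(r"(_\d+)+$")  # numeric bucket suffix: HTML_40_50 -> HTML

def parse_report(text):
    """Map rule name -> score; wrapped description and [detail] lines are skipped."""
    return {name: float(score) for name, score in RULE_LINE.findall(text)}

def parse_header(header):
    """Return the set of rule names listed in an X-MailScanner-SpamCheck header."""
    inner = header[header.index("(") + 1 : header.rindex(")")]
    fields = [f.strip() for f in inner.split(",")]
    return {f for f in fields if re.fullmatch(r"[A-Z][A-Z0-9_]+", f)}

def compare(report, header):
    """Return (bucket shifts, rules only in the direct run, rules only via MailScanner)."""
    direct, scanned = set(parse_report(report)), parse_header(header)
    only_d, only_s = direct - scanned, scanned - direct
    shifted = sorted((d, s) for d in only_d for s in only_s
                     if SUFFIX.sub("", d) == SUFFIX.sub("", s))
    paired = {rule for pair in shifted for rule in pair}
    return shifted, sorted(only_d - paired), sorted(only_s - paired)

if __name__ == "__main__":
    shifted, missing, extra = compare(SA_REPORT, MS_HEADER)
    print("bucket changed:", shifted)
    print("only in direct run:", missing, "| only via MailScanner:", extra)
```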