HTML body changed??? - Different SA scores / SA and MA

Julian Field mailscanner at ecs.soton.ac.uk
Tue Mar 11 14:16:30 GMT 2003


There is currently a little problem in the MS->SA interface for Exim. It's
not very serious but can cause test results that differ a bit from what you
expect. There is a fix for it, but I want to do some more testing on it
first to be sure it won't break anything else.

At 13:04 11/03/2003, you wrote:
>Hi Julian,
>
>I am still playing around with SpamAssassin and MailScanner a bit. Here
>is something strange:
>
>I took a junk mail and ran it through spamassassin -t. This is the
>report:
>
>
>Content analysis details:   (25.80 points, 6 required)
>X_PRIORITY_HIGH    (1.9 points)  Sent with 'X-Priority' set to high
>BAYES_90           (2.9 points)  BODY: Bayesian classifier says spam
>probability is 90 to 99%
>                    [score: 0.9815]
>HTML_40_50         (0.4 points)  BODY: Message is 40% to 50% HTML
>HTML_IMAGE_ONLY_02 (1.5 points)  BODY: HTML has images with 0-200 bytes
>of words
>PYZOR_CHECK        (1.2 points)  Listed in Pyzor, see
>http://pyzor.sf.net/
>DATE_IN_PAST_12_24 (0.1 points)  Date: is 12 to 24 hours before
>Received: date
>MSGID_OUTLOOK_TIME (4.4 points)  Message-Id is fake (in Outlook Express
>format)
>RCVD_FAKE_HELO_DOTCOM_2 (2.8 points)  Received contains a faked HELO
>hostname (2)
>RCVD_IN_NJABL      (1.2 points)  RBL: Received via a relay in
>dnsbl.njabl.org
>                    [RBL check: found 3.160.178.202.dnsbl.njabl.org.,]
>                    [type: 127.0.0.9]
>RCVD_IN_OSIRUSOFT_COM (0.5 points)  RBL: Received via a relay in
>relays.osirusoft.com
>                    [RBL check: found
>3.160.178.202.relays.osirusoft.com., type: 127.0.0.3]
>RCVD_IN_BL_SPAMCOP_NET (4.0 points)  RBL: Received via a relay in
>bl.spamcop.net
>                    [RBL check: found 3.160.178.202.bl.spamcop.net.]
>RCVD_IN_DSBL       (4.3 points)  RBL: Received via a relay in
>list.dsbl.org
>                    [RBL check: found 3.160.178.202.list.dsbl.org.]
>PRIORITY_NO_NAME   (0.6 points)  Message has priority setting, but no
>X-Mailer
>
>
>Then I fed exactly the same file into my system using exim -t < msg.txt.
>This is what SA/MS found:
>
>X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6,
>AWL,
>         BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
>         MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
>         RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
>         RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)
>
>
>MailScanner/SpamAssassin changed HTML_40_50 to HTML_20_30. Why/How?
>Moreover it shows HTML_IMAGE_ONLY_06 and not _02. Obviously something
>changed the HTML source. I cannot see an Iframe tag anywhere. Moreover
>the PYZOR_CHECK is missing which also indicates that the body has been
>altered by MailScanner.
>
>This is the body of the msg.file:
>
>This is a multi-part message in MIME format.
>
>------_=_NextPart_001_01C2E70F.C1B22B00
>Content-Type: text/plain;
>         charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>
>  <http://datematch.org/dateme/> I can't wait to meet  =
>8421PFsC8-249DRPN4997MsTV2-l25=20
>
>------_=_NextPart_001_01C2E70F.C1B22B00
>Content-Type: text/html;
>         charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>
>
><META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
>charset=3Diso-8859-1">
><center>
><a href=3D"http://datematch.org/dateme/">
>I can't wait to meet
><img src=3D"http://dateme.coolfreepages.com/date.jpg"
></a>
>
>8421PFsC8-249DRPN4997MsTV2-l25
>
>------_=_NextPart_001_01C2E70F.C1B22B00--
>
>
>Thanks,
>   JP

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
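
One way to compare the two results quoted in this thread, as an added example that is not part of the original messages or of MailScanner/SpamAssassin: it parses the `spamassassin -t` details table and the X-MailScanner-SpamCheck header and separates rules that moved to a different numeric bucket from rules that appear on one side only. The function names and the "family" heuristic (stripping trailing numeric suffixes from rule names) are assumptions made for this illustration.

```python
import re
# Constructed sample: rule names and points from the thread, descriptions shortened.
SA_REPORT = """\
X_PRIORITY_HIGH    (1.9 points)  Sent with 'X-Priority' set to high
BAYES_90           (2.9 points)  BODY: Bayesian classifier says spam
HTML_40_50         (0.4 points)  BODY: Message is 40% to 50% HTML
HTML_IMAGE_ONLY_02 (1.5 points)  BODY: HTML has images with 0-200 bytes
PYZOR_CHECK        (1.2 points)  Listed in Pyzor
DATE_IN_PAST_12_24 (0.1 points)  Date: is 12 to 24 hours before
MSGID_OUTLOOK_TIME (4.4 points)  Message-Id is fake
RCVD_FAKE_HELO_DOTCOM_2 (2.8 points)  Received contains a faked HELO
RCVD_IN_NJABL      (1.2 points)  RBL: relay in dnsbl.njabl.org
RCVD_IN_OSIRUSOFT_COM (0.5 points)  RBL: relay in relays.osirusoft.com
RCVD_IN_BL_SPAMCOP_NET (4.0 points)  RBL: relay in bl.spamcop.net
RCVD_IN_DSBL       (4.3 points)  RBL: relay in list.dsbl.org
PRIORITY_NO_NAME   (0.6 points)  Message has priority setting
"""
MS_HEADER = """\
X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6, AWL,
 BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
 MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
 RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
 RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)
"""
RULE = r"[A-Z][A-Z0-9_]*"

def report_rules(text):
    # Map rule name -> points from the 'spamassassin -t' details table.
    hits = re.findall(rf"^({RULE})\s+\((-?[\d.]+) points\)", text, re.M)
    return {name: float(pts) for name, pts in hits}

def header_rules(header):
    # Unfold the header, then keep only rule-name tokens inside the parentheses.
    inner = re.search(r"\((.*)\)", " ".join(header.split())).group(1)
    return {t.strip() for t in inner.split(",") if re.fullmatch(RULE, t.strip())}

def family(rule):
    # Assumption for this example: trailing numbers are a bucket (HTML_40_50 -> HTML).
    return re.sub(r"(_\d+)+$", "", rule)

def compare(report, header):
    # Returns (bucket shifts, rules only in the CLI run, rules only in the header).
    cli, ms = set(report_rules(report)), header_rules(header)
    only_cli, only_ms = cli - ms, ms - cli
    shifted = sorted((a, b) for a in only_cli for b in only_ms if family(a) == family(b))
    moved = {r for pair in shifted for r in pair}
    return shifted, sorted(only_cli - moved), sorted(only_ms - moved)

print(compare(SA_REPORT, MS_HEADER))
```

On the sample, the two HTML rules show up as bucket shifts, PYZOR_CHECK appears only in the command-line run, and AWL appears only in the MailScanner header.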


