Problem Email Again (retry)

Mike Kercher mike at CAMAROSS.NET
Fri Jun 17 03:16:57 IST 2005 

 

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Stephen Swaney
Sent: Thursday, June 16, 2005 8:41 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Problem Email Again (retry)

Mike Kercher wrote:

> 
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf
>Of Scott Silva
>Sent: Thursday, June 16, 2005 2:03 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Problem Email Again (retry)
>
>Mike Kercher said the following on 6/15/2005 4:53 PM:
>  
>
>>I tried attaching the problem qf/df pair and it was rejected so I have 
>>uploaded the archive here:
>>
>>http://www.abby.com/problem_email.tar.gz
>>
>>
>>
>>I emailed the list a week or so ago about certain emails getting stuck 
>>in /var/spool/mqueue.in, being processed over and over again.  It 
>>happened again today.  I restarted MailScanner in debug mode and 
>>didn't see anything useful there:
>>
>>Jun 15 18:39:11 mail sendmail[4248]: alias database /etc/aliases 
>>rebuilt by root
>>    
>>
>
>
>  
>
No problem here. Our results- Spam Score is off the map and it's also seen
as infected by Clam AV (PayPal phishing scheme):

Jun 16 21:10:55 tester3 MailScanner[32203]: Message j5FJvISb003617 from
66.163.175.82 (service at paypal.com) to abby.com is spam, SpamAssassin
(score=123.739, required 5, autolearn=spam, BAYES_50 0.00, DCC_CHECK 2.17,
DIGEST_MULTIPLE 0.10, FORGED_MUA_OUTLOOK 3.92, FORGED_OUTLOOK_HTML 0.63,
FORGED_OUTLOOK_TAGS 0.07, HTML_80_90 0.15, HTML_MESSAGE 0.00, MIME_HTML_ONLY
0.18, MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72, PYZOR_CHECK 3.45,
RAZOR2_CF_RANGE_51_100 0.06, RAZOR2_CHECK 1.51, RCVD_IN_BL_SPAMCOP_NET 1.22,
SARE_FORGED_PAYPAL 104.00, SARE_FORGED_PAYPAL_C 1.30, URIBL_OB_SURBL 3.21)
Jun 16 21:10:56 tester3 MailScanner[32203]: Spam Actions: message
j5FJvISb003617 actions are store
Jun 16 21:10:56 tester3 MailScanner[32203]: ClamAVModule::INFECTED:: 
HTML.Phishing.Pay-24:: ./j5FJvISb003617/msg-32203-2.html Jun 16 21:10:57
tester3 MailScanner[32203]: Infected message
j5FJvISb003617 came from 66.163.175.82
Jun 16 21:10:57 tester3 MailScanner[32203]: Saved entire message to
/var/spool/MailScanner/quarantine/20050616/j5FJvISb003617
Jun 16 21:10:57 tester3 MailScanner[32203]: Saved infected
"msg-32203-2.html" to
/var/spool/MailScanner/quarantine/20050616/j5FJvISb003617


what do your logs report when you try and feed it through?

Steve

Steve at fsl.com
www.fsl.com

------------------------ MailScanner list ------------------------ To
unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

------------------------ MailScanner list ------------------------ To
unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

------------------------------

This from my original post:

Jun 15 18:39:19 mail MailScanner[4285]: Message j5FJvISb003617 from
66.163.175.82 (service at paypal.com) to abby.com is spam, SpamAssassin
(score=12.606, required 5.7, AWL -0.01, BAYES_40 -1.10, DCC_CHECK 2.17,
DIGEST_MULTIPLE 0.10, FORGED_MUA_OUTLOOK 3.92, FORGED_OUTLOOK_HTML 0.63,
FORGED_OUTLOOK_TAGS 0.07, HTML_80_90 0.15, HTML_MESSAGE 0.00, MIME_HTML_ONLY
0.18, MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72, RAZOR2_CHECK 1.51,
URIBL_OB_SURBL 3.21) 

A score of 12.606 is beyond my High Scoring Spam threshold and would be
deleted by default as shown here:

Jun 15 18:39:19 mail MailScanner[4285]: Spam Checks: Found 1 spam messages 

Jun 15 18:39:19 mail MailScanner[4285]: Spam Actions: message j5FJvISb003617
actions are delete 

ClamAV also picks it up as a Phish.  So, it is being detected as both spam
(by SA) and as a virus (by ClamAV).  The problem is that it never leaves the
mqueue.in, so it gets processed over and over again.  The continuous
processing of the same message(s) drives the load up over 6 on this box when
it normally about .17 or so.

Mike

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list