Odd missing X-Spam-Status: Yes header

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Fri Oct 28 09:42:44 IST 2005


Jim

This is the reason why Julian put in the organization name into the
X-MailScanner headers. Some virus writer had figured out a lot of people
were using the fact it had been scanned by an MS system and people were
trusting that based on the header information. So Jules has to make the MS
headers more unique to close that.

I also think this is when we all realized how many MS installations are out
there; if the virus writers are exploiting your system to fool another system
into letting malware through I think you've 'arrived', as it were ;-)

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Jim Davis
> Sent: 27 October 2005 19:14
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: [MAILSCANNER] Odd missing X-Spam-Status: Yes header
> 
> This slipped by my procmail filter; it looks like the spammer added a fake
> spamassassin block to the headers...
> 
> >From emala at abrilpesquisa.com.br Thu Oct 27 11:01:09 2005
> >Return-Path: <wwwrun at h8884.serverkompetenz.net>
> >Received: from hackberry.cs.arizona.edu (hackberry.cs.arizona.edu
> >    [192.12.69.6])
> >	by email.cs.arizona.edu (8.13.3/8.13.3) with ESMTP id j9RAM85n048192
> >	for <jdavis at hackberry.cs.arizona.edu>; Thu, 27 Oct 2005 03:22:08 -0700 (MST)
> >	(envelope-from wwwrun at h8884.serverkompetenz.net)
> >Received: from cheltenham.cs.arizona.edu (cheltenham.cs.arizona.edu
> >    [192.12.69.60])
> >	by hackberry.cs.arizona.edu (Postfix) with ESMTP id 3D2E7D4081E
> >	for <jdavis at hackberry.cs.arizona.edu>; Thu, 27 Oct 2005 03:22:07 -0700 (MST)
> >Received: from h8884.serverkompetenz.net (h8884.serverkompetenz.net
> >    [81.169.187.232])
> >	by cheltenham.cs.arizona.edu (8.13.4/8.13.4) with ESMTP id j9RAM3CY081643
> >	for <jdavis at cs.arizona.edu>; Thu, 27 Oct 2005 03:22:03 -0700 (MST)
> >	(envelope-from wwwrun at h8884.serverkompetenz.net)
> >Received: by h8884.serverkompetenz.net (Postfix, from userid 30)
> >	id C039B177290; Thu, 27 Oct 2005 12:38:09 +0200 (CEST)
> >X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on localhost
> >From: Pesquisa Nacional Abril 2005 <emala at abrilpesquisa.com.br>
> >To: jdavis at CS.Arizona.EDU
> >Subject: Responda e concorra gratuitamente a um Palio Adventure 1.8
> >X-Priority: 1
> >X-MSMail-Priority: Normal
> >X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> 
> ...right about here:
> 
> >X-Spam-Checker-Version: SpamAssassin 3.0.3-spambr_20030926a (2005-04-27) on
> >        localhost
> >X-Spam-Status: No, score=-105.5 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00,
> >        BR_CURSO_BODY,HTML_80_90,HTML_FONT_BIG,HTML_FONT_FACE_BAD,
> >        HTML_MESSAGE,HTML_NONELEMENT_00_10,HTML_TAG_EXIST_TBODY,
> >        USER_IN_WHITELIST autolearn=ham version=3.0.3-spambr_20030926a, Yes
> >Content-type: text/html
> >Message-Id: <20051027103809.C039B177290 at h8884.serverkompetenz.net>
> >Date: Thu, 27 Oct 2005 12:38:09 +0200 (CEST)
> 
> While this is the real thing our local server added:
> 
> >X-CS-MailScanner-SpamCheck: spam, SpamAssassin (score=11.692, required 5,
> >	BAYES_99 3.50, DNS_FROM_RFC_ABUSE 0.20, FORGED_MUA_OUTLOOK 4.06,
> >	FORGED_OUTLOOK_HTML 2.71, HTML_90_100 0.11, HTML_MESSAGE 0.00,
> >	MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00,
> >	NORMAL_HTTP_TO_IP 0.17, RAZOR2_CHECK 0.50, X_PRIORITY_HIGH 0.43)
> >X-Spam-Level: ***********
> >X-Spam-Flag: YES
> >
> >
> >
> ><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> [...]
> 
> With
> 
> High Scoring Spam Actions = header "X-Spam-Status: Yes" header
> "X-Spam-Flag: YES" attachment deliver
> 
> then there should have been a 'X-Spam-Status: Yes' header added (and the
> spam itself should have been wrapped in an attachment, but that's still
> not working).  Could the bogus 'X-Spam-Status: No' header somehow have
> interfered with that?
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!
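The problem Jim describes is that a generic header such as X-Spam-Status can be written by any upstream host, including the sender, so a procmail rule keyed on it trusts whoever wrote it last. The check below, as an added example that is not code from the thread or from MailScanner, reads the verdict only from the site-specific header (X-CS-MailScanner-SpamCheck, the name seen in the quoted message; assumed here) and reports any generic X-Spam-* header that contradicts it. The sample message is constructed and only modelled on the quoted headers.

```python
# Added example (not MailScanner's code): the site-specific header is the
# only trusted verdict; generic X-Spam-* headers that disagree are flagged.
from email import message_from_string
from email.policy import default

# Assumed names: site-specific header from the quoted message; generic ones
# any upstream host (or a spammer) can write before our scanner runs.
LOCAL_VERDICT_HEADER = "X-CS-MailScanner-SpamCheck"
GENERIC_HEADERS = ("X-Spam-Status", "X-Spam-Flag")

def _first_token(value):
    """'spam, SpamAssassin (...)' -> 'spam'; 'No, score=...' -> 'no'."""
    return value.split(",", 1)[0].strip().lower()

def local_verdict(msg):
    """'spam', 'clean', or None if our own scanner never saw the message."""
    value = msg.get(LOCAL_VERDICT_HEADER)
    if value is None:
        return None
    return "spam" if _first_token(value) == "spam" else "clean"

def generic_claims(msg):
    """(header name, verdict it asserts) for every generic spam header."""
    return [(name, "spam" if _first_token(v) == "yes" else "clean")
            for name in GENERIC_HEADERS for v in msg.get_all(name, [])]

def audit(raw):
    """Return (our verdict, generic headers contradicting it)."""
    msg = message_from_string(raw, policy=default)  # default policy unfolds headers
    verdict = local_verdict(msg)
    conflicts = [n for n, claim in generic_claims(msg)
                 if verdict is not None and claim != verdict]
    return verdict, conflicts

# Constructed sample modelled on the quoted message: a sender-supplied folded
# "X-Spam-Status: No" (with a stray trailing "Yes") ahead of our own headers.
SAMPLE_RAW = """\
Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.org
From: someone <someone@example.net>
X-Spam-Status: No, score=-105.5 required=3.0 tests=ALL_TRUSTED,AWL,
	USER_IN_WHITELIST autolearn=ham version=3.0.3,
	Yes
X-CS-MailScanner-SpamCheck: spam, SpamAssassin (score=11.692, required 5,
	BAYES_99 3.50, FORGED_MUA_OUTLOOK 4.06)
X-Spam-Flag: YES

<html><body>constructed body</body></html>
"""
```

Running audit(SAMPLE_RAW) gives ('spam', ['X-Spam-Status']): the local verdict stands and the foreign header is reported, which is the signal a mail filter should act on instead of a bare X-Spam-Status match.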


