Odd missing X-Spam-Status: Yes header
Julian Field
MailScanner at ecs.soton.ac.uk
Fri Oct 28 09:59:25 IST 2005
The only time MailScanner actually uses the contents of any of the
headers is when deciding to sign (add inline.sig.* to) messages. It
uses the local MailScanner header to work out if it has already been
through one of your MailScanner servers. And the envelope-from is
added for SPF checks in SpamAssassin. But that's it.
No scanning can be bypassed by the spammers or virus writers putting
anything in the headers.
On 28 Oct 2005, at 09:42, Martin Hepworth wrote:
> Jim
>
> This is the reason why Julian put the organization name into the
> X-MailScanner headers. Some virus writer had figured out a lot of people
> were using the fact it had been scanned by an MS system and people were
> trusting that based on the header information. So Jules had to make the MS
> headers more unique to close that.
>
> I also think this is when we all realized how many MS installations are out
> there; if the virus writers are exploiting your system to fool another system
> into letting malware through I think you've 'arrived' as it were ;-)
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>> Behalf Of Jim Davis
>> Sent: 27 October 2005 19:14
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: [MAILSCANNER] Odd missing X-Spam-Status: Yes header
>>
>> This slipped by my procmail filter; it looks like the spammer added a fake
>> spamassassin block to the headers...
>>
>>> From emala at abrilpesquisa.com.br Thu Oct 27 11:01:09 2005
>>> Return-Path: <wwwrun at h8884.serverkompetenz.net>
>>> Received: from hackberry.cs.arizona.edu (hackberry.cs.arizona.edu [192.12.69.6])
>>> by email.cs.arizona.edu (8.13.3/8.13.3) with ESMTP id j9RAM85n048192
>>> for <jdavis at hackberry.cs.arizona.edu>; Thu, 27 Oct 2005 03:22:08 -0700 (MST)
>>> (envelope-from wwwrun at h8884.serverkompetenz.net)
>>> Received: from cheltenham.cs.arizona.edu (cheltenham.cs.arizona.edu [192.12.69.60])
>>> by hackberry.cs.arizona.edu (Postfix) with ESMTP id 3D2E7D4081E
>>> for <jdavis at hackberry.cs.arizona.edu>; Thu, 27 Oct 2005 03:22:07 -0700 (MST)
>>> Received: from h8884.serverkompetenz.net (h8884.serverkompetenz.net [81.169.187.232])
>>> by cheltenham.cs.arizona.edu (8.13.4/8.13.4) with ESMTP id j9RAM3CY081643
>>> for <jdavis at cs.arizona.edu>; Thu, 27 Oct 2005 03:22:03 -0700 (MST)
>>> (envelope-from wwwrun at h8884.serverkompetenz.net)
>>> Received: by h8884.serverkompetenz.net (Postfix, from userid 30)
>>> id C039B177290; Thu, 27 Oct 2005 12:38:09 +0200 (CEST)
>>> X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on localhost
>>> From: Pesquisa Nacional Abril 2005 <emala at abrilpesquisa.com.br>
>>> To: jdavis at CS.Arizona.EDU
>>> Subject: Responda e concorra gratuitamente a um Palio Adventure 1.8
>>> X-Priority: 1
>>> X-MSMail-Priority: Normal
>>> X-Mailer: Microsoft Outlook Express 6.00.2800.1437
>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>>
>> ...right about here:
>>
>>> X-Spam-Checker-Version: SpamAssassin 3.0.3-spambr_20030926a (2005-04-27) on localhost
>>> X-Spam-Status: No, score=-105.5 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00,
>>> BR_CURSO_BODY,HTML_80_90,HTML_FONT_BIG,HTML_FONT_FACE_BAD,
>>> HTML_MESSAGE,HTML_NONELEMENT_00_10,HTML_TAG_EXIST_TBODY,
>>> USER_IN_WHITELIST autolearn=ham version=3.0.3-spambr_20030926a, Yes
>>> Content-type: text/html
>>> Message-Id: <20051027103809.C039B177290 at h8884.serverkompetenz.net>
>>> Date: Thu, 27 Oct 2005 12:38:09 +0200 (CEST)
>>
>> While this is the real thing our local server added:
>>
>>> X-CS-MailScanner-SpamCheck: spam, SpamAssassin (score=11.692, required 5,
>>> BAYES_99 3.50, DNS_FROM_RFC_ABUSE 0.20, FORGED_MUA_OUTLOOK 4.06,
>>> FORGED_OUTLOOK_HTML 2.71, HTML_90_100 0.11, HTML_MESSAGE 0.00,
>>> MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00,
>>> NORMAL_HTTP_TO_IP 0.17, RAZOR2_CHECK 0.50, X_PRIORITY_HIGH 0.43)
>>> X-Spam-Level: ***********
>>> X-Spam-Flag: YES
>>>
>>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
>>
>> [...]
>>
>> With
>>
>> High Scoring Spam Actions = header "X-Spam-Status: Yes" header
>> "X-Spam-Flag: YES attachment deliver
>>
>> then there should have been a 'X-Spam-Status: Yes' header added (and the
>> spam itself should have been wrapped in an attachment, but that's still
>> not working). Could the bogus 'X-Spam-Status: No' header somehow have
>> interfered with that?
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
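As an added example (not MailScanner's code and not anything posted in the thread), the Python below contrasts the check that failed above, keying on a generic X-Spam-Status header that any sender can pre-populate, with one that trusts only the site-specific header the local MailScanner adds. The sample headers are constructed from the fragments Jim quoted, with addresses replaced by placeholders; the 'not spam, ...' form for clean mail is an assumption.

```python
"""Trust only the spam verdict our own MailScanner wrote, never a pre-existing
X-Spam-Status. Added example; header names and values follow Jim's quoted
message, addresses are placeholders."""

import re
from email import message_from_string
from email.message import Message

# Constructed sample built from the thread's header fragments: the sender's
# forged SpamAssassin block first, then the headers the local scanner added.
SAMPLE = """\
X-Spam-Checker-Version: SpamAssassin 3.0.3-spambr_20030926a (2005-04-27) on localhost
X-Spam-Status: No, score=-105.5 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00
From: Pesquisa Nacional Abril 2005 <sender@example.invalid>
Subject: Responda e concorra gratuitamente
X-CS-MailScanner-SpamCheck: spam, SpamAssassin (score=11.692, required 5)
X-Spam-Flag: YES
Content-type: text/html

<html><body>...</body></html>
"""

# Site-specific header name MailScanner adds at this installation (from the post).
LOCAL_HEADER = "X-CS-MailScanner-SpamCheck"
SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?),\s*required\s+(-?\d+(?:\.\d+)?)")


def parse(text: str) -> Message:
    return message_from_string(text)


def naive_is_spam(msg: Message) -> bool:
    """The procmail-style rule that failed: trust whatever X-Spam-Status says."""
    return msg.get("X-Spam-Status", "").strip().lower().startswith("yes")


def local_verdict(msg: Message, local_header: str = LOCAL_HEADER):
    """Return (is_spam, score, required) from the site-specific header, or None
    if our scanner never tagged the message (then nothing in it can be trusted)."""
    value = msg.get(local_header)
    if value is None:
        return None
    # 'spam, ...' as quoted in the post; 'not spam, ...' for clean mail is assumed.
    is_spam = value.strip().lower().startswith("spam")
    m = SCORE_RE.search(value)
    score, required = (float(m.group(1)), float(m.group(2))) if m else (None, None)
    return is_spam, score, required


if __name__ == "__main__":
    print("naive X-Spam-Status check:", naive_is_spam(parse(SAMPLE)))  # False
    print("local MailScanner verdict:", local_verdict(parse(SAMPLE)))  # (True, 11.692, 5.0)
```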