Spam slipping through

Drew Burchett DrewB at united-systems.com
Fri Jan 19 19:58:58 CET 2007


Well, I thought it was working, but it's not at all.  From what I can
tell, it is using the sa-updated rules.  At least part of the debug
reads " plugin: fixed relative path:
/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_drugs.cf"
But one of the messages that passed through the MTA came through with
this report:

5.00 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419) 
0.75 BAYES_50 Bayesian spam probability is 40 to 60% 
0.13 HTML_50_60 Message is 50% to 60% HTML 
1.25 HTML_MESSAGE HTML included in message 
0.41 SARE_HOMELOAN   
0.68 SARE_MONEYTERMS   
0.30 SARE_WEOFFER   
-0.00 SPF_HELO_PASS SPF: HELO matches SPF record 
-100.00 USER_IN_WHITELIST From: address is in the user's white-list 
1.36 X_MAILER_SPAM X-Mailer: header is bulk email fingerprint

Which would be fine EXCEPT there's no way in the world this user is in
any whitelist on my system.  I've double checked and triple checked to
make sure.  Plus, when I run the archived copy of this email through
spamassassin on the command line (making sure to use the MTA user), I
get this report:


Content analysis details:   (19.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 2.5 HEAD_LONG              Message headers are very long
 1.6 HEAD_ILLEGAL_CHARS     Headers have too many raw illegal characters
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.4 SARE_HOMELOAN          BODY: Home mortgage stuff
 0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
 1.7 SARE_URI_EQUALS        URI: Trying to hide the real URL with IE parsing bug
 0.8 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5006]
 2.2 NULL_IN_BODY           FULL: Message has NUL (ASCII 0) byte in message
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.1 TO_CC_NONE             No To: or Cc: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 5.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)

This looks more like what I would expect from this particular email.
So, what is going on that it's getting a completely different score in
MailScanner?


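Added example, not part of the original post: a short Python script that parses the two reports quoted in the message and lists which rules hit on only one side, with each side's total. The scores and rule names are copied from the post; the function and variable names are this example's own.

```python
import re
# Scores and rule names copied from the two reports in the post
# (descriptions dropped from the command-line report to save space).
MAILSCANNER = """
5.00 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419)
0.75 BAYES_50 Bayesian spam probability is 40 to 60%
0.13 HTML_50_60 Message is 50% to 60% HTML
1.25 HTML_MESSAGE HTML included in message
0.41 SARE_HOMELOAN
0.68 SARE_MONEYTERMS
0.30 SARE_WEOFFER
-0.00 SPF_HELO_PASS SPF: HELO matches SPF record
-100.00 USER_IN_WHITELIST From: address is in the user's white-list
1.36 X_MAILER_SPAM X-Mailer: header is bulk email fingerprint
"""
COMMAND_LINE = """
-0.0 NO_RELAYS
 2.5 MISSING_HB_SEP
 2.5 HEAD_LONG
 1.6 HEAD_ILLEGAL_CHARS
 0.3 SARE_WEOFFER
 0.4 SARE_HOMELOAN
 0.7 SARE_MONEYTERMS
 1.7 SARE_URI_EQUALS
 0.8 BAYES_50
                            [score: 0.5006]
 2.2 NULL_IN_BODY
 1.8 MISSING_SUBJECT
 0.1 TO_CC_NONE
-0.0 NO_RECEIVED
 5.0 ADVANCE_FEE_1
"""
HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)", re.M)

def parse(report):
    """Map rule name -> score; wrapped continuation lines do not match."""
    return {rule: float(score) for score, rule in HIT.findall(report)}

def compare(a, b):
    """Return (rules only in a, rules only in b, total of a, total of b)."""
    only_a = {r: s for r, s in a.items() if r not in b}
    only_b = {r: s for r, s in b.items() if r not in a}
    return only_a, only_b, round(sum(a.values()), 2), round(sum(b.values()), 2)

if __name__ == "__main__":
    only_ms, only_cli, t_ms, t_cli = compare(parse(MAILSCANNER), parse(COMMAND_LINE))
    print("MailScanner total:", t_ms, "| command-line total:", t_cli)
    print("only in MailScanner:", only_ms, "\nonly on command line:", only_cli)
```

On the post's data, the MailScanner report totals -90.12 and would total 9.88 without USER_IN_WHITELIST, while nine rules hit only in the command-line run.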