Forwarded spam is caught, original message is not

Scott Silva ssilva at sgvwater.com
Mon Mar 9 19:20:20 GMT 2009


on 3-6-2009 6:59 PM Chris Barber spake the following:
> on 3-5-2009 9:21 AM Chris Barber spake the following:
>>> A DNS timeout on the surbl hits could explain it. The first time the surbl list lookup comes in just at the timeout, then the forward hits the cached lookup and is faster.
>>>
>>> Do you quarantine all your messages? If so you could pull the original out and retest it. If it still doesn't hit, it is probably an encoding issue, if it does, it is a DNS issue.
>>>
>> Scott,
>>
>> Looks like it is not a DNS issue. I put the original and forwarded messages back through the server and I had the same results. The original message does not hit the URIBL rules (even if I put it through many times) and the forwarded one does. The only difference I can see is the encoding. The URL's in the original have some extra characters it seems. See my original post for the queue files and you can see what I mean. 
>>
>> Is this some new tactic that spammers are using to get around URL checking in the body of emails? How can I troubleshoot this further?
>>
>> Thanks,
>> Chris
>>
>>
> 
>> Can you pastebin an example somewhere so others can test it. That way we can eliminate or implicate your systems configs or module versions.
>>
> 
> 
> Here is the pastebin for the original messages which the URIBL rules miss on:
> http://pastebin.com/m6153469c
> 


Content analysis details:   (25.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 3.0 RCVD_IN_BACKSCATTER    RBL: Received via a relay in Backscatter.org
                            [65.54.246.102 listed in ips.backscatterer.org]
 0.5 RCVD_IN_APEWS          RBL: Received via a relay in APEWS
                            [61.56.166.224 listed in l2.apews.org]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: enlargementpillspharmacy.com]
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: enlargementpillspharmacy.com]
 0.0 SUBJ_BUY               Subject line starts with Buy or Buying
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.8 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.5 DIGEST_MULTIPLE        Message hits more than one network digest check

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.



> Here it is for the forwarded message which does trigger the URIBL rules:
> http://pastebin.com/m25691788
> 
>
Content analysis details:   (8.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: enlargementpillspharmacy.com]
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: enlargementpillspharmacy.com]
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5176]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.8 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


> Thanks again for taking a look at this. It has been plaguing me for many months now. 
> -Chris
> 

The original hits very well on my system. But both hit the uribl rules.


Here is my MailScanner -V to compare with your module versions

 MailScanner --version
Running on
Linux mail.sgvwater.com 2.6.9-78.0.13.ELsmp #1 SMP Wed Jan 14 15:55:36 EST
2009 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 4.7 (Final)
This is Perl version 5.008005 (5.8.5)

This is MailScanner version 4.74.13
Module versions are:
1.00    AnyDBM_File
1.16    Archive::Zip
0.21    bignum
1.03    Carp
1.42    Compress::Zlib
1.119   Convert::BinHex
0.17    Convert::TNEF
2.121   Data::Dumper
2.27    Date::Parse
1.00    DirHandle
1.05    Fcntl
2.73    File::Basename
2.08    File::Copy
2.01    FileHandle
1.06    File::Path
0.20    File::Temp
0.78    Filesys::Df
1.35    HTML::Entities
3.56    HTML::Parser
2.37    HTML::TokeParser
1.23    IO
1.14    IO::File
1.13    IO::Pipe
2.02    Mail::Header
1.86    Math::BigInt
0.19    Math::BigRat
3.05    MIME::Base64
5.427   MIME::Decoder
5.427   MIME::Decoder::UU
5.427   MIME::Head
5.427   MIME::Parser
3.03    MIME::QuotedPrint
5.427   MIME::Tools
0.11    Net::CIDR
1.25    Net::IP
0.16    OLE::Storage_Lite
1.04    Pod::Escapes
3.05    Pod::Simple
1.08    POSIX
1.14    Scalar::Util
1.77    Socket
2.13    Storable
1.4     Sys::Hostname::Long
0.18    Sys::Syslog
1.26    Test::Pod
0.7     Test::Simple
1.9707  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.29    Archive::Tar
0.21    bignum
1.82    Business::ISBN
1.10    Business::ISBN::Data
1.08    Data::Dump
1.809   DB_File
1.13    DBD::SQLite
1.56    DBI
1.15    Digest
1.01    Digest::HMAC
2.36    Digest::MD5
2.11    Digest::SHA1
1.00    Encode::Detect
0.17008 Error
0.18    ExtUtils::CBuilder
2.18    ExtUtils::ParseXS
2.36    Getopt::Long
0.44    Inline
1.08    IO::String
1.04    IO::Zlib
2.21    IP::Country
missing Mail::ClamAV
3.002005        Mail::SpamAssassin
v2.004  Mail::SPF
1.999001        Mail::SPF::Query
0.2808  Module::Build
0.20    Net::CIDR::Lite
0.63    Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
0.33    Net::LDAP
 4.004  NetAddr::IP
1.94    Parse::RecDescent
missing SAVI
2.56    Test::Harness
0.95    Test::Manifest
1.95    Text::Balanced
1.35    URI
0.7203  version
0.62    YAML

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
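The two things the thread turns on, a listed domain that one MIME encoding of the message hides from a naive URL match and the earlier guess that a slow DNS lookup can make a URIBL test come back empty, as an added Python example that is not from this thread and not MailScanner or SpamAssassin code. The sample message is constructed (quoted-printable with a soft line break inside the URL and an HTML numeric entity for the dot); the domain is the one named in the SpamAssassin reports above. `TWO_LEVEL_TLDS` is a deliberately tiny stand-in for SpamAssassin's two-level TLD table, `check_uribl`/`system_resolver` are hypothetical helpers, and `multi.surbl.org` is the real SURBL combined zone, but the return-code bits are not interpreted here.

```python
import email
import html
import re
import socket
from email import policy

# Constructed sample, not one of the pastebin messages from the thread.
# The HTML body is quoted-printable: the URL is split by a soft line break
# ("=\n") and the dot in the domain is written as the HTML entity "&#46;".
RAW_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: Buy now\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<html><body><a href=3D\"http://enlargementpills=\n"
    "pharmacy&#46;com/buy\">click</a></body></html>\n"
)

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Toy stand-in for the two-level TLD list a real URIBL client carries.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp"}


def hosts_from_raw_bytes(raw):
    """Naive match over the undecoded message: stops at the '=' of the soft break."""
    return sorted(set(h.lower() for h in HOST_RE.findall(raw)))


def hosts_from_decoded_message(raw):
    """Decode transfer encoding and charset per text part, then HTML entities, then match."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = html.unescape(part.get_content())
        found.update(h.lower().rstrip(".") for h in HOST_RE.findall(body))
    return sorted(found)


def registered_domain(host):
    """Reduce a hostname to the registered domain that URIBL zones list."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def uribl_query_name(host, zone="multi.surbl.org"):
    """Build the DNS name a URIBL client queries: <registered-domain>.<zone>."""
    return registered_domain(host) + "." + zone


def system_resolver(name):
    """Live lookup (hypothetical helper). NXDOMAIN means 'not listed'; note that a
    resolver timeout surfaces as the same gaierror, so a slow resolver is reported
    as 'not listed' too, which is the false negative discussed in the thread."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.timeout):
        return []


def check_uribl(hosts, resolve=system_resolver, zone="multi.surbl.org"):
    """Return {registered_domain: [answers]} for hosts whose query name resolves."""
    hits = {}
    for host in hosts:
        answers = resolve(uribl_query_name(host, zone))
        if answers:
            hits[registered_domain(host)] = answers
    return hits


if __name__ == "__main__":
    print("raw bytes:", hosts_from_raw_bytes(RAW_MESSAGE))
    print("decoded:  ", hosts_from_decoded_message(RAW_MESSAGE))
    # Offline stand-in resolver that lists the thread's domain; pass
    # resolve=system_resolver to query the live zone instead.
    fake = lambda n: ["127.0.0.8"] if n.startswith("enlargementpillspharmacy.com.") else []
    print("hits:     ", check_uribl(hosts_from_decoded_message(RAW_MESSAGE), resolve=fake))
```

Run it as-is and the raw-bytes pass yields only `enlargementpills`, while the decoded pass yields the full listed domain; that is the same split between "original" and "forwarded" results the thread reports, reproduced in one message by changing nothing but the encoding. To rule DNS in or out, swap the stand-in resolver for `system_resolver` and time the call: an answer that arrives only on the second attempt points at the resolver, an answer that never arrives for the decoded domain points at the encoding path.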
