Infected Messages Not Being Spam Checked

Mike Wallace mike at
Fri Jan 22 17:58:27 GMT 2010

I am having a problem with Virus infected messages not being spam checked and getting delivered to users. 

My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1 from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following additional spamassassin rules: Sought, OpenProtect and a couple of custom ones. All messages with a spam score of > 5.0 and < 10.0 are redirected to a special mailbox. Anything > 10.0 is deleted. This works great, as I have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed). None of the false positives are high-scoring spam > 10.0.

Here is an example of a message that was not spam checked:

Return-Path: improvesx66 at
Received: from (LHLO by with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
Received: from localhost (localhost.localdomain [])
	by (Postfix) with ESMTP id 455AC1448859
	for <user at>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at
Received: from 
	by (Postfix) with ESMTP id ECE031448858
	for <user at>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
Received: from ( [])
	by (Postfix) with ESMTP id 3E1FA2A00C4
	for <user at>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
Received: from ( [])
	by (Postfix) with ESMTP id CA691833D0B
	for <user at>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)
Received: from by; Fri, 22 Jan 2010 08:50:57 +1000
Date:	Fri, 22 Jan 2010 08:50:57 +1000
From:	"DHL Manager Keven Allen" <shipping at>
X-Mailer: The Bat! (v3.51.10) Professional
Reply-To: improvesx66 at
X-Priority: 3 (Normal)
Message-ID: <256744380.35200801834064 at>
To: user at
Subject: {VIRUS?} DHL Delivery Problem Number 81419.
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
X-MLRW-MailScanner-VirusCheck: Message was found to be infected
X-MLRW-MailScanner-From: improvesx66 at

Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

Dear customer! 

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address. 

You may pickup the parcel at our post office personaly!

The shipping label is attached to this e-mail. 
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you.
DHL Delivery Services.

Content-Type: application/zip; name=""
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=""

In the logs for clamd I see the following for that attachment: Suspect.Bredozip-zippwd-2 FOUND

If I run spamassassin against a quarantined copy of the message, here is its score:

Content analysis details:   (23.1 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 0.7 SARE_RECV_IP_FROMIP3      Received line is IP address from IP address
 3.0 RCVD_IN_XBL               RBL: Received via a relay in Spamhaus XBL
                               [ listed in]
 2.0 RCVD_IN_BL_SPAMCOP_NET    RBL: Received via a relay in
                               [Blocked - see <>]
 1.0 BAYES_60                  BODY: Bayesian spam probability is 60 to 80%
                               [score: 0.6792]
 0.5 RAZOR2_CHECK              Listed in Razor2 (
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                               above 50%
                               [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 3.7 PYZOR_CHECK               Listed in Pyzor (
 2.2 DCC_CHECK                 Listed in DCC (
 0.0 DIGEST_MULTIPLE           Message hits more than one network digest check
 4.0 JM_SOUGHT_1               Body contains frequently-spammed text patterns
 4.0 JM_SOUGHT_2               Body contains frequently-spammed text patterns

As you can see, it is greater than 10.0, which means it would have been deleted.

Can anyone help me? I need to get these types of messages spam checked.
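The failure mode above is easy to audit for after the fact: a delivered message carries a MailScanner virus verdict header but no spam verdict header, and a quarantined copy re-scored with spamassassin lands well past the delete threshold. The following is an added example, not code from the post or from MailScanner, that checks a message's headers for exactly that combination and re-derives the score from a spamassassin "Content analysis details" report so it can be mapped onto the poster's 5.0 / 10.0 policy. The `X-MLRW-MailScanner` header prefix is taken from the quoted message; the name of the spam verdict header (`X-MLRW-MailScanner-SpamCheck`) is assumed, as are the `example.invalid` addresses used in place of the scrubbed domains, and a score of exactly 10.0 is treated as "delete".

```python
"""
Added example (not from the original post or MailScanner): flag messages
that were virus-tagged but never spam-scored, and re-total a SpamAssassin
'Content analysis details' report against the poster's thresholds.
"""
import email
import re
from email import policy

HEADER_PREFIX = "X-MLRW-MailScanner"   # taken from the quoted message headers
SPAM_HEADER = f"{HEADER_PREFIX}-SpamCheck"  # assumed MailScanner spam verdict header
LOW, HIGH = 5.0, 10.0                   # poster's policy: > LOW redirect, >= HIGH delete (10.0 assumed)

# Constructed sample, modelled on the quoted message (domains replaced with example.invalid).
SAMPLE_MSG = """\
Return-Path: improvesx66@example.invalid
X-Virus-Scanned: amavisd-new at example.invalid
From: "DHL Manager Keven Allen" <shipping@example.invalid>
To: user@example.invalid
Subject: {VIRUS?} DHL Delivery Problem Number 81419.
MIME-Version: 1.0
Content-Type: text/plain
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
X-MLRW-MailScanner-VirusCheck: Message was found to be infected
X-MLRW-MailScanner-From: improvesx66@example.invalid

Dear customer!
"""

# Constructed sample, modelled on the spamassassin report quoted in the post.
SA_REPORT = """\
Content analysis details:   (23.1 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 0.7 SARE_RECV_IP_FROMIP3      Received line is IP address from IP address
 3.0 RCVD_IN_XBL               RBL: Received via a relay in Spamhaus XBL
                               [ listed in]
 2.0 RCVD_IN_BL_SPAMCOP_NET    RBL: Received via a relay in
 1.0 BAYES_60                  BODY: Bayesian spam probability is 60 to 80%
                               [score: 0.6792]
 0.5 RAZOR2_CHECK              Listed in Razor2
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
 3.7 PYZOR_CHECK               Listed in Pyzor
 2.2 DCC_CHECK                 Listed in DCC
 0.0 DIGEST_MULTIPLE           Message hits more than one network digest check
 4.0 JM_SOUGHT_1               Body contains frequently-spammed text patterns
 4.0 JM_SOUGHT_2               Body contains frequently-spammed text patterns
"""

# A rule line starts with a signed decimal score followed by an upper-case rule name.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")
TOTAL_LINE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")


def virus_tagged_but_unscored(raw: str) -> bool:
    """True when the virus scanner tagged the message but no spam verdict header exists."""
    msg = email.message_from_string(raw, policy=policy.default)
    virus = str(msg.get(f"{HEADER_PREFIX}-VirusCheck", ""))
    return "infected" in virus.lower() and msg.get(SPAM_HEADER) is None


def parse_sa_report(report: str):
    """Return (reported_total, required, {rule: score}) from a 'Content analysis details' block."""
    m = TOTAL_LINE.search(report)
    if m is None:
        raise ValueError("no 'points, required' summary line found")
    hits = {}
    for line in report.splitlines():
        rm = RULE_LINE.match(line)
        if rm:
            hits[rm.group(2)] = float(rm.group(1))
    return float(m.group(1)), float(m.group(2)), hits


def classify(score: float) -> str:
    """Map a score onto the poster's policy: deliver, redirect to the spam mailbox, or delete."""
    if score >= HIGH:
        return "delete"
    if score > LOW:
        return "redirect"
    return "deliver"


def audit(raw: str, report: str) -> dict:
    """Combine both checks: was the message unscored, and what should its score have triggered?"""
    total, required, hits = parse_sa_report(report)
    recomputed = round(sum(hits.values()), 1)   # sanity-check the report against its own rule lines
    return {
        "unscored_virus": virus_tagged_but_unscored(raw),
        "reported_total": total,
        "recomputed_total": recomputed,
        "consistent": recomputed == total,
        "rules_hit": len(hits),
        "policy_action": classify(total),
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_MSG, SA_REPORT).items():
        print(f"{k}: {v}")
```

Run against a mail spool or quarantine directory, the `unscored_virus` check is the one that finds messages like the one quoted: virus-tagged, delivered, and never given a spam verdict. The recomputed total doubles as a check that a pasted report has not lost rule lines in transit, which is easy to miss when the table is reformatted.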

More information about the MailScanner mailing list