Infected Messages Not Being Spam Checked

Mike Wallace mike at mlrw.com
Fri Jan 22 17:58:27 GMT 2010


I am having a problem with virus-infected messages not being spam checked and getting delivered to users.

My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1 from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following additional spamassassin rules: Sought, OpenProtect and a couple of custom ones. All messages with a spam score of > 5.0 and < 10.0 are redirected to a special mailbox. Anything > 10.0 is deleted. This works great as I have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed). None of the false positives are high scoring spam > 10.0.

Here is an example of a message that was not spam checked:

Return-Path: improvesx66 at wires.tv
Received: from mailserver.mlrw.com (LHLO mailserver.mlrw.com) by
 mailserver.mlrw.com with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mailserver.mlrw.com (Postfix) with ESMTP id 455AC1448859
	for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at mlrw.com
Received: from gateway.mlrw.com 
	by mailserver.mlrw.com (Postfix) with ESMTP id ECE031448858
	for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
Received: from mx1.mailhop.org (mxout-144-iad.mailhop.org [216.146.32.144])
	by mlrw.com (Postfix) with ESMTP id 3E1FA2A00C4
	for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
Received: from noblet1.lnk.telstra.net (noblet1.lnk.telstra.net [165.228.74.75])
	by mx1.mailhop.org (Postfix) with ESMTP id CA691833D0B
	for <user at mlrw.com>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)
Received: from 165.228.74.75 by mailstore1.secureserver.net; Fri, 22 Jan 2010 08:50:57 +1000
Date:	Fri, 22 Jan 2010 08:50:57 +1000
From:	"DHL Manager Keven Allen" <shipping at dhl.com>
X-Mailer: The Bat! (v3.51.10) Professional
Reply-To: improvesx66 at wires.tv
X-Priority: 3 (Normal)
Message-ID: <256744380.35200801834064 at wires.tv>
To: user at mlrw.com
Subject: {VIRUS?} DHL Delivery Problem Number 81419.
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------4B369E401538E9"
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
X-MLRW-MailScanner-VirusCheck: Message was found to be infected
X-MLRW-MailScanner-SpamCheck: 
X-MLRW-MailScanner-From: improvesx66 at wires.tv


------------4B369E401538E9
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

Dear customer! 

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address. 

You may pickup the parcel at our post office personaly!

Attention!
The shipping label is attached to this e-mail. 
Please print this label to get this package at our post office.


Please do not reply to this e-mail, it is an unmonitored mailbox!



Thank you.
DHL Delivery Services.




------------4B369E401538E9
Content-Type: application/zip; name="DHL_Label_NR06283.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DHL_Label_NR06283.zip"

In the logs for clamd I see the following for that attachment: DHL_Label_NR06283.zip: Suspect.Bredozip-zippwd-2 FOUND

If I run spamassassin against a quarantined copy of the message, here is its score:

Content analysis details:   (23.1 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
 0.7 SARE_RECV_IP_FROMIP3       Received line is IP address from IP address
 3.0 RCVD_IN_XBL                RBL: Received via a relay in Spamhaus XBL
                                [165.228.74.75 listed in zen.spamhaus.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET     RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see <http://www.spamcop.net/bl.shtml?165.228.74.75>]
 1.0 BAYES_60                   BODY: Bayesian spam probability is 60 to 80%
                                [score: 0.6792]
 0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100  Razor2 gives engine 4 confidence level
                                above 50%
                                [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
                                [cf: 100]
 3.7 PYZOR_CHECK                Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK                  Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.0 DIGEST_MULTIPLE            Message hits more than one network digest check
 4.0 JM_SOUGHT_1                Body contains frequently-spammed text patterns
 4.0 JM_SOUGHT_2                Body contains frequently-spammed text patterns

As you can see it's greater than 10.0 which means it would have been deleted.

Can anyone help me? I need to get these types of messages spam checked.

Thanks.

Mike
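The symptom in the post is visible in the headers alone: the MailScanner VirusCheck header says the message was infected while the SpamCheck header is empty, and a separate SpamAssassin run scores the same message well above the poster's 10.0 delete threshold. The following is an added example (not part of the original post, nor MailScanner's or SpamAssassin's own code) that a mail administrator could run over delivered or quarantined messages to find exactly this combination, and that parses a SpamAssassin "Content analysis details" report to recompute the total and apply the poster's 5.0/10.0 policy. The header prefix `X-MLRW-MailScanner` and the thresholds come from the post; the sample message, the sample report text and the function names are constructed for this example.

```python
import email
import re

# Constructed sample: the headers from the post's example, body omitted and
# addresses replaced with placeholders. Note the empty SpamCheck header.
SAMPLE_MESSAGE = """\
From: "DHL Manager" <shipping@sender.example>
To: user@recipient.example
Subject: {VIRUS?} DHL Delivery Problem Number 81419.
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
X-MLRW-MailScanner-VirusCheck: Message was found to be infected
X-MLRW-MailScanner-SpamCheck:
X-MLRW-MailScanner-From: sender@sender.example

"""

# Constructed sample: the SpamAssassin report from the post, reproduced verbatim.
SAMPLE_REPORT = """\
Content analysis details:   (23.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 SARE_RECV_IP_FROMIP3   Received line is IP address from IP address
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [165.228.74.75 listed in zen.spamhaus.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?165.228.74.75>]
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6792]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 4.0 JM_SOUGHT_1            Body contains frequently-spammed text patterns
 4.0 JM_SOUGHT_2            Body contains frequently-spammed text patterns
"""

# A scored rule line: "<score> <RULE_NAME> <description>". Continuation lines
# such as "[cf: 100]" start with whitespace and no score, so they do not match.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")


def spam_check_skipped(raw_message, prefix="X-MLRW-MailScanner"):
    """True when MailScanner flagged the message as infected but left the
    SpamCheck header empty, i.e. the message was never spam scored."""
    msg = email.message_from_string(raw_message)
    virus = (msg.get(f"{prefix}-VirusCheck") or "").strip()
    spam = (msg.get(f"{prefix}-SpamCheck") or "").strip()
    return "infected" in virus.lower() and spam == ""


def parse_sa_report(report_text):
    """Return [(rule, score, description), ...] from a SpamAssassin
    'Content analysis details' report."""
    hits = []
    for line in report_text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3).strip()))
    return hits


def total_score(hits):
    """Sum the per-rule scores; rounded to one decimal like SA's own summary."""
    return round(sum(score for _, score, _ in hits), 1)


def classify(score, redirect_at=5.0, delete_at=10.0):
    """Apply the post's policy: > 5.0 redirect to a special mailbox, > 10.0 delete.
    (The post does not say what happens at exactly 10.0; here it is 'redirect'.)"""
    if score > delete_at:
        return "delete"
    if score > redirect_at:
        return "redirect"
    return "deliver"


def audit(raw_message, report_text):
    """Combine both checks: was spam scoring skipped, and what would the
    policy have done had the SA score been applied?"""
    hits = parse_sa_report(report_text)
    score = total_score(hits)
    return {
        "spam_check_skipped": spam_check_skipped(raw_message),
        "sa_score": score,
        "policy_action": classify(score),
        "network_hits": [r for r, _, _ in hits if r.startswith(("RCVD_IN_", "RAZOR2", "PYZOR", "DCC"))],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MESSAGE, SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against a Maildir or quarantine directory, `spam_check_skipped` isolates the messages that reached users with an empty SpamCheck header, which is the population to compare against the MailScanner configuration rather than the whole mail stream; `audit` shows for each one how far above the delete threshold the SpamAssassin score would have been.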