Infected Messages Not Being Spam Checked
Mike Wallace
mike at mlrw.com
Fri Jan 22 21:40:25 GMT 2010
I am having a problem with Virus infected messages not being spam checked and getting delivered to users.
My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1 from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following additional spamassassin rules: Sought, OpenProtect and a couple of custom ones. All messages with a spam score of > 5.0 and <10.0 are redirected to a special mailbox. Anything >10.0 is deleted. This works great as I have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed). None of the false positives are high scoring spam >10.0.
Here is an example of a message that was not spam checked:
Return-Path: improvesx66 at wires.tv
Received: from mailserver.mlrw.com (LHLO mailserver.mlrw.com) by
mailserver.mlrw.com with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mailserver.mlrw.com (Postfix) with ESMTP id 455AC1448859
for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at mlrw.com
Received: from gateway.mlrw.com
by mailserver.mlrw.com (Postfix) with ESMTP id ECE031448858
for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
Received: from mx1.mailhop.org (mxout-144-iad.mailhop.org [216.146.32.144])
by mlrw.com (Postfix) with ESMTP id 3E1FA2A00C4
for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
Received: from noblet1.lnk.telstra.net (noblet1.lnk.telstra.net [165.228.74.75])
by mx1.mailhop.org (Postfix) with ESMTP id CA691833D0B
for <user at mlrw.com>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)
Received: from 165.228.74.75 by mailstore1.secureserver.net; Fri, 22 Jan 2010 08:50:57 +1000
Date: Fri, 22 Jan 2010 08:50:57 +1000
From: "DHL Manager Keven Allen" <shipping at dhl.com>
X-Mailer: The Bat! (v3.51.10) Professional
Reply-To: improvesx66 at wires.tv
X-Priority: 3 (Normal)
Message-ID: <256744380.35200801834064 at wires.tv>
To: user at mlrw.com
Subject: {VIRUS?} DHL Delivery Problem Number 81419.
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------4B369E401538E9"
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
X-MLRW-MailScanner-VirusCheck: Message was found to be infected
X-MLRW-MailScanner-SpamCheck:
X-MLRW-MailScanner-From: improvesx66 at wires.tv
------------4B369E401538E9
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit
Dear customer!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you.
DHL Delivery Services.
------------4B369E401538E9
Content-Type: application/zip; name="DHL_Label_NR06283.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DHL_Label_NR06283.zip"
In the logs for clamd I see the following for that attachment: DHL_Label_NR06283.zip: Suspect.Bredozip-zippwd-2 FOUND
If I run spamassassin against a quarantined copy of the message, here is its score:
Content analysis details: (23.1 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.7 SARE_RECV_IP_FROMIP3 Received line is IP address from IP address
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[165.228.74.75 listed in zen.spamhaus.org]
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?165.228.74.75>]
1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
[score: 0.6792]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.0 DIGEST_MULTIPLE Message hits more than one network digest check
4.0 JM_SOUGHT_1 Body contains frequently-spammed text patterns
4.0 JM_SOUGHT_2 Body contains frequently-spammed text patterns
As you can see it's greater than 10.0 which means it would have been deleted.
Can anyone help me? I need to get these types of messages spam checked.
Thanks.
Mike