Spammer with attachment that bypasses spamassassin

George Papamichelakis gpapamichelakis at gmail.com
Fri Mar 29 11:29:19 UTC 2019


Sure, here they are. I just tweaked the IPs and names. I noticed
this in my postfix log file:

  MailScanner[29247]: Message BC40B48E89.AA059 from XXX.XXX.XXX.XXX 
(business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q at googlegroups.com) 
to xxxx.xxx is too big for spam checks (2655956 > 200000 bytes)

The headers are:

Return-Path: <business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q at googlegroups.com>
Received: from xxx.xxxx.xxxx
	by xxx.xxxx.xxxx
   (Dovecot) with LMTP id sbwwFzzwnVyRAgAAyyBr5g
	; Fri, 29 Mar 2019 12:15:24 +0200
Received: by xxx.xxxx.xxxx
  (Postfix)
	id 0FAC948E16; Fri, 29 Mar 2019 12:15:24 +0200 (EET)
Delivered-To: xx at xxxx.xx
Received: from mail-wr1-f57.google.com (mail-wr1-f57.google.com [209.85.221.57])
	by xxx.xxxx.xxxx
  (Postfix) with ESMTPS id BC40B48E89
	for <xxx at xxxx.xxx>; Fri, 29 Mar 2019 12:13:06 +0200 (EET)
Received: by mail-wr1-f57.google.com with SMTP id e14sf1337667wrt.18
         for <xxxxx at xxxx.xxx>; Fri, 29 Mar 2019 03:13:06 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1553854386; cv=pass;
         d=google.com; s=arc-20160816;
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
         h=list-unsubscribe:list-archive:list-help:list-post:list-id
          :mailing-list:precedence:reply-to:to:subject:message-id:date:from
          :in-reply-to:references:mime-version:sender:dkim-signature;
         bh=DBS0pCCxQKHrs8JD5K0bx+wdmtXC5ACr4zeYr1o30+0=;
ARC-Authentication-Results: i=2; gmr-mx.google.com;
        spf=pass (google.com: domain of xxx at xxxxx.xxx designates XX.XXX.XX.XX as permitted sender) smtp.mailfrom=xxxx at xxxxxxx.xxx
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
         d=googlegroups.com; s=20161025;
         h=sender:mime-version:references:in-reply-to:from:date:message-id
          :subject:to:x-original-sender:x-original-authentication-results
          :reply-to:precedence:mailing-list:list-id:list-post:list-help
          :list-archive:list-unsubscribe;
         bh=DBS0pCCxQKHrs8JD5K0bx+wdmtXC5ACr4zeYr1o30+0=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
         d=1e100.net; s=20161025;
         h=sender:x-gm-message-state:mime-version:references:in-reply-to:from
          :date:message-id:subject:to:x-original-sender
          :x-original-authentication-results:reply-to:precedence:mailing-list
          :list-id:x-spam-checked-in-group:list-post:list-help:list-archive
          :list-unsubscribe;
         bh=DBS0pCCxQKHrs8JD5K0bx+wdmtXC5ACr4zeYr1o30+0=;
Sender: business-education at googlegroups.com
X-Gm-Message-State: APjAAAVBRH41sEGircSxa9aCNJ3+Gdoqi3VgJziDALz6lNRtMiIgExdF
	bsKc5TOvc09p4IItxZTro7A=
X-Google-Smtp-Source: APXvYqzBH7+DrvOsVWtQ5ngRAm9523F7UnycoTigNImCbDoQsHOZ0qJiR4B4VvykasuyECpJ1eOX7w==
X-Received: by 2002:a5d:6b0d:: with SMTP id v13mr6769541wrw.284.1553854385485;
         Fri, 29 Mar 2019 03:13:05 -0700 (PDT)
X-BeenThere: business-education at googlegroups.com
Received: by 2002:adf:f8c6:: with SMTP id f6ls113789wrq.11.gmail; Fri, 29 Mar
  2019 03:13:00 -0700 (PDT)
X-Received: by 2002:adf:de84:: with SMTP id w4mr1246311wrl.13.1553854380443;
         Fri, 29 Mar 2019 03:13:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553854380; cv=none;
         d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
         h=to:subject:message-id:date:from:in-reply-to:references:mime-version;
         bh=cH+xK7PaOEPF19A/Hsv+6kzx+bqBeZZESuscUNhVNKc=;
ARC-Authentication-Results: i=1; gmr-mx.google.com;
        spf=pass (google.com: domain of xxx at xxxxx.xxx designates XX.XX.XX.XX as permitted sender) smtp.mailfrom=xxx at xxxx.xxx
Received: from xxxxx.xxxx.xxxx (XXx.xxxxxx.xxx. [XX.XX.XX.XX])
         by gmr-mx.google.com with ESMTPS id n65si73301wma.1.2019.03.29.03.12.59
         for <business-education at googlegroups.com>
         (version=TLS1 cipher=AES128-SHA bits=128/128);
         Fri, 29 Mar 2019 03:13:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of xxx at xxxxxx.xxx designates XX.XX.XX.XX as permitted sender) client-ip=XX.XX.XX.XX;
Received: from mail-vs1-f52.google.com (mail-vs1-f52.google.com [209.85.217.52])
	(Authenticated sender: xxx at xxxxxx.xxx)
	by xxxxx.xxx.xxx (ESMTP) with ESMTPSA
	for <business-education at googlegroups.com>; Fri, 29 Mar 2019 12:12:52 +0200 (EET)
Received: by mail-vs1-f52.google.com with SMTP id j184so943199vsd.11
         for <business-education at googlegroups.com>; Fri, 29 Mar 2019 03:12:52 -0700 (PDT)
X-Received: by 2002:a67:e28d:: with SMTP id g13mr29911012vsf.121.1553854370951;
  Fri, 29 Mar 2019 03:12:50 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <CANRqB_=eMeWsNSvFsUC8ToiyDVPe9KHTrDweDJkHzKyx+rzsBQ at mail.gmail.com>
From: "Business Education" <xxx at xxxxxxx.xxx>
Date: Fri, 29 Mar 2019 12:12:36 +0200
X-Gmail-Original-Message-ID: <CANRqB_kYjsK-UGt_YnRqcDgPE0=3ex9w0SVC-bucpn21kTffCg at mail.gmail.com>
Message-ID: <CANRqB_kYjsK-UGt_YnRqcDgPE0=3ex9w0SVC-bucpn21kTffCg at mail.gmail.com>
Subject: =?UTF-8?B?zpXOmc6UzpnOms6XIM6gzqHOn86jzqbOn86hzpEgzpPOmc6RIM6kzpEgMTIwIEFEVkFOQw==?=
	=?UTF-8?B?RUQgQ09VUlNFUyDOpM6fzqUgU0JF?=
To: business-education at googlegroups.com
Content-Type: multipart/mixed; boundary="000000000000d0be6e058538e96d"
X-Original-Sender: xxx at xxxxxx.xxx
X-Original-Authentication-Results: gmr-mx.google.com;       spf=pass
  (google.com: domain of xxx at xxxxx.xxx designates XX.XX.XX.XX as permitted
  sender) smtp.mailfrom=xxx at xxxxx.xxx
Reply-To: xxx at xxxxx.xxx
Precedence: list
Mailing-list: list business-education at googlegroups.com; contact business-education+owners at googlegroups.com
List-ID: <business-education.googlegroups.com>
X-Spam-Checked-In-Group: business-education at googlegroups.com
X-Google-Group-Id: 646963186979
List-Post: <https://groups.google.com/group/business-education/post>,
  <mailto:business-education at googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:business-education+help at googlegroups.com>
List-Archive: <https://groups.google.com/group/business-education
List-Unsubscribe: <mailto:googlegroups-manage+646963186979+unsubscribe at googlegroups.com>,
  <https://groups.google.com/group/business-education/subscribe>
X-XXX-MailScanner-Information: Please contact the ISP for more information
X-XXX-MailScanner-ID: BC40B48E89.AA059
X-XXX-MailScanner: Found to be clean
X-XXX-MailScanner-From: business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q at googlegroups.com
X-Spam-Status: No



GP


On 3/29/19 1:08 PM, L.P.H. van Belle via MailScanner wrote:
> Can you send me the header info?
>   
>
>> -----Original message-----
>> From: MailScanner
>> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info]
>> On behalf of George Papamichelakis
>> Sent: Friday 29 March 2019 12:08
>> To: mailscanner at lists.mailscanner.info
>> Subject: Spammer with attachment that bypasses spamassassin
>>
>> Hi all
>>
>>
>> I have an issue with one spammer who, due to the fact that he includes
>> some PDF file in his email, bypasses the blacklist, and his email gets
>> delivered to all addresses that he has from the domain.
>>
>> Can I somehow force MailScanner to not bypass this particular sender
>> due to message size?
>>
>> I use MailScanner 5.0.2 with Postfix on a Debian machine and the
>> MailWatch 1.2.10 web interface.
>>
>>
>> Thanks in advance
>>
>> GP
>>
>>
>>
>>
>>
>
>
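
Added example, not part of the original post and not MailScanner code: a log check that finds every message for which spam checks were skipped because of size, using the log line format quoted above, and groups the hits by envelope sender. The sample log is constructed (only the first message ID and sizes come from the post; IPs, host name, timestamps and the other entries are placeholders), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Format of the MailScanner line quoted in the post. Names below are hypothetical.
SKIP_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<id>\S+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<rcpt>\S+) is too big for spam checks "
    r"\((?P<size>\d+) > (?P<limit>\d+) bytes\)"
)

# Constructed sample: first entry mirrors the post (wrapped, "@" archived as " at ").
SAMPLE_LOG = """\
Mar 29 12:13:08 mx1 MailScanner[29247]: Message BC40B48E89.AA059 from 192.0.2.10
(business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q at googlegroups.com)
to example.org is too big for spam checks (2655956 > 200000 bytes)
Mar 29 12:20:41 mx1 MailScanner[29247]: Message 1A2B3C4D5E.A0001 from 192.0.2.10 (business-education+constructedtag@googlegroups.com) to example.org is too big for spam checks (2655990 > 200000 bytes)
Mar 29 12:21:02 mx1 MailScanner[29247]: Message 9F8E7D6C5B.A0002 from 198.51.100.7 (alice@example.net) to example.org is too big for spam checks (310000 > 200000 bytes)
Mar 29 12:21:05 mx1 MailScanner[29247]: Spam Checks: Starting
"""

def normalise_sender(raw):
    """Undo archive obfuscation and drop the per-message '+tag' so list mail groups together."""
    addr = raw.replace(" at ", "@").strip().lower()
    local, sep, domain = addr.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}" if sep else addr

def parse_skips(log_text):
    """Return one record per message that skipped spam checks because of its size."""
    flat = " ".join(log_text.split())  # rejoin entries wrapped across lines
    return [
        {"id": m["id"], "ip": m["ip"], "sender": normalise_sender(m["sender"]),
         "size": int(m["size"]), "limit": int(m["limit"])}
        for m in SKIP_RE.finditer(flat)
    ]

def summarise(log_text):
    """Group skipped messages by normalised envelope sender."""
    stats = defaultdict(lambda: {"count": 0, "max_size": 0, "ids": []})
    for hit in parse_skips(log_text):
        entry = stats[hit["sender"]]
        entry["count"] += 1
        entry["max_size"] = max(entry["max_size"], hit["size"])
        entry["ids"].append(hit["id"])
    return dict(stats)

if __name__ == "__main__":
    for sender, entry in sorted(summarise(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{entry['count']:3d}  max={entry['max_size']:>8d}  {sender}  {entry['ids']}")
```

Senders that recur in this summary are the ones whose mail is being delivered without a spam score, as in the headers above.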