<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>I am having a problem with virus-infected messages not being spam-checked and getting delivered to users. <div><br></div><div>My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1 from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following additional spamassassin rules: Sought, OpenProtect and a couple of custom ones. All messages with a spam score of >5.0 and <10.0 are redirected to a special mailbox. Anything >10.0 is deleted. This works great as I have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed). None of the false positives are high-scoring spam >10.0.</div><div><br></div><div>Here is an example of a message that was not spam-checked:</div><div><br></div><div><div><font class="Apple-style-span" color="#FF5141">Return-Path: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a></font></div><div><font class="Apple-style-span" color="#FF5141">Received: from <a href="http://mailserver.mlrw.com/">mailserver.mlrw.com</a> (LHLO <a href="http://mailserver.mlrw.com/">mailserver.mlrw.com</a>) by</font></div><div><font class="Apple-style-span" color="#FF5141"> <a href="http://mailserver.mlrw.com/">mailserver.mlrw.com</a> with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)</font></div><div><font class="Apple-style-span" color="#FF5141">Received: from localhost (localhost.localdomain [127.0.0.1])</font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">by <a href="http://mailserver.mlrw.com/">mailserver.mlrw.com</a> (Postfix) with ESMTP id 455AC1448859</font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font 
class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)</font></div><div><font class="Apple-style-span" color="#FF5141">X-Virus-Scanned: amavisd-new at <a href="http://mlrw.com/">mlrw.com</a></font></div><div><font class="Apple-style-span" color="#FF5141">Received: from <a href="http://gateway.mlrw.com/">gateway.mlrw.com</a> </font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">by <a href="http://mailserver.mlrw.com/">mailserver.mlrw.com</a> (Postfix) with ESMTP id ECE031448858</font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)</font></div><div><font class="Apple-style-span" color="#FF5141">Received: from <a href="http://mx1.mailhop.org/">mx1.mailhop.org</a> (<a href="http://mxout-144-iad.mailhop.org/">mxout-144-iad.mailhop.org</a> [216.146.32.144])</font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">by <a href="http://mlrw.com/">mlrw.com</a> (Postfix) with ESMTP id 3E1FA2A00C4</font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)</font></div><div><font class="Apple-style-span" color="#FF5141">Received: from <a href="http://noblet1.lnk.telstra.net/">noblet1.lnk.telstra.net</a> (<a 
href="http://noblet1.lnk.telstra.net/">noblet1.lnk.telstra.net</a> [165.228.74.75])</font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">by <a href="http://mx1.mailhop.org/">mx1.mailhop.org</a> (Postfix) with ESMTP id CA691833D0B</font></div><div><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)</font></div><div><font class="Apple-style-span" color="#FF5141">Received: from 165.228.74.75 by <a href="http://mailstore1.secureserver.net/">mailstore1.secureserver.net</a>; Fri, 22 Jan 2010 08:50:57 +1000</font></div><div><font class="Apple-style-span" color="#FF5141">Date:</font><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">Fri, 22 Jan 2010 08:50:57 +1000</font></div><div><font class="Apple-style-span" color="#FF5141">From:</font><span class="Apple-tab-span" style="white-space: pre; "><font class="Apple-style-span" color="#FF5141">        </font></span><font class="Apple-style-span" color="#FF5141">"DHL Manager Keven Allen" <<a href="mailto:shipping@dhl.com">shipping@dhl.com</a>></font></div><div><font class="Apple-style-span" color="#FF5141">X-Mailer: The Bat! 
(v3.51.10) Professional</font></div><div><font class="Apple-style-span" color="#FF5141">Reply-To: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a></font></div><div><font class="Apple-style-span" color="#FF5141">X-Priority: 3 (Normal)</font></div><div><font class="Apple-style-span" color="#FF5141">Message-ID: <<a href="mailto:256744380.35200801834064@wires.tv">256744380.35200801834064@wires.tv</a>></font></div><div><font class="Apple-style-span" color="#FF5141">To: <a href="mailto:user@mlrw.com">user@mlrw.com</a></font></div><div><font class="Apple-style-span" color="#FF5141">Subject: {VIRUS?} DHL Delivery Problem Number 81419.</font></div><div><font class="Apple-style-span" color="#FF5141">MIME-Version: 1.0</font></div><div><font class="Apple-style-span" color="#FF5141">Content-Type: multipart/mixed;</font></div><div><font class="Apple-style-span" color="#FF5141"> boundary="----------4B369E401538E9"</font></div><div><font class="Apple-style-span" color="#FF5141">X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25</font></div><div><font class="Apple-style-span" color="#FF5141">X-MLRW-MailScanner-VirusCheck: Message was found to be infected</font></div><div><font class="Apple-style-span" color="#FF5141">X-MLRW-MailScanner-SpamCheck: </font></div><div><font class="Apple-style-span" color="#FF5141">X-MLRW-MailScanner-From: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">------------4B369E401538E9</font></div><div><font class="Apple-style-span" color="#FF5141">Content-Type: text/plain; charset=Windows-1252</font></div><div><font class="Apple-style-span" color="#FF5141">Content-Transfer-Encoding: 7bit</font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">Dear customer! 
</font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">The courier company was not able to deliver your parcel by your address.</font></div><div><font class="Apple-style-span" color="#FF5141">Cause: Error in shipping address. </font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">You may pickup the parcel at our post office personaly!</font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">Attention!</font></div><div><font class="Apple-style-span" color="#FF5141">The shipping label is attached to this e-mail. </font></div><div><font class="Apple-style-span" color="#FF5141">Please print this label to get this package at our post office.</font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">Please do not reply to this e-mail, it is an unmonitored mailbox!</font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">Thank you.</font></div><div><font class="Apple-style-span" color="#FF5141">DHL Delivery Services.</font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141"><br></font></div><div><font class="Apple-style-span" color="#FF5141">------------4B369E401538E9</font></div><div><font class="Apple-style-span" color="#FF5141">Content-Type: application/zip; 
name="DHL_Label_NR06283.zip"</font></div><div><font class="Apple-style-span" color="#FF5141">Content-Transfer-Encoding: base64</font></div><div><font class="Apple-style-span" color="#FF5141">Content-Disposition: attachment; filename="DHL_Label_NR06283.zip"</font></div><div><br></div><div>In the logs for clamd I see the following for that attachment: DHL_Label_NR06283.zip: Suspect.Bredozip-zippwd-2 FOUND</div><div><br></div><div>If I run spamassassin against a quarantined copy of the message, here is its score:</div><div><br></div><div>Content analysis details: (23.1 points, 5.0 required)<br><br> pts rule name description<br>---- ---------------------- --------------------------------------------------<br> 0.7 SARE_RECV_IP_FROMIP3<span class="Apple-tab-span" style="white-space: pre; ">                        </span>Received line is IP address from IP address<br> 3.0 RCVD_IN_XBL <span class="Apple-tab-span" style="white-space: pre; ">                                        </span>RBL: Received via a relay in Spamhaus XBL<br> <span class="Apple-tab-span" style="white-space: pre; ">                                                        </span>[165.228.74.75 listed in zen.spamhaus.org]<br> 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: <span class="Apple-tab-span" style="white-space: pre; ">        </span>Received via a relay in <a href="http://bl.spamcop.net/">bl.spamcop.net</a><br> <span class="Apple-tab-span" style="white-space: pre; ">                                                                        </span>[Blocked - see <<a href="http://www.spamcop.net/bl.shtml?165.228.74.75">http://www.spamcop.net/bl.shtml?165.228.74.75</a>>]<br> 1.0 BAYES_60 <span class="Apple-tab-span" style="white-space: pre; ">                                        </span>BODY: Bayesian spam probability is 60 to 80%<br> <span class="Apple-tab-span" style="white-space: pre; ">                                                        </span>[score: 0.6792]<br> 0.5 RAZOR2_CHECK <span 
class="Apple-tab-span" style="white-space: pre; ">                                </span>Listed in Razor2 (<a href="http://razor.sf.net/">http://razor.sf.net/</a>)<br> 1.5 RAZOR2_CF_RANGE_E4_51_100 <span class="Apple-tab-span" style="white-space: pre; ">        </span>Razor2 gives engine 4 confidence level<br> <span class="Apple-tab-span" style="white-space: pre; ">                                                        </span>above 50%<br> <span class="Apple-tab-span" style="white-space: pre; ">                                                        </span>[cf: 100]<br> 0.5 RAZOR2_CF_RANGE_51_100 <span class="Apple-tab-span" style="white-space: pre; ">                </span>Razor2 gives confidence level above 50%<br> <span class="Apple-tab-span" style="white-space: pre; ">                                                        </span>[cf: 100]<br> 3.7 PYZOR_CHECK <span class="Apple-tab-span" style="white-space: pre; ">                                </span>Listed in Pyzor (<a href="http://pyzor.sf.net/">http://pyzor.sf.net/</a>)<br> 2.2 DCC_CHECK <span class="Apple-tab-span" style="white-space: pre; ">                                        </span>Listed in DCC (<a href="http://rhyolite.com/anti-spam/dcc/">http://rhyolite.com/anti-spam/dcc/</a>)<br> 0.0 DIGEST_MULTIPLE <span class="Apple-tab-span" style="white-space: pre; ">                                </span>Message hits more than one network digest check<br> 4.0 JM_SOUGHT_1 <span class="Apple-tab-span" style="white-space: pre; ">                                </span>Body contains frequently-spammed text patterns<br> 4.0 JM_SOUGHT_2 <span class="Apple-tab-span" style="white-space: pre; ">                                </span>Body contains frequently-spammed text patterns<br><br>As you can see it's greater than 10.0 which means it would have been deleted.</div><div><br></div><div>Can anyone help me? 
I need to get these types of messages spam-checked.</div><div><br></div><div>Thanks.</div><div><br></div><div>Mike</div></div></div>
<br></body></html>