[Sending again as ASCII]

Here is the /var/log/mail entry from the email that leaked past Amavis-new:


Feb 18 15:07:11 linux postfix/smtpd[19386]: connect from unknown[121.27.33.247]
Feb 18 15:07:12 linux postfix/smtpd[19386]: 3BFD9404B1: client=unknown[121.27.33.247]
Feb 18 15:07:13 linux postfix/cleanup[19387]: 3BFD9404B1: message-id=<[EMAIL PROTECTED]>
Feb 18 15:07:13 linux postfix/qmgr[31362]: 3BFD9404B1: from=<[EMAIL PROTECTED]>, size=3514, nrcpt=1 (queue active)
Feb 18 15:07:14 linux postfix/smtpd[19386]: disconnect from unknown[121.27.33.247]
Feb 18 15:07:33 linux postfix/smtpd[19392]: connect from localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/smtpd[19392]: 7C4FA404B4: client=localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux postfix/cleanup[19387]: 7C4FA404B4: message-id=<[EMAIL PROTECTED]>
Feb 18 15:07:33 linux postfix/qmgr[31362]: 7C4FA404B4: from=<[EMAIL PROTECTED]>, size=3966, nrcpt=1 (queue active)
Feb 18 15:07:33 linux postfix/smtpd[19392]: disconnect from localhost.shaker-net.com[127.0.0.1]
Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN, [121.27.33.247] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms


Looks to me like it is getting a '-300' score from some rule that I
can't find. The email comes in forged to look as if I had sent it,
from '[EMAIL PROTECTED]'. That email address is *not* in the
whitelist in /etc/mail/spamassassin/local.cf

When I run the leaking email message through spamassassin manually, it
comes up with a score of 58.4, quite different from what amavis-new
reported above!

Received: from localhost by linux.shaker-net.com
    with SpamAssassin (version 3.2.4);
    Mon, 18 Feb 2008 20:31:17 -0800
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *****SPAM***** February 73% OFF
Date: Mon, 18 Feb 2008 15:07:11 -0800 (PST)
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on linux.shaker-net.com
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=58.4 required=5.0 tests=AWL,BAYES_95,FAKE_MSN,GIF,
    HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,OFF,PERCENT,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE,UNKNOWN,URIBL_AB_SURBL,
    URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
    URIBL_WS_SURBL,VIRUS_CLEAN autolearn=unavailable version=3.2.4
X-Spam-Report:
    *  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    *      [URIs: roundpast.com]
    *  0.3 VIRUS_CLEAN Prolific and stubborn spammer
    *  3.9 FAKE_MSN Fake mailer signature used by Spammers
    *  2.9 UNKNOWN Probable Spammer
    *  2.9 OFF Often used in Spam
    *  1.9 PERCENT Often used in Spam
    *  1.8 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words
    *  0.2 HTML_MESSAGE BODY: HTML included in message
    *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
    *      [score: 0.9900]
    *  0.9 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    *  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
    *      [URIs: roundpast.com]
    *  2.9 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    *      [URIs: roundpast.com]
    *  1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
    *      [URIs: roundpast.com]
    *  1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    *      [URIs: roundpast.com]
    *  0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
    *      [URIs: roundpast.com]
    *  2.9 GIF RAW: Hiding Spam in a GIF image
    *  2.9 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    *      [Blocked - see <http://www.spamcop.net/bl.shtml?121.27.33.247>]
    *  5.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    *      [121.27.33.247 listed in zen.spamhaus.org]
    *  1.9 URIBL_SBL Contains an URL listed in the SBL blocklist
    *      [URIs: roundpast.com]
    *  2.9 RDNS_NONE Delivered to trusted network by a host with no rDNS
    *   14 AWL AWL: From: address is in the auto white-list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_47BA5B95.FC4A69D0"

This is a multi-part message in MIME format.
...


_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
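
A way to look for other messages like the one in this post, added here as an example (it is not part of the original post and not amavisd-new code): it parses amavis summary lines in the format shown above and lists mail that was passed from a non-local client with a score far below ordinary ham. The -50 threshold, the function names and the sample addresses are assumptions; wrapped log lines must be rejoined before parsing.

```python
import ipaddress
import re

# amavis summary line, in the (unwrapped) format shown in the post.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \([\w-]+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+), "
    r"(?:\[(?P<ip>[0-9A-Fa-f.:]+)\] )?.*?Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
    r"(?:.*?queued_as: (?P<queue>[0-9A-F]+))?"
)
THRESHOLD = -50.0  # assumption: rule hits alone rarely push ham this low

# Constructed sample log. Addresses are placeholders; the first line mirrors
# the entry quoted in the post, the others are made up for contrast.
_PFX = "Feb 18 15:07:33 linux "
SAMPLE_LOG = [
    _PFX + "amavis[17984]: (17984-09) Passed CLEAN, [121.27.33.247] <me@example.com> -> "
    "<me@example.com>, Message-ID: <1@example.com>, mail_id: If831cHwmATq, "
    "Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms",
    _PFX + "amavis[17984]: (17984-10) Blocked SPAM, [121.27.33.247] <a@example.com> -> "
    "<me@example.com>, mail_id: AAAAAAAAAAAA, Hits: 58.4, size: 3510, 900 ms",
    _PFX + "amavis[17984]: (17984-11) Passed CLEAN, [127.0.0.1] <root@example.com> -> "
    "<me@example.com>, mail_id: BBBBBBBBBBBB, Hits: -300.1, size: 900, queued_as: 1A2B3C4D5E, 120 ms",
    _PFX + "amavis[17984]: (17984-12) Passed CLEAN, [121.27.33.247] <b@example.com> -> "
    "<me@example.com>, mail_id: CCCCCCCCCCCC, Hits: -1.2, size: 700, queued_as: 5E4D3C2B1A, 300 ms",
    _PFX + "postfix/qmgr[31362]: 7C4FA404B4: from=<me@example.com>, size=3966, nrcpt=1 (queue active)",
]

def parse_amavis(line):
    """Return a dict for an amavis summary line, or None for any other line."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])  # "-" = not scored
    return rec

def flag_score_overrides(lines, threshold=THRESHOLD):
    """Passed mail from a non-local client whose score is at or below threshold."""
    findings = []
    for rec in filter(None, map(parse_amavis, lines)):
        if rec["action"] != "Passed" or rec["hits"] is None or rec["ip"] is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if not (ip.is_private or ip.is_loopback) and rec["hits"] <= threshold:
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for rec in flag_score_overrides(SAMPLE_LOG):
        print(rec["ip"], rec["hits"], rec["queue"])
```

Each flagged queue ID can then be looked up in the postfix lines to find the message and rerun it through spamassassin by hand for comparison, as was done above.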
