Hi,

I'm unable to block a phishing email.

The SMTP log contains these records:

2011-11-23 01:52:27.470596500 tcpserver: ok 3227 mailbox.mydomain.xx:xxx.xxx.xxx.xxx:25 :173.0.59.30::60803
2011-11-23 01:52:27.827007500 CHKUSER accepted sender: from <i...@jserves.co.cc::> remote <dservmail.co.cc:unknown:173.0.59.30> rcpt <> : sender accepted
2011-11-23 01:52:27.827757500 CHKUSER accepted rcpt: from <i...@jserves.co.cc::> remote <dservmail.co.cc:unknown:173.0.59.30> rcpt <xx...@mydomain.xx> : found existing recipient
2011-11-23 01:52:27.827772500 policy_check: remote i...@jserves.co.cc -> local xx...@mydomain.xx (UNAUTHENTICATED SENDER)
2011-11-23 01:52:27.827803500 policy_check: policy allows transmission
2011-11-23 01:52:31.149553500 simscan:[3227]:CLEAN (0.00/5.00):3.3212s:PREMIO NOTIFICA 960.000.00:173.0.59.30:i...@jserves.co.cc:xx...@mydomain.xx

ClamAV reports that the email is virus free:

11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/msg.1322009547.828470.3231: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/addr.1322009547.828470.3231: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/textfile0: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/textfile1: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/ziz.pdf: OK

but SpamAssassin doesn't process the phishing email: the spam log contains no records!

11-23 02:51:50 [28246] info: prefork: child states: II
11-23 02:53:09 [10722] info: spamd: connection from localhost.localdomain [127.0.0.1] at port 47239
11-23 02:53:09 [10722] info: spamd: processing message <189de6692a6bc5412222daf3ed45d...@async.facebook.com> for clamav:89
11-23 02:53:10 [10722] info: spamd: clean message (1.8/5.0) for clamav:89 in 1.6 seconds, 8083 bytes.
11-23 02:53:10 [10722] info: spamd: result: . 1 - BAYES_50,HTML_MESSAGE,RDNS_NONE,SARE_UNSUB13 scantime=1.6,size=8083,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=47239,mid=<189de6692a6bc5412222daf3ed45d...@async.facebook.com>,bayes=0.500000,autolearn=no
11-23 02:53:10 [28246] info: prefork: child states: II

I've added some spam rules to block this email:

# sender address used by the phishing campaign
blacklist_from i...@jserves.co.cc

# subject line of the phishing mail (dots escaped so they match literally)
header   BLOCCO_SUBJECT_01 Subject =~ /\b960\.000\.00\b/i
score    BLOCCO_SUBJECT_01 5
describe BLOCCO_SUBJECT_01 BLOCCO "premio notifica"

# full Italian sentence from the body
body     BLOCCO_BODY_21 /Gentilmente Aprire l'allegato in formato pdf per le informazioni sulla tua lotteria vincente/i
score    BLOCCO_BODY_21 4
describe BLOCCO_BODY_21 BLOCCO "lotteria vincente 1"

# shorter phrase, catches variants of the same text
body     BLOCCO_BODY_22 /lotteria vincente/i
score    BLOCCO_BODY_22 3
describe BLOCCO_BODY_22 BLOCCO "lotteria vincente 2"


I checked the SpamAssassin rules and these are OK,
so I tried to calculate the spam score and I obtain 126.8!!!

X-Spam-Status: Yes, score=126.8 required=5.0 tests=BAYES_99,BLOCCO_BODY_21,
BLOCCO_BODY_22,BLOCCO_SUBJECT_01,FORGED_MUA_OUTLOOK,MSOE_MID_WRONG_CASE,
        PYZOR_CHECK,RDNS_NONE,SUBJ_ALL_CAPS,URIBL_BLACK,USER_IN_BLACKLIST
        autolearn=unavailable version=3.2.5


The phishing email contains a PDF. This is the source:

[..]
From: "apuestas"<i...@jserves.co.cc>
Subject: PREMIO NOTIFICA 960.000.00
Date: Thu, 17 Nov 2011 18:18:18 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_007B_01C2A9A6.1CD1EEB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20111118021500.929e15b8...@jserves.co.cc>
To: undisclosed-recipients:;

This is a multi-part message in MIME format.

------=_NextPart_000_007B_01C2A9A6.1CD1EEB0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit

 Ciao Vincitore

Gentilmente Aprire l'allegato in formato pdf per le informazioni sulla tua
lotteria vincente
Cordiali saluti

------=_NextPart_000_007B_01C2A9A6.1CD1EEB0
Content-Type: application/octet-stream;
        name="ggg.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="ziz.pdf"

[..]

MUE3Q0QyNjdFNUIzMzM0M0Y+XS9JbmZvIDYgMCBSL0xlbmd0aCAzOS9Sb290
IDggMCBSL1NpemUgNy9UeXBlL1hSZWYvV1sxIDMgMF0+PnN0cmVhbQ0KaN5i
YgACJkY2vjAmBgbeRCDB2AMiPjEx/np8FshiYAQIMAA7aQUUDQplbmRzdHJl
YW0NZW5kb2JqDXN0YXJ0eHJlZg0KMTE2DQolJUVPRg0K

------=_NextPart_000_007B_01C2A9A6.1CD1EEB0--
[..]


So my question is:
why doesn't simscan perform the SpamAssassin email check?

Thank you,
Michele
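A way to catch this situation on the mail server side, as an added example that is not part of the original post: the script below parses simscan verdict lines and spamd result lines in the formats quoted in the thread, and flags every message that simscan accepted as CLEAN without a matching spamd verdict (same score, logged within the scan window). The log lines are constructed for the example; the year is assumed to be the same as the simscan record's, since the spamd log carries no year, and the score-matching window is an assumption about how closely the two daemons log.

```python
"""Correlate simscan verdicts with spamd results to find messages that were
accepted as CLEAN although SpamAssassin apparently never scored them.
Log formats follow the lines quoted in the thread; sample lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample input: first line mirrors the phishing case (0.00 score,
# no spamd entry), second line is a normally scanned message.
SIMSCAN_LOG = """\
2011-11-23 01:52:31.149553500 simscan:[3227]:CLEAN (0.00/5.00):3.3212s:PREMIO NOTIFICA 960.000.00:173.0.59.30:sender@example.invalid:user@example.invalid
2011-11-23 02:53:10.001000000 simscan:[3300]:CLEAN (1.80/5.00):1.7000s:Weekly digest:192.0.2.10:news@example.invalid:user@example.invalid
"""
SPAMD_LOG = """\
11-23 02:53:10 [10722] info: spamd: clean message (1.8/5.0) for clamav:89 in 1.6 seconds, 8083 bytes.
"""

SIMSCAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ simscan:\[(?P<pid>\d+)\]:"
    r"(?P<verdict>\w+) \((?P<score>[-\d.]+)/(?P<required>[\d.]+)\):"
    r"(?P<elapsed>[\d.]+)s:(?P<rest>.*)$"
)
SPAMD_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d) \[\d+\] info: spamd: "
    r"(?:clean message|identified spam) \((?P<score>[-\d.]+)/(?P<required>[\d.]+)\)"
)


def parse_simscan(text):
    """Return one dict per simscan verdict line; subject may contain ':',
    so the trailing ip:from:to fields are split from the right."""
    records = []
    for line in text.splitlines():
        m = SIMSCAN_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").rsplit(":", 3)
        if len(parts) != 4:
            continue
        subject, ip, sender, rcpt = parts
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "verdict": m.group("verdict"),
            "score": float(m.group("score")),
            "elapsed": float(m.group("elapsed")),
            "subject": subject, "ip": ip, "from": sender, "to": rcpt,
        })
    return records


def parse_spamd(text, year):
    """Return (timestamp, score) for each spamd verdict line.
    Assumption: spamd lines carry no year, so the caller supplies it."""
    results = []
    for line in text.splitlines():
        m = SPAMD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}-{m.group('ts')}", "%Y-%m-%d %H:%M:%S")
        results.append({"ts": ts, "score": float(m.group("score"))})
    return results


def find_unscanned(simscan_text, spamd_text, slack=timedelta(seconds=3)):
    """Flag simscan records with no spamd verdict of the same score logged
    between (verdict time - scan duration - slack) and (verdict time + slack)."""
    flagged = []
    for rec in parse_simscan(simscan_text):
        spamd = parse_spamd(spamd_text, rec["ts"].year)
        lo = rec["ts"] - timedelta(seconds=rec["elapsed"]) - slack
        hi = rec["ts"] + slack
        matched = any(lo <= r["ts"] <= hi and abs(r["score"] - rec["score"]) < 0.05
                      for r in spamd)
        if not matched:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in find_unscanned(SIMSCAN_LOG, SPAMD_LOG):
        print(f"no spamd verdict: {rec['ts']} {rec['from']} -> {rec['to']} "
              f"subject={rec['subject']!r} simscan={rec['verdict']} ({rec['score']})")
```

Run against the real files (for example by reading /var/log/qmail and the spamd log into the two strings), a non-empty result list is the signal to look at: a CLEAN verdict with a 0.00 score and no spamd line at that time means simscan handed the message on without SpamAssassin ever scoring it, which is exactly the gap the rules above cannot close.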
