Hi,
I'm not able to block a phishing email.
The smtp log contains these records:
2011-11-23 01:52:27.470596500 tcpserver: ok 3227 mailbox.mydomain.xx:xxx.xxx.xxx.xxx:25 :173.0.59.30::60803
2011-11-23 01:52:27.827007500 CHKUSER accepted sender: from <i...@jserves.co.cc::> remote <dservmail.co.cc:unknown:173.0.59.30> rcpt <> : sender accepted
2011-11-23 01:52:27.827757500 CHKUSER accepted rcpt: from <i...@jserves.co.cc::> remote <dservmail.co.cc:unknown:173.0.59.30> rcpt <xx...@mydomain.xx> : found existing recipient
2011-11-23 01:52:27.827772500 policy_check: remote i...@jserves.co.cc -> local xx...@mydomain.xx (UNAUTHENTICATED SENDER)
2011-11-23 01:52:27.827803500 policy_check: policy allows transmission
2011-11-23 01:52:31.149553500 simscan:[3227]:CLEAN (0.00/5.00):3.3212s:PREMIO NOTIFICA 960.000.00:173.0.59.30:i...@jserves.co.cc:xx...@mydomain.xx
clamav detects the email is virus free:
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/msg.1322009547.828470.3231: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/addr.1322009547.828470.3231: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/textfile0: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/textfile1: OK
11-23 01:52:31 /var/qmail/simscan/1322009547.828470.3231/ziz.pdf: OK
but spamassassin doesn't process the phishing email: the spam log contains no
records!
11-23 02:51:50 [28246] info: prefork: child states: II
11-23 02:53:09 [10722] info: spamd: connection from localhost.localdomain [127.0.0.1] at port 47239
11-23 02:53:09 [10722] info: spamd: processing message <189de6692a6bc5412222daf3ed45d...@async.facebook.com> for clamav:89
11-23 02:53:10 [10722] info: spamd: clean message (1.8/5.0) for clamav:89 in 1.6 seconds, 8083 bytes.
11-23 02:53:10 [10722] info: spamd: result: . 1 - BAYES_50,HTML_MESSAGE,RDNS_NONE,SARE_UNSUB13 scantime=1.6,size=8083,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=47239,mid=<189de6692a6bc5412222daf3ed45d...@async.facebook.com>,bayes=0.500000,autolearn=no
11-23 02:53:10 [28246] info: prefork: child states: II
I've added some spam rules to block this email
blacklist_from i...@jserves.co.cc
header BLOCCO_SUBJECT_01 Subject=~ /\b960.000.00\b/i
score BLOCCO_SUBJECT_01 5
body BLOCCO_BODY_21 /Gentilmente Aprire l'allegato in formato pdf per le informazioni sulla tua lotteria vincente/i
score BLOCCO_BODY_21 4
describe BLOCCO_BODY_21 BLOCCO "lotteria vincente 1"
body BLOCCO_BODY_22 /lotteria vincente/i
score BLOCCO_BODY_22 3
describe BLOCCO_BODY_22 BLOCCO "lotteria vincente 2"
I checked the spamassassin rules and these are ok,
so I tried to calculate the spam score and I obtain 126.8!!!
X-Spam-Status: Yes, score=126.8 required=5.0 tests=BAYES_99,BLOCCO_BODY_21,
BLOCCO_BODY_22,BLOCCO_SUBJECT_01,FORGED_MUA_OUTLOOK,MSOE_MID_WRONG_CASE,
PYZOR_CHECK,RDNS_NONE,SUBJ_ALL_CAPS,URIBL_BLACK,USER_IN_BLACKLIST
autolearn=unavailable version=3.2.5
The phishing email contains a pdf. This is the source:
[..]
From: "apuestas"<i...@jserves.co.cc>
Subject: PREMIO NOTIFICA 960.000.00
Date: Thu, 17 Nov 2011 18:18:18 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_007B_01C2A9A6.1CD1EEB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20111118021500.929e15b8...@jserves.co.cc>
To: undisclosed-recipients:;
This is a multi-part message in MIME format.
------=_NextPart_000_007B_01C2A9A6.1CD1EEB0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Ciao Vincitore
Gentilmente Aprire l'allegato in formato pdf per le informazioni sulla tua
lotteria vincente
Cordiali saluti
------=_NextPart_000_007B_01C2A9A6.1CD1EEB0
Content-Type: application/octet-stream;
name="ggg.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="ziz.pdf"
[..]
MUE3Q0QyNjdFNUIzMzM0M0Y+XS9JbmZvIDYgMCBSL0xlbmd0aCAzOS9Sb290
IDggMCBSL1NpemUgNy9UeXBlL1hSZWYvV1sxIDMgMF0+PnN0cmVhbQ0KaN5i
YgACJkY2vjAmBgbeRCDB2AMiPjEx/np8FshiYAQIMAA7aQUUDQplbmRzdHJl
YW0NZW5kb2JqDXN0YXJ0eHJlZg0KMTE2DQolJUVPRg0K
------=_NextPart_000_007B_01C2A9A6.1CD1EEB0--
[..]
So my question is:
why doesn't simscan perform the spamassassin email check?
thank you
Michele
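
Added example, not part of the original post: a log cross-check for the symptom described above, listing every message that simscan passed with a score while the spamd log holds no verdict near the same time. The function names, the 10-second window and the assumption that both logs use the same clock and time zone are choices made for this example; the sample lines are constructed in the formats quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample lines in the two log formats quoted in the post
# (addresses and the second message are placeholders, not real data).
SIMSCAN_LOG = """\
2011-11-23 01:52:31.149553500 simscan:[3227]:CLEAN (0.00/5.00):3.3212s:PREMIO NOTIFICA 960.000.00:173.0.59.30:sender@example.invalid:rcpt@example.invalid
2011-11-23 02:53:10.400000000 simscan:[3301]:CLEAN (1.80/5.00):1.9000s:Sample subject:192.0.2.7:a@example.invalid:rcpt@example.invalid
"""
SPAMD_LOG = """\
11-23 02:53:09 [10722] info: spamd: processing message <constructed@example.invalid> for clamav:89
11-23 02:53:10 [10722] info: spamd: clean message (1.8/5.0) for clamav:89 in 1.6 seconds, 8083 bytes.
"""

# simscan: date, time, pid, status, (score/required), scan time, rest of line
SIMSCAN_RE = re.compile(
    r"^(\d{4})-(\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ simscan:\[(\d+)\]:"
    r"([A-Z ]+?) \((-?[\d.]+)/[\d.]+\):[\d.]+s:(.*)$")
# spamd verdict lines only ("clean message" or "identified spam")
SPAMD_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d) \[\d+\] info: spamd: "
    r"(?:clean message|identified spam) \(-?[\d.]+/[\d.]+\)")

def parse_ts(year, rest):
    # spamd lines carry no year, so the simscan entry's year is reused
    return datetime.strptime(f"{year}-{rest}", "%Y-%m-%d %H:%M:%S")

def unscanned(simscan_text, spamd_text, window=10):
    """Return simscan entries with no spamd verdict within `window` seconds."""
    stamps = [m.group(1) for m in map(SPAMD_RE.match, spamd_text.splitlines()) if m]
    missing = []
    for line in simscan_text.splitlines():
        m = SIMSCAN_RE.match(line)
        if not m:
            continue  # not a scored simscan record
        year, rest, pid, status, score, detail = m.groups()
        when = parse_ts(year, rest)
        seen = any(abs((when - parse_ts(year, s)).total_seconds()) <= window
                   for s in stamps)
        if not seen:
            missing.append({"time": when, "pid": int(pid), "status": status,
                            "score": float(score), "detail": detail})
    return missing

if __name__ == "__main__":
    for entry in unscanned(SIMSCAN_LOG, SPAMD_LOG):
        print("no spamd verdict for:", entry)
```

On the sample data only the 01:52:31 entry (pid 3227, score 0.00) is reported, because the only spamd verdict was logged at 02:53:10.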