Hello guys,
I have a bit of a problem matching some SPAM messages that make their way to
my users mailboxes and then proceed to block Outlook from downloading any
messages whatsoever. My system is FreeBSD 4.9 running SA 3.0 ( standard ).
Below, I will post two examples of these SPAM messages:
Return-Path:
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 23239 invoked by uid 1010); 27 Dec 2004 21:46:08 -
Received: from 172.182.180.35 by cust02.top-consulting.net (envelope-from
, uid 89) with G-Filter-1.00
Received: from unknown (HELO ACB6B423.ipt.aol.com) (172.182.180.35)
by cust02.top-consulting.net with SMTP; 27 Dec 2004 21:46:03 -
Received: from by 172.182.180.35; Mon, 27 Dec 2004 18:52:15 -0300
Message-ID: L[20
And
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 42592 invoked by uid 1010); 28 Dec 2004 05:22:23 -
Received: from 62.150.128.164 by cust02.top-consulting.net (envelope-from
[EMAIL PROTECTED], uid 89) with G-Filter-1.00
Received: from unknown (HELO RECEPTION) (62.150.128.164)
by cust02.top-consulting.net with SMTP; 28 Dec 2004 05:22:18 -
Received: from dns8[1
That's it. No subject, no date, no body..nothing. And I get TONS of these.
My attempts to solve this are the following:
I increased the MISSING_SUBJET test score to 5.0 and I created a test called
EMPTY_BODY which looks like this:
body BODY_EMPTY /^\s*$/
describe BODY_EMPTY No Body
score BODY_EMPTY 7.0
with this rule, I was able to stop test messages I would send myself from
remote accounts which had no subject and no body. I was thus very glad and I
thought the problem was fixed. Nonetheless, this morning I had yet more
complaints about the problem still happening ( see two messages above ). I
went to see the logs. This is what I saw:
For message #1, the logs show this:
Dec 27 21:46:07 cust02 spamd[97071]: got connection over /var/run/spamd
Dec 27 21:46:07 cust02 spamd[97071]: checking message ?L[20 for
[EMAIL PROTECTED]:0.
Dec 27 21:46:08 cust02 spamd[97071]: clean message (5.6/8.0) for
[EMAIL PROTECTED]:0 in 0.5 seconds, 222 bytes.
Dec 27 21:46:08 cust02 spamd[97071]: result: . 5 -
MISSING_DATE,MISSING_SUBJECT,RCVD_BY_IP
scantime=0.5,size=222,mid=?L[20,autolearn=no
For message #2, the logs show this:
Dec 28 05:22:21 cust02 spamd[41802]: got connection over /var/run/spamd
Dec 28 05:22:21 cust02 spamd[41802]: checking message (unknown) for
[EMAIL PROTECTED]:0.
Dec 28 05:22:23 cust02 spamd[41802]: clean message (5.6/8.0) for
[EMAIL PROTECTED]:0 in 1.8 seconds, 148 bytes.
Dec 28 05:22:23 cust02 spamd[41802]: result: . 5 -
MISSING_DATE,MISSING_SUBJECT
scantime=1.8,size=148,mid=(unknown),autolearn=no
Notice how in both cases the test BODY_EMPTY was not applied. I am not sure
why that's the case. I also tried with having the rule look at the rawbody
but that somehow matches a lot of real messages and fails to match my test
messages with empty body ?
Can anyone point me in a way to stop this kind of messages ?
Thank you!
George
