One of our customers forwarded us these headers of a porn spam which made it
through SpamAssassin:

Return-Path: <[EMAIL PROTECTED]>
Received: from paypal.com ([211.111.52.7])
         by merlin.boreal.org (8.12.11/8.12.11) with SMTP id i4H3CuUm007290
         for <snipped>; Sun, 16 May 2004 22:12:59 -0500 (CDT)
Message-ID: <[EMAIL PROTECTED]>
From: "Verna" <[EMAIL PROTECTED]>
To: "Flint" <Snipped>
Subject: While pole thru hole will be glorywhole
Date: Sun, 16 May 2004 21:27:59 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
         boundary="----=_NextPart_C7B_C35E_4A5919D6.9B5EBC49"
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on teal.boreal.org
X-Spam-Level:
X-Spam-Status: No, hits=-13.5 required=6.0
         tests=BAYES_56,HTML_IMAGE_ONLY_10,
         HTML_MESSAGE,MIME_HTML_MOSTLY,USER_IN_DEF_WHITELIST autolearn=no
         version=2.63

This received a high negative score because of the USER_IN_DEF_WHITELIST
hit.  It has both a paypal.com received header and a From paypal.com
address, which means (if I'm reading the rules right) the SARE Spoof ruleset
wouldn't have caught it.

The customer didn't forward the whole message, but just to see if maybe this
was an issue with trusted networks I ran the headers through spamassassin -D
with the following results:

debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/games', keeping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/home/<snip>/bin', which doesn't exist, dropping.
debug: Final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
debug: using "/usr/local/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/home/<snip>/.spamassassin" for user state dir
debug: using "/home/<snip>/.spamassassin/user_prefs" for user prefs file
debug: bayes: 5536 tie-ing to DB file R/O /usr/local/spamassassin/bayes/bayes_toks
debug: bayes: 5536 tie-ing to DB file R/O /usr/local/spamassassin/bayes/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
debug: Initialising learner
debug: received-header: parsed as [ ip=211.111.52.7 rdns=paypal.com helo= by=merlin.boreal.org ident= ]
debug: is Net::DNS::Resolver available? yes
debug: trying (3) nytimes.com...
debug: looking up MX for 'nytimes.com'
debug: MX for 'nytimes.com' exists? 1
debug: MX lookup of nytimes.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: received-header: 'by' merlin.boreal.org has public IP 216.70.16.15
debug: received-header: relay 211.111.52.7 trusted? no
debug: all '*From' addrs: [EMAIL PROTECTED]
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: bayes corpus size: nspam = 781671, nham = 50577
debug: uri tests: Done uriRE

<snipped tokenize, Bayes and Razor lines>

debug: Razor2 results: spam? 0  highest cf score: 0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0
debug: Razor2 is available
debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
debug: Pyzor is not available: pyzor not found

<snipped DCC checks>

debug: leaving helper-app run mode
debug: all '*To' addrs: <snip>@boreal.org
debug: DNS MX records found: 4
debug: forged-HELO: from=paypal.com helo= by=boreal.org
debug: RBL: success for 10 of 10 queries
debug: running meta tests; score so far=0
debug: auto-learn? ham=0.5, spam=12, body-hits=0, head-hits=0
debug: auto-learn: currently using scoreset 3.  recomputing score based on score set 1.
debug: Score set 1 chosen.
debug: auto-learn: original score: 0, recomputed score: 0
debug: Score set 3 chosen.
debug: auto-learn? yes, ham (0 < 0.5)
debug: Learning Ham
debug: uri tests: Done uriRE

<snipped more bayes lines>

debug: is spam? score=-14.999 required=6 tests=BAYES_50,USER_IN_DEF_WHITELIST
--------
Notice that the IP of the fake paypal.com header is NOT trusted; in fact,
further down there's a line that says "debug: forged-HELO: from=paypal.com
helo= by=boreal.org", which seems to indicate that SpamAssassin recognized
the paypal.com header was a forgery.

I admit I don't totally understand how the trusted_networks and
USER_IN_DEF_WHITELIST work - can anyone help me
a) figure out why this got a hit on USER_IN_DEF_WHITELIST?
b) figure out how to block this kind of thing?

Thanks for any help you can give!

Sandy
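The matching logic the post is asking about, as an added example that is not part of the original post or of SpamAssassin's own code: a Python sketch of how a whitelist_from_rcvd-style rule is judged against the relay that handed the message to the trusted network, run over the Received line from the post plus constructed ones. The Received regex, the entry shape `("*@paypal.com", "paypal.com")` standing in for a def_whitelist_from_rcvd entry, the helper names, the trusted_networks value (the MX's public IP from the debug output), the sender address and the extra Received lines are all assumptions made for illustration.

```python
import re
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Constructed sample Received lines, unfolded onto one line each.
# The first is the one from the post; the others are made up.
RCVD_SPOOFED_HELO = ("from paypal.com ([211.111.52.7]) by merlin.boreal.org "
                     "(8.12.11/8.12.11) with SMTP id i4H3CuUm007290")
RCVD_GENUINE = ("from mx1.paypal.com (mx1.paypal.com [192.0.2.20]) by merlin.boreal.org "
                "(8.12.11/8.12.11) with ESMTP id aaa111")
RCVD_SPAMMER = ("from evil.example (evil.example [203.0.113.5]) by merlin.boreal.org "
                "(8.12.11/8.12.11) with ESMTP id bbb222")
RCVD_FAKE_INNER = ("from mx1.paypal.com (mx1.paypal.com [192.0.2.20]) by smtp.paypal.com "
                   "(8.12.11/8.12.11) with ESMTP id ccc333")

# Assumed: shape of a def_whitelist_from_rcvd entry (address glob, relay domain).
DEF_WHITELIST = [("*@paypal.com", "paypal.com")]
# Assumed trusted_networks: only the customer's own MX (IP from the debug output).
TRUSTED = ["216.70.16.15/32"]
SENDER = "verna@paypal.com"  # constructed; the post redacts the real address

# sendmail writes "from <HELO> (<rDNS> [<ip>])", or "from <HELO> ([<ip>])" when
# the reverse lookup fails. Only the bracketed IP and the rDNS name come from the
# receiving MTA; the HELO is whatever the peer claimed.
RCVD_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(line):
    """Split a sendmail-style Received line into helo / rdns / ip / by."""
    m = RCVD_RE.search(line)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns") or "",
            "ip": m.group("ip"), "by": m.group("by")}


def handover_relay(received, trusted_networks):
    """Walk Received lines newest-first; the first peer IP outside
    trusted_networks is the external relay whose rDNS a *_from_rcvd rule
    should be judged on. Lines below it were written by untrusted hosts
    and may be forged, so they are ignored."""
    nets = [ip_network(n) for n in trusted_networks]
    for r in received:
        if r is None:
            continue
        if not any(ip_address(r["ip"]) in n for n in nets):
            return r
    return None


def whitelist_from_rcvd_hit(from_addr, received, entries, trusted_networks,
                            trust_helo=False):
    """True if the sender matches an entry AND the handover relay's name is in
    the entry's domain. trust_helo=True reproduces the post's debug output,
    where the HELO name ended up in the rdns slot (rdns=paypal.com helo=)."""
    relay = handover_relay(received, trusted_networks)
    if relay is None:
        return False
    name = (relay["rdns"] or (relay["helo"] if trust_helo else "")).lower()
    for addr_glob, domain in entries:
        addr_ok = fnmatch(from_addr.lower(), addr_glob.lower())
        dom_ok = name == domain.lower() or name.endswith("." + domain.lower())
        if addr_ok and dom_ok:
            return True
    return False


def demo():
    """Run the scenarios from the post and return the verdicts by name."""
    spoofed = [parse_received(RCVD_SPOOFED_HELO)]
    genuine = [parse_received(RCVD_GENUINE)]
    stacked = [parse_received(RCVD_SPAMMER), parse_received(RCVD_FAKE_INNER)]
    return {
        # HELO treated as rDNS: the post's false whitelist hit
        "spoofed_helo_trusted": whitelist_from_rcvd_hit(SENDER, spoofed, DEF_WHITELIST, TRUSTED, trust_helo=True),
        # rDNS only: no reverse name was recorded, so the rule misses
        "spoofed_rdns_only": whitelist_from_rcvd_hit(SENDER, spoofed, DEF_WHITELIST, TRUSTED),
        # real paypal relay with matching reverse DNS
        "genuine": whitelist_from_rcvd_hit(SENDER, genuine, DEF_WHITELIST, TRUSTED),
        # forged inner Received line below the real one: ignored when trusted_networks is tight
        "fake_inner_tight_trust": whitelist_from_rcvd_hit(SENDER, stacked, DEF_WHITELIST, TRUSTED, trust_helo=True),
        # same message when the spammer's range is wrongly listed as trusted
        "fake_inner_loose_trust": whitelist_from_rcvd_hit(SENDER, stacked, DEF_WHITELIST, ["203.0.113.0/24"]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'WHITELIST HIT' if hit else 'no hit'}")
```

The two knobs that matter here are visible in the debug output: the parser put paypal.com into the rdns field although sendmail only wrote a HELO and an IP (so `trust_helo=True` is what the post observed), and `relay 211.111.52.7 trusted? no` confirms the spoofing host itself was correctly treated as the external handover relay. The last two scenarios show why trusted_networks still needs to be right: a forged Received line placed below the MX's own line is ignored only while the spammer's address is not inside a trusted range.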

