Hi Justin, everyone,

Justin Mason wrote:

> It's worth checking this; that rule should fire only if the
> mail really *did* come from Vonage.  I suspect a bug in how your
> mailserver's Received headers are parsed.
>
> Could you post:
>
>   - a sample of a spam that passed this, with all headers
>   - output of "spamassassin -D -L -t < spam", the lines with
>     'received-header' and 'metadata' at least

Sure, see attachments for the original and the output.

debug: received-header: parsed as [ ip=127.0.0.1 rdns=localhost helo=localhost by=a48046.upc-a.chello.nl ident= envfrom= intl=0 id=k6D6gfSl010610 auth= ]
debug: found fetchmail marker, restarting parse
debug: received-header: parsed as [ ip=220.166.39.177 rdns=vm.vonage.com helo=vm.vonage.com by=amsfep14-int.chello.nl ident= envfrom= intl=0 [EMAIL PROTECTED] auth= ]
debug: received-header: relay 220.166.39.177 trusted? no internal? no
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted: [ ip=220.166.39.177 rdns=vm.vonage.com helo=vm.vonage.com by=amsfep14-int.chello.nl ident= envfrom= intl=0 [EMAIL PROTECTED] auth= ]
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d2fc4) implements 'parsed_metadata'
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d2fc4) implements 'parsed_metadata'
debug: is DNS available? 0

Just to clarify: This also happens on mailservers that are directly listening on port 25, not through fetchmail. 'DNS available 0' is a surprise to me, because I've hardcoded it to 'yes' in local.cf. The server that I pop the email from is listed as 'trusted' in my local.cf.

Regards, Paul Boven.



--- Begin Message ---
Do you like replica
joxaxajs http://www.conffortableoora.com


--- End Message ---
debug: SpamAssassin version 3.0.4
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/opt/csw/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/opt/sfw/bin', keeping.
debug: PATH included '/opt/Adobe/Acrobat7.0/bin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: Final PATH set to: /opt/csw/bin:/usr/bin:/usr/sbin:/opt/sfw/bin:/opt/Adobe/Acrobat7.0/bin:/usr/local/bin
debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using "/opt/SpamAssassin//share/spamassassin" for default rules dir
debug: config: read file /opt/SpamAssassin//share/spamassassin/10_misc.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_anti_ratware.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_body_tests.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_compensate.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_drugs.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_head_tests.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_html_tests.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_meta_tests.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_phrases.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_porn.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_ratware.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/20_uri_tests.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/23_bayes.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/25_body_tests_es.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/25_hashcash.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/25_spf.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/25_uribl.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/30_text_de.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/30_text_fr.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/30_text_nl.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/30_text_pl.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/50_scores.cf
debug: config: read file /opt/SpamAssassin//share/spamassassin/60_whitelist.cf
debug: using "/etc//mail/spamassassin" for site rules dir
debug: config: read file /etc//mail/spamassassin/70_sare_adult.cf
debug: config: read file /etc//mail/spamassassin/70_sare_bayes_poison_nxm.cf
debug: config: read file /etc//mail/spamassassin/70_sare_evilnum0.cf
debug: config: read file /etc//mail/spamassassin/70_sare_genlsubj0.cf
debug: config: read file /etc//mail/spamassassin/70_sare_header0.cf
debug: config: read file /etc//mail/spamassassin/70_sare_html0.cf
debug: config: read file /etc//mail/spamassassin/70_sare_obfu.cf
debug: config: read file /etc//mail/spamassassin/70_sare_obfu0.cf
debug: config: read file /etc//mail/spamassassin/70_sare_oem.cf
debug: config: read file /etc//mail/spamassassin/70_sare_random.cf
debug: config: read file /etc//mail/spamassassin/70_sare_specific.cf
debug: config: read file /etc//mail/spamassassin/70_sare_stocks.cf
debug: config: read file /etc//mail/spamassassin/70_sare_uri0.cf
debug: config: read file /etc//mail/spamassassin/70_sare_whitelist.cf
debug: config: read file /etc//mail/spamassassin/72_sare_bml_post25x.cf
debug: config: read file /etc//mail/spamassassin/72_sare_redirect_post3.0.0.cf
debug: config: read file /etc//mail/spamassassin/99_sare_fraud_post25x.cf
debug: config: read file /etc//mail/spamassassin/local.cf
debug: using "/export/home/paul/.spamassassin" for user state dir
debug: using "/etc/mail/spamassassin/local.cf" for user prefs file
debug: config: read file /etc/mail/spamassassin/local.cf
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d2fc4)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9a0784)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x9bd64c)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d2fc4) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9a0784) implements 'parse_config'
debug: bayes: 10770 tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks
debug: bayes: 10770 tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: Score set 2 chosen.
debug: received-header: parsed as [ ip=127.0.0.1 rdns=localhost helo=localhost by=a48046.upc-a.chello.nl ident= envfrom= intl=0 id=k6D6gfSl010610 auth= ]
debug: found fetchmail marker, restarting parse
debug: received-header: parsed as [ ip=220.166.39.177 rdns=vm.vonage.com helo=vm.vonage.com by=amsfep14-int.chello.nl ident= envfrom= intl=0 [EMAIL PROTECTED] auth= ]
debug: received-header: relay 220.166.39.177 trusted? no internal? no
debug: metadata: X-Spam-Relays-Trusted: 
debug: metadata: X-Spam-Relays-Untrusted: [ ip=220.166.39.177 rdns=vm.vonage.com helo=vm.vonage.com by=amsfep14-int.chello.nl ident= envfrom= intl=0 [EMAIL PROTECTED] auth= ]
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d2fc4) implements 'parsed_metadata'
debug: is DNS available? 0
debug: ---- MIME PARSER START ----
debug: main message type: text/plain
debug: parsing normal part
debug: added part, type: text/plain
debug: ---- MIME PARSER END ----
debug: decoding: other encoding type (7bit), ignoring
debug: uri found: http://www.conffortableoora.com
debug: Running tests for priority: 0
debug: running header regexp tests; score so far=0
debug: forged-HELO: from=vonage.com helo=vonage.com by=amsfep14-int.chello.nl
debug: all '*From' addrs: [EMAIL PROTECTED]
debug: all '*To' addrs: [EMAIL PROTECTED]
debug: registering glue method for check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9a0784))
debug: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9a0784))
debug: running body-text per-line regexp tests; score so far=-98.347
debug: running uri tests; score so far=-96.535
debug: bayes corpus size: nspam = 24841, nham = 97477
debug: tokenize: header tokens for *p = "U*hetomy7 D*vm.vonage.com D*vonage.com D*com"
debug: tokenize: header tokens for *M = "  OEA0019 OEB3d65 OEC5696a8c0 qoqy "
debug: tokenize: header tokens for *F = "U*hetomy7 D*vm.vonage.com D*vonage.com D*com"
debug: tokenize: header tokens for To = "U*p.boven D*chello.nl D*nl"
debug: tokenize: header tokens for MIME-Version = " "
debug: tokenize: header tokens for *c = " /plain; format=flowed; charset="iso-8859-1"; reply-type=original"
debug: tokenize: header tokens for Content-Transfer-Encoding = " 7bit"
debug: tokenize: header tokens for X-Priority = " 3"
debug: tokenize: header tokens for X-MSMail-Priority = " Normal"
debug: tokenize: header tokens for *x = " Microsoft Outlook Express 6.00.2900.2869"
debug: tokenize: header tokens for X-MimeOLE = " Produced By Microsoft MimeOLE V6.00.2900.2869"
debug: tokenize: header tokens for X-UPC-BM-SpamWall = " True"
debug: tokenize: header tokens for *RT = " "
debug: tokenize: header tokens for *RU = " [ ip=220.166.39.177 rdns=vm.vonage.com helo=vm.vonage.com by=amsfep14-int.chello.nl ident= envfrom= intl=0 [EMAIL PROTECTED] auth= ]"
debug: tokenize: header tokens for *r = "   vm.vonage.com ([220.166.39 ip*220.166.39.177 ]) by amsfep14-int.chello.nl (InterMail vM.6.01.04 ip*6.01.04.04  201-2131-118-104-20050224)     id <[EMAIL PROTECTED]>   <[EMAIL PROTECTED]>; "
debug: tokenize: header tokens for *r = "   vm.vonage.com ([220.166.39 ip*220.166.39.177 ]) by amsfep14-int.chello.nl (InterMail vM.6.01.04 ip*6.01.04.04  201-2131-118-104-20050224)     id <[EMAIL PROTECTED]>   <[EMAIL PROTECTED]>;     mail.chello.nl [213.46.243 ip*213.46.243.2 ] by localhost   POP3 (fetchmail-5.8.0)   [EMAIL PROTECTED] (single-drop); "
debug: bayes token 'H*r:ip*213.46.243.2' => 0.998790266670248
debug: bayes token 'HX-UPC-BM-SpamWall:True' => 0.997045280883626
debug: bayes token 'H*r:fetchmail-5.8.0' => 0.996938365357587
debug: bayes token 'H*r:mail.chello.nl' => 0.996938365357587
debug: bayes token 'H*r:POP3' => 0.996938365357587
debug: bayes token 'H*r:single-drop' => 0.996938365357587
debug: bayes token 'H*r:213.46.243' => 0.993431472487533
debug: bayes token 'H*M:OEA0019' => 0.00881967213114754
debug: bayes token 'H*r:[EMAIL PROTECTED]' => 0.986316832424208
debug: bayes token 'H*c:flowed' => 0.0158139386787253
debug: bayes token 'H*c:format' => 0.0158197821280287
debug: bayes token 'H*r:sk:amsfep1' => 0.975437651025731
debug: bayes token 'H*MI:OEA0019' => 0.0256190476190476
debug: bayes token 'H*r:InterMail' => 0.969946976264983
debug: bayes token 'HTo:D*chello.nl' => 0.967613627312294
debug: bayes token 'H*r:ip*6.01.04.04' => 0.961901087815827
debug: bayes token 'H*Ad:U*p.boven' => 0.959757083754674
debug: bayes token 'HTo:U*p.boven' => 0.958965620063704
debug: bayes token 'HTo:D*nl' => 0.958003810002251
debug: bayes token 'H*r:vM.6.01.04' => 0.954967154517012
debug: bayes token 'H*r:sk:201-213' => 0.947124529298923
debug: bayes token 'H*Ad:D*chello.nl' => 0.939306679162186
debug: bayes token 'H*r:sk:p.boven' => 0.935136275229994
debug: bayes token 'H*Ad:D*nl' => 0.925771682577208
debug: bayes token 'H*r:sk:2006071' => 0.924330279310048
debug: bayes token 'H*c:reply-type' => 0.0810777210592274
debug: bayes token 'H*c:original' => 0.112315344918479
debug: bayes token 'H*p:D*com' => 0.871031264990193
debug: bayes: score = 0.928631185883117
debug: bayes: 10770 untie-ing
debug: bayes: 10770 untie-ing db_toks
debug: bayes: 10770 untie-ing db_seen
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d2fc4) implements 'check_tick'
debug: running raw-body-text per-line regexp tests; score so far=-92.927
debug: running full-text regexp tests; score so far=-92.927
debug: Running tests for priority: 500
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d2fc4) implements 'check_post_dnsbl'
debug: running meta tests; score so far=-92.927
debug: running header regexp tests; score so far=-92.927
debug: running body-text per-line regexp tests; score so far=-92.927
debug: running uri tests; score so far=-92.927
debug: running raw-body-text per-line regexp tests; score so far=-92.927
debug: running full-text regexp tests; score so far=-92.927
debug: Running tests for priority: 1000
debug: running meta tests; score so far=-92.927
debug: running header regexp tests; score so far=-92.927
debug: running body-text per-line regexp tests; score so far=-92.927
debug: running uri tests; score so far=-92.927
debug: running raw-body-text per-line regexp tests; score so far=-92.927
debug: running full-text regexp tests; score so far=-92.927
debug: auto-learn: currently using scoreset 2, recomputing score based on scoreset 0.
debug: auto-learn: message score: -92.927, computed score for autolearn: 3.352
debug: auto-learn? ham=0.1, spam=12, body-points=1.812, head-points=1.54, learned-points=3.608
debug: auto-learn? no: inside auto-learn thresholds, not considered ham or spam
debug: is spam? score=-92.927 required=5
debug: tests=BAYES_80,CHINANET,DATE_IN_FUTURE_06_12,SARE_SPEC_REPLICA_OBFU,USER_IN_WHITELIST
debug: subtests=__ANY_OUTLOOK_MUA,__CT,__CTE,__CTYPE_CHARSET_QUOTED,__CT_TEXT_PLAIN,__HAS_MIMEOLE,__HAS_MSGID,__HAS_MSMAIL_PRI,__HAS_OUTLOOK_IN_MAILER,__HAS_SUBJECT,__HAS_X_MAILER,__HAS_X_PRIORITY,__MIME_VERSION,__MSGID_OK_HEX,__MSGID_OK_HOST,__OE_MSGID_2,__OE_MUA,__OUTLOOK_DOLLARS_MSGID,__SANE_MSGID,__SARE_BODY_BLNK_5_100,__SARE_HEAD_SUBJ_RAND,__SARE_META_MURTY3,__SARE_SPEC_PROLEO5,__SARE_URI_ANY,__SARE_WHITELIST_FLAG
Return-Path: <[EMAIL PROTECTED]>
Received: from localhost (localhost [127.0.0.1])
        by a48046.upc-a.chello.nl (8.13.6+Sun/8.13.6) with ESMTP id k6D6gfSl010610
        for <[EMAIL PROTECTED]>; Thu, 13 Jul 2006 08:42:43 +0200 (CEST)
Received: from mail.chello.nl [213.46.243.2]
        by localhost with POP3 (fetchmail-5.8.0)
        for [EMAIL PROTECTED] (single-drop); Thu, 13 Jul 2006 08:42:43 +0200 (CEST)
Received: from vm.vonage.com ([220.166.39.177]) by amsfep14-int.chello.nl
          (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with SMTP
          id <[EMAIL PROTECTED]>
          for <[EMAIL PROTECTED]>; Thu, 13 Jul 2006 08:33:46 +0200
Message-ID: <[EMAIL PROTECTED]>
From: "sufe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: zilyzetu
Date: Thu, 13 Jul 2006 14:33:46 0800
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="iso-8859-1";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-UPC-BM-SpamWall: True
X-Scanned-By: MIMEDefang 2.51 on 62.163.48.46
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
        a48046.upc-a.chello.nl
X-Spam-Status: No, score=-92.9 required=5.0 tests=BAYES_80,CHINANET,
        DATE_IN_FUTURE_06_12,SARE_SPEC_REPLICA_OBFU,USER_IN_WHITELIST 
        autolearn=no version=3.0.4
X-Spam-Level: 

Do you like replica
joxaxajs http://www.conffortableoora.com

Spam detection software, running on the system "a48046.upc-a.chello.nl", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
SARA Servicedesk for details.

Content preview:  Do you like replica joxaxajs 
  http://www.conffortableoora.com [...] 

Content analysis details:   (-92.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 CHINANET               Chinanet - large provider in China
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 1.2 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
 1.8 SARE_SPEC_REPLICA_OBFU BODY: Rolex with obfuscated replica
 3.6 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9286]
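
A triage helper for debug output like the above, added here as an example; it is not part of the original post or of SpamAssassin. It rejoins wrapped `debug:` lines, extracts each parsed relay, and lists untrusted relays whose `rdns` merely repeats the `helo` value when `USER_IN_WHITELIST` fired. The function names, the constructed sample, and the rdns-equals-helo heuristic are assumptions of this example.

```python
import re

# Constructed sample in the format of the `spamassassin -D` output above,
# including the line wrapping seen in the attachment.
SAMPLE = """\
debug: received-header: parsed as [ ip=127.0.0.1 rdns=localhost helo=localhost
by=a48046.upc-a.chello.nl ident= envfrom= intl=0 id=k6D6gfSl010610 auth= ]
debug: found fetchmail marker, restarting parse
debug: received-header: parsed as [ ip=220.166.39.177 rdns=vm.vonage.com
helo=vm.vonage.com by=amsfep14-int.chello.nl ident= envfrom= intl=0 auth= ]
debug: received-header: relay 220.166.39.177 trusted? no internal? no
debug:
tests=BAYES_80,CHINANET,USER_IN_WHITELIST
"""

def unwrap(text):
    """Rejoin wrapped continuation lines onto the 'debug:' line they belong to."""
    out = []
    for line in text.splitlines():
        if line.startswith("debug:") or not out:
            out.append(line.strip())
        else:
            out[-1] = (out[-1] + " " + line.strip()).strip()
    return out

def parse_relays(text):
    """Return (relays, trust, tests) extracted from the debug output."""
    relays, trust, tests = [], {}, set()
    for line in unwrap(text):
        m = re.search(r"received-header: parsed as \[ (.*) \]", line)
        if m:  # key=value fields; empty values such as 'ident=' are kept as ''
            relays.append(dict(re.findall(r"(\w+)=(\S*)", m.group(1))))
        m = re.search(r"relay (\S+) trusted\? (\w+) internal\? (\w+)", line)
        if m:
            trust[m.group(1)] = m.group(2) == "yes"
        m = re.search(r"\btests=(\S+)", line)  # \b keeps 'subtests=' out
        if m:
            tests.update(m.group(1).split(","))
    return relays, trust, tests

def unverified_whitelist_relays(text):
    """IPs to review: whitelist fired, relay untrusted, rdns just mirrors helo."""
    relays, trust, tests = parse_relays(text)
    if "USER_IN_WHITELIST" not in tests:
        return []
    return [r["ip"] for r in relays
            if trust.get(r.get("ip")) is False
            and r.get("rdns") and r["rdns"].lower() == r.get("helo", "").lower()]
```

A relay returned here is one whose hostname should be confirmed with an independent reverse and forward DNS lookup before the whitelist match is believed.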
