Koozali.org: home of the SME Server

Spamassassin - false positives on forwarded messages

jbath

Spamassassin - false positives on forwarded messages
« on: February 10, 2006, 10:23:15 PM »
This one is a peculiar one.

My boss and a few other people will get sent a forwarded message.  The message shows up in the junkmail folder.  The subject header does not get "SPAM [x.x OF 3.0] " prepended to it.  Instead there is the "X-Spam-Status: YES" line in the header of the message.

This then poses the question - why does it have the status flagged to yes?  The email message in one case is already on my white list.

My guess is that somewhere the message gets flagged with no alterations to the subject line.  Is it my server or someone else's server?

Alternatively, how do I change this around?  Do I need to change procmail rules to sort based on the altered subject line instead of the X-Spam-Status flag?  But this is merely a workaround, not the solution to the original problem.

More insight on the problem:  The message that gets sorted to junkmail has an attachment on it.  Most of the time the message also has "Fwd:" in the subject line - but not all the time.


Any elucidation would be greatly appreciated.
Thanks,

Knuddi
Spamassassin - false positives on forwarded messages
« Reply #1 on: February 11, 2006, 11:57:25 AM »
What do the other SpamAssassin email tags state?

X-Spam-Status

and

X-Spam-Checker-Version

The last will show whether the email was tagged by your system or a previous server and that the tags haven't been stripped.

Which version of SA are you using?

Rgds,
Jesper

jbath

Spamassassin - false positives on forwarded messages
« Reply #2 on: February 11, 2006, 04:05:47 PM »
I'm running SA 3.1.0

Here's the headers from a true-positive piece of spam:
-------------------------------------------------------
Received: (qmail 23664 invoked by alias); 10 Feb 2006 23:32:34 -0000
Delivered-To: alias-localdelivery-jbath@ckua.org
Received: (qmail 23615 invoked from network); 10 Feb 2006 23:32:29 -0000
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ckuamain.ckua.com
X-Spam-Report:
        *  1.0 SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis'
        *  0.8 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
        *  0.7 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
        * -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.8 INFO_TLD URI: Contains an URL in the INFO top-level domain
        *  0.7 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
        *  2.4 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
        *  0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
        *      [URIs: shmaytt.info]
        *  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        *      [URIs: shmaytt.info]
        *  2.6 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
        *      [URIs: shmaytt.info]
        *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
        *      [URIs: shmaytt.info]
        *  0.1 DRUGS_ERECTILE Refers to an erectile drug
        *  0.3 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
X-Spam-Status: Yes, score=14.2 required=3.0 tests=ALL_TRUSTED,
        DATE_IN_PAST_06_12,DRUGS_ERECTILE,EXTRA_MPART_TYPE,HTML_IMAGE_ONLY_08,
        HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,INFO_TLD,MIME_HTML_MOSTLY,
        MPART_ALT_DIFF,SUBJECT_DRUG_GAP_C,URIBL_JP_SURBL,URIBL_OB_SURBL,
        URIBL_SBL,URIBL_WS_SURBL autolearn=no version=3.1.0
X-Spam-Level: **************
X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on ckuamain.ckua.com
Received: from friend (cpe-065-190-179-253.nc.res.rr.com [65.190.179.253])
  by ckuamain.ckua.com ([10.2.1.1])
  with ESMTP via TCP; 10 Feb 2006 23:32:28 -0000
Message-ID: <000001c62e99$800f5400$0100007f@tripp-1>
From: "Gilbert" <richard@guitarra.biz>
To: <jbath@ckua.org>
Subject: [SPAM 14.2 of 3.0] Cialis 20 Pills 20 mg $129.95
Date: Fri, 10 Feb 2006 18:27:04 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="------------ms030602030901010506070400"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Prev-Subject: Cialis 20 Pills 20 mg $129.95
--------------------------------------------

... and here's an example of a false positive in the system:
--------------------------------------------
Received: (qmail 21939 invoked by alias); 9 Feb 2006 20:48:38 -0000
Delivered-To: alias-localdelivery-scott.stevenson@ckua.com
Received: (qmail 21927 invoked from network); 9 Feb 2006 20:48:37 -0000
X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on ckuamain.ckua.com
Received: from imo-m28.mx.aol.com (imo-m28.mx.aol.com [64.12.137.9])
  by ckuamain.ckua.com ([10.2.1.1])
  with ESMTP via TCP; 09 Feb 2006 20:48:34 -0000
Received: from IGray67074@aol.com
        by imo-m28.mx.aol.com (mail_out_v38_r6.3.) id u.291.560bec1 (57317);
        Thu, 9 Feb 2006 15:48:25 -0500 (EST)
From: IGray67074@aol.com
Message-ID: <291.560bec1.311d0498@aol.com>
Date: Thu, 9 Feb 2006 15:48:24 EST
Subject: Deer Cull with Audio
To: ken.regan@ ckua.com, scott.stevenson@ckua.com, newscasters@ckua.org,
          jspencer@ckua.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part1_291.560bec1.311d0498_boundary"
X-Mailer: 8.0 for Windows sub 660
X-Spam-Flag: YES
---------------------------------

This second example is interesting because the sender's address is in my white list.  Yet he sends all sorts of stuff with attachments that get marked as clean by this X-Spam-Flag header.

My guess as well was that some other system had flagged the message before my system got to it.  

The important difference is that when my system marks mail as spam, it has the X-Spam-Status header and X-Spam-Flag header inside; whereas the false-positive has only the X-Spam-Flag header.  
Procmail is sorting based on the X-Spam-Flag.  My best bet would be to change procmail to sort based on the X-Spam-Status header instead.
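The check Knuddi suggests in Reply #1 (look at X-Spam-Checker-Version to see which host tagged the mail) and the sorting change proposed in Reply #2 (file on X-Spam-Status rather than X-Spam-Flag), worked through as an added example that is not part of the thread. The two sample messages are constructed, trimmed copies of the header blocks posted above; the local scanner hostname ckuamain.ckua.com is taken from those headers and is the only assumption.

```python
"""Added example (not from the thread): tell which server wrote a message's
SpamAssassin headers, and show why sorting on X-Spam-Flag alone misfiles
mail that arrives already tagged by an upstream host.

Assumption: the local scanner is the host named in the thread's headers
(ckuamain.ckua.com). The two sample messages are constructed, trimmed
copies of the header blocks posted in Reply #2.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

LOCAL_HOST = "ckuamain.ckua.com"  # assumption: our own SpamAssassin host

# Constructed sample: tagged by the local SpamAssassin (all three X-Spam-* headers).
TAGGED_LOCALLY = """\
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ckuamain.ckua.com
X-Spam-Status: Yes, score=14.2 required=3.0 tests=ALL_TRUSTED,
        URIBL_SBL,URIBL_WS_SURBL autolearn=no version=3.1.0
X-Spam-Level: **************
From: "Gilbert" <richard@guitarra.biz>
Subject: [SPAM 14.2 of 3.0] Cialis 20 Pills 20 mg $129.95

body
"""

# Constructed sample: only X-Spam-Flag present, no local checker/status headers.
TAGGED_UPSTREAM = """\
Received: from imo-m28.mx.aol.com (imo-m28.mx.aol.com [64.12.137.9])
  by ckuamain.ckua.com ([10.2.1.1])
  with ESMTP via TCP; 09 Feb 2006 20:48:34 -0000
From: IGray67074@aol.com
Subject: Deer Cull with Audio
X-Spam-Flag: YES

body
"""

# SpamAssassin writes "SpamAssassin <ver> (<date>) on <hostname>"
CHECKER_HOST = re.compile(r"\bon\s+([\w.-]+)\s*$")


def checker_host(msg: Message) -> Optional[str]:
    """Hostname recorded in X-Spam-Checker-Version, or None if the header is absent."""
    m = CHECKER_HOST.search(msg.get("X-Spam-Checker-Version", ""))
    return m.group(1).lower() if m else None


def verdict_origin(msg: Message, local_host: str = LOCAL_HOST) -> str:
    """'local' if our SA wrote the verdict, 'upstream' if another host did, 'none' if untagged."""
    tag_headers = ("X-Spam-Flag", "X-Spam-Status", "X-Spam-Checker-Version")
    if not any(msg.get(h) for h in tag_headers):
        return "none"
    if checker_host(msg) == local_host.lower() and msg.get("X-Spam-Status"):
        return "local"
    return "upstream"


def spam_by_flag(msg: Message) -> bool:
    """The rule the thread's procmail uses today: trusts any host's X-Spam-Flag."""
    return msg.get("X-Spam-Flag", "").strip().lower() == "yes"


def spam_by_local_status(msg: Message, local_host: str = LOCAL_HOST) -> bool:
    """File as spam only when our own SpamAssassin said so (X-Spam-Status: Yes)."""
    if verdict_origin(msg, local_host) != "local":
        return False
    # X-Spam-Status may be folded across lines; the parser keeps the newline.
    return msg.get("X-Spam-Status", "").lstrip().lower().startswith("yes")


def classify(raw: str, local_host: str = LOCAL_HOST) -> dict:
    """Parse a raw message and report both sorting decisions side by side."""
    msg = message_from_string(raw)
    return {
        "origin": verdict_origin(msg, local_host),
        "checker_host": checker_host(msg),
        "by_flag": spam_by_flag(msg),
        "by_local_status": spam_by_local_status(msg, local_host),
    }


if __name__ == "__main__":
    for name, raw in (("true positive", TAGGED_LOCALLY), ("forwarded mail", TAGGED_UPSTREAM)):
        print(name, classify(raw))
```

Running it shows the two messages diverge only under the second rule: the AOL message carries `X-Spam-Flag: YES` from somewhere else, no `X-Spam-Checker-Version` naming ckuamain.ckua.com and no `X-Spam-Status`, so `spam_by_flag` files it as junk while `spam_by_local_status` does not. The equivalent procmail change is to match on `^X-Spam-Status: Yes` instead of `^X-Spam-Flag: YES`; that alone would still trust an upstream X-Spam-Status if one ever arrived, which is why the script also requires the checker hostname to be the local one.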

jbath

Spamassassin - false positives on forwarded messages
« Reply #3 on: February 11, 2006, 05:11:47 PM »
I noticed something else.  I have all email originating from outside my internal network scanned by spamassassin.  Mail originating from inside doesn't get scanned because my users complain about the length of time it takes to send, as the mail gets scanned in the process of sending.  So all inbound mail gets marked by spamassassin with its reports regardless of whether it is good or not.

Now in the case of the mail from the one person, they sometimes but not always have my mail server's X-Spam headers inserted into the message.  When they don't get inserted, there is the single X-Spam-Flag: No|Yes line.  

Is this a problem with my spamassassin not doing its job, or is it being ignored because it already has the X-Spam-Flag in the header?