Completely wrong spam detection in SpamAssassin


Vinícius Ferrão-2
Hello folks,

I'm having a lot of problems with spam passing through our Postfix+Amavisd-new solution.

What happens: a phishing attack arrives, it is not detected as spam by the Bayesian filter, and since it originated from an authenticated user (stolen password) and from a known MTA it receives a negative score from AWL; the spam/phishing attack gets into the system and is finally relayed to our Exchange Server, which uses our Postfix as a smarthost.

The question is: how can I debug this? I'm getting tired of using sa-learn to train our Bayesian filter without success. For months, the same message has passed through our system and it never gets caught.

This is weird, since when we use spamassassin -r to report the message, it is detected as spam with 100% confidence.

Here is an example:

Return-Path: <[hidden email]>
Delivered-To: clean-quarantine
X-Envelope-To: <********************************>
X-Envelope-To-Blocked:
X-Quarantine-ID: <vb4FI3WXpiqz>
X-Spam-Flag: NO
X-Spam-Score: 1.674
X-Spam-Level: *
X-Spam-Status: No, score=1.674 tag=-99.9 tag2=6.2 kill=6.9 tests=[AWL=0.000,
        BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1,
        MISSING_HEADERS=1.021, REPLYTO_WITHOUT_TO_CC=1.552] autolearn=no

And when I run the spamassassin -r command I get this:

Received: from localhost by ironforge.if.ufrj.br
with SpamAssassin (version 3.3.1);
Sat, 24 Nov 2012 11:38:50 -0200
From: "Webmail Administrador" <[hidden email]>
Subject: Cuidado com o administrador - confirmar a infor=?ISO-8859-1?Q?ma=E7=E3o_webmail_abai?=xo
Date: Fri, 23 Nov 2012 18:11:26 -0300
Message-Id: <20121123210616.[hidden email]>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on ironforge.if.ufrj.br
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.1 required=5.0 tests=AWL,BAYES_99,FREEMAIL_FROM,
FREEMAIL_REPLYTO,MISSING_HEADERS,REPLYTO_WITHOUT_TO_CC autolearn=no
version=3.3.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_50B0CDEA.C3BB593D"

This is a multi-part message in MIME format.

------------=_50B0CDEA.C3BB593D
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "ironforge.if.ufrj.br", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Caro usuário Webmail Sua cota de correio excedeu o conjunto
   quota / limite e você está atualmente em execução no GB Baixa devido a arquivos
   ocultos e pastas em sua caixa postal. Você pode não ser capaz de receber
   ou enviar novos e-mails até que você re- validar a permitir espaço em suas
   pastas de webmail. Isso também pode ser causado por não validar o seu webmail
   como aconselhado anteriormente. [...]

Content analysis details:   (6.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (alert_news[at]programmer.net)
 1.0 MISSING_HEADERS        Missing To: header
 1.6 REPLYTO_WITHOUT_TO_CC  REPLYTO_WITHOUT_TO_CC
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain different
                            freemails
-1.0 AWL                    AWL: From: address is in the auto white-list

I'm looking for any help, since the solutions don't appear to be working as expected.

Thanks in advance,

Vinícius Ferrão: Administrador de Sistemas
www.ferrao.eti.br
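The two X-Spam-Status headers in the post are the evidence worth comparing side by side. The script below is an added example, not part of the original thread: it parses both header formats (Amavisd-new's `NAME=score` list with `kill=`, and stock SpamAssassin's bare rule list with `required=`) and reports which rules fired on only one side. The header values are copied from the post; only the Bayes bucket differs (BAYES_00 vs BAYES_99), which is the pattern you get when two scans consult different per-user Bayes databases (amavisd scans as its own user, a shell `spamassassin -r` as the invoking user).

```python
import re

# Both header values are copied from the post above: the Amavisd-new verdict
# (not flagged, 1.674) and the spamassassin -r verdict (flagged, 6.1).
AMAVIS_STATUS = (
    "No, score=1.674 tag=-99.9 tag2=6.2 kill=6.9 tests=[AWL=0.000, "
    "BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, "
    "MISSING_HEADERS=1.021, REPLYTO_WITHOUT_TO_CC=1.552] autolearn=no"
)
SA_REPORT_STATUS = (
    "Yes, score=6.1 required=5.0 tests=AWL,BAYES_99,FREEMAIL_FROM,"
    "FREEMAIL_REPLYTO,MISSING_HEADERS,REPLYTO_WITHOUT_TO_CC autolearn=no "
    "version=3.3.1"
)

def parse_spam_status(header):
    """Return flag, score, threshold and per-rule hits from an X-Spam-Status value.
    Amavisd-new writes tests=[NAME=score, ...] with kill=; stock SpamAssassin writes
    tests=NAME,NAME,... with required=, so per-rule scores are None there."""
    flagged = header.split(",", 1)[0].strip().lower() == "yes"
    score = float(re.search(r"\bscore=(-?[\d.]+)", header).group(1))
    threshold = float(re.search(r"\b(?:kill|required)=(-?[\d.]+)", header).group(1))
    tests = re.search(r"tests=\[?(.*?)\]?(?:\s+autolearn=|$)", header).group(1)
    rules = {}
    for item in tests.split(","):
        name, _, value = item.strip().partition("=")
        rules[name] = float(value) if value else None
    return {"flagged": flagged, "score": score, "threshold": threshold, "rules": rules}

def explain_gap(status_a, status_b):
    """Compare two verdicts for the same message. Rules hit on only one side are the
    first thing to look at: here the Bayes bucket flips from BAYES_00 to BAYES_99,
    which is what two scans consulting different per-user Bayes databases look like."""
    a, b = parse_spam_status(status_a), parse_spam_status(status_b)
    return {
        "only_in_a": sorted(set(a["rules"]) - set(b["rules"])),
        "only_in_b": sorted(set(b["rules"]) - set(a["rules"])),
        "gap": round(b["score"] - a["score"], 3),
        "shortfall_a": round(a["threshold"] - a["score"], 3),  # distance to kill=
        "verdict_changed": a["flagged"] != b["flagged"],
    }

if __name__ == "__main__":
    for key, value in explain_gap(AMAVIS_STATUS, SA_REPORT_STATUS).items():
        print(f"{key}: {value}")
```

Running it over the quarantine copy and the re-scanned copy of any message shows at a glance whether the gap is Bayes, AWL or a rule set difference between the two scanning paths.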



Re: Completely wrong spam detection in SpamAssassin

Kalin KOZHUHAROV
Hello Vinícius,

I have a generic solution for you:

1. Get some sound sleep
2. Make sure the mail that gets through passes through your spamassassin host/process
   (hint: don't trust headers completely, look at logs for Message-Id: on client and servers)
3. Drink <($your_favorite_drink) to celebrate

Cheers,
Kalin.