spam bypass spamassassin - SpamAssassin


  1. spam bypass spamassassin


    Why this spam scored with 5.1 (required 5.0) bypass spamassassin??

    (clamdscan: 0.93/8144. spamassassin: 3.2.5.
    Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
    Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
    X-Spam-Status: Yes, score=5.1 required=5.0
    X-Spam-Level: +++++


  2. Re: spam bypass spamassassin

    On 03.09.08 09:18, Rejaine Monteiro wrote:
    > Why this spam scored with 5.1 (required 5.0) bypass spamassassin??


    Why do you think it bypassed spamassassin? The whole fact the spam was
    tagged means it did NOT bypass it, don't you think?

    > (clamdscan: 0.93/8144. spamassassin: 3.2.5.
    > Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
    > Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
    > X-Spam-Status: Yes, score=5.1 required=5.0
    > X-Spam-Level: +++++


    I see no X-Spam-Version, maybe it was scored by SA on other machine.
    But, always, it's not spamassassin question why some mail are not passed
    through it...
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    Remember half the people you know are below average.


  3. Re: spam bypass spamassassin

    On Wed, Sep 03, 2008 at 09:18:53AM -0300, Rejaine Monteiro wrote:
    >
    > Why this spam scored with 5.1 (required 5.0) bypass spamassassin??
    >
    > (clamdscan: 0.93/8144. spamassassin: 3.2.5.
    > Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
    > Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
    > X-Spam-Status: Yes, score=5.1 required=5.0
    > X-Spam-Level: +++++


    It did not bypass Spamassassin. Spamassassin did its job by
    classifying the message as spam. The rest is up to your mta.

    Regards
    Johann

    --
    Johann Spies Telefoon: 021-808 4036
    Informasietegnologie, Universiteit van Stellenbosch

    "And he said unto his disciples, Therefore I say unto
    you, Take no thought for your life, what ye shall eat:
    neither for the body, what ye shall put on. The life
    is more than meat, and the body is more than raiment.
    Consider the ravens: for they neither sow nor reap;
    which neither have storehouse nor barn; and God
    feedeth them: how much more are ye better than the fowls!
    Consider the lilies, how they grow: they toil
    not, they spin not; and yet I say unto you, that
    Solomon in all his glory was not arrayed like one of
    these. If then God so clothe the grass, which is to
    day in the field, and to morrow is cast into the oven;
    how much more will he clothe you, O ye of little
    faith? And seek not what ye shall eat, or what ye
    shall drink, neither be ye of doubtful mind.
    But rather seek ye the kingdom of God; and all these
    things shall be added unto you."
    Luke 12:22-24; 27-29; 31.


  4. Re: spam bypass spamassassin

    Jason Esman wrote:
    >
    >> -----Original Message-----
    >> From: Rejaine Monteiro [mailto:rejaine@bhz.jamef.com.br]
    >> Sent: Wednesday, September 03, 2008 7:19 AM
    >> To: users@spamassassin.apache.org
    >> Subject: spam bypass spamassassin
    >>
    >>
    >> Why this spam scored with 5.1 (required 5.0) bypass spamassassin??
    >>
    >> (clamdscan: 0.93/8144. spamassassin: 3.2.5.
    >> Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
    >> Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
    >> X-Spam-Status: Yes, score=5.1 required=5.0
    >> X-Spam-Level: +++++

    >
    > I'm also seeing this. It is not that it bypasses Spamassassin but that it is not adding the Subject. I've lately been getting a lot of spam that scores 5.1; the spam threshold is 5.0, but at 5.1 it does not change the subject.
    >
    > An example:
    >
    > Subject: Aaca aaiiuo
    > Date: Mon, 1 Sep 2008 06:18:26 -0500
    > Message-ID:
    > MIME-Version: 1.0
    > Content-Type: multipart/mixed;
    > boundary="----=_NextPart_000_0018_01C90D17.8D566C70"
    > X-Mailer: Microsoft Office Outlook 11
    > Thread-Index: AckMJHQQXzDI+JlySi+ENdpaQUGHHQAAAAM+
    > content-class: urn:content-classes:dsn
    > x-originalarrivaltime: 01 Sep 2008 11:18:25.0639 (UTC) FILETIME=[73B55770:01C90C24]
    > x-spam-level: +++++
    > x-spam-status: Yes, score=5.1 required=5.0
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
    > x-dsncontext: 7ce717b1 - 1391 - 00000002 - C00402D1
    >
    > This is a multi-part message in MIME format.
    >
    >
    > Notice the subject does not say *****SPAM***** which is what we have rewrite subject set to.
    >



    How do you call SA? If you call SA from a program that adds its own
    header (notice the case in the x-spam-* headers. Here, they are
    X-Spam-...), then the same program is probably responsible for changing
    the subject. In which case, this is not an SA issue.


  5. Re: spam bypass spamassassin



    Matus UHLAR - fantomas escreveu:
    > Why do you think it bypassed spamassassin? The whole fact the spam was
    > tagged means it did NOT bypass it, don't you think?
    >
    >

    Because I received this email in my mailbox (and many others like this),
    so the spam was not blocked by spamassassin, although it received a
    score of 5.1 (required 5.0)

    > I see no X-Spam-Version, maybe it was scored by SA on other machine.
    > But, always, it's not spamassassin question why some mail are not passed
    > through it...
    >

    I did not send the complete header of the message, therefore the SA
    version did not appear.

    My intention was only to show that the message had a score high enough
    to be blocked, however it was delivered (not blocked)

    The full header follows below (I modified some confidential information):

    Received: (qmail 4400 invoked by alias); 3 Sep 2008 08:32:21 -0300
    Delivered-To: user@mydomain
    Received: (qmail 4371 invoked by uid 368); 3 Sep 2008 08:32:21 -0300
    Received: from 209.85.217.31 by server1 (envelope-from ,
    uid 365) with qmail-scanner-2.01
    (clamdscan: 0.93/8144. spamassassin: 3.2.5.
    Clear:RC:0(209.85.217.31):SA:1(5.1/5.0):.
    Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -0000
    X-Spam-Status: Yes, score=5.1 required=5.0
    X-Spam-Level: +++++
    Received: from mail-gx0-f31.google.com (209.85.217.31)
    by mailserver.mydomain.com with SMTP; 3 Sep 2008 08:32:19 -0300
    Received-SPF: pass (mailserver.mydomain.com: SPF record at
    _spf.google.com designates 209.85.217.31 as permitted sender)
    Received: by gxk12 with SMTP id 12so2889720gxk.18
    for ; Wed, 03 Sep 2008 04:32:16 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=gamma;
    h=domainkey-signature:received:received:message-id:date:from:to
    :subject:in-reply-to:mime-version:content-type:references;
    bh=coZ1EmMjtIS0cmUKIQXRvZC31Xpo+lwlfWJOdLjsVZQ=;
    b=NmZuyJkV18ruiec999Su1vuQO5NH4xGJRK2VOF9gYqb1pH4o GTPBvr14AYHiI13f8v

    wEIeh140B1OfNKMDe2129sClZVdGtOhZPtf7SATI1/79AxBQ2b/vYb+DAuekl/N04xie
    cyobOumkw0kMyGiusVZcmtiBvAuJ51TsGtgCQ=
    DomainKey-Signature: a=rsa-sha1; c=nofws;
    d=gmail.com; s=gamma;
    h=message-id:date:from:to:subject:in-reply-to:mime-version
    :content-type:references;
    b=hyah72fhk0lmrwpOG9cXDT2K93HGA02C5vy7GKaLjnlCcBmO iRYi9tbttKQ3qt/hKf

    c7YAjfUmM7p9UYgqt7YY9ePmK334WNilEo34H8hY10bSe/LwGaXU1N5D6xzWvU07kL6u
    10qNGdhMCUjrd+MD5lWg7kbRX1c/ZJW3hOZNw=
    Received: by 10.142.180.11 with SMTP id c11mr2999448wff.113.1220440859878;
    Wed, 03 Sep 2008 04:20:59 -0700 (PDT)
    Received: by 10.142.154.1 with HTTP; Wed, 3 Sep 2008 04:20:59 -0700 (PDT)
    Message-ID: <584634110809030420q4bfdd512y9bc2a64c1ddca8c7@mail.gmail.com>
    Date: Wed, 3 Sep 2008 08:20:59 -0300
    From: "User Sender"
    To: user@mydomain.com
    Subject: Nova modalidade de FURTO DE DIESEL!
    In-Reply-To: <584634110809030410p72d024a7oa7ba7c0ce4cee3f8@mail.gmail.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_Part_25106_5226581.1220440859861"
    References: <584634110809030401w4ecd1b0iead0491ac35b9952@mail.gmail.com>
    <584634110809030410p72d024a7oa7ba7c0ce4cee3f8@mail.gmail.com>


  6. Re: spam bypass spamassassin

    Maybe the problem is qmail-scanner and not spamassassin.

    My sa_quarantine_over is 0.1 (my $sa_quarantine_over='0.1')

    and qmail-scanner has a line like this:



    if ($sa_quarantine_over > 0 && ($sa_score - $sa_required_hits) >= $sa_quarantine_over) {
        &debug("SA: seriously spammy - quarantine and don't deliver");
        $destring="SPAM";
        $quarantine_description="SPAM content refused by this network ($sa_score/$sa_required_hits)";
        $quarantine_spam="SA:SPAM-QUARANTINED";
        $description .= "\n---spamassassin results ---\n$destring '$quarantine_description'\n ($sa_comment) found in message $ENV{'TMPDIR'}";



    5.1 - 5.0 = 0.1
    And 0.1 >= $sa_quarantine_over, so don't deliver and quarantine, but
    message *was* delivered ..

    Maybe this is a bug in qmail-scanner (and not spamassassin)...
    Rejaine Monteiro escreveu:
    >
    >
    > Matus UHLAR - fantomas escreveu:
    >> Why do you think it bypassed spamassassin? The whole fact the spam was
    >> tagged means it did NOT bypass it, don't you think?
    >>
    >>

    > Because I received this email in my mailbox (and many others like
    > this), so the spam was not blocked by spamassassin, although to
    > receive score 5.1 (required 5.0)
    >
    >> I see no X-Spam-Version, maybe it was scored by SA on other machine.
    >> But, always, it's not spamassassin question why some mail are not
    >> passed
    >> through it...
    >>

    > I did not send the complete header of the message, therefore it did
    > not appear the SA version.
    >
    > My intention was to only show that the message had score enough to be
    > blocked, however it was delivered (not blocked)
    >
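
The arithmetic in the post above assumes exact decimals, but Perl evaluates it in binary floating point, where 5.1 - 5.0 comes out slightly below 0.1 (about 0.0999999999999996), so the posted `>=` test is false for this message. The following is an added example, not part of the thread or of qmail-scanner; `tenths` and `quarantine_rounded` are hypothetical names, and that this is what happened on the poster's server is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Comparison as written in the posted qmail-scanner excerpt.
sub quarantine_as_posted {
    my ($score, $required, $over) = @_;
    return ($over > 0 && ($score - $required) >= $over) ? 1 : 0;
}

# Hypothetical helper: convert a value to integer tenths. Assumes scores and
# thresholds carry one decimal place, as in the X-Spam-Status header.
sub tenths { return sprintf("%.0f", $_[0] * 10) + 0 }

# Hypothetical hardened variant: subtract and compare in integer tenths, so
# a score exactly at the cut-off is not lost to binary rounding.
sub quarantine_rounded {
    my ($score, $required, $over) = @_;
    return 0 unless $over > 0;
    return (tenths($score) - tenths($required) >= tenths($over)) ? 1 : 0;
}

# Constructed sample values; the first row is the message from the thread
# (score 5.1, required 5.0, sa_quarantine_over '0.1').
my @cases = (
    ['5.1', '5.0', '0.1'],
    ['5.2', '5.0', '0.1'],
    ['5.0', '5.0', '0.1'],
    ['7.3', '5.0', '2.3'],
);

printf "%-6s %-9s %-5s %-22s %-7s %s\n",
    'score', 'required', 'over', 'score - required', 'posted', 'rounded';
for my $c (@cases) {
    my ($s, $r, $o) = @$c;
    printf "%-6s %-9s %-5s %-22.17g %-7s %s\n",
        $s, $r, $o, $s - $r,
        quarantine_as_posted($s, $r, $o) ? 'yes' : 'no',
        quarantine_rounded($s, $r, $o)   ? 'yes' : 'no';
}
```

The `score - required` column prints the difference to 17 significant digits, which makes visible any case where the value the `>=` test actually sees differs from the decimal shown in the headers.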



  7. Re: spam bypass spamassassin

    Rejaine Monteiro wrote:
    > Because I received this email in my mailbox (and many others like
    > this), so the spam was not blocked by spamassassin, although to
    > receive score 5.1 (required 5.0)

    Spamassassin doesn't "block" mails. You will still see messages with
    every score in your mailbox, unless you have some other device on your
    system saying "do not put messages with a score higher than X in my inbox."


  8. Re: spam bypass spamassassin

    correct..

    my problem has a name: qmail-scanner-queue.pl

    ;o)

    thanks !


    Evan Platt escreveu:
    > Rejaine Monteiro wrote:
    >> Because I received this email in my mailbox (and many others like
    >> this), so the spam was not blocked by spamassassin, although to
    >> receive score 5.1 (required 5.0)

    > Spamassassin doesn't "block" mails. You will still see messages with
    > every score in your mailbox, unless you have some other device on your
    > system saying "do not put messages with a score higher than X in my
    > inbox."



  9. Re: spam bypass spamassassin

    Rejaine Monteiro wrote:
    >
    >
    > Matus UHLAR - fantomas escreveu:
    >> Why do you think it bypassed spamassassin? The whole fact the spam was
    >> tagged means it did NOT bypass it, don't you think?
    >>
    >>

    > Because I received this email in my mailbox (and many others like this)
    > , so the spam was not blocked by spamassassin,


    so you installed spamassassin but you don't know what it does?

    > although to receive
    > score 5.1 (required 5.0)


    let's all get up and dance to a song that was hit before your mailer was
    born...

    SA does not block mail
    SA does not put mail in folders
    SA does not prepare dinner
    SA does not vote


  10. Re: spam bypass spamassassin


    as I said before,

    my problem was detected.. it is a qmail-scanner-queue issue.. not a
    spamassassin problem!

    in addition, my bad English helped to make things worse.

    I have used this program for some time, but really I confused things
    involving qmail-scanner and I expressed myself badly.

    forgive me if I seemed ignorant!
    forgive me for the *stupid* question!

    peace!

    mouss escreveu:
    >
    > let's all get up and dance to a song that was hit before your mailer
    > was born...
    >
    > SA does not block mail
    > SA does not put mail in folders
    > SA does not prepare dinner
    > SA does not vote
    >
    >



  11. Re: spam bypass spamassassin

    Rejaine Monteiro wrote:
    >
    > as I said before,
    >
    > my problem was detected.. it is a qmail-scanner-queue issue.. not a
    > spamassassin problem!
    >
    > in addition, my bad English helped to make things worse.
    >
    > I have used this program for some time, but really I confused things
    > involving qmail-scanner and I expressed myself badly.
    >
    > forgive me if I seemed ignorant!
    > forgive me for the *stupid* question!
    >
    > peace!


    peace? you'll have to wait for the next century for now, it's all war
    around...

    sorry if I sounded $(bad). but we see many posts asking why SA didn't
    block/quarantine/folder/...

    >
    > mouss escreveu:


    what? are you insulting me? I am not an escreveu

    ok, let's get to more serious stuff (email isn't serious, don't you think?).

