Fw: Antigen Notification: Antigen found a message matching a filter - SpamAssassin


  1. Fw: Antigen Notification: Antigen found a message matching a filter

    Got this after sending message earlier to this list. Could someone here
    explain it?

    Regards
    Lars Ebeling



    ----- Original Message -----
    From:
    To:
    Sent: Tuesday, September 09, 2008 5:26 PM
    Subject: Antigen Notification: Antigen found a message matching a filter


    > Microsoft Antigen for SMTP found a message matching a filter. The message
    > is currently Purged.
    > Message: "Can_t build spamassassin 3.2.4 on HP_UX"
    > Filter name: "KEYWORD= spam: porn"
    > Sent from: "Lars Ebeling"
    > Folder: "SMTP Messages\Inbound"
    > Location: "psp/TRACYSV05"
    >
    >
    >



  2. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    Quoting Lars Ebeling :

    > Got this after sending message earlier to this list. Could someone
    > here explain it?


    The most apparent explanation would be that Antigen is being stupid.

    jp




    --
    Simple compliance is a hacker's best friend

    ----------------------------------------------------------------
    @fferent Security Labs: Isolate/Insulate/Innovate
    http://www.afferentsecurity.com


  3. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    Lars Ebeling wrote:
    > Got this after sending message earlier to this list. Could someone here
    > explain it?


    explain what?

    - stop posting html to the list
    - avoid posting spammy content. instead, use your web server and post
    the URL here.

    even your server (apparently) said: PORN_URL_MISC.

    anyway, when you post mail, show FULL HEADERS.


  4. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    On Tue, 2008-09-09 at 22:59 +0200, mouss wrote:
    > Lars Ebeling wrote:
    > > Got this after sending message earlier to this list. Could someone here
    > > explain it?

    >
    > explain what?


    Oh, come on, mouss, had a bad day?


    > - stop posting html to the list
    > - avoid posting spammy content. instead, use your web server and post
    > the URL here.


    What's got HTML to do with that? It's a lousy, braindead bare-word
    scanner, run by (or in front of) a subscriber to this list. It's known,
    and has been discussed before. (Too lazy to dig out the previous
    thread.)

    In Lars' case, Antigen triggered on the mere occurrence of the word
    'porn'. I bet it recursively triggered on his subsequent forwarding to
    this list, too, which effectively resulted in this very thread.

    Just like that Antigen will trigger on this mail, because I mentioned
    the bad, bad word 'porn'. It will bounce this message as well.


    > even your server (apparently) said: PORN_URL_MISC.


    Where did you get that from?

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  5. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    Karsten Bräckelmann wrote:
    >
    > What's got HTML to do with that?


    I believe mouss was talking about your prior message which likely was
    the trigger:

    Subject: Can't build spamassassin 3.2.4 on HP-UX

    Which was filled with HTML.

    HTML shouldn't be posted to this list (or any list, IMHO.)


  6. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    On Tue, 2008-09-09 at 16:17 -0700, Evan Platt wrote:
    > Karsten Bräckelmann wrote:
    > >
    > > What's got HTML to do with that?

    >
    > I believe mouss was talking about your prior message which likely was
    > the trigger:


    Wait. That is *not* my post.

    I never, ever have been posting HTML to a mailing list. And I won't.
    Anyway, as I explained before, the trigger (still talking about the
    Antigen bounce, aren't we?) is not the HTML, but the occurrence of a
    blacklisted word.

    Yes, what Antigen does is pretty much everything that SA does not stand
    for. *sigh*

    > Subject: Can't build spamassassin 3.2.4 on HP-UX
    >
    > Which was filled with HTML.
    >
    > HTML shouldn't be posted to this list (or any list, IMHO.)


    Agreed, wholeheartedly.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  7. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    On Wed, 10 Sep 2008, Karsten Bräckelmann wrote:

    > It's a lousy, braindead bare-word scanner, run by (or in front of) a
    > subscriber to this list. It's known, and has been discussed before. (Too
    > lazy to dig out the previous thread.)


    Can we get the offender unsubscribed?

    Is there a list policy to administratively unsubscribe people like that?

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    USMC Rules of Gunfighting #9: Accuracy is relative: most combat
    shooting standards will be more dependent on "pucker factor" than
    the inherent accuracy of the gun.
    -----------------------------------------------------------------------
    8 days until the 221st anniversary of the signing of the U.S. Constitution

  8. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    I am sorry for being such a bad person. I am using Outlook Express as
    mail client and was not aware of the HTML code. Why is it such a big problem?
    However, after looking around in the mail client's setup I have changed it.

    My background: I started to study computers about 1973. It was specialized
    on Numerical analysis. I was programming in Algol and Cobol. Then we were
    using Saab D21 and later IBM 360 mainframes. My first job was
    Cobol programming on Univac 1100 (1976) using TTY. After that databus (DB/C)
    on Datapoint minicomputers. I have never worked with C and know nothing
    about it.

    After advancing to technical responsible for Unix computers (Motorola and
    HP) (OS, Oracle databases and SAP), I lost my job when the company moved.
    Then I got 2 obsolete HP servers home with me (D370 and D380). I am using the
    D380 running HP-UX 11.11. There I have installed some software: Postfix,
    Apache, Qpopper, Clamav, Awstats, Hobbit, Spamassassin .....

    Most installations have been without problems. But if I had any problems I
    got answers on the mailing lists.

    --
    Regards
    Lars Ebeling

    http://leopg9.no-ip.org
    Hobbithobbyist

    "It is better to keep your mouth shut and appear stupid than to open it and
    remove all doubt."
    -- Mark Twain





    ----- Original Message -----
    From: "mouss"
    Cc:
    Sent: Tuesday, September 09, 2008 10:59 PM
    Subject: Re: Fw: Antigen Notification: Antigen found a message matching a
    filter


    > Lars Ebeling wrote:
    >> Got this after sending message earlier to this list. Could someone here
    >> explain it?

    >
    > explain what?
    >
    > - stop posting html to the list
    > - avoid posting spammy content. instead, use your web server and post the
    > URL here.
    >
    > even your server (apparently) said: PORN_URL_MISC.
    >
    > anyway, when you post mail, show FULL HEADERS.
    >
    >



  9. Re: Fw: Antigen Notification: Antigen found a message matching a filter

    Karsten Bräckelmann wrote:
    > On Tue, 2008-09-09 at 22:59 +0200, mouss wrote:
    >> Lars Ebeling wrote:
    >>> Got this after sending message earlier to this list. Could someone here
    >>> explain it?

    >> explain what?

    >
    > Oh, come on, mouss, had a bad day?
    >


    didn't eat enough headers (or too much?) ;-p
    sorry.

    >
    >> - stop posting html to the list
    >> - avoid posting spammy content. instead, use your web server and post
    >> the URL here.

    >
    > What's got HTML to do with that? It's a lousy, braindead bare-word
    > scanner, run by (or in front of) a subscriber to this list. It's known,
    > and has been discussed before. (Too lazy to dig out the previous
    > thread.)
    >
    > In Lars' case, Antigen triggered on the mere occurrence of the word
    > 'porn'. I bet it recursively triggered on his subsequent forwarding to
    > this list, too, which effectively resulted in this very thread.
    >


    Ah! that was that. but he has an SA in the path that fired the
    PORN_URL_MISC rule (because of 20_porn.cf??). so the word appears twice.

    > Just like that Antigen will trigger on this mail, because I mentioned
    > the bad, bad word 'porn'. It will bounce this message as well.
    >


    let's see.

    >
    >> even your server (apparently) said: PORN_URL_MISC.

    >
    > Where did you get that from?
    >


    The post that supposedly generated the backscatter contains:

    X-Old-Spam-Status: No, score=-0.4 required=5.0
    tests=ALL_TRUSTED,AWL,BAYES_00,
    HTML_MESSAGE,PORN_URL_MISC autolearn=ham version=3.1.0


  10. Re: Fw: Antigen Notification: Antigen found a message matching a filter)

    So my mail was considered as Spam only because it contained
    "opy/20_porn.cf" of this M$ Antigen.

    Lars


  11. Re: Fw: Antigen Notification: Antigen found a message matching a filter)

    Lars Ebeling wrote:
    > So my mail was considered as Spam only because it contained
    > "opy/20_porn.cf" of this M$ Antigen.
    >



    or maybe also because it contained PORN_URL_MISC in the headers.

    but whether it considered it spam is less problematic than bouncing it
    to you. bounces should be sent to the envelope sender, which is the list
    address. if it bounces to the From header address, then it's borked.

    but it's more broken than that. It shouldn't bounce in the first place
    (spam generally uses forged addresses, so bouncing to the "sender" is
    bad unless you can guarantee that he really sent it). and even if it
    bounces, it should bounce to the envelope sender, which is the list
    address, and not to the From header address.

    If you post the headers of the bounce (under Outlook, you need to find
    the "options" option), we could find more info.
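
Added example, not part of the thread and not Antigen's code: a small model of the two failures the posters describe, a bare-word match over the whole message and a notice sent to the From: header instead of the envelope sender. The addresses, the `rules/` path and all function names are constructed for illustration; only the X-Old-Spam-Status value is taken from the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list post as a subscriber's gateway would receive it.
# Addresses and the file path are made up; the X-Old-Spam-Status value is the
# one quoted in the thread.
ENVELOPE_FROM = "users-return-0001@lists.example.org"  # SMTP MAIL FROM (the list)
RAW = """\
From: Poster <poster@example.net>
To: users@lists.example.org
Subject: Can't build spamassassin 3.2.4 on HP-UX
X-Old-Spam-Status: No, score=-0.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
\tHTML_MESSAGE,PORN_URL_MISC autolearn=ham version=3.1.0

make fails while copying rules/20_porn.cf into the build tree.
"""

BLOCKED = ["porn"]

def bare_word_hit(raw, words):
    """Case-insensitive substring search over headers and body alike."""
    low = raw.lower()
    return [w for w in words if w in low]

def body_word_hit(raw, words):
    """Whole-word search in the body only. '_' counts as a word character,
    so identifiers such as 20_porn.cf or PORN_URL_MISC do not match."""
    body = message_from_string(raw).get_payload()
    return [w for w in words if re.search(rf"\b{re.escape(w)}\b", body, re.I)]

def notice_recipients(raw, envelope_from):
    """Compare the two candidate targets for a rejection notice.
    'envelope_sender' is the only acceptable one (None for the null sender);
    'from_header' is what a broken gateway would use."""
    header_from = parseaddr(message_from_string(raw)["From"])[1]
    correct = None if envelope_from in ("", "<>") else envelope_from
    return {"envelope_sender": correct, "from_header": header_from}

if __name__ == "__main__":
    print("substring filter:", bare_word_hit(RAW, BLOCKED))
    print("body whole-word :", body_word_hit(RAW, BLOCKED))
    print("notice targets  :", notice_recipients(RAW, ENVELOPE_FROM))
```

The substring filter fires on both the rule name in the header and the file name in the body, while the whole-word body check does not; the second function shows that the list's bounce address and the poster's address differ, which is why a notice sent to From: lands on the poster.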

