Hello folks,

I'm having a lot of problems with Spam passing through our Postfix+Amavisd-new solution.

What happens: a phishing attack arrives, it is not detected as spam by the Bayesian filter, and since it originated from an authenticated user (stolen password) and from a known MTA it receives a negative score from AWL; the spam/phishing attack gets into the system and is finally relayed to our Exchange Server, which uses our Postfix as a Smarthost.

The question is: how can I debug this? I'm getting tired of using sa-learn to train our Bayesian filter without success. For months, the same message has been passing through our system and it never gets caught.

This is weird, since when we use spamassassin -r to report the message, it is detected with 100% confidence as spam.

Here is an example:

Return-Path: <alert_news@××××××××××.net>
Delivered-To: clean-quarantine
X-Envelope-To: <********************************>
X-Envelope-To-Blocked:
X-Quarantine-ID: <vb4FI3WXpiqz>
X-Spam-Flag: NO
X-Spam-Score: 1.674
X-Spam-Level: *
X-Spam-Status: No, score=1.674 tag=-99.9 tag2=6.2 kill=6.9 tests=[AWL=0.000,
    BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1,
    MISSING_HEADERS=1.021, REPLYTO_WITHOUT_TO_CC=1.552] autolearn=no

And when I run the spamassassin -r command I get this:

Received: from localhost by ironforge.if.ufrj.br
    with SpamAssassin (version 3.3.1);
    Sat, 24 Nov 2012 11:38:50 -0200
From: "Webmail Administrador" <alert_news@××××××××××.net>
Subject: Cuidado com o administrador - confirmar a infor=?ISO-8859-1?Q?ma=E7=E3o_webmail_abai?=xo
Date: Fri, 23 Nov 2012 18:11:26 -0300
Message-Id: <20121123210616.M90948@××××××××××××.br>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on ironforge.if.ufrj.br
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.1 required=5.0 tests=AWL,BAYES_99,FREEMAIL_FROM,
    FREEMAIL_REPLYTO,MISSING_HEADERS,REPLYTO_WITHOUT_TO_CC autolearn=no
    version=3.3.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_50B0CDEA.C3BB593D"

This is a multi-part message in MIME format.

------------=_50B0CDEA.C3BB593D
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "ironforge.if.ufrj.br", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Caro usu?rio Webmail Sua cota de correio excedeu o conjunto
quota / limite e voc? est? atualmente em execu??o no GB Baixa devido a arquivos
ocultos e pastas em sua caixa postal. Voc? pode n?o ser capaz de receber
ou enviar novos e-mails at? que voc? re- validar a permitir espa?o em suas
pastas de webmail. Isso tamb?m pode ser causado por n?o validar o seu webmail
como aconselhado anteriormente. [...]

Content analysis details: (6.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (alert_news[at]programmer.net)
 1.0 MISSING_HEADERS        Missing To: header
 1.6 REPLYTO_WITHOUT_TO_CC  REPLYTO_WITHOUT_TO_CC
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain different
                            freemails
-1.0 AWL                    AWL: From: address is in the auto white-list

I'm looking for any help, since the solutions don't appear to be working as expected.

Thanks in advance,

Vinícius Ferrão: Systems Administrator
www.ferrao.eti.br

Vinícius Ferrão: Systems Administrator
www.ferrao.eti.br | +55 (21) 8888-2169
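Both verdicts above were produced for the same message, so a per-rule comparison shows exactly which rules account for the 1.674 vs 6.1 gap (the Bayes outcome flipping from BAYES_00 to BAYES_99, and AWL). The following is an added example, not code from the original post: it parses the amavisd-new X-Spam-Status `tests=[...]` list and the `spamassassin -r` content-analysis table (both copied, slightly abridged, from the post) and ranks the per-rule score differences; the regular expressions assume the two formats exactly as quoted above.

```python
"""Per-rule comparison of an amavisd-new X-Spam-Status header against a
`spamassassin -r` content-analysis report, to locate where two verdicts differ."""
import re

# Both inputs are copied (slightly abridged) from the message quoted in the post.
AMAVIS_STATUS = (
    "No, score=1.674 tag=-99.9 tag2=6.2 kill=6.9 tests=[AWL=0.000, "
    "BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, "
    "MISSING_HEADERS=1.021, REPLYTO_WITHOUT_TO_CC=1.552] autolearn=no"
)
SA_REPORT = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
 1.0 MISSING_HEADERS        Missing To: header
 1.6 REPLYTO_WITHOUT_TO_CC  REPLYTO_WITHOUT_TO_CC
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain different
                            freemails
-1.0 AWL                    AWL: From: address is in the auto white-list
"""

def parse_amavis_status(value):
    """Rule -> score from the `tests=[RULE=score, ...]` list amavisd-new writes."""
    m = re.search(r"tests=\[([^\]]*)\]", value)
    pairs = re.findall(r"([A-Z][A-Z0-9_]*)=(-?\d+(?:\.\d+)?)", m.group(1)) if m else []
    return {rule: float(score) for rule, score in pairs}

def parse_sa_report(report):
    """Rule -> score from the `pts rule name` table; only lines starting with a
    signed decimal are rule rows, so wrapped description lines are skipped."""
    rows = re.findall(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b", report, re.M)
    return {rule: float(score) for score, rule in rows}

def family(rule):
    """BAYES_00 ... BAYES_99 are alternative outcomes of the one Bayes test."""
    return "BAYES" if rule.startswith("BAYES_") else rule

def total(scores):
    return round(sum(scores.values()), 3)

def compare(amavis, sa):
    """{family: (amavis_score, sa_score, delta)} with the largest |delta| first."""
    a = {family(r): s for r, s in amavis.items()}
    b = {family(r): s for r, s in sa.items()}
    rows = {f: (a.get(f, 0.0), b.get(f, 0.0), round(b.get(f, 0.0) - a.get(f, 0.0), 3))
            for f in set(a) | set(b)}
    return dict(sorted(rows.items(), key=lambda kv: -abs(kv[1][2])))
```

A Bayes delta of 5.4 points on the same message means the two scanners are not consulting the same Bayes database, so that is the first thing to verify before more sa-learn runs.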