| 1 |
Hello folks, |
| 2 |
|
| 3 |
I'm having a lot of problems with Spam passing through our Postfix+Amavisd-new solution. |
| 4 |
|
| 5 |
What happens: an phishing attack arrives, it is not detected as spam with the bayesian filter and since it was originated from an authenticated user (stolen password) and from a know MTA it receives an negative score from AWL and the spam/phishing attack get in the system and finally is relayed to our Exchange Server that uses our postfix as an Smarthost. |
| 6 |
|
| 7 |
The question is: how can I debug this? I'm getting tired to use sa-learn to train our bayesian filter without success. From months, the same message get passed through our system and it never get caught. |
| 8 |
|
| 9 |
This is weird since when we use spamassassin -r to report the message, it was detected with 100% of confidence that it is spam. |
| 10 |
|
| 11 |
Here are an example: |
| 12 |
|
| 13 |
Return-Path: <alert_news@××××××××××.net> |
| 14 |
Delivered-To: clean-quarantine |
| 15 |
X-Envelope-To: <********************************> |
| 16 |
X-Envelope-To-Blocked: |
| 17 |
X-Quarantine-ID: <vb4FI3WXpiqz> |
| 18 |
X-Spam-Flag: NO |
| 19 |
X-Spam-Score: 1.674 |
| 20 |
X-Spam-Level: * |
| 21 |
X-Spam-Status: No, score=1.674 tag=-99.9 tag2=6.2 kill=6.9 tests=[AWL=0.000, |
| 22 |
BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, |
| 23 |
MISSING_HEADERS=1.021, REPLYTO_WITHOUT_TO_CC=1.552] autolearn=no |
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
And when I run the spamassassin -r command I got this: |
| 32 |
|
| 33 |
Received: from localhost by ironforge.if.ufrj.br |
| 34 |
with SpamAssassin (version 3.3.1); |
| 35 |
Sat, 24 Nov 2012 11:38:50 -0200 |
| 36 |
From: "Webmail Administrador" <alert_news@××××××××××.net> |
| 37 |
Subject: Cuidado com o administrador - confirmar a infor=?ISO-8859-1?Q?ma=E7=E3o_webmail_abai?=xo |
| 38 |
Date: Fri, 23 Nov 2012 18:11:26 -0300 |
| 39 |
Message-Id: <20121123210616.M90948@××××××××××××.br> |
| 40 |
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on ironforge.if.ufrj.br |
| 41 |
X-Spam-Flag: YES |
| 42 |
X-Spam-Level: ****** |
| 43 |
X-Spam-Status: Yes, score=6.1 required=5.0 tests=AWL,BAYES_99,FREEMAIL_FROM, |
| 44 |
FREEMAIL_REPLYTO,MISSING_HEADERS,REPLYTO_WITHOUT_TO_CC autolearn=no |
| 45 |
version=3.3.1 |
| 46 |
MIME-Version: 1.0 |
| 47 |
Content-Type: multipart/mixed; boundary="----------=_50B0CDEA.C3BB593D" |
| 48 |
|
| 49 |
This is a multi-part message in MIME format. |
| 50 |
|
| 51 |
------------=_50B0CDEA.C3BB593D |
| 52 |
Content-Type: text/plain; charset=iso-8859-1 |
| 53 |
Content-Disposition: inline |
| 54 |
Content-Transfer-Encoding: 8bit |
| 55 |
|
| 56 |
Spam detection software, running on the system "ironforge.if.ufrj.br", has |
| 57 |
identified this incoming email as possible spam. The original message |
| 58 |
has been attached to this so you can view it (if it isn't spam) or label |
| 59 |
similar future email. If you have any questions, see |
| 60 |
the administrator of that system for details. |
| 61 |
|
| 62 |
Content preview: Caro usu?rio Webmail Sua cota de correio excedeu o conjunto |
| 63 |
quota / limite e voc? est? atualmente em execu??o no GB Baixa devido a arquivos |
| 64 |
ocultos e pastas em sua caixa postal. Voc? pode n?o ser capaz de receber |
| 65 |
ou enviar novos e-mails at? que voc? re- validar a permitir espa?o em suas |
| 66 |
pastas de webmail. Isso tamb?m pode ser causado por n?o validar o seu webmail |
| 67 |
como aconselhado anteriormente. [...] |
| 68 |
|
| 69 |
Content analysis details: (6.1 points, 5.0 required) |
| 70 |
|
| 71 |
pts rule name description |
| 72 |
---- ---------------------- -------------------------------------------------- |
| 73 |
3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% |
| 74 |
[score: 1.0000] |
| 75 |
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider |
| 76 |
(alert_news[at]programmer.net) |
| 77 |
1.0 MISSING_HEADERS Missing To: header |
| 78 |
1.6 REPLYTO_WITHOUT_TO_CC REPLYTO_WITHOUT_TO_CC |
| 79 |
1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different |
| 80 |
freemails |
| 81 |
-1.0 AWL AWL: From: address is in the auto white-list |
| 82 |
|
| 83 |
|
| 84 |
|
| 85 |
I'm looking for any help, since the solutions don't appears to be working as expected. |
| 86 |
|
| 87 |
Thanks in advance, |
| 88 |
|
| 89 |
|
| 90 |
|
| 91 |
Vinícius Ferrão: Administrador de Sistemas |
| 92 |
www.ferrao.eti.br |
| 93 |
|
| 94 |
|
| 95 |
|
| 96 |
Vinícius Ferrão: Administrador de Sistemas |
| 97 |
www.ferrao.eti.br | +55 (21) 8888-2169 |
Archives