Mailing List Archive

Re: The most efficient SPAM implementation ever [ In reply to ]
Discovery (1), which is sendmail related, has already been posted.

(2) Spamassassin issue:

I submitted two sets of spam messages for closer inspection. In the
first, spamassassin behaves as expected. In the "stealth" one, things do
not seem to be behaving as they should.

Each of the messages managed to pass undetected and was processed as
follows:

(a) Grep the line where the Spam Status is reported.

(b) Run:

% spamassassin -t --mbox normal1

(c) Report, using:

% sa-learn --spam --mbox normal1

(d) Run step (b) again

The most puzzling outcome is that the "normal" group showed exactly the
same score in steps (a) and (b). This is intuitively right and expected.
However, the "stealth" spam shows a lower score in step (b).

TIA,

-Ramon F. Herrera


=============================================================================

Normal SPAM:

business:X-Spam-Status: No, score=3.3 required=5.0 tests=BAYES_00,DKIM_SIGNED,
Content analysis details:   (3.3 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (6.0 points, 5.0 required)

normal1:X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_50,DKIM_INVALID,
Content analysis details:   (1.0 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.9 points, 5.0 required)

normal2:X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_80,DKIM_INVALID,
Content analysis details:   (2.2 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.9 points, 5.0 required)

normal3:X-Spam-Status: No, score=3.6 required=5.0 tests=BAYES_50,DKIM_INVALID,
Content analysis details:   (3.6 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (6.5 points, 5.0 required)

normal5:X-Spam-Status: No, score=3.2 required=5.0 tests=BAYES_95,DKIM_INVALID,
Content analysis details:   (3.2 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.9 points, 5.0 required)

=============================================================================

Stealth SPAM:

sw1:X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
Content analysis details:   (-1.9 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.7 points, 5.0 required)

sw2:X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_20,DKIM_SIGNED,
Content analysis details:   (-1.9 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.7 points, 5.0 required)

sw3:X-Spam-Status: No, score=1.5 required=5.0 tests=BAYES_60,DKIM_SIGNED,
Content analysis details:   (0.0 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.7 points, 5.0 required)

sw4:X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_40,DKIM_SIGNED,
Content analysis details:   (-1.9 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.7 points, 5.0 required)

sw5:X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
Content analysis details:   (-1.9 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.7 points, 5.0 required)

=============================================================================
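To compare the three scores the post collects for each message (the X-Spam-Status header score from step (a), the fresh `spamassassin -t` score from step (b), and the re-run after `sa-learn` in step (d)), here is a small parser for exactly that output layout. It is an added example, not code from the post or from SpamAssassin; the sample text is constructed from two of the lines quoted above, and the 0.05-point tolerance is an assumption.

```python
import re

# Constructed sample in the layout of the grep / spamassassin -t output quoted
# in the post: header line, -t score, sa-learn line, -t score again.
SAMPLE = """\
normal1:X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_50,DKIM_INVALID,
Content analysis details:   (1.0 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.9 points, 5.0 required)

sw1:X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
Content analysis details:   (-1.9 points, 5.0 required)
Learned tokens from 1 message(s) (1 message(s) examined)
Content analysis details:   (3.7 points, 5.0 required)
"""

STATUS_RE = re.compile(
    r"^(?P<name>[^:]+):X-Spam-Status: \w+, score=(?P<score>-?\d+\.\d+) "
    r"required=(?P<req>\d+\.\d+)")
DETAILS_RE = re.compile(
    r"^Content analysis details:\s+\((?P<score>-?\d+\.\d+) points, "
    r"(?P<req>\d+\.\d+) required\)")


def parse_runs(text):
    """Map message name -> header score, -t score before and after sa-learn."""
    runs, current = {}, None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            current = {"header": float(m["score"]), "required": float(m["req"]),
                       "details": []}
            runs[m["name"]] = current
            continue
        m = DETAILS_RE.match(line)
        if m and current is not None:
            current["details"].append(float(m["score"]))
    result = {}
    for name, r in runs.items():
        if len(r["details"]) != 2:  # one -t run before learning, one after
            raise ValueError(f"{name}: expected two -t runs, got {len(r['details'])}")
        result[name] = {"header": r["header"], "before": r["details"][0],
                        "after": r["details"][1], "required": r["required"]}
    return result


def classify(runs, tol=0.05):
    """Flag messages whose fresh -t score disagrees with the delivery-time header
    score (the 'stealth' symptom) and show how far sa-learn moved each one."""
    report = {}
    for name, r in runs.items():
        report[name] = {
            "drift": round(r["before"] - r["header"], 1),
            "learn_gain": round(r["after"] - r["before"], 1),
            "inconsistent": abs(r["before"] - r["header"]) > tol,
            "caught_after_learning": r["after"] >= r["required"],
        }
    return report
```

A non-zero drift means the rule set or Bayes state that scored the message at delivery differs from the one `spamassassin -t` is using now, which is the first thing to check before blaming the spam itself.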
Re: The most efficient SPAM implementation ever [ In reply to ]
On Sat, 24 Oct 2020 10:51:14 -0500
Ramon F Herrera wrote:


> ... I have found
> two important items. One relates to sendmail...
>
> (1) My first line of defense is the access.db sendmail file. It turns
> out that the only header that is actually inspected is the top line,
> which begins with "From " (envelope sender).

I don't know sendmail, but I presume that's acting on the sender
address given in the [E]SMTP "MAIL FROM:", which isn't a header. At the
time that's received the MTA hasn't yet received any headers.
