got an email with bad 8 bit (spam)
spammers uses decimal 240 in place of space in subject line.
clamav sees spam: (sane security) but sa doesnt' (I don't think amavisd
passed it to spamassassin)
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char A0 hex):
Subject: Her\240night\240moans\240gua[...]
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5
tests=[AV:Sanesecurity.Junk.15877.UNOFFICIAL=0] autolearn=unavailable
I strip out the 8 bit header, and run it again, and I get this:
even given the possibility that the rbl's now see it, the 'From
postmaster' should have triggered at least the vbounce rule.
sorry, cut/ paste takes out the 8 bit subject line, so pastebin is useless.
pts rule name description
---- ----------------------
--------------------------------------------------
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
<http://www.spamcop.net/bl.shtml?62.234.165.29>]
2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: zojbojep.cn]
10 BOUNCE_MESSAGE MTA bounce message
0.0 RELAY_COUNTRY_NL Relayed through Netherlands
0.2 TW_OJ BODY: Odd Letter Triples with OJ
0.2 TW_JB BODY: Odd Letter Triples with JB
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5001]
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
1.5 DCC_CHECK Listed in DCC
(http://rhyolite.com/anti-spam/dcc/)
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.0 DIGEST_MULTIPLE Message hits more than one network digest check
0.1 ST_WEEKEND email was received on weekend
0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
------------------------------------------------------------------------------
Register Now & Save for Velocity, the Web Performance & Operations
Conference from O'Reilly Media. Velocity features a full day of
expert-led, hands-on workshops and two days of sessions from industry
leaders in dedicated Performance & Operations tracks. Use code vel09scf
and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
