Re: I am getting all external domain emails subject tagged as SpamSpam

2009-10-02 Thread John Hardin

On Thu, 1 Oct 2009, empiric wrote:


Oct  1 13:22:39 mail postfix/smtp[17579]: E0EAD19B349:
to=, relay=mail.example.com[10.65.200.72]:25, delay=7.1,
delays=0.09/0/0.01/7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
3DD1212B701)


None of that really logs useful information to troubleshoot this problem. 
You should try to see what the Subject: header is at each step of 
processing, including how it's coming into your MTA from outside.


Can you set up a sniffer on port 25 and send in a message from the 
Internet and see what the Subject: header says in the packet capture?


What programs is Amavis calling to process the message prior to SA?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You cannot bring about prosperity by discouraging thrift. You
  cannot help small men by tearing down big men. You cannot
  strengthen the weak by weakening the strong. You cannot lift the
  wage-earner by pulling down the wage-payer. You cannot help the
  poor man by destroying the rich. You cannot keep out of trouble by
  spending more than your income. You cannot further the brotherhood
  of man by inciting class hatred. You cannot establish security on
  borrowed money. You cannot build character and courage by taking
  away men's initiative and independence. You cannot help men
  permanently by doing for them what they could and should do for
  themselves.   -- William J. H. Boetcker
---
 Approximately 9081780 firearms legally purchased in the U.S. this year


Re: I am getting all external domain emails subject tagged as SpamSpam

2009-10-01 Thread empiric
KST)
> X-Virus-Scanned: Debian amavisd-new at domaon.com
> Received: from mail.domaon.com ([127.0.0.1])
>   by localhost (mail.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
>   with LMTP id el+R1y6R6iaa for ;
>   Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
> Received: from snt0-omc1-s35.snt0.hotmail.com
> (snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
>   by mail.domaon.com (Postfix) with ESMTP id D14C419B32D
>   for ; Wed, 30 Sep 2009 17:03:52 +0600 (PKST)
> Received: from SNT106-W54 ([65.55.90.7]) by snt0-omc1-s35.snt0.hotmail.com
> with Microsoft SMTPSVC(6.0.3790.3959);
>Wed, 30 Sep 2009 04:03:47 -0700
> Message-ID: 
> Content-Type: multipart/alternative;
>   boundary="_4abea601-ec42-4378-af03-83675013aef6_"
> X-Originating-IP: [125.209.118.102]
> From: mohsin alizai 
> To: 
> Subject: =?utf-8?Q?Spam?=
>  =?utf-8?Q?Spam=0D=0A=20test?= 
> Date: Wed, 30 Sep 2009 11:03:47 +
> Importance: Normal
> MIME-Version: 1.0
> X-OriginalArrivalTime: 30 Sep 2009 11:03:47.0973 (UTC)
> FILETIME=[AF55A350:01CA41BD]
> X-SpamInfo: return-email, failed to obtain DNS record for domain
> hotmail.com
> X-SpamInfo: return-email, failed to obtain DNS record for domain
> hotmail.com
> 
> --_4abea601-ec42-4378-af03-83675013aef6_
> Content-Type: text/plain; charset="Windows-1252"
> Content-Transfer-Encoding: quoted-printable
> 
> 
> test=0A=
> 
> 

-- 
View this message in context: 
http://www.nabble.com/I-am-getting-all-external-domain-emails-subject-tagged-as-SpamSpam-tp25685055p25693451.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Charles Gregory


Firstly, PLEASE DIRECT ALL REPLIES TO LIST, not my personal email.

On Wed, 30 Sep 2009, Nauman Yousuf wrote:
> I don't know how the subject is filled with spaces. What do I need to check?
> I am clueless; this has been happening for the last 3 days.


First question of troubleshooting: What changed?

If it worked 4 days ago, and didn't work 3 days ago, something changed
between 3 and 4 days to make it stop working. Isolate the time it stopped 
working, and check for ALL changes to the server at that time. Files, 
permissions, disk full, anything.


- C


Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Nauman Yousuf
What do you mean by DNS not found? What does overloaded with ham mean?


On Thu, Oct 1, 2009 at 12:01 AM, Benny Pedersen  wrote:

> On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote
>
>> So - what am I missing without wading through all the HTML?
>>
>
> DNS is not found? Overloaded with ham, so it can't detect spam?
>
> --
> xpoint
>
>


-- 
Regards

Nauman Yousuf
0312-2201455
E-Eager, N-Noble, G-Genuine, I-Intelligent, N-Natural, E-Enthusiastic,
E-Energetic, R-Resourceful --- ENGINEER


Re: [sa] Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Mark Martinec
On Wednesday 30 September 2009 19:25:52 Charles Gregory wrote:
>  On Wed, 30 Sep 2009, Nauman Yousuf wrote:
>  > Guys I am getting all my external domain emails tagged as SpamSpam
>  > mail headers
>  > X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely
>  > of whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
>  >=?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
>  
>  Well, according to this, amavis doesn't like the fact that the 'Subject'
>  header is made up of many spaces. Looks like the original subject was
>  'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but
>  AMAVIS considers this suspicious. Question would be, how did all those
>  spaces get in there in the first place? Are you running the message
>  through some sort of pre-process before sending it to SA?
>  
>  There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
>  This suggests again, something is trying to encapsulate your subject
>  before it gets to spamassassin. If this is happening on ALL your mail,
>  then it is something in your front end.

You missed the point, it's not about 'many spaces' or 'trailing spaces',
but there was an illegal all-whitespace line in the header section,
just following the Subject, as reported:

Subject: ...?Q?Spam?=\n =?utf-8?Q?Spam=0D=0A=20h\
elo123?=\n \n
          ^

  Mark
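
The condition described in the message above, as an added example (not code from amavisd-new, SpamAssassin or anyone in this thread): it flags a header field whose folded continuation line is entirely whitespace, and separately reports fields whose RFC 2047 encoded-words decode to text containing CR or LF. The sample header block is constructed from the X-Amavis-Alert text quoted in the thread; the function names and the From/Date values are assumptions.

```python
import re
from email.header import decode_header

# Constructed sample: the header section described by the X-Amavis-Alert text
# in this thread ("\n \n" after the Subject), plus two ordinary fields.
RAW_HEADERS = (
    b"From: sender@example.com\r\n"
    b"Subject: =?utf-8?Q?Spam?=\r\n"
    b" =?utf-8?Q?Spam=0D=0A=20helo123?=\r\n"
    b" \r\n"
    b"Date: Tue, 29 Sep 2009 10:19:40 +0600\r\n"
)

def split_fields(raw):
    """Group physical lines into header fields: [(name, [lines])]."""
    fields = []
    for line in re.split(rb"\r?\n", raw):
        if line == b"":
            break  # a truly empty line ends the header section
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1][1].append(line)  # folded continuation line
        else:
            name = line.partition(b":")[0].decode("ascii", "replace")
            fields.append((name, [line]))
    return fields

def whitespace_only_folds(fields):
    """Names of fields with a continuation line that is only whitespace."""
    return [name for name, lines in fields
            if any(l.strip(b" \t") == b"" for l in lines[1:])]

def decoded_value(lines):
    """Unfold a field body and decode its RFC 2047 encoded-words."""
    body = b"".join(lines).partition(b":")[2].decode("ascii", "replace").strip()
    parts = []
    for chunk, charset in decode_header(body):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        parts.append(chunk)
    return "".join(parts)

def audit(raw):
    """Return (fields with blank folds, fields whose decoded text has CR/LF)."""
    fields = split_fields(raw)
    embedded = [name for name, lines in fields
                if re.search(r"[\r\n]", decoded_value(lines))]
    return whitespace_only_folds(fields), embedded

if __name__ == "__main__":
    print(audit(RAW_HEADERS))
```

Running the same audit on a raw capture taken before any local tool touches the message, and again after each hop, shows which stage introduces the blank fold or the encoded line break.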


Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Benny Pedersen

On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote

> So - what am I missing without wading through all the HTML?

DNS is not found? Overloaded with ham, so it can't detect spam?

--
xpoint



Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Benny Pedersen

On ons 30 sep 2009 18:55:28 CEST, empiric wrote


> Guys I am getting all my external domain emails tagged as SpamSpam

Next time don't repost contents from a pastebin; give the link to it.

--
xpoint




Re: [sa] Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Charles Gregory

On Wed, 30 Sep 2009, Nauman Yousuf wrote:

> Guys I am getting all my external domain emails tagged as SpamSpam
> mail headers
> X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
>    whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
>    =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n


Well, according to this, amavis doesn't like the fact that the 'Subject' 
header is made up of many spaces. Looks like the original subject was 
'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but 
AMAVIS considers this suspicious. Question would be, how did all those 
spaces get in there in the first place? Are you running the message 
through some sort of pre-process before sending it to SA?


There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
This suggests again, something is trying to encapsulate your subject
before it gets to spamassassin. If this is happening on ALL your mail,
then it is something in your front end.

- C


Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread John Hardin

On Wed, 30 Sep 2009, Nauman Yousuf wrote:


> Guys I am getting all my external domain emails tagged as SpamSpam
>
> X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
>   whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
>   =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
>
> ...
>
> Subject: =?utf-8?Q?Spam?=
>  =?utf-8?Q?Spam=0D=0A=20helo123?=
>
> spamassassin debug logs
> #spamassassin -t -D

Your SA is quite old, can you upgrade to 3.2.5?

> X-Spam-Level:
> X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
> DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
> SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb

SA doesn't think it's spam.

> Subject: =?utf-8?Q?Spam?=
>  =?utf-8?Q?Spam=0D=0A=20test?=


Amavis is apparently doing something bad to your email. Is it your amavis, 
or somebody else's?


I'd look at your upstream MTA (mail.domain.com? Did you obfuscate that? 
Please note best practice is to obfuscate using "example.com", it's 
intended for that purpose and people will recognize what you're doing) as 
well. See if you can capture a message in its raw form before any of your 
local tools have had an opportunity to modify it. Review your tool chain, 
to see if it's being scanned twice somehow.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."-- Cringely, 4/8/2004
---
 Approximately 9021060 firearms legally purchased in the U.S. this year


Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Evan Platt

At 10:02 AM 9/30/2009, you wrote:

> Guys
> I am getting all my external domain emails tagged as SpamSpam
> logs are attached.
> mail headers


Once again, please don't post in HTML.

X-Spam-Status: No

So - what am I missing without wading through all the HTML?



Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Nauman Yousuf
Guys I am getting all my external domain emails tagged as SpamSpam

logs are attached.
mail headers

Return-Path: 
Delivered-To: u...@domain.com
Received: from localhost (localhost [127.0.0.1])
   by mail1.domain.com  (Postfix) with ESMTP id 39B3C12B71D
   for ; Tue, 29 Sep 2009 10:19:57 +0600 (PKST)
X-Quarantine-ID: 
X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
   whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
   =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
Received: from mail1.domain.com ([127.0.0.1])
   by localhost (mail2.domain.com [127.0.0.1]) (amavisd-new, port 10024)
   with LMTP id asR-LhZoxUsQ for ;
   Tue, 29 Sep 2009 10:19:56 +0600 (PKST)
Received: from mail.domain.com (unknown [203.101.170.27])
   by mail1.domain.com (Postfix) with ESMTP id C6CF512B701
   for ; Tue, 29 Sep 2009 10:19:54 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
   by muses.domain.com (Postfix) with ESMTP id 6982319B322
   for ; Tue, 29 Sep 2009 10:19:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domain.com
Received: from mail.domain.com  ([127.0.0.1])
   by localhost (mail.domain.com  [127.0.0.1])
(amavisd-new, port 10024)
   with LMTP id A1fSGV+XdA-K for ;
   Tue, 29 Sep 2009 10:19:49 +0600 (PKST)
Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com
 [209.85.221.191])
   by mail.domain.com (Postfix) with ESMTP id B3AB03BE38
   for ; Tue, 29 Sep 2009 10:19:44 +0600 (PKST)
Received: by qyk29 with SMTP id 29so3777375qyk.32
   for ; Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
   d=gmail.com; s=gamma;
   h=domainkey-signature:mime-version:received:date:message-id:subject
:from:to:content-type;
   bh=WoV7lT+YT3JKxromudz0thKd6Y5aCdlJ7QFXjsxBCvc=;
   b=suj1zJ/bZjwhfYDIy4YWp9YGpL4TFSKVOPm0R8ps0+kIV4SlldvI8A23Vtd2eXAzhd
/pdlqvr7uGT4MR777LO27yKPEaNjqT2dPEVlFXAtc+vQq0Ib2WPPQMR70+77h7Bcfkir
IIELi+qXFfqj4/IpAcTlP3YtSFfwj42KT+MJs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
   d=gmail.com; s=gamma;
   h=mime-version:date:message-id:subject:from:to:content-type;
   b=mHuhtzREpgetfc3a2kwtOBZZ47s0NR/Qje/GDeE5ZzNUMxOdvU9TtLZqZUM1KVDv6u
dTs/wcIM133W1aDhZJzp4YTFIfmzCz1M/YJeo7+lDNcHERQ0Y6ilLjzoZ7NRf69H3bKn
RGQxQ9yCAjwLI3FbAgyDtZtW7CYFyKBWNP7M8=
MIME-Version: 1.0
Received: by 10.229.1.65 with SMTP id 1mr1690588qce.20.1254197980062;
   Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
Date: Tue, 29 Sep 2009 10:19:40 +0600
Message-ID: 
Subject: =?utf-8?Q?Spam?=
 =?utf-8?Q?Spam=0D=0A=20helo123?=



spamassassin debug logs
#spamassassin -t -D 
X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on mail.domaon.com
X-Spam-Level: 
X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
Delivered-To: u...@domaon.com
Received: from localhost (localhost [127.0.0.1])
by mail1.domaon.com (Postfix) with ESMTP id C13911B32DB
for ; Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail1.domaon.com ([127.0.0.1])
by localhost (mail1.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id p23bnIio88SC for ;
Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail.domaon.com (unknown [203.101.170.27])
by mail1.domaon.com (Postfix) with ESMTP id 22F7D1B32D7
for ; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
by mail.domaon.com (Postfix) with ESMTP id 976D319B330
for ; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domaon.com
Received: from mail.domaon.com ([127.0.0.1])
by localhost (mail.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id el+R1y6R6iaa for ;
Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from snt0-omc1-s35.snt0.hotmail.com
(snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
by mail.domaon.com (Postfix) with ESMTP id D14C419B32D
for ; Wed, 30 Sep 2009 17:03:52 +0600 (PKST)
Received: from SNT106-W54 ([65.55.90.7]) by
snt0-omc1-s35.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 30 Sep 2009 04:03:47 -0700
Message-ID: 
Content-Type: multipart/alternative;
boundary="_4abea601-ec42-4378-af03-83675013aef6_"
X-Originating-IP: [125.209.118.102]
From: mohsin alizai 
To: 
Subject: =?utf-8?Q?Spam?=
 =?utf-8?Q?Spam=0D=0A=20test?=
Date: Wed, 30 Sep 2009 11:03:47 +
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Sep 2009 11:03:47.0973 (UTC)
FILETIME=[AF55A350:01CA41BD]
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com

--_4abea601-ec42-4378-af03-83675013aef6_
Content-Type: text/plain; charset="Windows-1252"
Content-T

Re: I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread Evan Platt

At 09:55 AM 9/30/2009, you wrote:


   1.
  Guys I am getting all my external domain emails tagged as SpamSpam
   2.

   3.
  logs are attached.
   4.
  mail headers


Please make this post more readable. No HTML, Plain Text only, any 
large attachments should be on Pastebin or such, and... I don't even 
know what's up with the line numbering.


I read as far as:

X-Spam-Status: No

and stopped there. 



I am getting all external domain emails subject tagged as SpamSpam

2009-09-30 Thread empiric
e'>
 405.
  test  <br /><hr
/>Lauren found her dream laptop. <=
 406.
  a href=3D3D'http:=3D
 407.
  // 3D"http://www.microsoft.com/windows/choosepc/?ocid=3D3Dftp_val_wl=
www.microsoft.com/windows/choosepc/?ocid=3D3Dftp_val_wl_290 ' =
 409.
  target=3D3D'_new=3D
 410.
  '>Find the PC that=3D92s right for you.</a></body>
 411.
  </html>=3D
 412.
   
 413.
  --_4abea601-ec42-4378-af03-83675013aef6_--
 414.
   
 415.
  Spam detection software, running on the system " 3D"http://mail=
mail.domaon.com ", has
 417.
  identified this incoming email as possible spam.  The original message
 418.
  has been attached to this so you can view it (if it isn't spam) or
labe=
 419.
  l
 420.
  similar future email.  If you have any questions, see
 421.
  the administrator of that system for details.
 422.
   
 423.
  Content preview:  test Lauren found her dream laptop. Find the PC
that=92s
 424.
   right for you.
 425.
3D"http://www.microsoft.com/windows/choosepc/?ocid=3Dftp_val_wl_2=
http://www.microsoft.com/windows/choosepc/?ocid=3Dftp_val_wl_290  te=
 427.
  st
 428.
   [...]=20
 429.
   
 430.
  Content analysis details:   (4.8 points, 5.0 required)
 431.
   
 432.
   pts rule name  description
 433.
  ---- ------
-----------=
 434.
  ---
 435.
   1.5 SUBJECT_ENCODED_TWICE  Subject: MIME encoded twice
 436.
   0.0 HTML_MESSAGE   BODY: HTML included in message
 437.
   1.4 DCC_CHECK  Listed in DCC ( 3D"http://rhyolite.com/a=
http://rhyolite.com/anti-spam/dcc/ )
 439.
   0.5 DNS_FROM_RFC_ABUSE RBL: Envelope sender in  3D"http://abuse=
abuse.rfc-ignorant.org 
 441.
   1.4 DNS_FROM_RFC_POST  RBL: Envelope sender in
 442.
  3D"http://postmaster.rfc-ignorant.org"; =
 443.
  postmaster.rfc-ignorant.org 
 444.
   0.0 SUBJECT_EXCESS_QP  Subject: quoted-printable encoded
unnecessarily
 445.
  -- Regards
 448.
  


