Hi, I've noticed what seems to be unexpected behaviour with the Freemail
plugin, which I'm hoping someone can shed some light on.
I'm using SpamAssassin 3.2.5, and the "FreeMail.pm" plugin v2.001 from
http://sa.hege.li, along with the rules from the 20_freemail.cf file at the
same location.
Example #1:
Yesterday I spotted the following within the headers of a very spammy spam
email that I received (total score 23.5 points):
---------------------
Return-path: <mr.anthonywalter2...@gmail.com>
X-Spam-Report:
* 0.0 FREEMAIL_FROM Sender email is freemail (financediamond[at]gmail.com)
* (mr.anthonywalter2010[at]gmail.com)
* (mr.anthonywalter2010[at]gmail.com)
<SNIP>
From: "MR. ANTHONY WALTER"<mr.anthonywalter2...@gmail.com>
---------------------
(I've removed the other headers which aren't relevant here)
As you can see, this spam used mr.anthonywalter2...@gmail.com as the
envelope sender address (MAIL FROM during the SMTP transaction, which also
appears in the Return-Path header). And it used the same address in the From
header of the message too.
My first question is why does (mr.anthonywalter2010[at]gmail.com) appear
twice within the FREEMAIL_FROM entry inside the X-Spam-Report header? Is it
there twice because this address was used for both the Return-Path and the
From headers? In other words, should I expect the FREEMAIL_FROM entry to
list any freemail address which is used as the envelope sender, *as well as*
any freemail address used in the From header of the message? I had assumed
the FREEMAIL_FROM rule only looked at the From header but maybe that's
incorrect.
My second question is regarding the reference to
(financediamond[at]gmail.com) in the FREEMAIL_FROM results. That email
address does not appear *anywhere* in the entire message! Not in any of the
headers, nor in any part of the body. I've opened up the raw email file from
my mail server and searched the entire thing in a plain text editor, and
there is no reference anywhere to 'financediamond' at all. So why is the
FREEMAIL_FROM rule referring to that address? Is it a bug maybe? Could it
perhaps be crossing wires with another email which my SpamAssassin was
scanning at the same time, or something like that??
Example #2:
Here are the FREEMAIL_FROM results from another email that was scanned by my
SpamAssassin recently. This one was not spam - it was a legitimate email
sent to a mailing list which is managed by my mail server:
---------------------
X-Spam-Report:
* 0.0 FREEMAIL_FROM Sender email is freemail (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com) (munged[at]gmail.com)
* (munged[at]gmail.com)
From: Joe Citizen <mun...@gmail.com>
---------------------
I've munged the sender's name and email address, but as you can see, the
sender's email address was listed multiple times within the FREEMAIL_FROM
results there (that's the exact same address each time). But the sender's
address definitely does not appear that many times within the headers and
body of the email! So this looks very odd to me.
One possible explanation: the sender was sending an email to a mailing list
on my server. My server then generates one copy of the email for each
recipient on the mailing list, and sends all of those copies through
SpamAssassin before sending them out to the recipients. So SpamAssassin is
scanning multiple copies of the same message at the same time (only the TO
field is different in each one). So perhaps, somehow, as the FREEMAIL_FROM
rule is scanning all these messages at once from the same sender, the rule
is sending its results back to the SpamAssassin engine in such a way that SA
mistakenly thinks they all relate to the same message rather than to
multiple messages, and so SA puts all the results into the one FREEMAIL_FROM
entry in the headers, as shown above. If you know what I mean. However that
still seems like there's a bug or something, because I've never had a
similar problem with any other rules at all, even with emails sent through a
mailing list like this. It's only the FREEMAIL_FROM rule that does this.
Any ideas?
Cheers,
Jeremy
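
The manual check described in the post (comparing the addresses in the FREEMAIL_FROM entry against the message's own Return-Path and From headers) can be automated over saved messages. The Python below is an added example, not part of the original post or of the FreeMail plugin; the function names and the sample message are constructed, and it assumes the report's continuation lines are folded with leading whitespace and that addresses are written as user[at]domain, as in the excerpts above.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not from the original post); addresses are made up.
SAMPLE = """\
Return-Path: <sender.one@freemail.example>
X-Spam-Report:
\t* 0.0 FREEMAIL_FROM Sender email is freemail (stranger[at]freemail.example)
\t*      (sender.one[at]freemail.example)
\t*      (sender.one[at]freemail.example)
\t* 1.5 OTHER_RULE Some other rule description
From: "Sender One" <sender.one@freemail.example>
To: list@lists.example
Subject: constructed test

body text
"""

# Matches one "(user[at]domain)" item as printed in the report.
ADDR = re.compile(r"\(([^()\s]+)\[at\]([^()\s]+)\)")

def freemail_from_addresses(report):
    """Return the addresses listed under FREEMAIL_FROM, in order, duplicates kept."""
    found, in_rule = [], False
    for line in report.splitlines():
        entry = line.strip().lstrip("*").strip()
        # A new rule entry starts with a numeric score followed by the rule name;
        # anything else is a continuation of the previous entry.
        m = re.match(r"-?\d+(?:\.\d+)?\s+(\S+)", entry)
        if m:
            in_rule = (m.group(1) == "FREEMAIL_FROM")
        if in_rule:
            found += [f"{u}@{d}".lower() for u, d in ADDR.findall(entry)]
    return found

def audit(raw):
    """Compare FREEMAIL_FROM addresses with the message's own sender headers."""
    msg = message_from_string(raw)
    senders = {a.lower() for h in ("Return-Path", "From")
               for _, a in getaddresses(msg.get_all(h, [])) if a}
    counts = Counter(freemail_from_addresses(msg.get("X-Spam-Report", "")))
    return {
        "repeated": {a: n for a, n in counts.items() if n > 1},
        "not_in_sender_headers": sorted(a for a in counts if a not in senders),
    }
```

Running audit() on each raw message file shows which messages carry repeated entries and which list an address that is absent from their sender headers, which helps when correlating the oddity with mailing-list fan-out or concurrent scans.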