On Sat, 28 Jun 2014, RW wrote:

On Fri, 27 Jun 2014 20:43:19 -0500 (CDT)
David B Funk wrote:

Looking at my mail streams I see evidence that spammers sometimes
add faked "SpamAssassin" headers to their messages (I assume to try
to trick recipients into thinking that the message has already been
given a clean bill-of-health).

I wrote a few test rules to look for these pre-existing "X-Spam-"
headers to test to see if it could be used as a spam detector.
However I got no hits on these rules even on hand crafted test
messages that contained such stuff.

Checking the SA source I found in PerMsgStatus.pm a line of code:
   $self->{msg}->delete_header('X-Spam-.*');
that ran before any tests. So looking for SA headers inside of SA
is pointless.

So does anybody have any ideas how to test for evidence of a
prior SA pass?

You could simply rewrite "X-Spam-" to "X-Original-Spam-".

That's what I was afraid of. As I'm using a "milter" as my glue (so I
can SMTP reject high scoring spam) the usual MTA rewrite functions don't
do any good, so I'll have to hack the milter. I was hoping for something
more portable.

I doubt this is going to be very useful because too much legitimate
mail has X-Spam- headers. Most of the mailing lists I read have them.
Some servers add them to outgoing mail. You may have users that receive
scanned mail forwarded from ESPs etc.

I'm aware that by itself the presence of those headers isn't a definitive
spam sign but I was hoping to combine that info with other clues to
create meta rules. However, I cannot test out this hypothesis without the
ability to detect those headers.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
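
The header rewrite suggested in the thread ("X-Spam-" to "X-Original-Spam-"), sketched as an added example; it is not code from the thread, from SpamAssassin, or from any particular milter. The function name and the sample message are constructed for illustration, and the sketch assumes the glue layer can modify the raw message before SpamAssassin's own `delete_header('X-Spam-.*')` runs.

```python
import re

# Header field names beginning with "X-Spam-", matched case-insensitively.
_SPAM_HDR = re.compile(rb"^X-Spam-", re.IGNORECASE)

# Constructed sample: two pre-existing X-Spam-* fields (one folded), plus a
# body line that merely looks like a header and must not be touched.
SAMPLE = (
    b"Received: from mail.example.net by mx.example.org\r\n"
    b"X-Spam-Status: No, score=-1.0\r\n"
    b"\ttests=BAYES_00\r\n"
    b"x-spam-checker-version: SpamAssassin 3.4.0\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"X-Spam-Flag: this line is body text\r\n"
)


def rename_prior_sa_headers(raw, new_prefix=b"X-Original-Spam-"):
    """Rename X-Spam-* fields in the header section of a raw message.

    Returns (rewritten_message, fields_renamed). Folded continuation
    lines and the body pass through byte-for-byte.
    """
    out = []
    renamed = 0
    in_headers = True
    for line in raw.split(b"\n"):
        if in_headers:
            if line.rstrip(b"\r") == b"":
                in_headers = False  # first blank line ends the headers
            elif line[:1] not in (b" ", b"\t") and _SPAM_HDR.match(line):
                # Swap only the prefix; the rest of the name and the
                # value are preserved so rules can inspect them later.
                line = new_prefix + line[len(b"X-Spam-"):]
                renamed += 1
        out.append(line)
    return b"\n".join(out), renamed


if __name__ == "__main__":
    rewritten, count = rename_prior_sa_headers(SAMPLE)
    print(count, "field(s) renamed")
    print(rewritten.decode("ascii"))
```

The returned count can also be logged by the glue layer, independent of any rule that later matches the renamed headers.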
