Hello folks, I'm having a lot of problems with Spam passing through our Postfix+Amavisd-new solution.
What happens: a phishing attack arrives, it is not detected as spam by the Bayesian filter, and since it originated from an authenticated user (stolen password) and from a known MTA, it receives a negative score from AWL. The spam/phishing attack gets into the system and is finally relayed to our Exchange Server, which uses our Postfix as a smarthost.

The question is: how can I debug this? I'm getting tired of using sa-learn to train our Bayesian filter without success. For months, the same message has been passing through our system and it never gets caught. This is weird, since when we use spamassassin -r to report the message, it is detected with 100% confidence that it is spam.

Here is an example:

Return-Path: <alert_n...@programmer.net>
Delivered-To: clean-quarantine
X-Envelope-To: <********************************>
X-Envelope-To-Blocked:
X-Quarantine-ID: <vb4FI3WXpiqz>
X-Spam-Flag: NO
X-Spam-Score: 1.674
X-Spam-Level: *
X-Spam-Status: No, score=1.674 tag=-99.9 tag2=6.2 kill=6.9
    tests=[AWL=0.000, BAYES_00=-1.9, FREEMAIL_FROM=0.001,
    FREEMAIL_REPLYTO=1, MISSING_HEADERS=1.021,
    REPLYTO_WITHOUT_TO_CC=1.552] autolearn=no

And when I run the spamassassin -r command I get this:

Received: from localhost by ironforge.if.ufrj.br
    with SpamAssassin (version 3.3.1);
    Sat, 24 Nov 2012 11:38:50 -0200
From: "Webmail Administrador" <alert_n...@programmer.net>
Subject: Cuidado com o administrador - confirmar a infor=?ISO-8859-1?Q?ma=E7=E3o_webmail_abai?=xo
Date: Fri, 23 Nov 2012 18:11:26 -0300
Message-Id: <20121123210616.m90...@ensp.fiocruz.br>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on ironforge.if.ufrj.br
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.1 required=5.0 tests=AWL,BAYES_99,FREEMAIL_FROM,
    FREEMAIL_REPLYTO,MISSING_HEADERS,REPLYTO_WITHOUT_TO_CC autolearn=no
    version=3.3.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_50B0CDEA.C3BB593D"

This is a multi-part message in MIME format.

------------=_50B0CDEA.C3BB593D
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "ironforge.if.ufrj.br", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Caro usu?rio Webmail Sua cota de correio excedeu o conjunto
   quota / limite e voc? est? atualmente em execu??o no GB Baixa devido a
   arquivos ocultos e pastas em sua caixa postal. Voc? pode n?o ser capaz de
   receber ou enviar novos e-mails at? que voc? re- validar a permitir espa?o
   em suas pastas de webmail. Isso tamb?m pode ser causado por n?o validar o
   seu webmail como aconselhado anteriormente. [...]

Content analysis details: (6.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (alert_news[at]programmer.net)
 1.0 MISSING_HEADERS        Missing To: header
 1.6 REPLYTO_WITHOUT_TO_CC  REPLYTO_WITHOUT_TO_CC
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain different freemails
-1.0 AWL                    AWL: From: address is in the auto white-list

I'm looking for any help, since the solutions don't appear to be working as expected.

Thanks in advance,
Vinícius Ferrão: Administrador de Sistemas
www.ferrao.eti.br | +55 (21) 8888-2169
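A small check for comparing the two scans quoted above, added here as an example and not code from the post or from Amavisd-new/SpamAssassin. It parses both X-Spam-Status header styles (the amavisd-new form with per-rule scores in `tests=[...]`, and the plain SpamAssassin form with a bare rule list) and reports which rules differ between the two verdicts; the two header values are copied from the post.

```python
import re

# Sample header values, copied from the two scans quoted in the post.
AMAVIS_STATUS = ("No, score=1.674 tag=-99.9 tag2=6.2 kill=6.9 "
                 "tests=[AWL=0.000, BAYES_00=-1.9, FREEMAIL_FROM=0.001, "
                 "FREEMAIL_REPLYTO=1, MISSING_HEADERS=1.021, "
                 "REPLYTO_WITHOUT_TO_CC=1.552] autolearn=no")
SA_STATUS = ("Yes, score=6.1 required=5.0 tests=AWL,BAYES_99,FREEMAIL_FROM, "
             "FREEMAIL_REPLYTO,MISSING_HEADERS,REPLYTO_WITHOUT_TO_CC "
             "autolearn=no version=3.3.1")

# Either "[RULE=score, ...]" (amavisd-new) or "RULE,RULE,..." possibly folded
# across header lines, i.e. with whitespace after the commas (SpamAssassin).
_TESTS_RE = re.compile(r"\btests=(\[[^\]]*\]|[A-Z0-9_]+(?:,\s*[A-Z0-9_]+)*)")


def parse_spam_status(value):
    """Parse an X-Spam-Status header value into a dict.

    'tests' maps rule name -> per-rule score (None when the header carries
    only rule names). 'threshold' is SpamAssassin's required= if present,
    otherwise amavisd-new's tag2= level, which is what it tags spam at.
    """
    verdict, _, rest = value.partition(",")
    result = {"spam": verdict.strip().lower() == "yes", "tests": {}}
    m = _TESTS_RE.search(rest)
    if m:
        for item in re.split(r"\s*,\s*", m.group(1).strip("[]")):
            if item:
                name, _, score = item.partition("=")
                result["tests"][name] = float(score) if score else None
    for key in ("score", "required", "tag2", "kill"):
        km = re.search(r"\b%s=(-?[\d.]+)" % key, rest)
        if km:
            result[key] = float(km.group(1))
    result["threshold"] = result.get("required", result.get("tag2"))
    return result


def diff_verdicts(a, b):
    """Rule names that fired in only one of the two scans, sorted."""
    pa, pb = parse_spam_status(a), parse_spam_status(b)
    return sorted(set(pa["tests"]) ^ set(pb["tests"]))


if __name__ == "__main__":
    print("rules differing between the scans:", diff_verdicts(AMAVIS_STATUS, SA_STATUS))
```

On the two headers above the only differing rules are BAYES_00 and BAYES_99, so the Bayes databases consulted by the two scans disagree, while the AWL entry and the other rules are the same in both; note also that the spamassassin -r score of 6.1 is still below the amavisd tag2 level of 6.2 shown in the first header.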