Thread: Forwarded spam - a new headache

  1. #1

    Forwarded spam - a new headache

    I wonder if anyone else is seeing this behavior. I have one user who's getting consistent spam emails forwarded from an external account--that is, the spam is sent from the spammer (JC Penney, it looks like) to an account at charter.net, which in turn is forwarding the messages to my user. We've marked as "junk" nearly a dozen of these mostly-html images, with unsubscribe language and the works, and still the Bayes filter in the header is giving them a Bayes_50 score. There are almost no other headers in the spam filter. This leads me to suspect that Spamassassin doesn't look beyond the last message body, and completely ignores anything that's forwarded.

    Does anyone know if this is true, and more importantly, what I can do about it? Bayes is accomplishing zilch in this situation. I know if all else fails I can just blacklist the sender, but I was hoping for a more systemic solution.

    Here's a sample with only my user's email obfuscated:
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.domain.net (Postfix) with ESMTP id C6D853D400F
    for <user@domain.net>; Mon, 26 Nov 2007 20:54:09 -0800 (PST)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Flag: NO
    X-Spam-Score: 0.274
    X-Spam-Level:
    X-Spam-Status: No, score=0.274 tagged_above=-10 required=4.8
    tests=[BAYES_50=0.001, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001,
    RDNS_NONE=0.1]
    Received: from mail.domain.net ([127.0.0.1])
    by localhost (mail.domain.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id EmO-c0V+KhOv for <user@domain.net>;
    Mon, 26 Nov 2007 20:54:02 -0800 (PST)
    Received: from mail.domain.net (localhost.localdomain [127.0.0.1])
    by mail.domain.net (Postfix) with ESMTP id A28853D400E
    for <user@domain.net>; Mon, 26 Nov 2007 20:54:02 -0800 (PST)
    Received: from domain.com
    by mail.domain.net with POP3 (fetchmail-6.3.2)
    for <user@domain.net> (single-drop); Mon, 26 Nov 2007 20:54:02 -0800 (PST)
    Received: from mtao04.charter.net ([209.225.8.178]) by domain.com for <user@domain.com>; Mon, 26 Nov 2007 20:53:15 -0800
    Received: from aarprv06.charter.net ([10.20.200.76]) by mtao04.charter.net
    (InterMail vM.7.08.02.00 201-2186-121-20061213) with ESMTP
    id <20071127045310.IZPW2230.mtao04.charter.net@aarprv06.charter.net>
    for <user@domain.com>; Mon, 26 Nov 2007 23:53:10 -0500
    Received: from IBM1CFF8757EA5 ([71.84.13.81]) by aarprv06.charter.net
    with SMTP
    id <20071127045308.DQIF14098.aarprv06.charter.net@IBM1CFF8757EA5>
    for <user@domain.com>; Mon, 26 Nov 2007 23:53:08 -0500
    Message-ID: <001d01c830b1$62107710$0a00a8c0@IBM1CFF8757EA5>
    From: "klanknan" <klanknan@charter.net>
    To: "Nanci Wilborn" <user@domain.com>
    Subject: Fw: We've Extended Our Offer for FREE Shipping
    Date: Mon, 26 Nov 2007 20:52:52 -0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_001A_01C8306E.51B373B0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
    X-Chzlrs: 0

    This is a multi-part message in MIME format.

    ------=_NextPart_000_001A_01C8306E.51B373B0
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    We've Extended Our Offer for FREE Shipping
    ----- Original Message -----=20
    From: JCPenney=20
    To: klanknan@charter.net=20
    Sent: Sunday, November 25, 2007 11:45 PM
    Subject: We've Extended Our Offer for FREE Shipping


    Keep JCPenney emails coming! Add =
    JCPenney-support@jcpenneyem.com to your address book now.
    If you have trouble viewing this email, click here.=20
    =20
    How to get free shipping throughout jcp.com:=20
    1. After adding items to your shopping bag, proceed =
    to the shopping bag page. Select "yes" under "Discounts" to indicate =
    that you are using a promotional code.=20
    2. Enter code EXTEND2 in the "promotional code" box =
    on the following page. Your discount, if applicable, will be reflected =
    on the order summary page at final checkout.=20
    3. Shop now! Offer ends November 28, 2007=20
    =20
    =20
    =20
    *Offer good on merchandise orders of $25 or more delivered =
    within the 48 contiguous United States (excludes Alaska, Hawaii & Puerto =
    Rico) by standard delivery to your home, office, or a jcp.com | Catalog =
    Desk. The following purchases do not qualify for this offer nor toward =
    the $25 purchase amount required: truck or express deliveries; taxes; =
    clearance/outlet prices; Services; prior purchases; orders currently =
    being processed and cannot be used with any other offers. Offer good =
    through November 28, 2007.=20
    Heard it from a friend? Be on the inside track, and opt-in =
    to receive JCPenney email. Click here to be the first to know.=20
    =20
    This email was sent to: klanknan@charter.net. If you wish to =
    unsubscribe from JCPenney email, or change your email profile, click =
    here.

    =A9 2007 J.C. Penney Company, Inc. and/or JCP Media L.P., =
    6501 Legacy Drive, Plano, Texas, United States of America. All rights =
    reserved.

    =20
    =20


    ------=_NextPart_000_001A_01C8306E.51B373B0
    Content-Type: text/html;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD><TITLE>We=92ve Extended Our Offer for FREE Shipping</TITLE>
    <html truncated>

  2. #2

    Do they always come from klanknan@charter.net or does it change?

  3. #3

    Quote Originally Posted by mdeneen View Post
    Do they always come from klanknan@charter.net or does it change?
    So far, yes. I know this means I could blacklist that address, but that is a band-aid, which doesn't address the real problem of the spam filters not properly examining forwarded messages.

  4. #4

    Wrong assumptions. SpamAssassin is seeing the whole message, including the full forwarded content and the headers. Message-Id, the Received: path traversed, etc.

    Why the fetchmail/POP from domain.com to domain.net? Have your user remove that hop, and do a proper forward direct from comcast.

    You can see the tokens that are considered spammy (or not) by dropping in a debug.cf with the below and piping the message through spamassassin -t

    Code:
    add_header all Spammy _SPAMMYTOKENS(5,long)_
    add_header all Hammy _HAMMYTOKENS(5,long)_
    add_header all Bayes _TOKENSUMMARY_
    As for this particular message, what you should do is (click here) to unsubscribe her. It is absolutely correct to teach users never to follow directions in UBE, but this is mainsleaze from a company from which your user bought something some time ago (if not from JCP itself, then from an "affiliate" with whom they share information; how many people read the fine print?). JCP Media will honor unsubscribes. Don't tell your user that she is mistaken in considering it spam; there's no point in doing that. But following the (click here) link is a more productive use of *your* time than fiddling with SA.
    Last edited by Rich Graves; 11-28-2007 at 02:36 PM.

  5. #5

    Quote Originally Posted by Rich Graves View Post
    Wrong assumptions. SpamAssassin is seeing the whole message, including the full forwarded content and the headers. Message-Id, the Received: path traversed, etc.
    How sure can you be of this? SA headers do not indicate that it has even noticed the heavy html content, the unsubscribe line, or other trash that would normally be recognized as spammy. I'll try the debug suggestion to be sure, but the incredible amount of html that I truncated from the posted message should have triggered something. . .

    Why the fetchmail/POP from domain.com to domain.net? Have your user remove that hop, and do a proper forward direct from comcast.
    That's from my user's old account. We have fetchmail pulling messages from users' old pop accounts in order not to negate the several thousand business cards that have been distributed with the old addresses on them. The vast majority of spam that comes in goes through that pathway, and SpamAssassin has zero problem with it.

    As for this particular message, what you should do is (click here) to unsubscribe her. It is absolutely correct to teach users never to follow directions in UBE, but this is mainsleaze from a company from which your user bought something some time ago (if not from JCP itself, then from an "affiliate" with whom they share information; how many people read the fine print?). JCP Media will honor unsubscribes. Don't tell your user that she is mistaken in considering it spam; there's no point in doing that. But following the (click here) link is a more productive use of *your* time than fiddling with SA.
    Unfortunately, that link is for the klanknan address, not my user ntw's. So it may or may not work; there is no clear unsubscription path for the forwarding of UBE from charter.net to us.

    But that's not the reason I posted this thread. If my theory is correct, that passing spam through a forwarder totally disables SA's analysis, we could shortly have a big problem on our hands when the bad guys figure this out in greater numbers. It is not this particular email, but rather this pattern, that has me worried.

    Dan

  6. #6

    Your theory is not correct. To get more verbose info about bayes classifications, try dropping in a debug.cf (above) and restart amavisd. All mail going through your system will then have additional headers. (Untested; or will amavisd remove them?)

    To really debug what's happening, run spamassassin -D -t. Zimbra installs SpamAssassin in zimbramon/lib/Mail/. Just get the spamassassin script for the same version of SA and use lib '/opt/zimbra/zimbramon/lib';.
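As an added example (not code from the thread, from Zimbra or from SpamAssassin), this Python script takes the posted sample apart the way posts #4 and #6 suggest checking it: it parses the X-Spam-Status rule hits, walks the Received: chain including the charter.net forwarding hop, and decodes the quoted-printable body to confirm that the original JCPenney sender and the unsubscribe wording are ordinary body text in the single message SpamAssassin tokenizes. SAMPLE is a constructed, trimmed copy of the message above.

```python
import email
import re

# Constructed, trimmed copy of the sample posted above: the folded
# X-Spam-Status header, the charter.net forwarding hops from the Received:
# chain, and the quoted-printable body that embeds the original message.
SAMPLE = """\
X-Spam-Status: No, score=0.274 tagged_above=-10 required=4.8
\ttests=[BAYES_50=0.001, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001,
\tRDNS_NONE=0.1]
Received: from mtao04.charter.net ([209.225.8.178]) by domain.com for <user@domain.com>; Mon, 26 Nov 2007 20:53:15 -0800
Received: from IBM1CFF8757EA5 ([71.84.13.81]) by aarprv06.charter.net
\twith SMTP for <user@domain.com>; Mon, 26 Nov 2007 23:53:08 -0500
From: "klanknan" <klanknan@charter.net>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

We've Extended Our Offer for FREE Shipping
----- Original Message -----=20
From: JCPenney=20
If you wish to unsubscribe from JCPenney email, click =
here.=20
"""


def analyze(raw):
    """Return what SpamAssassin had in front of it: rule hits, relay path
    and the original sender buried in the forwarded body."""
    msg = email.message_from_string(raw)
    # X-Spam-Status is folded; unfold before pulling tests=[...] apart.
    status = " ".join(msg["X-Spam-Status"].split())
    tests = re.search(r"tests=\[(.*?)\]", status).group(1)
    hits = {r: float(s) for r, s in re.findall(r"(\w+)=(-?[\d.]+)", tests)}
    # Each Received: hop is a header SA can test (RDNS_NONE came from one).
    hops = []
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"from (\S+) \(\[?([\d.]+)\]?\) by (\S+)",
                     " ".join(rcvd.split()))
        if m:
            hops.append(m.groups())
    # The forward is ordinary body text, so Bayes tokenizes it like any other.
    body = msg.get_payload(decode=True).decode("iso-8859-1")
    orig = re.search(r"-{5} Original Message -{5}\s*From: (.+)", body)
    return {
        "hits": hits,
        "total": round(sum(hits.values()), 3),
        "hops": hops,
        "forwarded_from": orig.group(1).strip() if orig else None,
        "unsubscribe_in_body": "unsubscribe" in body.lower(),
    }
```

Run it against a full message saved from the mailbox to compare the hop list and body tokens with what `spamassassin -D -t` reports.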
