
Recently I've been getting a lot of spam emails with the DHL_Tracking,pdf.iso file attached. I checked the rules saved in local.cf; there is no problem. But I noticed that SpamAssassin is not able to detect some emails. I removed all the rules from local.cf and added a basic rawbody rule.

rawbody MIME_TEST /qwertyuasdfghjk/
describe MIME_TEST Test
score MIME_TEST 9

Then I sent test emails from my Yahoo email account. In my first e-mail, I just sent the text and added the word qwertyuasdfghjk to be searched for in the text. In my second e-mail, I sent the same text again, but I included the ISO file that SpamAssassin could not detect. Surprisingly, although the body of the two e-mails is exactly the same, SpamAssassin did not detect the e-mail with the ISO file attached as spam.


My first e-mail body is:

MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_747683_1439360458.1633988723397"
References: <[email protected]>
X-Mailer: WebService/1.1.19116 YMailNorrin
Content-Length: 673
X-Spam-Score: 68
X-Spam-Bar: ++++++
X-Spam-Report: Spam detection software, running on the system "bifra.com.tr",
 has identified this incoming email as possible spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew
   dew qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew dew 
 
 Content analysis details:   (6.8 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                             provider (pcmgogo[at]yahoo.com)
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                             [74.6.132.124 listed in wl.mailspike.net]
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  7.0 MIME_TEST              BODY: Test
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
X-Spam-Status: Yes
X-Spam-Subject: [*SPAM=68*] Test posta 1
X-ACL-Warn: SpamAssassin detected spam (from ****[email protected] to t*****@b****.**m).
Subject: [*SPAM=68*] Test posta 1

------=_Part_747683_1439360458.1633988723397
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew dew

------=_Part_747683_1439360458.1633988723397
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div class="yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div dir="ltr" data-setdir="false"><span>qer <span><span>qwertyuasdfghjk</span></span> fdfr frefre <span><span>qwertyuasdfghjk</span></span>dwedew dew dew</span><br></div></div></body></html>
------=_Part_747683_1439360458.1633988723397--

My second e-mail body, which has the ISO file attached, is:

MIME-Version: 1.0
Content-Type: multipart/mixed; 
    boundary="----=_Part_890579_1702502143.1633988740660"
References: <[email protected]>
X-Mailer: WebService/1.1.19116 YMailNorrin
Content-Length: 1057995

------=_Part_890579_1702502143.1633988740660
Content-Type: multipart/alternative; 
    boundary="----=_Part_890578_767586642.1633988740652"

------=_Part_890578_767586642.1633988740652
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew dew

------=_Part_890578_767586642.1633988740652
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div class="yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div dir="ltr" data-setdir="false"><span>qer <span><span>qwertyuasdfghjk</span></span> fdfr frefre <span><span>qwertyuasdfghjk</span></span>dwedew dew dew</span><br></div></div></body></html>
------=_Part_890578_767586642.1633988740652--

------=_Part_890579_1702502143.1633988740660
Content-Type: application/x-cd-image
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="=?UTF-8?b?REhMXzExOTA0MCBhbMSxxZ8gaXJzYWxpeWVzaSBiZWxnZXNpLHBkZi5pc28=?="
Content-ID: <[email protected]>


Both e-mails have the same body, so why could the second one not be detected as spam?

1 Answer

https://arstechnica.com/civis/viewtopic.php?t=409557 talks about a similar issue. It seems that attachments are not considered part of the body and are not scanned by this directive. Using "raw" rather than "rawbody" appears to be the answer.

davidgo
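As an added example (not part of the question or of davidgo's answer), the Python script below walks a constructed, simplified copy of the second message's MIME skeleton: it shows which parts a body/rawbody rule can look at (the textual parts), decodes the RFC 2047 filename of the attachment so the ",pdf.iso" double extension becomes visible, and compares the message size with spamc's default 500 KB --max-size, which the 1057995-byte Content-Length shown above exceeds. The dummy base64 payload and the 500 KB figure are assumptions stated in the comments.

```python
import email
import re
from email.header import decode_header, make_header
SPAMC_DEFAULT_MAX_SIZE = 500_000  # spamc --max-size default; bigger mail is handed back unscanned
# The page's rawbody pattern; body/rawbody rules only see textual MIME parts.
RAWBODY_PATTERN = re.compile(r"qwertyuasdfghjk")
DISGUISED_ISO = re.compile(r"[.,](pdf|docx?|xlsx?)\.iso$", re.I)  # "x,pdf.iso", "x.pdf.iso"

# Constructed sample: simplified skeleton of the poster's second message, with
# the real base64 ISO body replaced by a short dummy payload.
SAMPLE_WITH_ISO = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=UTF-8

qer qwertyuasdfghjk fdfr frefre qwertyuasdfghjkdwedew dew dew
--outer
Content-Type: application/x-cd-image
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="=?UTF-8?b?REhMXzExOTA0MCBhbMSxxZ8gaXJzYWxpeWVzaSBiZWxnZXNpLHBkZi5pc28=?="

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--outer--
"""

def decode_filename(part):
    # get_filename() returns the raw =?UTF-8?b?...?= word; decode it to text.
    raw = part.get_filename()
    return str(make_header(decode_header(raw))) if raw else None

def scan_message(raw):
    # Triage one raw message: rawbody-visible text, attachments, size limit.
    msg = email.message_from_string(raw)
    report = {"rawbody_hit": False, "attachments": [], "disguised_iso": [],
              "over_spamc_limit": len(raw.encode("utf-8")) > SPAMC_DEFAULT_MAX_SIZE}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            report["rawbody_hit"] |= bool(RAWBODY_PATTERN.search(text))
        elif part.get_content_disposition() == "attachment":
            name = decode_filename(part)
            report["attachments"].append((name, part.get_content_type()))
            if name and DISGUISED_ISO.search(name):
                report["disguised_iso"].append(name)
    return report
```

In SpamAssassin itself, the attachment-name check corresponds to a mimeheader rule on Content-Disposition (MIMEHeader plugin), which looks at each MIME part's headers rather than at the textual body.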