SA bypassed?

Splet

Some spam messages (example below) are never handed over to SA to even check them. I see the fake spam/AV scan headers were inserted. Is there a directive for Exim, so that it would strip or ignore all headers like these? Is this normal behaviour for SB3?

Using SpamBlocker3, default config.


Code:
Return-path: <[email protected]>
Envelope-to: system-filter
Delivery-date: Sun, 24 Aug 2008 03:47:18 +0200
Received: from mail.conecta.it ([195.43.161.220])
	by XXX with esmtp (Exim 4.68)
	(envelope-from <[email protected]>)
	id 1KX4hH-00037n-LS
	for XXX; Sun, 24 Aug 2008 03:47:16 +0200
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.conecta.it (Postfix) with ESMTP id EDB661E40BE6
	for <XXX>; Sun, 24 Aug 2008 03:47:11 +0200 (CEST)
X-Virus-Scanned: amavisd-new at 
X-Spam-Flag: NO
X-Spam-Score: -4.371
X-Spam-Level: 
X-Spam-Status: No, score=-4.371 tagged_above=-10 required=4
	tests=[ALL_TRUSTED=-1.8, AWL=0.028, BAYES_00=-2.599]
Received: from mail.conecta.it ([127.0.0.1])
	by localhost (mail.conecta.it [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id cVf9icIAHdEj for 
...
 
Quick workaround, a little bit security through obscurity, until there's something better...

1. add custom SA header in your local.cf:

add_header all SA-Test123 Active

2. change in your exim.conf "h_X-Spam-Flag" to this new custom header, "h_X-Spam-SA-Test123" in our example:

Code:
spamcheck_director:
  driver = accept
  condition = "${if and { \
            {!def:h_X-Spam-SA-Test123:} \
            {!eq {$received_protocol}{spam-scanned}} \
            {!eq {$received_protocol}{local}} \
            {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
            {<{$message_size}{500k}} \
        } {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify

3. restart exim, done!

The idea is that Exim will check our custom header to see if the message has already been scanned or not. This way, spammers can only fool it if they know this new header of ours.
 
Interesting idea; however I can't make it the default in SpamBlocker if we keep using default SpamAssassin installations.

Any other ways to do it?

Important enough for DirectAdmin to maintain its own SpamAssassin distribution?

Jeff
 
Now I'm not completely sure this line is even needed. Try removing "{!def:h_X-Spam-SA-Test123:} \" from exim.conf, no local.cf mods, and we'll see if other two are enough.

Because we check for "spam-scanned" too and that is set only after SA scan.
 
Quote:
Now I'm not completely sure this line is even needed. Try removing "{!def:h_X-Spam-SA-Test123:} \" from exim.conf, no local.cf mods, and we'll see if other two are enough.

Because we check for "spam-scanned" too and that is set only after SA scan.

No, you try it :).

Jeff
 
I have had the same problem and had been trying to work out what was letting these messages through for the last few days.

All the emails in question were from @aim.com addresses - a red herring.
All of them were "envelope-to" a local address but were "to" a random address - also a red herring.

Eventually I spotted that they had a header of "X-Spam-Flag: Yes" set. Sneaky! Actually I am surprised that this hasn't been a more common trick (unless this only affects the spamblocker exim conf on DA?).

I have implemented Splet's suggestion of adding a unique header in my local.cf and changing the exim.conf file to look for this header rather than the normal one. Will post back here in a few days to confirm whether this worked for me (just in case anyone else is having the problem and isn't sure if this is the solution to use)...

Thanks!
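Added example (not from this thread, DirectAdmin or SpamBlocker) covering both the router workaround above and the manual header inspection in this post: it parses a message's header block, emulates the spamcheck_director condition with the default X-Spam-Flag marker and with a custom marker, and reports X-Spam-*/X-Virus-* headers that were already on the message when our MTA accepted it. Host names, message ids and addresses are constructed placeholders; the user_prefs lookup in the real router is assumed to succeed.

```python
"""Added example (not from the forum thread or DirectAdmin/SpamBlocker): emulate
the spamcheck_director condition on parsed headers and detect X-Spam-*/X-Virus-*
headers that were already present when the message arrived over SMTP.
Host names, ids and addresses below are constructed placeholders."""
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample modelled on the headers posted above: a message that arrives
# over SMTP already carrying an amavisd/SpamAssassin-style header set.
PRESTAMPED = """Received: from mail.example.net ([192.0.2.10])
\tby mx.ourdomain.example with esmtp (Exim 4.68)
\t(envelope-from <sender@example.net>)
\tid 1AAAAA-000000-AA
\tfor user@ourdomain.example; Sun, 24 Aug 2008 03:47:16 +0200
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mail.example.net (Postfix) with ESMTP id 0000000000
\tfor <user@ourdomain.example>; Sun, 24 Aug 2008 03:47:11 +0200 (CEST)
X-Virus-Scanned: amavisd-new at example.net
X-Spam-Flag: NO
X-Spam-Score: -4.371
X-Spam-Status: No, score=-4.371 tagged_above=-10 required=4
\ttests=[ALL_TRUSTED=-1.8, AWL=0.028, BAYES_00=-2.599]
From: sender@example.net
Subject: constructed sample

body
"""

# Constructed sample of an ordinary inbound message with no spam headers.
CLEAN = """Received: from smtp.example.org ([198.51.100.7])
\tby mx.ourdomain.example with esmtp (Exim 4.68)
\tid 1BBBBB-000000-BB
\tfor user@ourdomain.example; Sun, 24 Aug 2008 04:00:00 +0200
From: friend@example.org
Subject: constructed sample

body
"""


def parse_headers(raw: str) -> List[Header]:
    """Split a raw message into (name, value) header pairs, unfolding
    continuation lines (those starting with a space or tab). Stops at the
    blank line that ends the header block."""
    headers: List[Header] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def header_defined(headers: List[Header], name: str) -> bool:
    """Equivalent of Exim's def:h_<name>: test (case-insensitive name match)."""
    return any(n.lower() == name.lower() for n, _ in headers)


def route_to_spamcheck(headers: List[Header], received_protocol: str,
                       message_size: int, marker_header: str = "X-Spam-Flag",
                       max_size: int = 500 * 1024) -> bool:
    """Emulate the spamcheck_director condition: True means the message is
    handed to the spamcheck transport. The user_prefs existence lookup from
    the real router is assumed to succeed here."""
    if header_defined(headers, marker_header):          # !def:h_X-Spam-...:
        return False
    if received_protocol in ("spam-scanned", "local"):  # already scanned / local
        return False
    return message_size < max_size                       # <{$message_size}{500k}


def prestamped_headers(headers: List[Header], our_host: str) -> List[Header]:
    """Detection: X-Spam-*/X-Virus-* headers that sit below the last Received:
    line added by our own MTA. Headers are prepended as a message travels, so
    anything below the line where our_host accepted it was already present on
    the wire and was not produced by our scanner."""
    boundary = -1
    for idx, (name, value) in enumerate(headers):
        if name.lower() == "received" and f"by {our_host}" in value:
            boundary = idx
    return [(n, v) for idx, (n, v) in enumerate(headers)
            if idx > boundary and n.lower().startswith(("x-spam-", "x-virus-"))]


if __name__ == "__main__":
    hdrs = parse_headers(PRESTAMPED)
    print("default router scans it:", route_to_spamcheck(hdrs, "esmtp", 4096))
    print("custom-marker router scans it:",
          route_to_spamcheck(hdrs, "esmtp", 4096, marker_header="X-Spam-SA-Test123"))
    for name, value in prestamped_headers(hdrs, "mx.ourdomain.example"):
        print(f"arrived pre-stamped: {name}: {value}")
```

With the default marker the pre-stamped message is never routed to spamcheck; with the custom marker it is. The prestamped_headers check is the automated form of what this post did by eye, and is useful for going back through a mail store to count how many messages slipped past unscanned.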
 
Yes, the spammers have figured out the "X-Spam-Flag" trick, and no, it's not just for SpamAssassin on DirectAdmin; it's standard SpamAssassin code.

I like user Splet's suggestion. Please do post back; we may want to change DirectAdmin to use a custom header the spammers won't figure out. SpamBlocker Version3 is going to go gold shortly so now is the best time to do it :).

Jeff
 
Working nicely here thanks!

Was getting about 20 a day slipping through unscanned, and since putting this in place none have been missed. I have also had a good look through my logs and I can't see that there have been any negative implications of doing this (not that there should be).

One thing I did do which may be of use I think...

In my local.cf file I have included the following (replace "MyCustomHeader" as applicable):

bayes_ignore_header X-Spam-"MyCustomHeader"

I have also worked out a few spamassassin rules to push up the scores of the particular emails which were sneaking past (as they don't tend to score that highly even when scanned). I will post them in the email forum.
 