Forwarded spam - a new headache

[dwmtractor]

I wonder if anyone else is seeing this behavior. I have one user who's getting consistent spam emails forwarded from an external account--that is, the spam is sent from the spammer (JC Penney, it looks like) to an account at charter.net, which in turn is forwarding the messages to my user. We've marked as "junk" nearly a dozen of these mostly-html images, with unsubscribe language and the works, and still the Bayes filter in the header is giving them a Bayes_50 score. There are almost no other headers in the spam filter. This leads me to suspect that Spamassassin doesn't look beyond the last message body, and completely ignores anything that's forwarded.

Does anyone know if this is true, and more importantly, what I can do about it? Bayes is accomplishing zilch in this situation. I know if all else fails I can just blacklist the sender, but I was hoping for a more systemic solution.

Here's a sample with only my user's email obfuscated:

Quote:

Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.domain.net (Postfix) with ESMTP id C6D853D400F
for <user@domain.net>; Mon, 26 Nov 2007 20:54:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.274
X-Spam-Level:
X-Spam-Status: No, score=0.274 tagged_above=-10 required=4.8
tests=[BAYES_50=0.001, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001,
RDNS_NONE=0.1]
Received: from mail.domain.net ([127.0.0.1])
by localhost (mail.domain.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id EmO-c0V+KhOv for <user@domain.net>;
Mon, 26 Nov 2007 20:54:02 -0800 (PST)
Received: from mail.domain.net (localhost.localdomain [127.0.0.1])
by mail.domain.net (Postfix) with ESMTP id A28853D400E
for <user@domain.net>; Mon, 26 Nov 2007 20:54:02 -0800 (PST)
Received: from domain.com
by mail.domain.net with POP3 (fetchmail-6.3.2)
for <user@domain.net> (single-drop); Mon, 26 Nov 2007 20:54:02 -0800 (PST)
Received: from mtao04.charter.net ([209.225.8.178]) by domain.com for <user@domain.com>; Mon, 26 Nov 2007 20:53:15 -0800
Received: from aarprv06.charter.net ([10.20.200.76]) by mtao04.charter.net
(InterMail vM.7.08.02.00 201-2186-121-20061213) with ESMTP
id <20071127045310.IZPW2230.mtao04.charter.net@aarprv 06.charter.net>
for <user@domain.com>; Mon, 26 Nov 2007 23:53:10 -0500
Received: from IBM1CFF8757EA5 ([71.84.13.81]) by aarprv06.charter.net
with SMTP
id <20071127045308.DQIF14098.aarprv06.charter.net@IBM 1CFF8757EA5>
for <user@domain.com>; Mon, 26 Nov 2007 23:53:08 -0500
Message-ID: <001d01c830b1$62107710$0a00a8c0@IBM1CFF8757EA5>
From: "klanknan" <klanknan@charter.net>
To: "Nanci Wilborn" <user@domain.com>
Subject: Fw: We've Extended Our Offer for FREE Shipping
Date: Mon, 26 Nov 2007 20:52:52 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_001A_01C8306E.51B373B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Chzlrs: 0

This is a multi-part message in MIME format.

------=_NextPart_000_001A_01C8306E.51B373B0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

We've Extended Our Offer for FREE Shipping
----- Original Message -----=20
From: JCPenney=20
To: klanknan@charter.net=20
Sent: Sunday, November 25, 2007 11:45 PM
Subject: We've Extended Our Offer for FREE Shipping


Keep JCPenney emails coming! Add =
JCPenney-support@jcpenneyem.com to your address book now.
If you have trouble viewing this email, click here.=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
How to get free shipping throughout jcp.com:=20
1. After adding items to your shopping bag, proceed =
to the shopping bag page. Select "yes" under "Discounts" to indicate =
that you are using a promotional code.=20
2. Enter code EXTEND2 in the "promotional code" box =
on the following page. Your discount, if applicable, will be reflected =
on the order summary page at final checkout.=20
3. Shop now! Offer ends November 28, 2007=20
=20
=20
=20
*Offer good on merchandise orders of $25 or more delivered =
within the 48 contiguous United States (excludes Alaska, Hawaii & Puerto =
Rico) by standard delivery to your home, office, or a jcp.com | Catalog =
Desk. The following purchases do not qualify for this offer nor toward =
the $25 purchase amount required: truck or express deliveries; taxes; =
clearance/outlet prices; Services; prior purchases; orders currently =
being processed and cannot be used with any other offers. Offer good =
through November 28, 2007.=20
Heard it from a friend? Be on the inside track, and opt-in =
to receive JCPenney email. Click here to be the first to know.=20
=20
This email was sent to: klanknan@charter.net. If you wish to =
unsubscribe from JCPenney email, or change your email profile, click =
here.

=A9 2007 J.C. Penney Company, Inc. and/or JCP Media L.P., =
6501 Legacy Drive, Plano, Texas, United States of America. All rights =
reserved.

=20
=20


------=_NextPart_000_001A_01C8306E.51B373B0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>We=92ve Extended Our Offer for FREE Shipping</TITLE>
<html truncated>

[mdeneen]

Do they always come from klanknan@charter.net or does it change?

[dwmtractor]

Quote:

Originally Posted by mdeneen

Do they always come from klanknan@charter.net or does it change?

So far, yes. I know this means I could blacklist that address, but that is a band-aid, which doesn't address the real problem of the spam filters not properly examining forwarded messages.

[Rich Graves]

Wrong assumptions. SpamAssassin is seeing the whole message, including the full forwarded content and the headers. Message-Id, the Received: path traversed, etc.

Why the fetchmail/POP from domain.com to domain.net? Have your user remove that hop, and do a proper forward direct from comcast.

You can see the tokens that are considered spammy (or not) by dropping in a debug.cf with the below and piping the message through spamassassin -t

Code:

add_header all Spammy _SPAMMYTOKENS(5,long)_
add_header all Hammy _HAMMYTOKENS(5,long)_
add_header all Bayes _TOKENSUMMARY_

As for this particular message, what you should do is (click here) to unsubscribe her. It is absolutely correct to teach users never to follow directions in UBE, but this is mainsleaze from a company from which your user bought something some time ago (if not from JCP itself, then from an "affiliate" with whom they share information; how many people read the fine print?). JCP Media will honor unsubscribes. Don't tell your user that she is mistaken in considering it spam; there's no point in doing that. But following the (click here) link is a more productive use of *your* time than fiddling with SA.

[dwmtractor]

Quote:

Originally Posted by Rich Graves

Wrong assumptions. SpamAssassin is seeing the whole message, including the full forwarded content and the headers. Message-Id, the Received: path traversed, etc.

How sure can you be of this? SA headers do not indicate that it has even noticed the heavy html content, the unsubscribe line, or other trash that would normally be recognized as spammy. I'll try the debug suggestion to be sure, but the incredible amount of html that I truncated from the posted message should have triggered something. . .

Quote:

Why the fetchmail/POP from domain.com to domain.net? Have your user remove that hop, and do a proper forward direct from comcast.

That's from my user's old account. We have fetchmail pulling messages from users' old pop accounts in order not to negate the several thousand business cards that have been distributed with the old addresses on them. The vast majority of spam that comes in goes through that pathway, and SpamAssassin has zero problem with it.

Quote:

As for this particular message, what you should do is (click here) to unsubscribe her. It is absolutely correct to teach users never to follow directions in UBE, but this is mainsleaze from a company from which your user bought something some time ago (if not from JCP itself, then from an "affiliate" with whom they share information; how many people read the fine print?). JCP Media will honor unsubscribes. Don't tell your user that she is mistaken in considering it spam; there's no point in doing that. But following the (click here) link is a more productive use of *your* time than fiddling with SA.

Unfortunately, that link is for the klankan address, not my user ntw's. So it may or may not work; there is no clear unsubscription path for the forwarding of UBE from charter.net to us.

But that's not the reason I posted this thread. If my theory is correct, that passing spam through a forwarder totally disables SA's analysis, we could shortly have a big problem on our hands when the bad guys figure this out in greater numbers. It is not this particular email, but rather this pattern, that has me worried.

Dan

[Rich Graves]

Your theory is not correct. To get more verbose info about bayes classifications, try dropping in a debug.cf (above) and restart amavisd. All mail going through your system will then have additional headers. (Untested; or will amavisd remove them?)

To really debug what's hapening, run spamassassin -D -t. Zimbra installs SpamAssassin in zimbramon/lib/Mail/. Just get the spamassassin script for the same version of SA and use lib '/opt/zimbra/zimbramon/lib';.

[dwmtractor]

I believe you're not correct, Rich. I just ran the following tests (by the way, amavisd may strip out the headers from your debug.cf; I just inserted it, stopped & restarted the whole zmcontrol bunch (which, of course, includes spamassassin) and the headers were unchanged. But more importantly, I did this test:

I have an email account which I have used for years as a throwaway for registrations, so it gets a lot of spam. For purposes of the example below it is shown as mymail2@mydomain.com. It's messages are retrieved from the mydomain.com hosted account and sent to my main email address, here shown as mymail1@mydomain.net.

I went to the junk folder of mymail1, pulled out a message that had been put there solely on its Bayes classification--this is a guy who swears he can't get my address out of his database--and the message headers clearly show that it got a Bayes_99 classification. I forwarded that message from mymail1@mydomain.net to mymail2@mydomain.com (remember that mydomain.com is hosted on a different server) where, three minutes later, fetchmail retrieved it, pumped it through spamassassin again, and with NO CHANGE to the message other than a forwarding line, it now has a Bayes rating of only 50. Here are both headers, taken from the second message. Spamassassin is clearly not whitelisting it based upon my address; you see several X-Spam header lines that would not be there on a whitelisted message:

Code:

Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.mydomain.net (Postfix) with ESMTP id 3663B3D400F
    for <mymail1@mydomain.net>; Thu, 29 Nov 2007 10:24:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at 
X-Spam-Flag: NO
X-Spam-Score: 1.707
X-Spam-Level: *
X-Spam-Status: No, score=1.707 tagged_above=-10 required=4.8
    tests=[BAYES_50=0.001, DEAR_SOMETHING=1.605, HTML_MESSAGE=0.001,
    RDNS_NONE=0.1]
Received: from mail.mydomain.net ([127.0.0.1])
    by localhost (mail.mydomain.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 6xQ8ade6v5pz for <mymail1@mydomain.net>;
    Thu, 29 Nov 2007 10:24:02 -0800 (PST)
Received: from mail.mydomain.net (localhost.localdomain [127.0.0.1])
    by mail.mydomain.net (Postfix) with ESMTP id 3AA703D400E
    for <mymail1@mydomain.net>; Thu, 29 Nov 2007 10:24:02 -0800 (PST)
Received: from mydomain.com
    by mail.mydomain.net with POP3 (fetchmail-6.3.2)
    for <mymail1@mydomain.net> (single-drop); Thu, 29 Nov 2007 10:24:02 -0800 (PST)
Received: from mail.mydomain.net ([12.181.168.155]) by mydomain.com for <mymail2@mydomain.com>; Thu, 29 Nov 2007 10:22:36 -0800
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.mydomain.net (Postfix) with ESMTP id 712843D400F
    for <mymail2@mydomain.com>; Thu, 29 Nov 2007 10:22:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at 
Received: from mail.mydomain.net ([127.0.0.1])
    by localhost (mail.mydomain.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id wZJBZZqfQsTp for <mymail2@mydomain.com>;
    Thu, 29 Nov 2007 10:22:35 -0800 (PST)
Received: from [192.168.0.38] (unknown [192.168.0.38])
    by mail.mydomain.net (Postfix) with ESMTP id 72B2F3D400E
    for <mymail2@mydomain.com>; Thu, 29 Nov 2007 10:22:35 -0800 (PST)
Message-ID: <474F036B.7030401@mydomain.net>
Date: Thu, 29 Nov 2007 10:22:35 -0800
From: "Daniel W. Martin" <mymail1@mydomain.net>
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: mymail2@mydomain.com
Subject: [Fwd: CAT14G S/No. 96U08478 Yr : 1991]
Content-Type: multipart/alternative;
 boundary="------------070208040806010906000009"

This is a multi-part message in MIME format.
--------------070208040806010906000009
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



-------- Original Message --------
Received:     from localhost (localhost.localdomain [127.0.0.1]) by 
mail.mydomain.net (Postfix) with ESMTP id 87DF93D400F for 
<mymail1@mydomain.net>; Thu, 29 Nov 2007 05:12:10 -0800 (PST)
X-Virus-Scanned:     amavisd-new at
X-Spam-Flag:     YES
X-Spam-Score:     10.395
X-Spam-Level:     **********
X-Spam-Status:     Yes, score=10.395 tagged_above=-10 required=4.8 
tests=[BAYES_99=6.5, DATE_IN_FUTURE_12_24=2.189, DEAR_SOMETHING=1.605, 
HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received:     from mail.mydomain.net ([127.0.0.1]) by localhost 
(mail.mydomain.net [127.0.0.1]) (amavisd-new, port 10024) with 
ESMTP id 97781pg0atym for <mymail1@mydomain.net>; Thu, 29 Nov 2007 
05:12:03 -0800 (PST)
Received:     from mail.mydomain.net (localhost.localdomain 
[127.0.0.1]) by mail.mydomain.net (Postfix) with ESMTP id 
CA7393D400E for <mymail1@mydomain.net>; Thu, 29 Nov 2007 05:12:02 
-0800 (PST)
Received:     from mydomain.com by mail.mydomain.net with POP3 
(fetchmail-6.3.2) for <mymail1@mydomain.net> (single-drop); Thu, 29 
Nov 2007 05:12:02 -0800 (PST)
Received:     from smtpgate1.pacific.net.sg ([203.120.90.31]) by 
mydomain.com for <mymail2@mydomain.com>; Thu, 29 Nov 2007 
05:09:17 -0800
Received:     (qmail 27611 invoked from network); 29 Nov 2007 13:09:16 -0000
Received:     from cm179.gamma182.maxonline.com.sg (HELO lenovo3000) 
(rizqim@202.156.182.179) by smtpgate1.pacific.net.sg with ESMTPA; 29 Nov 
2007 13:09:16 -0000
Message-ID:     <0c4401c83351$93a76d90$8f00a8c0@lenovo3000>
From:     Rizqi Makmur <rizqim@pacific.net.sg>
To:     <"Undisclosed-Recipient:;"@mydomain.com>
Subject:     CAT14G S/No. 96U08478 Yr : 1991
Date:     Fri, 30 Nov 2007 21:04:38 +0800
MIME-Version:     1.0
Content-Type:     multipart/alternative; 
boundary="----=_NextPart_000_0C41_01C83394.9E7EB6E0"
X-Priority:     3
X-MSMail-Priority:     Normal
X-Mailer:     Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE:     Produced By Microsoft MimeOLE V6.00.2900.3198

[Rich Graves]

Here's the step by step for running SA in debug mode from the command line. ZCS 4.5.10 includes SA 3.2.3. Other versions of ZCS might need another version of SA.

Create /opt/zimbra/conf/spamassassin/debug-bayes.cf described above.

curl -O http://apache.seekmeup.com/spamassas...n-3.2.3.tar.gz

tar zxf Mail-SpamAssassin-3.2.3.tar.gz Mail-SpamAssassin-3.2.3/spamassassin.raw

perl -i -pe 's|\@\@INSTALLSITELIB\@\@|/opt/zimbra/zimbramon/lib|g; s|\@\@DEF_RULES_DIR\@\@|/opt/zimbra/conf/spamassassin|g' Mail-SpamAssassin-3.2.3/spamassassin.raw

HOME=/opt/zimbra/amavisd sudo -u zimbra Mail-SpamAssassin-3.2.3/spamassassin.raw -D -t < original-rfc822-message-source.eml

[dwmtractor]

Since I'm not that familiar with SpamAssassin or its integration into Zimbra, a few questions before I try blindly to follow these instructions:

1) This looks like it is reinstalling a (more complete?) copy of SpamAssassin over the one that is in the Zimbra install. While I can certainly do a full backup & restore if I do this at night, it's a pain I'd like to avoid if I can. What, exactly, will this install change (besides grabbing a few more binaries) and does it in any way compromise the integration of SA and Zimbra?

2) I believe you said that the debug.cf should add additional lines to the message headers of an individual message. As I said in a previous post, I tried this and headers remained unchanged. Are you suggesting that it would be different with the install in (1)?

3) When running SA in debug mode as you have suggested, where do I look for output? At the command line, in a log file, in headers??

4) To pull a specific message through as you suggest, I need to know where individual messages are stored/named/identified in the Zimbra store. How do I reference a specific message (I'm guessing a combination of username and foldername like we use for zmtrainsa?) to pump it through SA?

5) If I do this after hours and take my server down to do it, is there any way with the way the software is installed in Zimbra, to start only the necessary SA processes (not all of Zimbra) so that I can restore my default installation when I'm done without losing any messages that come in while I'm testing? Alternatively, is there a way I could test the message without screwing up my production server (and I don't have an extra box to set up as a phantom server, I'm afraid)?

6) Has anyone tried to replicate the behavior I described in my last post?

[Rich Graves]

OK, starting from 10,000 feet:

For more theory on the tools involved, I suggest

sa-learn - train SpamAssassin's Bayesian classifier
spamassassin - simple front-end filtering script for SpamAssassin

SpamAssassin (henceforth SA) is a set of perl libraries. Zimbra puts *all* perl libraries in ~zimbra/zimbramon/lib, which in the case of SA doesn't make a lot of sense, but there it is. My guess of the history is that zimbramon started out as a home for the Swatch perl modules, and someone figured that it made sense to put other utility perl modules there, and it just sorta grew.

The canonical SpamAssassin distribution supports two ways to use the SA libraries. "spamassassin" (all lower case) is a small (< 1000 line) perl script that uses the SA libraries to process one message at a time. Historically, it was called from .procmailrc or somesuch. But forking a new process and loading all those libraries afresh for every new message is expensive, so nowadays, pretty much everyone uses the more efficient preforking spamd/spamc client-server architecture. spamassassin remains useful for one-off debugging, however.

ZCS uses neither spamassassin nor spamd/spamc. ZCS calls the SA libraries from the amavisd-new perl script, which until postfix started supporting sendmail's milter interface (still beta) was the best and easiest way to plug SA functionality into the delivery pipeline.

It is possible and (in my belief and personal experience) perfectly safe to use the spamassassin script with the ZCS-provided configuration. It's just another program using the same libraries and the same locking semantics.

The spamassassin script is nice for troubleshooting because it parses the config on the fly, without requiring you to restart amavisd or spamd, and you can interact directly with stdin/stderr/stdout. ZCS doesn't include the spamassassin script, but you can fetch and use *just that one file* from the upstream distribution.

"curl -O http://apache.seekmeup.com/spamassas...n-3.2.3.tar.gz" -- download the spamassassin distribution. For a list of mirrors go to SpamAssassin: Downloads

"tar zxf Mail-SpamAssassin-3.2.3.tar.gz Mail-SpamAssassin-3.2.3/spamassassin.raw" -- the second argument tells tar to unpack just that one file, not the whole tarball.

"perl -i -pe GOBBLEDZYGOOK" -- Um, that's an in-place edit to change a couple config parameters. Within the file spamassassin.raw, change all occurrences of @@INSTALLSITELIB@@ to /opt/zimbra/zimbramon/lib, and @@DEF_RULES_DIR@@ to /opt/zimbra/conf/spamassassin.

Decomposing the spamassassin command line:

"HOME=/opt/zimbra/amavisd" -- Set an environment variable telling SA where the Bayes databases and stuff are.

"sudo -u zimbra" -- needs to run as the Zimbra user.

"Mail-SpamAssassin-3.2.3/spamassassin.raw" -- where the script is, if you just unpacked it from the tarball as above.

"-D -t" -- Options to debut and append headers. Use --help for a lot more options.

" < original-rfc822-message-source.eml" -- The spamassassin script expects to get a message via standard input. This would be how to read an RFC822 message from a file. You can also simply copy-paste into a terminal from a "Show Original" window.

...and then you'll get a lot of gobbledygook.

Back to your questions:

1) No, you're just grabbing the spamassassin client script, nothing else. The ZCS installation of SA is used unmodified.

2) Yeah, amavisd does a clear_headers and won't pass the X-Spammy/X-Spammy stuff. But if you're running spamassasin interactively, here's an example of what you might see:

X-Spam-Bayes: Tokens: new, 4; hammy, 3; neutral, 6; spammy, 2.
X-Spam-Hammy: 0.000-1--83h-0s--0d--H*F:U*rgraves,
0.112-1451--919736h-3278s--0d--H*F*carleton.edu,
0.135-745--1008852h-4442s--0d--H*F*edu
X-Spam-Spammy: 0.998-5293--51h-829s--0d--******,
0.985-84--7h-14s--0d--enlargement

The Spammy: bits are fairly obvious. This tells you that "******" and "enlargement" are high-confidence (> 98%) indicators of spamminess. But SpamAssassin also weighs header tokens, stored with prefixes like H*F:U* that mean nothing to the uninitiated. What the above means is that messages with "rgraves" in the username part of the From: address are very likely ham. Then you see that our site has 1,008,852 ham and 4,442 spam messages from .edu addresses, so a *.edu address is a very good indicator of non-spamminess. So I send a message to myself with spammy body, and in the end it rates BAYES_50. You probably have something similar going on.

*DO NOT* worry if Bayes is going the "wrong way." Yes, it is "bad" if spammers can get bayes points simply by spoofing your From: line. But there are lots of other SA rules that discourage that. Bayes is intended to throw some experiential learning into the mix, not to be "the answer."

3) Output goes to stdout/stderr. Especially with -D, you probably want to tee to a file.

4) "Show Original" will suffice; you don't need to trace to the filesystem (though I too would be curious how to do that; I've sometimes done a grep -r of the user's blobs in /opt/zimbra/backup). Log on to https://server:7071/; View Mail for your "spam-XXXX" and "ham-YYYY" users; and "Show Original" for a few messages to get a better idea of how SA is rating things.

5) Forget my previous suggestion of restarting amavisd. Leave amavisd completely alone; it will continue running with the SA config as of boot time. Just remove the debug.cf or whatever when done fiddling with the spamassassin command line.

6) I'd expect that your Bayes database has seen more ham than spam from klanknan@charter.net to your local user. So it's natural for the Bayes db to give mail from klanknan@charter.net some positive boost, just in case they ever start talking about the economic situation in Nigeria. Bayes *should* mellow false positives like that.

Your user's fundamental problems are the odd forwarding From: line and the fetchmail hop. If you can get a normal flat forward from charter that leaves the original From: line intact, then the Bayes engine will behave more as you think it "should."

Btw, another good thing to know: when you hit the ZWC "Junk" or "Not Junk" buttons, this has precisely ***ZERO*** immediate effect. The mail is merely forwarded to the spam-XXXX or ham-YYYY account on your Zimbra server. The zmtrainsa program referenced from zimbra's crontab uses the contents of these accounts to train the Bayes database in nightly batches.