spamassassin-users mailing list archives

From Kris Deugau <kdeu...@vianet.ca>
Subject Re: FUZZY_XPILL FP hitting all Travelodge emails
Date Thu, 05 Apr 2018 13:59:15 GMT
Alex wrote:

> We're also seeing it hit mailer-daemon emails.
> 
> https://pastebin.com/raw/UXnzEN8U
> 
> This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
> and when I re-ran it here locally, FUZZY_DR_OZ.
> 
> The problem is that it's hitting on the mime attachments which are
> apparently treated as body text in mailer-daemon emails.
> 
> ran body rule FUZZY_AMBIEN ======> got hit: "GRm8iEn"
> ran body rule __FUZZY_DR_OZ ======> got hit: "DGCGS+"
> ran body rule FUZZY_XPILL ======> got hit: "xxgnoX"

If you look closely I expect you'll find that those are "poorly
formatted" postmaster notices; i.e., any content from the original
message is NOT actually wrapped up in a separate MIME part, it's just
another blob of text stuffed in beside the actual postmaster notice info.

From the pastebin:

> Hi. This is the qmail-send program

... yep.  qmail is one of the MTAs that deliberately breaks MIME 
layering in its notices.

-kgd
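
The difference described in the message above, as an added example that is not part of the original post or of SpamAssassin: a qmail-style notice with the original pasted in as plain text is compared with a bounce that wraps the original in its own MIME part, using Python's `email` parser. The rule regex, the base64 blob, the addresses and both sample bounces are constructed for illustration; `DEMO_RULE` is a stand-in and not the real FUZZY_XPILL pattern.

```python
import re
from email import message_from_string

# Stand-in for a fuzzy body rule. Assumption: this is NOT the real FUZZY_XPILL regex.
DEMO_RULE = re.compile(r"xxgnox", re.I)

# Constructed base64 text (valid, decodes to 27 bytes) containing "xxgnoX" by chance.
BLOB = "AAAAxxgnoXAA" * 3

ORIGINAL = (  # constructed original message carrying a base64 attachment
    "From: sender@example.com\nSubject: report\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="orig"\n\n'
    "--orig\nContent-Type: text/plain\n\nSee attached.\n"
    "--orig\nContent-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n\n" + BLOB + "\n--orig--\n"
)

# Constructed qmail-style notice: no MIME structure, original pasted in as text.
QMAIL_STYLE = (
    "From: MAILER-DAEMON@mx.example.org\nSubject: failure notice\n\n"
    "Hi. This is the qmail-send program\n\n"
    "--- Below this line is a copy of the message.\n\n" + ORIGINAL
)

# Constructed, simplified MIME bounce: original wrapped in its own message/rfc822 part.
MIME_BOUNCE = (
    "From: MAILER-DAEMON@mx.example.org\nSubject: Undelivered Mail\n"
    'MIME-Version: 1.0\nContent-Type: multipart/report; boundary="dsn"\n\n'
    "--dsn\nContent-Type: text/plain\n\nDelivery failed.\n"
    "--dsn\nContent-Type: message/rfc822\n\n" + ORIGINAL + "--dsn--\n"
)


def scannable_text(raw):
    """Return the decoded text/* parts, i.e. what a MIME-aware body scan sees."""
    texts = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            texts.append(part.get_payload(decode=True).decode("ascii", "replace"))
    return "\n".join(texts)


def rule_hits(raw):
    """Run the stand-in rule over the scannable text and return the matches."""
    return DEMO_RULE.findall(scannable_text(raw))


if __name__ == "__main__":
    print("qmail-style:", rule_hits(QMAIL_STYLE))
    print("MIME bounce:", rule_hits(MIME_BOUNCE))
```

In the qmail-style notice the attachment's base64 lines are part of the single text/plain body, so the rule matches inside them; in the MIME bounce the same bytes sit in an `application/octet-stream` part that a text-only scan never reads.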
