Red Hat Bugzilla – Bug 99408
spamassassin fails to detect MS executables
Last modified: 2007-04-18 12:55:45 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701
Description of problem:
It appears that certain types of e-mail virii including windows file executables
(specifically, with the content-type of "application/x-msdownload") are getting
through the spam assassin content checking unscathed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Send a sobig virus e-mail (I think this is the type of virus that was sent
2. Watch spam assassin NOT tag it with MICROSOFT_EXECUTABLE, as it should have.
Actual Results: The message passed the spam assassin checks as a false
negative. The x-spam status reads:
X-Spam-Status: No, hits=1.7 required=5.0
Expected Results: I should have seen it flagged as spam:
X-Spam-Status: Yes, hits=11.6 required=5.0
X-Spam-Checker-Version: SpamAssassin 2.44 (220.127.116.11-2003-01-30-exp)
SPAM: -------------------- Start SpamAssassin results
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM: Content analysis details: (11.60 hits, 5 required)
SPAM: RESENT_TO (-0.2 points) Found a Resent-To header
SPAM: SPAM_PHRASE_00_01 (0.8 points) BODY: Spam phrases score is 00 to 01
SPAM: MICROSOFT_EXECUTABLE (10.0 points) RAW: Message includes Microsoft
SPAM: MISSING_HEADERS (1.0 points) Missing To: header
SPAM: -------------------- End of SpamAssassin results
I had to set the /etc/mail/spamassassin/local.cf to score these as 10 points in
order for it to get flagged as spam. The point of the bug report is to fix the
Eval to catch application/x-msdownload attachments.
I have found the perl code that needs fixing. I will be attaching a patch.
Created attachment 93009 [details]
patch to detect application/x-msdownload attachments
This patch changes
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm to detect
attachemnts with the content-type of 'application/x-msdownload'
This will allow spam assassin to correctly detect the newest type of e-mail
virii going around.
Please test if this is still an issue with rawhide's latest
spamassassin. If it is still problematic, then you need to talk to
the upstream spamassassin.org developers and get them to merge this
functionality. They will determine if it is safe to do so in this way