Bug 99408 - spamassassin fails to detect MS executables
Summary: spamassassin fails to detect MS executables
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: spamassassin
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Chip Turner
Reported: 2003-07-18 19:09 UTC by Piet E Barber
Modified: 2007-04-18 16:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-02-28 22:31:34 UTC
Embargoed:


Attachments
patch to detect application/x-msdownload attachments (728 bytes, patch)
2003-07-18 19:13 UTC, Piet E Barber

Description Piet E Barber 2003-07-18 19:09:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701

Description of problem:
It appears that certain types of e-mail viruses including Windows file executables
(specifically, with the content-type of "application/x-msdownload") are getting
through the SpamAssassin content checking unscathed.

Version-Release number of selected component (if applicable):
spamassassin-2.44-11.8.x

How reproducible:
Always

Steps to Reproduce:
1. Send a Sobig virus e-mail (I think this is the type of virus that was sent
to me)
2. Watch SpamAssassin NOT tag it with MICROSOFT_EXECUTABLE, as it should have.

    

Actual Results:  The message passed the spam assassin checks as a false
negative. The x-spam status reads: 

X-Spam-Status: No, hits=1.7 required=5.0
        tests=MISSING_HEADERS,RESENT_TO,SPAM_PHRASE_00_01
        version=2.44


Expected Results:  I should have seen it flagged as spam: 

X-Spam-Status: Yes, hits=11.6 required=5.0
        tests=MICROSOFT_EXECUTABLE,MISSING_HEADERS,RESENT_TO,
              SPAM_PHRASE_00_01
        version=2.44
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 2.44 (1.115.2.24-2003-01-30-exp)
X-Spam-Prev-Content-Type: multipart/mixed;
    boundary="----------O7B04P869TLF5U"
                                                                                
SPAM: -------------------- Start SpamAssassin results 
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (11.60 hits, 5 required)
SPAM: RESENT_TO          (-0.2 points) Found a Resent-To header
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01
(low)
SPAM: MICROSOFT_EXECUTABLE (10.0 points) RAW: Message includes Microsoft
executable program
SPAM: MISSING_HEADERS    (1.0 points)  Missing To: header
SPAM:
SPAM: -------------------- End of SpamAssassin results                         
                                                       


Additional info:

I had to set the /etc/mail/spamassassin/local.cf to score these as 10 points in
order for it to get flagged as spam.  The point of the bug report is to fix the
Eval to catch application/x-msdownload attachments. 

I have found the Perl code that needs fixing.  I will be attaching a patch.

Comment 1 Piet E Barber 2003-07-18 19:13:28 UTC
Created attachment 93009
patch to detect application/x-msdownload attachments

This patch changes
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm to detect
attachments with the content-type of 'application/x-msdownload'

This will allow SpamAssassin to correctly detect the newest type of e-mail
viruses going around.
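
The check this report asks for, shown as an added example in Python rather than SpamAssassin's Perl; it is not the attached patch and not SpamAssassin code. The function name, the second content type, the extension list and the sample message are assumptions constructed for illustration, and the filename check goes beyond the content-type case the report describes.

```python
from email import message_from_string

# application/x-msdownload is the type named in this report; the second
# entry is an assumed addition for illustration.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
# Assumed list of executable filename extensions (not from the report).
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat")

def find_executable_parts(raw_message):
    """Return (content_type, filename, reason) for each suspicious MIME part."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()       # lower-cased, parameters stripped
        filename = part.get_filename() or ""  # falls back to the name= parameter
        if ctype in EXECUTABLE_TYPES:
            findings.append((ctype, filename, "content-type"))
        elif filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append((ctype, filename, "filename"))
    return findings

# Constructed sample message; the attachment bodies are harmless placeholders.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See the attached file for details.
--BOUNDARY
Content-Type: Application/X-MSDownload; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--BOUNDARY
Content-Type: application/octet-stream; name="notes.SCR"
Content-Disposition: attachment; filename="notes.SCR"

placeholder
--BOUNDARY--
"""

if __name__ == "__main__":
    for finding in find_executable_parts(SAMPLE):
        print(finding)
```

Matching on the parsed, lower-cased content type rather than the raw header text keeps mixed-case or parameter-laden Content-Type lines from slipping past the check.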

Comment 2 Warren Togami 2004-02-28 22:31:34 UTC
Please test if this is still an issue with rawhide's latest
spamassassin.  If it is still problematic, then you need to talk to
the upstream spamassassin.org developers and get them to merge this
functionality.  They will determine if it is safe to do so in this way
or not.

