Bug 99408 - spamassassin fails to detect MS executables
Status: CLOSED UPSTREAM
Product: Red Hat Linux
Classification: Retired
Component: spamassassin
Version: 9
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Chip Turner
Reported: 2003-07-18 15:09 EDT by Piet E Barber
Modified: 2007-04-18 12:55 EDT
Doc Type: Bug Fix
Last Closed: 2004-02-28 17:31:34 EST

Attachments
patch to detect application/x-msdownload attachments (728 bytes, patch)
2003-07-18 15:13 EDT, Piet E Barber

Description Piet E Barber 2003-07-18 15:09:26 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701

Description of problem:
It appears that certain types of e-mail viruses including Windows file executables
(specifically, with the content-type of "application/x-msdownload") are getting
through the spam assassin content checking unscathed.

Version-Release number of selected component (if applicable):
spamassassin-2.44-11.8.x

How reproducible:
Always

Steps to Reproduce:
1. Send a Sobig virus e-mail (I think this is the type of virus that was sent
to me)
2. Watch spam assassin NOT tag it with MICROSOFT_EXECUTABLE, as it should have.

    

Actual Results:  The message passed the spam assassin checks as a false
negative. The x-spam status reads: 

X-Spam-Status: No, hits=1.7 required=5.0
        tests=MISSING_HEADERS,RESENT_TO,SPAM_PHRASE_00_01
        version=2.44


Expected Results:  I should have seen it flagged as spam: 

X-Spam-Status: Yes, hits=11.6 required=5.0
        tests=MICROSOFT_EXECUTABLE,MISSING_HEADERS,RESENT_TO,
              SPAM_PHRASE_00_01
        version=2.44
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 2.44 (1.115.2.24-2003-01-30-exp)
X-Spam-Prev-Content-Type: multipart/mixed;
    boundary="----------O7B04P869TLF5U"
                                                                                
SPAM: -------------------- Start SpamAssassin results 
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (11.60 hits, 5 required)
SPAM: RESENT_TO          (-0.2 points) Found a Resent-To header
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01 (low)
SPAM: MICROSOFT_EXECUTABLE (10.0 points) RAW: Message includes Microsoft executable program
SPAM: MISSING_HEADERS    (1.0 points)  Missing To: header
SPAM:
SPAM: -------------------- End of SpamAssassin results                         
                                                       


Additional info:

I had to set the /etc/mail/spamassassin/local.cf to score these as 10 points in
order for it to get flagged as spam.  The point of the bug report is to fix the
Eval to catch application/x-msdownload attachments. 

I have found the perl code that needs fixing.  I will be attaching a patch.
Comment 1 Piet E Barber 2003-07-18 15:13:28 EDT
Created attachment 93009
patch to detect application/x-msdownload attachments

This patch changes
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm to detect
attachments with the content-type of 'application/x-msdownload'

This will allow spam assassin to correctly detect the newest type of e-mail
viruses going around.
Comment 2 Warren Togami 2004-02-28 17:31:34 EST
Please test if this is still an issue with rawhide's latest
spamassassin.  If it is still problematic, then you need to talk to
the upstream spamassassin.org developers and get them to merge this
functionality.  They will determine if it is safe to do so in this way
or not.
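
The following Python example is added here for illustration; it is not the attached patch and not SpamAssassin's EvalTests.pm logic. It flags MIME parts by the application/x-msdownload content type from the report and, going beyond the report, by file extension and by the MZ header of the decoded body, because the Content-Type label is chosen by the sender. The function names, the type and extension lists and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.message import EmailMessage

# Content types used for Windows executables; the report's case is x-msdownload.
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program",
              "application/x-dosexec"}
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Constructed stand-in for an attachment body: MZ magic plus padding, not a program.
STUB = b"MZ\x90\x00" + b"\x00" * 60


def executable_reasons(raw_message):
    """Return (filename, reason) pairs for parts that look like Windows executables."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()  # lower-cased, parameters stripped
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if ctype in EXEC_TYPES:
            hits.append((name, "content-type " + ctype))
        if name.endswith(EXEC_EXTS):
            hits.append((name, "file extension"))
        if body[:2] == b"MZ":
            hits.append((name, "MZ header in decoded body"))
    return hits


def build_sample(ctype, filename, data):
    """Build a constructed two-part test message carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file.")
    maintype, subtype = ctype.split("/")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    samples = [("application/x-msdownload", "details.pif", STUB),
               ("application/octet-stream", "notes.txt", STUB),  # mislabelled
               ("application/pdf", "report.pdf", b"%PDF-1.4 constructed")]
    for ctype, filename, data in samples:
        print(filename, executable_reasons(build_sample(ctype, filename, data)))
```

The second sample shows why a content-type match alone is brittle: the same bytes relabelled as application/octet-stream with a .txt name are caught only by the MZ check.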
