Bug 99408 - spamassassin fails to detect MS executables
Summary: spamassassin fails to detect MS executables
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: spamassassin
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Chip Turner
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2003-07-18 19:09 UTC by Piet E Barber
Modified: 2007-04-18 16:55 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2004-02-28 22:31:34 UTC

Attachments (Terms of Use)
patch to detect application/x-msdownload attachments (728 bytes, patch)
2003-07-18 19:13 UTC, Piet E Barber
no flags Details | Diff

Description Piet E Barber 2003-07-18 19:09:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701

Description of problem:
It appears that certain types of e-mail virii including windows file executables
(specifically, with the content-type of "application/x-msdownload") are getting
through the spam assassin content checking unscathed. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Send a sobig virus e-mail  (I think this is the type of virus that was sent
to me)
2. Watch spam assassin NOT tag it with MICROSOFT_EXECUTABLE, as it should have. 


Actual Results:  The message passed the spam assassin checks as a false
negative. The x-spam status reads: 

X-Spam-Status: No, hits=1.7 required=5.0

Expected Results:  I should have seen it flagged as spam: 

X-Spam-Status: Yes, hits=11.6 required=5.0
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 2.44 (
X-Spam-Prev-Content-Type: multipart/mixed;
SPAM: -------------------- Start SpamAssassin results 
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM: Content analysis details:   (11.60 hits, 5 required)
SPAM: RESENT_TO          (-0.2 points) Found a Resent-To header
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01
SPAM: MICROSOFT_EXECUTABLE (10.0 points) RAW: Message includes Microsoft
executable program
SPAM: MISSING_HEADERS    (1.0 points)  Missing To: header
SPAM: -------------------- End of SpamAssassin results                         

Additional info:

I had to set the /etc/mail/spamassassin/local.cf to score these as 10 points in
order for it to get flagged as spam.  The point of the bug report is to fix the
Eval to catch application/x-msdownload attachments. 

I have found the perl code that needs fixing.  I will be attaching a patch.

Comment 1 Piet E Barber 2003-07-18 19:13:28 UTC
Created attachment 93009 [details]
patch to detect application/x-msdownload attachments

This patch changes
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm to detect
attachemnts with the content-type of 'application/x-msdownload'

This will allow spam assassin to correctly detect the newest type of e-mail
virii going around.

Comment 2 Warren Togami 2004-02-28 22:31:34 UTC
Please test if this is still an issue with rawhide's latest
spamassassin.  If it is still problematic, then you need to talk to
the upstream spamassassin.org developers and get them to merge this
functionality.  They will determine if it is safe to do so in this way
or not.

Note You need to log in before you can comment on or make changes to this bug.