Page 1 of 2 12 LastLast
Results 1 to 10 of 13
  1. #1
    Master Untangler scot1967's Avatar
    Join Date
    Jan 2008
    Posts
    293

    Question An image file causes spam quarantine?

I have an image file of a shipping document a user is sending to a client company. I am filtering spam outbound on my network with no exceptions made, so all systems sending email are scanned.

I can send this message with only the embedded image (no other text) and a generic subject, same deal. If the image is replaced with a similar-sized image of the same type (say a Dilbert cartoon) it goes through fine.

    I do have the spam threshold set to (Very High 3.3). The messages are quarantined with a spam score of between 4.6 and 6.2 depending on how the message is changed. Sent as is, it's a 6.2, stripping all but the image out it's a 4.6.

    I could change the threshold but even at the medium level it is still going to get quarantined.

    Any Ideas?

Stock bridged install, no enhancements at all:

    Summary:
    UID: d977-2981-d9d7-6a86
    Build: 7.0.1~svn20091019r24846release7.0-1lenny

    Java: 1.6.0_12
    Last edited by scot1967; 12-21-2009 at 01:19 PM.
    PCMonk
    Keeping the network safe one obsessive compulsive quirk at a time.

  2. #2
    Master Untangler scot1967's Avatar
    Join Date
    Jan 2008
    Posts
    293

    Question Mondo Bizaro...

    If I resize the image just a few pixels it does not trip the filter.

    What's up?
    PCMonk
    Keeping the network safe one obsessive compulsive quirk at a time.

  3. #3
    Untangle Ninja juank's Avatar
    Join Date
    Aug 2007
    Location
    Athens
    Posts
    1,413

    Default

    Add the spam headers and resend it again... Post the headers here to analyze them.
    --------------------------------
    Juan Machado
    --------------------------------

  4. #4
    Master Untangler scot1967's Avatar
    Join Date
    Jan 2008
    Posts
    293

    Default Spam headers

    Quote Originally Posted by juank View Post
    Add the spam headers and resend it again... Post the headers here to analyze them.
    Here are the headers on a message I released from the Quarantine... I just started an upgrade to 7.1 before I saw your response. That should muddy the waters or correct the issue.

    X-Apparently-To: scot1967@******.net via 67.195.8.97; Mon, 21 Dec 2009 13:38:15 -0800
    X-YMailISG: q.jA5SYWLDtM7cE2VWwmF3zSSZUCY90E1_.AQcJltvfgGsK4jxjZg75Fp4UgzWsLNyogO1vChvDBWhpwyVLx5GYrqbeYrcZlb3MZsJz43_w0r2_mywFj5UvdRQYN.zWCLJ4VDN0EA1BvqB974wVJsd8w4xjFa3ziKNgyFBvv5ve0Q6Loecfj7Y7amOrgMDTm6wulgbydNn7tQNmz5EW42ZKroqAERRCdPsLPHgbg52QHZqefDRYAy3WsSyNKG5VbgoqgyGN18O97ZR1SSEvBFQghkmiHhwwqscG1.qK0U8TAdh4YLWWCh34q8uaa3gEAhkCLGjnAFaVi_TRBpr21QRXzrTIvhvoRdPDilpLmba.mWkle_aZr3EJnaCEMh_ImSljxfYqyMH.feQL1ICie.sIv
    X-Originating-IP: [**.***.145.251]
    Authentication-Results: mta144.***.mail.mud.****.com from=********.com; domainkeys=neutral (no sig); from=********.com; dkim=neutral (no sig)
    Received: from **.***.145.251 (EHLO flpd122.prodigy.net) (207.115.20.132)
    by mta144.***.mail.mud.****.com with SMTP; Mon, 21 Dec 2009 13:38:15 -0800
    X-Originating-IP: [**.***.145.251]
    Received: from mail.********.com (mail.*********.com [**.***.145.251])
    by flpd122.prodigy.net (8.13.8 inb ipv6 jeff0203/8.13.8) with ESMTP id nBLLc1Le001747
    for <scot1967@*******.net>; Mon, 21 Dec 2009 13:38:12 -0800
    Received: from untangle.****.*** ([192.168.***.***]) by mail.********.com with Microsoft SMTPSVC(************);
    Mon, 21 Dec 2009 15:38:01 -0600
    Received: from localhost ([127.0.0.1])
    by untangle.******.*** with esmtp (Exim 4.69)
    (envelope-from <untangle@*******.***>)
    id 1NMpx3-0005zu-Ke
    for scot1967@*******.net; Mon, 21 Dec 2009 15:38:01 -0600
    Received: from mail.********.com (***.*****.**** [192.168.***.***])
    (envelope-from <scotth@******.com>)
    by ***************************************************************************************************; Mon, 21 Dec 2009 15:25:34 -0600
    Content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----_=_NextPart_001_01CA8284.2146C702"
    Subject: test 17
    X-MimeOLE: Produced By Microsoft Exchange V*********
    Date: Mon, 21 Dec 2009 15:25:33 -0600
    Message-ID: <B9BAF13384BCCB498FB2C1C4A66A4691340C87@***.****.***>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: test 17
    thread-index: AcqChCD5TK9dpwo+SHmurAPuR7hGSw==
    From: "Scott Holmes" <scotth@***********.com>
    To: <scot1967@******.net>
    X-Mailer: UVM MailSender
    X-OriginalArrivalTime: 21 Dec 2009 21:38:01.0707 (UTC) FILETIME=[DF0023B0:01CA8285]
    X-EsetId: 721C6D27B746B1132258
    X-EsetScannerBuild: 6221
    PCMonk
    Keeping the network safe one obsessive compulsive quirk at a time.

  5. #5
    Master Untangler scot1967's Avatar
    Join Date
    Jan 2008
    Posts
    293

    Arrow A better header output...

I set UT to mark instead of quarantine. This gives the data we are looking for. The upgrade to 7.1 did not help. I also rebooted after the update (unneeded), but better to try everything.

    X-Apparently-To: scot1967@******.net via 67.195.8.101; Mon, 21 Dec 2009 15:08:32 -0800
    X-YahooFilteredBulk: **.**.145.251
    X-YMailISG: dWVczYcWLDtCQo5uvwXPV.UhjatUdPHbu7ADNzez13K0UrDht7Zd6rN8bF7b_h8Yo4JGyfSyBry2XYB_NXp9DeC2WvVnKoeB4wq1TELZ.MF7Iqj_xjug2QzqvP.60KtMHAGLyycu7JL5vN6gdEZG6jCFpjS20z7DOxJ7gCVkBX27RqUuBwSq634p1PwRnUjquWjrdOc2xfr_Wha.sLF7ae_Nr2eO09V8SmGsSgz_15edVh4SEoJjYfIpw7pnlNMplyoJLdjJ0j9s19GnKRn0iCgOci3YBRkj0I8rBBXq4HjIWcUXUKQ.ZLvPenSvERfYKeby9qfnkwu0iqCsAp2Mtmm7RIYBEDP40eWeuxczJy3NmID5Xtiz
    X-Originating-IP: [**.**.145.251]
    Authentication-Results: mta110.sbc.mail.mud.yahoo.com from=***************.com; domainkeys=neutral (no sig); from=******************.com; dkim=neutral (no sig)
    Received: from 207.115.36.155 (EHLO nlpi141.prodigy.net) (207.115.36.155)
    by mta110.sbc.mail.mud.yahoo.com with SMTP; Mon, 21 Dec 2009 15:08:32 -0800
    X-Originating-IP: [**.**.145.251]
    Received: from mail.*****************.com (mail.************.com [**.**.145.251])
    by nlpi141.prodigy.net (8.13.8 inb ipv6 jeff0203/8.13.8) with ESMTP id nBLN8Sw7029483
    for <scot1967@******.net>; Mon, 21 Dec 2009 17:08:28 -0600
    Content-class: urn:content-classes:message
    MIME-Version: 1.0
    Subject: [SPAM] Test 24
    X-MimeOLE: Produced By Microsoft Exchange V***********
    Date: Mon, 21 Dec 2009 17:08:27 -0600
    Message-ID: <B9BAF13384BCCB498FB2C1C4A66A4691340CA4@***.****.lan>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: Test 24
    thread-index: AcqCkoEHGKij8Q3WS2m6FrWCdkBltQ==
    From: "Scott Holmes" <scotth@*****************.com>
    To: <scot1967@******.net>
    X-spam-status: Yes, score=5.1 required=3.3 tests=EXTRA_MPART_TYPE,HTML_MESSAGE,HTML_IMAGE_RATIO_02,BAYES_00,FUZZY_OCR_KNOWN_HASH,AWL
    X-Spam-Flag: YES

    Content-Type: multipart/mixed; boundary=----26424716_060105_1261436910704
    Content-Transfer-Encoding: 7bit
    X-EsetId: 721C6D27B746B1132258
    X-EsetScannerBuild: 6221
    PCMonk
    Keeping the network safe one obsessive compulsive quirk at a time.

  6. #6
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,022

    Default

    EXTRA_MPART_TYPE,
    HTML_MESSAGE,
    HTML_IMAGE_RATIO_02,
    BAYES_00,
    FUZZY_OCR_KNOWN_HASH,
    AWL

    Your message got a little bit added to the spam score based on each test it failed (which are listed).

3.3 is a very low threshold; you are guaranteed to get false positives at that point.
    m.
Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.
It often helps troubleshooting if you have a good network map. Look here (http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html) if you want my advice on how to draw one.
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
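The X-spam-status line posted in #5 is the whole story: SpamAssassin sums the per-rule scores of every test listed, and Untangle tags the message once that sum reaches the "required" value. The small parser below, added here as an example and not code from the thread or from Untangle, pulls the score, the threshold and the rule list out of that header (unfolding it first, since real headers are wrapped), reports which rules are image-related (HTML_IMAGE_RATIO_02 and FUZZY_OCR_KNOWN_HASH here), and shows at which alternative thresholds the same message would have been tagged. The sample header is copied from #5; the alternative threshold values in the usage call are made-up inputs, not Untangle's named strength levels.

```python
import re

# Constructed sample: the marked (not quarantined) header from post #5,
# copied as posted. Only the header line itself is used.
SAMPLE_HEADER = (
    "X-spam-status: Yes, score=5.1 required=3.3 "
    "tests=EXTRA_MPART_TYPE,HTML_MESSAGE,HTML_IMAGE_RATIO_02,"
    "BAYES_00,FUZZY_OCR_KNOWN_HASH,AWL"
)

# SpamAssassin's X-Spam-Status layout: "<Yes|No>, score=<n> required=<n> tests=<a,b,c> ..."
_STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<flag>Yes|No),\s*"
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)"
    r"(?:\s+tests=(?P<tests>\S*))?",
    re.IGNORECASE,
)


def unfold(header):
    """Join RFC 5322 folded continuation lines (newline + whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def parse_spam_status(header):
    """Return flag, score, required threshold and the list of rules that fired."""
    m = _STATUS_RE.match(unfold(header))
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = [t for t in (m.group("tests") or "").split(",") if t]
    return {
        "flag": m.group("flag").lower() == "yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def image_rules(status):
    """Rules whose names show they were driven by the embedded image:
    FuzzyOcr's FUZZY_OCR_* rules and the HTML_IMAGE_* ratio rules."""
    return [t for t in status["tests"]
            if t.startswith("FUZZY_OCR") or t.startswith("HTML_IMAGE")]


def is_tagged(status, threshold):
    """SpamAssassin tags when score >= required, so equality still tags."""
    return status["score"] >= threshold


def threshold_verdicts(status, thresholds):
    """Map each candidate threshold to whether this message would be tagged there."""
    return {th: is_tagged(status, th) for th in thresholds}


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_HEADER)
    print("tagged:", status["flag"], "score:", status["score"], "required:", status["required"])
    print("image-related rules:", image_rules(status))
    # Hypothetical thresholds, chosen only to show where the 5.1 message flips.
    for th, tagged in threshold_verdicts(status, [3.3, 5.0, 5.1, 5.2, 7.0]).items():
        print(f"threshold {th}: {'tagged' if tagged else 'passes'}")
```

Run it against the header of any message you release from quarantine (set Untangle to "Mark" first, as done in #5, so the header is actually written). If the only image-related rules are the two above, the score is being driven by what the image looks like, not by the sender or the text, which is exactly what the resize experiment in #2 and #8 suggests.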

  7. #7
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    FUZZY OCR (optical character resolution) is matching something in the image.

    what words are in your image? does it talk about viagra?

    probably the easiest is to passlist the sender
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  8. #8
    Master Untangler scot1967's Avatar
    Join Date
    Jan 2008
    Posts
    293

    Default

    Quote Originally Posted by dmorris View Post
    FUZZY OCR (optical character resolution) is matching something in the image.

    what words are in your image? does it talk about viagra?

    probably the easiest is to passlist the sender
    As for the image, it is nothing special, just a scan of a text doc with numbers in it and a few column headings. I have changed the image by blanking out most of the image and it still trips the filter. If I blank the entire image it passes and if I scale the image down it passes.

As for the threshold setting, in this case I would have to go to at least medium or low for this to pass.

Safelisting the sender is not an option either. This allows spoofed email from the internet to be sent to the user. We always have issues with that type of spam.

    Odd thing here is the usual destination address for this email is on the safelist and it is being ignored.
    PCMonk
    Keeping the network safe one obsessive compulsive quirk at a time.

  9. #9
    Master Untangler scot1967's Avatar
    Join Date
    Jan 2008
    Posts
    293

    Default Suspect image

    Just for clarity, this is in an outbound message. It is creating a quarantine folder in Untangle using the destination address not the source. So, it creates a quarantine folder like user@otherdomain.com and then tries to send the quarantine digest there (is this normal?).

    PCMonk
    Keeping the network safe one obsessive compulsive quirk at a time.

  10. #10
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,371

    Default

If you use an internal SMTP mail server, you can disable the outbound spam filter and create a rule to block port 25, allowing only ip_of_smtp_internal to pass.

