eFa Helper scripts

pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

eFa Helper scripts

Post by pdwalker »

This is for those of you who like the command line: I have a couple of helper scripts that make my life a little easier.

Using this message as an example:
The following e-mails were found to have: Virus Detected

Sender: tpic831001@pec.istruzione.it
IP Address: 67.219.246.44
Recipient: poorvictim@example.com
Subject: Re: Salary [$1700 /week]
MessageID: 49Wvts68fLzMt7SX
Quarantine: /var/spool/MailScanner/quarantine/20200527/49Wvts68fLzMt7SX
Report: Clamd: msg-14193-22.html was infected: Porcupine.Junk.38714.UNOFFICIAL

1) decode for when you want to know what the virus is:
[admin@efa4 bin]$ ./decode Porcupine.Junk.38714
==>
[porcupine.ndb] Porcupine.Junk.38714:3:*:706572736F6E6E656C206D616E61676572206F662061206C6172676520696E7465726E6174696F6E616C20636F6D70616E79*6F666665722C20706C656173652076697369742068747470
<==
VIRUS NAME: Porcupine.Junk.38714
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
personnel manager of a large international company{WILDCARD_ANY_STRING}offer, please visit http
2) viewmsg for when you want to see what the message is
[admin@efa4 bin]$ ./viewmsg 49Wvts68fLzMt7SX

(message displays under "less")
3) Have you updated your spamassassin rulesets? Have you marked a message as spam? Do you want to know how a message will now be scored? Are you too lazy to remember the command yourself (I am!)? Then spamtest is for you:
[admin@efa4 bin]$ ./spamtest 49Wvts68fLzMt7SX

(great amounts of spamassassin debug output omitted - press G to go to the very end)

Spam detection software, running on the system "efa4.local",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Hello! My name is Carissa, I am the personnel manager of a
Large International Company. We are looking for employees working remotely.
Most of the work you can do from home, that is, at a distance.

Content analysis details: (24.3 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
blocklist
[URIs: t500track5.com]
1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: t500track5.com]
2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
blocklist
[URIs: t500track5.com]
3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[180.180.86.151 listed in zen.spamhaus.org]
4.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.0000]
2.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.0000]
3.0 ML_SPAMINFO_EXISTS Messagelabs added a X-SpamInfo flag and
thinks it is spam
0.0 SPF_NONE SPF: sender does not publish an SPF Record
1.9 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.3 DIGEST_MULTIPLE Message hits more than one network digest check
0.0 MXPF_TEST test don't change anything
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
0.0 RCVD_IN_MSPIKE_ZBI No description available.
-0.4 TXREP TXREP: Score normalizing based on sender's reputation
They are just simple batch scripts. I present them as is without any guarantee that they won't destroy your computer, home and family life. In fact, I'm pretty sure that one of the previous bugs started WWII by accident.

decode

#!/bin/bash
# Look up a ClamAV signature by name and print it raw, then decoded
# Usage: ./decode <signature name>

SIG="$1"
[ -z "$SIG" ] && { echo "usage: $0 <signature name>" >&2; exit 1; }

echo "==>"
sigtool --find-sigs "$SIG"

echo "<=="
sigtool --find-sigs "$SIG" | sigtool --decode-sigs

viewmsg

#!/bin/bash
# View a quarantined message by the MessageID shown in the eFa report
# Usage: ./viewmsg <MessageID>

MSG="$1"
[ -z "$MSG" ] && { echo "usage: $0 <MessageID>" >&2; exit 1; }

DIR=/var/spool/MailScanner/quarantine/

# The quarantine is laid out as <date>/<id>, so search for the ID by name
FILE=$(find "$DIR" -name "$MSG" -print)

if [ -f "$FILE/message" ] ; then
        echo "viewing $FILE/message"
        less "$FILE/message"
elif [ -f "$FILE" ] ; then
        echo "viewing $FILE"
        less "$FILE"
else
        echo "cannot find $FILE or $FILE/message"
fi

spamtest

#!/bin/bash
# Re-run a quarantined message through spamassassin (with debug output)
# to see how the current rulesets score it
# Usage: ./spamtest <MessageID>

MSG="$1"
[ -z "$MSG" ] && { echo "usage: $0 <MessageID>" >&2; exit 1; }

DIR=/var/spool/MailScanner/quarantine/

# The quarantine is laid out as <date>/<id>, so search for the ID by name
FILE=$(find "$DIR" -name "$MSG" -print)
echo "$FILE"

ls -l "$FILE"

if [ -f "$FILE/message" ] ; then
        echo "found $FILE/message"
        #spamassassin -D -t < "$FILE/message" 2>&1 | vim -
        spamassassin -D -t < "$FILE/message" 2>&1 | less
elif [ -f "$FILE" ] ; then
        echo "found $FILE"
        #spamassassin -D -t < "$FILE" 2>&1 | vim -
        spamassassin -D -t < "$FILE" 2>&1 | less
else
        echo "cannot find $FILE or $FILE/message"
fi

(personally, I prefer using vim to view the file, but most people would probably prefer less)
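As an added example (not one of pdwalker's scripts), the quarantine lookup that viewmsg and spamtest both repeat, pulled into one function that validates the MessageID before handing it to find and refuses ambiguous or missing entries, plus two small helpers that extract the total and the per-rule scores from the "Content analysis details" table that spamassassin -t prints. The function names are this example's own; the default quarantine path is the one shown in the post, and the sample report used in the test is constructed from the rule lines above.

```shell
#!/bin/bash
# Added example, not part of the eFa post: a shared quarantine lookup plus
# helpers that summarize a SpamAssassin report. Function names are
# hypothetical; the default quarantine root is the path shown in the post.

# Print the path of the RFC822 file for one quarantine ID.
# MailScanner keeps either <date>/<id>/message or a bare <date>/<id> file.
# Usage: quarantined_message_path <msgid> [quarantine_root]
quarantined_message_path() {
    local id="$1"
    local root="${2:-/var/spool/MailScanner/quarantine}"

    # IDs in the eFa report are alphanumeric. Reject anything else so the
    # argument can never act as a glob for find -name, a path, or an option.
    case "$id" in
        '' | *[!A-Za-z0-9]*)
            echo "invalid message id: '$id'" >&2
            return 2 ;;
    esac

    local matches count
    matches=$(find "$root" -name "$id" -print 2>/dev/null)
    if [ -z "$matches" ]; then
        echo "no quarantine entry named $id under $root" >&2
        return 1
    fi

    # An ID should appear once; if it turns up under several date directories,
    # say so rather than silently using the first hit.
    count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "ambiguous message id $id:" >&2
        printf '%s\n' "$matches" >&2
        return 1
    fi

    if [ -f "$matches/message" ]; then
        printf '%s\n' "$matches/message"
    elif [ -f "$matches" ]; then
        printf '%s\n' "$matches"
    else
        echo "$matches exists but holds no message file" >&2
        return 1
    fi
}

# Read a SpamAssassin report on stdin and print "<points> <rule>" for each
# scoring rule, highest score first, so the rules driving the verdict stand out.
# Rule rows start with a signed decimal score followed by an upper-case rule name;
# the header, separator and description continuation lines do not match.
sa_rule_hits() {
    awk '$1 ~ /^-?[0-9]+\.[0-9]+$/ && $2 ~ /^[A-Z0-9_]+$/ { print $1, $2 }' \
        | sort -g -r -k1,1
}

# Print only the total from the "Content analysis details: (X points, Y required)" line.
sa_total_points() {
    sed -n 's/^Content analysis details: (\([-0-9.]*\) points.*/\1/p'
}

# Command-line use, e.g. ./sa-rescore 49Wvts68fLzMt7SX
if [ "$#" -gt 0 ]; then
    path=$(quarantined_message_path "$@") || exit $?
    report=$(spamassassin -t < "$path" 2>/dev/null)
    echo "total: $(printf '%s\n' "$report" | sa_total_points) points"
    printf '%s\n' "$report" | sa_rule_hits
fi
```

Run with a MessageID to get the total and the sorted rule hits without paging through the debug output; the pieces can also be sourced and used from the other scripts. Quoting the variables and checking the ID up front matters because an unquoted `find $DIR -name $1` treats a bad argument as a glob or an extra option, and an empty `$FILE` would make the later `-f` tests look at the wrong thing.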