Spam mail undetected.

Plant, Dean dean.plant at ROKE.CO.UK
Tue Nov 18 10:19:26 GMT 2003


Hello list

Currently using:

MailScanner 4.21-9
Redhat 8.0
Sendmail
F-prot
ClamAV
Dcc 1.214
Razor 2.36
SpamAssassin 2.6

I have a user who is receiving a porn spam mail on a daily basis that
is not being picked up by MailScanner/SpamAssassin.

The mail seems to consist only of an HTML image and comes from a different
IP address every time. I have fed the missed mails into the SpamAssassin
database using sa-learn but the mails still pass through.

Are there any changes I can make to help stop this type of mail? (3 Sample
Headers Below).

Thanks in advance

Dean Plant

Sample Header 1

Received: from mail.ielectoral.com (ip-206-169-149-87.relia-network.net
        [206.169.149.87] (may be forged))
        by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAI1vPoE013167
        for <xxxxx.xxxxx at roke.co.uk>; Tue, 18 Nov 2003 01:57:26 GMT
Message-Id: <200311180157.hAI1vPoE013167 at rsys001x.roke.co.uk>
Received: by mail.ielectoral.com; Mon, 17 Nov 2003 18:51:33 -0700
(envelope-from <xxxxx.xxxxx at igigantic.com>)
X-Mailer: PowerMail v7018439
Content-Type: multipart/alternative; boundary="----=_Lksi8rwBA_ojetw3g_E"
Subject: Hey dude
MIME-Version: 1.0
From: "Brian" <xxxxx.xxxxx at igigantic.com>
To: xxxxx.xxxxx at roke.co.uk
Date: Mon, 17 Nov 2003 18:51:33 -0700
X-MailScanner-rsys001x: Found to be clean
X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=2.134,
        required 5, BAYES_44 -0.00, HTML_70_80 0.10,
        HTML_IMAGE_ONLY_02 1.23, HTML_MESSAGE 0.10,
        MSGID_FROM_MTA_HEADER 0.70)
X-MailScanner-rsys001x-SpamScore: ss

Sample Header 2

Received: from mail.inumberone.com (el-2-mx-111.relia-network.net
        [216.190.157.111])
        by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAGMw0oF029554
        for <xxxxx.xxxxx at roke.co.uk>; Sun, 16 Nov 2003 22:58:00 GMT
Message-Id: <200311162258.hAGMw0oF029554 at rsys001x.roke.co.uk>
Received: by mail.inumberone.com; Sun, 16 Nov 2003 15:57:43 -0700
(envelope-from <xxxxx.xxxxx at ienough.com>)
X-Mailer: PowerMail v7018439
Content-Type: multipart/alternative; boundary="----=_Jnhd6HDt5_osk6GE4_B"
Subject: To be continued
MIME-Version: 1.0
From: "John" <xxxxx.xxxxx at ienough.com>
To: xxxxx.xxxxx at roke.co.uk
Date: Sun, 16 Nov 2003 15:57:43 -0700
X-MailScanner-rsys001x: Found to be clean
X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=1.905,
        required 5, BAYES_44 -0.00, HTML_50_60 0.10,
        HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10,
        MSGID_FROM_MTA_HEADER 0.70)
X-MailScanner-rsys001x-SpamScore: s

Sample Header 3

Received: from mail.icommital.com (xo-3-mx-4.relia-network.net [67.108.2.4])
        by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAG3MPoE007214
        for <xxxxx.xxxxx at roke.co.uk>; Sun, 16 Nov 2003 03:22:26 GMT
Message-Id: <200311160322.hAG3MPoE007214 at rsys001x.roke.co.uk>
Received: by mail.icommital.com; Sat, 15 Nov 2003 20:22:20 -0700
(envelope-from <xxxxx.xxxxx at transpondent.com>)
X-Mailer: PowerMail v7018439
Content-Type: multipart/alternative; boundary="----=_Y7urNjsLp_9is4Rntj_E"
Subject: Hey
MIME-Version: 1.0
From: "Jim" <xxxxx.xxxxx at transpondent.com>
To: xxxxx.xxxxx at roke.co.uk
Date: Sat, 15 Nov 2003 20:22:20 -0700
X-MailScanner-rsys001x: Found to be clean
X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=4.814,
        required 5, BAYES_50 0.00, DCC_CHECK 2.91, HTML_50_60 0.10,
        HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10,
        MSGID_FROM_MTA_HEADER 0.70)
X-MailScanner-rsys001x-SpamScore: ssss


--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell,
Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to
Roke Manor Research Ltd and must not be passed to any third party without
permission. This communication is for information only and shall not create or
change any contractual relationship.
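
Added example, not part of the original post: a Python sketch that parses the three sample headers above and reports which features are identical in all of them (the kind of invariant a site-local rule could key on), plus how far below the threshold the lowest-scoring sample falls. The function names and the last-two-labels domain shortcut are assumptions of this example.

```python
import re
from email import message_from_string

# Relay, X-Mailer and SpamCheck headers copied from the three samples (line wraps rejoined).
SAMPLES = [
    "Received: from mail.ielectoral.com (ip-206-169-149-87.relia-network.net [206.169.149.87] (may be forged))\n"
    "X-Mailer: PowerMail v7018439\n"
    "X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=2.134, required 5, BAYES_44 -0.00, HTML_70_80 0.10, HTML_IMAGE_ONLY_02 1.23, HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)\n",
    "Received: from mail.inumberone.com (el-2-mx-111.relia-network.net [216.190.157.111])\n"
    "X-Mailer: PowerMail v7018439\n"
    "X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=1.905, required 5, BAYES_44 -0.00, HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)\n",
    "Received: from mail.icommital.com (xo-3-mx-4.relia-network.net [67.108.2.4])\n"
    "X-Mailer: PowerMail v7018439\n"
    "X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=4.814, required 5, BAYES_50 0.00, DCC_CHECK 2.91, HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)\n",
]

RELAY = re.compile(r"\(([\w.-]+)\s+\[\d+\.\d+\.\d+\.\d+\]")   # rDNS name recorded by the receiving MTA
SCORE = re.compile(r"score=(-?[\d.]+),\s*required\s+([\d.]+)")
RULE = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+(-?\d+\.\d+)")       # e.g. "HTML_MESSAGE 0.10"

def parse(raw):
    """Extract relay rDNS domain, X-Mailer, score/threshold and rule hits from one header block."""
    msg = message_from_string(raw)
    check = next(v for k, v in msg.items() if k.endswith("-SpamCheck"))
    host = RELAY.search(msg["Received"]).group(1)
    score, required = map(float, SCORE.search(check).groups())
    return {
        # Last two labels taken as the domain: a simplification, wrong for suffixes like co.uk.
        "relay_domain": ".".join(host.split(".")[-2:]),
        "mailer": msg["X-Mailer"],
        "score": score, "required": required,
        "rules": {name: float(pts) for name, pts in RULE.findall(check)},
    }

def invariants(samples):
    """Return the features that are identical in every sample."""
    parsed = [parse(s) for s in samples]
    common = {}
    for key in ("relay_domain", "mailer"):
        values = {p[key] for p in parsed}
        if len(values) == 1:
            common[key] = values.pop()
    common["rules"] = sorted(set.intersection(*(set(p["rules"]) for p in parsed)))
    # Largest gap between a sample's score and its threshold (plain arithmetic on the headers).
    common["points_needed"] = round(max(p["required"] - p["score"] for p in parsed), 3)
    return common

if __name__ == "__main__":
    print(invariants(SAMPLES))
```

The X-Mailer value is chosen by the sender, and the first sample's rDNS name is already marked "(may be forged)", so anything keyed on these fields holds only while the sender keeps them unchanged.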


