Spam mail undetected.
Plant, Dean
dean.plant at ROKE.CO.UK
Tue Nov 18 11:21:21 GMT 2003
I thought, possibly incorrectly, that SpamAssassin did RBL checks as
standard. On checking through some spam reports in high scoring spam they
show what I thought were positive RBL lookups. Here's one we received
earlier today that lists SpamCop. Should I have RBLs listed in MailScanner
as well?
X-MailScanner-rsys001x-SpamCheck: spam, Spamassassin (score=26.315,
required 5, BAYES_99 5.40, DATE_IN_PAST_03_06 0.42,
DATE_SPAMWARE_Y2K 4.20, DCC_CHECK 2.91, FORGED_MUA_OUTLOOK 2.57,
FORGED_OUTLOOK_HTML 1.00, HTML_50_60 0.10, HTML_MESSAGE 0.10,
MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.59,
RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_NJABL 0.10,
RCVD_IN_NJABL_PROXY 0.50, UPPERCASE_25_50 0.00, USERPASS 3.81)
Dean
-----Original Message-----
From: Michele Neylon :: Blacknight Solutions
[mailto:michele at BLACKNIGHTSOLUTIONS.COM]
Sent: 18 November 2003 11:12
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Spam mail undetected.
Ah-ha
Add in spamcop.net and see what happens :) I would recommend you play around
with RBLs a bit until you find the right match. One is NOT enough.
Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9139897
Lowest price domains in Ireland
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Plant, Dean
> Sent: 18 November 2003 11:08
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Spam mail undetected.
>
>
> Spam List = ORDB-RBL # MAPS-RBL+ costs money (except .ac.uk)
>
> Dean
>
> -----Original Message-----
> From: Michele Neylon :: Blacknight Solutions
> [mailto:michele at BLACKNIGHTSOLUTIONS.COM]
> Sent: 18 November 2003 10:43
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Spam mail undetected.
>
> In your MailScanner.conf which RBLs have you set?
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Plant, Dean
> > Sent: 18 November 2003 10:35
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Spam mail undetected.
> >
> >
> > Only the standard RBLs that MailScanner/SpamAssassin use. Our
> > current setup seems to work great identifying about 4k spam
> > messages out of 12.5K messages a day. This message seems to be a
> > one-off, quite offensive porn mail that gets through the system.
> >
> > Dean.
> >
> > -----Original Message-----
> > From: Michele Neylon :: Blacknight Solutions
> > [mailto:michele at BLACKNIGHTSOLUTIONS.COM]
> > Sent: 18 November 2003 10:23
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Spam mail undetected.
> >
> > Are you using any RBLs?
> >
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > > Behalf Of Plant, Dean
> > > Sent: 18 November 2003 10:19
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Spam mail undetected.
> > >
> > >
> > > Hello list
> > >
> > > Currently using:
> > >
> > > MailScanner 4.21-9
> > > Redhat 8.0
> > > Sendmail
> > > F-prot
> > > ClamAV
> > > Dcc 1.214
> > > Razor 2.36
> > > SpamAssassin 2.6
> > >
> > > > I have a user that is receiving a porn spam mail on a daily occurrence
> > > > that is not being picked up by MailScanner/SpamAssassin.
> > > >
> > > > The mail seems to consist only of an HTML image and comes from a
> > > > different IP address every time. I have fed the missed mails into the
> > > > SpamAssassin database using sa-learn but the mails still pass through.
> > > >
> > > > Are there any changes I can make to help stop this type of mail?
> > > > (3 Sample Headers Below).
> > >
> > > Thanks in advance
> > >
> > > Dean Plant
> > >
> > > Sample Header 1
> > >
> > > > Received: from mail.ielectoral.com (ip-206-169-149-87.relia-network.net
> > > > [206.169.149.87] (may be forged))
> > > > by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAI1vPoE013167
> > > > for <xxxxx.xxxxx at roke.co.uk>; Tue, 18 Nov 2003 01:57:26 GMT
> > > > Message-Id: <200311180157.hAI1vPoE013167 at rsys001x.roke.co.uk>
> > > > Received: by mail.ielectoral.com; Mon, 17 Nov 2003 18:51:33 -0700
> > > > (envelope-from <xxxxx.xxxxx at igigantic.com>)
> > > > X-Mailer: PowerMail v7018439
> > > > Content-Type: multipart/alternative;
> > > > boundary="----=_Lksi8rwBA_ojetw3g_E"
> > > > Subject: Hey dude
> > > > MIME-Version: 1.0
> > > > From: "Brian" <xxxxx.xxxxx at igigantic.com>
> > > > To: xxxxx.xxxxx at roke.co.uk
> > > > Date: Mon, 17 Nov 2003 18:51:33 -0700
> > > > X-MailScanner-rsys001x: Found to be clean
> > > > X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=2.134,
> > > > required 5, BAYES_44 -0.00, HTML_70_80 0.10, HTML_IMAGE_ONLY_02 1.23,
> > > > HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)
> > > X-MailScanner-rsys001x-SpamScore: ss
> > >
> > > Sample Header 2
> > >
> > > > Received: from mail.inumberone.com (el-2-mx-111.relia-network.net
> > > > [216.190.157.111])
> > > > by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAGMw0oF029554
> > > > for <xxxxx.xxxxx at roke.co.uk>; Sun, 16 Nov 2003 22:58:00 GMT
> > > > Message-Id: <200311162258.hAGMw0oF029554 at rsys001x.roke.co.uk>
> > > > Received: by mail.inumberone.com; Sun, 16 Nov 2003 15:57:43 -0700
> > > > (envelope-from <xxxxx.xxxxx at ienough.com>)
> > > > X-Mailer: PowerMail v7018439
> > > > Content-Type: multipart/alternative;
> > > > boundary="----=_Jnhd6HDt5_osk6GE4_B"
> > > > Subject: To be continued
> > > > MIME-Version: 1.0
> > > > From: "John" <xxxxx.xxxxx at ienough.com>
> > > > To: xxxxx.xxxxx at roke.co.uk
> > > > Date: Sun, 16 Nov 2003 15:57:43 -0700
> > > > X-MailScanner-rsys001x: Found to be clean
> > > > X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=1.905,
> > > > required 5, BAYES_44 -0.00, HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00,
> > > > HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)
> > > X-MailScanner-rsys001x-SpamScore: s
> > >
> > > Sample Header 3
> > >
> > > > Received: from mail.icommital.com (xo-3-mx-4.relia-network.net
> > > > [67.108.2.4])
> > > > by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAG3MPoE007214
> > > > for <xxxxx.xxxxx at roke.co.uk>; Sun, 16 Nov 2003 03:22:26 GMT
> > > > Message-Id: <200311160322.hAG3MPoE007214 at rsys001x.roke.co.uk>
> > > > Received: by mail.icommital.com; Sat, 15 Nov 2003 20:22:20 -0700
> > > > (envelope-from <xxxxx.xxxxx at transpondent.com>)
> > > > X-Mailer: PowerMail v7018439
> > > > Content-Type: multipart/alternative;
> > > > boundary="----=_Y7urNjsLp_9is4Rntj_E"
> > > > Subject: Hey
> > > > MIME-Version: 1.0
> > > > From: "Jim" <xxxxx.xxxxx at transpondent.com>
> > > > To: xxxxx.xxxxx at roke.co.uk
> > > > Date: Sat, 15 Nov 2003 20:22:20 -0700
> > > > X-MailScanner-rsys001x: Found to be clean
> > > > X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=4.814,
> > > > required 5, BAYES_50 0.00, DCC_CHECK 2.91, HTML_50_60 0.10,
> > > > HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10,
> > > > MSGID_FROM_MTA_HEADER 0.70)
> > > X-MailScanner-rsys001x-SpamScore: ssss
> > >
> > >
> > > --
> > > Registered Office: Roke Manor Research Ltd, Siemens House,
> > > Oldbury, Bracknell,
> > > Berkshire. RG12 8FZ
> > >
> > > The information contained in this e-mail and any attachments is
> > > confidential to
> > > Roke Manor Research Ltd and must not be passed to any third
> > party without
> > > permission. This communication is for information only and shall
> > > not create or
> > > change any contractual relationship.
> > >
> > >
> >
> >
> > #########################################################
> > This message (and any attachment) is intended only for the
> > recipient and may contain confidential and/or privileged
> > material. If you have received this in error, please contact the
> > sender and delete this message immediately. Disclosure, copying
> > or other action taken in respect of this email or in
> > reliance to it is prohibited.
> >
> >
> >
>
>
>
>
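Added example, not part of the original thread: a Python sketch that parses the X-MailScanner-rsys001x-SpamCheck values quoted above and separates the points scored by SpamAssassin's own DNS blocklist rules (the RCVD_IN_* entries) from the rest of the report. The function names are hypothetical; the header strings are copied from the messages in this thread.

```python
import re

# SpamCheck header values copied from this thread; line folds kept to exercise unfolding.
CAUGHT = """spam, Spamassassin (score=26.315, required 5, BAYES_99 5.40,
 DATE_IN_PAST_03_06 0.42, DATE_SPAMWARE_Y2K 4.20, DCC_CHECK 2.91,
 FORGED_MUA_OUTLOOK 2.57, FORGED_OUTLOOK_HTML 1.00, HTML_50_60 0.10,
 HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10,
 MISSING_MIMEOLE
 1.59, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_NJABL 0.10,
 RCVD_IN_NJABL_PROXY 0.50, UPPERCASE_25_50 0.00, USERPASS 3.81)"""
MISSED = [  # Sample Headers 1, 2 and 3
    """not spam, SpamAssassin (score=2.134, required 5, BAYES_44 -0.00,
 HTML_70_80 0.10, HTML_IMAGE_ONLY_02 1.23, HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)""",
    """not spam, SpamAssassin (score=1.905, required 5, BAYES_44 -0.00,
 HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)""",
    """not spam, SpamAssassin (score=4.814, required 5, BAYES_50 0.00, DCC_CHECK 2.91,
 HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)""",
]

REPORT_RE = re.compile(r"(?P<verdict>not spam|spam), \w+ \(score=(?P<score>-?[\d.]+), "
                       r"required (?P<required>-?[\d.]+),(?P<rules>.*)\)")
RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)")

def parse_report(value):
    """Unfold a SpamCheck header value; return verdict, score, threshold and rule scores."""
    m = REPORT_RE.search(" ".join(value.split()))  # collapse folds and runs of whitespace
    if m is None:
        raise ValueError("not a MailScanner SpamCheck report")
    rules = {name: float(pts) for name, pts in RULE_RE.findall(m["rules"])}
    return {"verdict": m["verdict"], "score": float(m["score"]),
            "required": float(m["required"]), "rules": rules}

def dnsbl_points(report):
    """Points contributed by SpamAssassin's DNS blocklist rules (names start RCVD_IN_)."""
    return round(sum(p for n, p in report["rules"].items() if n.startswith("RCVD_IN_")), 2)

def shortfall(report):
    """How far below the spam threshold the message scored (negative if above it)."""
    return round(report["required"] - report["score"], 3)

def rules_account_for_score(report, tolerance=0.05):
    """True if the listed rule scores add up to the reported total (no rule lost in a fold)."""
    return abs(sum(report["rules"].values()) - report["score"]) <= tolerance

if __name__ == "__main__":
    for r in map(parse_report, [CAUGHT] + MISSED):
        print(r["verdict"], r["score"], "DNSBL:", dnsbl_points(r), "short by:", shortfall(r))
```
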