Spam mail undetected.
Derek Winkler
dwinkler at ALGORITHMICS.COM
Tue Nov 18 15:06:49 GMT 2003
Another way to go, in your SpamAssassin preferences file...
uri LOCAL_GRPHSFRM_somedomain /https?:\/\/.*\.somedomain\.tld/i
describe LOCAL_GRPHSFRM_somedomain Has "http://somedomain.tld" in uri
score LOCAL_GRPHSFRM_somedomain 5
Lots of variations of this.
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Plant, Dean
Sent: Tuesday, November 18, 2003 5:19 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Spam mail undetected.
Hello list
Currently using:
MailScanner 4.21-9
Redhat 8.0
Sendmail
F-prot
ClamAV
Dcc 1.214
Razor 2.36
SpamAssassin 2.6
I have a user that is receiving a porn spam mail on a daily basis that
is not being picked up by MailScanner/SpamAssassin.
The mail seems to consist only of an HTML image and comes from a different
IP address every time. I have fed the missed mails into the SpamAssassin
database using sa-learn but the mails still pass through.
Are there any changes I can make to help stop this type of mail? (3 Sample
Headers Below).
Thanks in advance
Dean Plant
Sample Header 1
Received: from mail.ielectoral.com (ip-206-169-149-87.relia-network.net
    [206.169.149.87] (may be forged))
    by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAI1vPoE013167
    for <xxxxx.xxxxx at roke.co.uk>; Tue, 18 Nov 2003 01:57:26 GMT
Message-Id: <200311180157.hAI1vPoE013167 at rsys001x.roke.co.uk>
Received: by mail.ielectoral.com; Mon, 17 Nov 2003 18:51:33 -0700
    (envelope-from <xxxxx.xxxxx at igigantic.com>)
X-Mailer: PowerMail v7018439
Content-Type: multipart/alternative; boundary="----=_Lksi8rwBA_ojetw3g_E"
Subject: Hey dude
MIME-Version: 1.0
From: "Brian" <xxxxx.xxxxx at igigantic.com>
To: xxxxx.xxxxx at roke.co.uk
Date: Mon, 17 Nov 2003 18:51:33 -0700
X-MailScanner-rsys001x: Found to be clean
X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=2.134,
    required 5, BAYES_44 -0.00, HTML_70_80 0.10, HTML_IMAGE_ONLY_02 1.23,
    HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)
X-MailScanner-rsys001x-SpamScore: ss
Sample Header 2
Received: from mail.inumberone.com (el-2-mx-111.relia-network.net
    [216.190.157.111])
    by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAGMw0oF029554
    for <xxxxx.xxxxx at roke.co.uk>; Sun, 16 Nov 2003 22:58:00 GMT
Message-Id: <200311162258.hAGMw0oF029554 at rsys001x.roke.co.uk>
Received: by mail.inumberone.com; Sun, 16 Nov 2003 15:57:43 -0700
    (envelope-from <xxxxx.xxxxx at ienough.com>)
X-Mailer: PowerMail v7018439
Content-Type: multipart/alternative; boundary="----=_Jnhd6HDt5_osk6GE4_B"
Subject: To be continued
MIME-Version: 1.0
From: "John" <xxxxx.xxxxx at ienough.com>
To: xxxxx.xxxxx at roke.co.uk
Date: Sun, 16 Nov 2003 15:57:43 -0700
X-MailScanner-rsys001x: Found to be clean
X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=1.905,
    required 5, BAYES_44 -0.00, HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00,
    HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)
X-MailScanner-rsys001x-SpamScore: s
Sample Header 3
Received: from mail.icommital.com (xo-3-mx-4.relia-network.net [67.108.2.4])
    by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAG3MPoE007214
    for <xxxxx.xxxxx at roke.co.uk>; Sun, 16 Nov 2003 03:22:26 GMT
Message-Id: <200311160322.hAG3MPoE007214 at rsys001x.roke.co.uk>
Received: by mail.icommital.com; Sat, 15 Nov 2003 20:22:20 -0700
    (envelope-from <xxxxx.xxxxx at transpondent.com>)
X-Mailer: PowerMail v7018439
Content-Type: multipart/alternative; boundary="----=_Y7urNjsLp_9is4Rntj_E"
Subject: Hey
MIME-Version: 1.0
From: "Jim" <xxxxx.xxxxx at transpondent.com>
To: xxxxx.xxxxx at roke.co.uk
Date: Sat, 15 Nov 2003 20:22:20 -0700
X-MailScanner-rsys001x: Found to be clean
X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=4.814,
    required 5, BAYES_50 0.00, DCC_CHECK 2.91, HTML_50_60 0.10,
    HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10,
    MSGID_FROM_MTA_HEADER 0.70)
X-MailScanner-rsys001x-SpamScore: ssss
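An added example, not part of the original thread: a Python check of how the `uri` rule suggested in the reply would change the verdicts on the three sample messages, and which URIs the pattern does and does not match. It assumes the Perl pattern behaves the same under Python's `re`, that SpamAssassin applies a `uri` rule unanchored to each URI in the message, and that the image URIs are constructed, since the thread does not show the message bodies.

```python
import re

# The reply's uri rule, transcribed from Perl /.../i to Python's re module.
URI_RULE = re.compile(r"https?://.*\.somedomain\.tld", re.IGNORECASE)
RULE_SCORE = 5.0  # "score LOCAL_GRPHSFRM_somedomain 5"

# X-MailScanner-rsys001x-SpamCheck values from the three sample headers, unfolded.
SPAMCHECK = [
    "not spam, SpamAssassin (score=2.134, required 5, BAYES_44 -0.00, "
    "HTML_70_80 0.10, HTML_IMAGE_ONLY_02 1.23, HTML_MESSAGE 0.10, "
    "MSGID_FROM_MTA_HEADER 0.70)",
    "not spam, SpamAssassin (score=1.905, required 5, BAYES_44 -0.00, "
    "HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, "
    "MSGID_FROM_MTA_HEADER 0.70)",
    "not spam, SpamAssassin (score=4.814, required 5, BAYES_50 0.00, "
    "DCC_CHECK 2.91, HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00, "
    "HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)",
]

def parse_spamcheck(value):
    """Return (score, required, {rule: points}) from a SpamCheck header value."""
    m = re.search(r"score=(-?[\d.]+),\s*required\s+(-?[\d.]+)(.*)\)", value, re.S)
    if m is None:
        raise ValueError("not a MailScanner SpamCheck value")
    hits = dict(re.findall(r"([A-Z][A-Z0-9_]+)\s+(-?[\d.]+)", m.group(3)))
    return float(m.group(1)), float(m.group(2)), {k: float(v) for k, v in hits.items()}

def uri_rule_fires(uris):
    """True if any URI matches; the search is unanchored, as assumed above."""
    return any(URI_RULE.search(u) for u in uris)

def rescore(value, uris):
    """Score and verdict the message would get with the local rule added."""
    score, required, _ = parse_spamcheck(value)
    if uri_rule_fires(uris):
        score += RULE_SCORE
    return round(score, 3), score >= required

if __name__ == "__main__":
    constructed = ["http://images.somedomain.tld/a.gif"]  # constructed image URI
    for value in SPAMCHECK:
        print(rescore(value, constructed))
    # Edge cases of the pattern, all constructed:
    for uri in ["http://somedomain.tld/a.gif",             # bare domain
                "http://www.somedomain.tld.example.net/",  # suffix not anchored
                "HTTP://WWW.SOMEDOMAIN.TLD/"]:             # case-insensitive
        print(uri, uri_rule_fires([uri]))
```

As written, the pattern needs a dot before `somedomain`, so a URI on the bare domain does not match, and with no anchor after `\.tld` it also matches hosts that merely contain the name. Both cases are worth testing against real samples before giving the rule a score of 5.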