Mail with spam and score 50 still delivered?

Thu Oct 9 15:56:28 IST 2003

Are you sure they aren't getting whitelisted?
You can't always tell who the original envelope recipient was by looking
at the mail headers. You have to check the maillog. Just a thought...

Ken
Pacific.Net

Remco Barendse wrote:

> Nobody else seeing this behaviour, we are still getting quite some spam
> mails with extremely high scores that should not have made it past the
> scoring rules, but still get delivered.
>
> This mail did get tagged with {Spam} but somehow the high scoring spam
> action is not triggered.
>
> This is the header from another mail that got through:
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=27.2, required 6,
>         CLICK_BELOW 0.00, CLICK_TO_REMOVE_1 1.10, DATE_SPAMWARE_Y2K 4.40,
>         DNS_FROM_RFCI_DSN 1.39, EXCUSE_10 0.14, EXCUSE_14 0.15,
>         EXCUSE_15 0.71, EXCUSE_3 0.10, FORGED_MUA_OUTLOOK 1.58,
>         FORGED_OUTLOOK_HTML 1.10, FORGED_RCVD_NET_HELO 3.02, FREE_QUOTE
> 2.80,
>         FROM_ENDS_IN_NUMS 0.87, FRONTPAGE 1.63, HTML_50_60 0.18,
>         HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
>         HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
>         HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
>         MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, NO_REAL_NAME
> 0.28,
>         OFFERS_ETC 0.20, SAVINGS 0.40, WE_HONOR_ALL 4.30)
> X-MailScanner-SpamScore: sssssssssssssssssssssssssss
>
>
> On Tue, 7 Oct 2003, Remco Barendse wrote:
>
>
>>Today one of my users received two identical e-mails (with subject
>>Mortgage rates just got better 3.55% Fixed).
>>
>>One e-mail was filtered out correctly although with a very weird message
>>in the spam score at the bottom of the scored rules (spam (blacklisted)).
>>Nothing in that e-mail would match my blacklisting rules!
>>
>>Anybody else seeing this behaviour? I have my max score set to 9 and the
>>other e-mail got blocked (possibly only because it was marked blacklisted
>>altho I don't know why) but this e-mail got through.
>>
>>This the header from the mail that made it through (Exchange header):
>>
>>From: "" <drflojosi at spray.se>
>>Reply-To: "" <drflojosi at spray.se>
>>To: <xxx at xxx>
>>Subject: {Spam?} xxxxx,Mortgage rates just got better 3.55% Fixed
>>Date: Tue, 07 Oct 03 02:55:35 GMT
>>X-Mailer: Microsoft Outlook, Build 10.0.2616
>>MIME-Version: 1.0
>>Content-Type: multipart/alternative;
>>      boundary=".BE9.DB781B6"
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-MailScanner-Information: Please contact the ISP for more information
>>X-MailScanner: Found to be clean
>>X-MailScanner-SpamCheck: spam, SpamAssassin (score=50.249, required 6,
>>      BAD_CREDIT 0.16, BANG_MORE 1.17, CLICK_BELOW_CAPS 0.57,
>>      CONSOLIDATE_DEBT 4.30, DATE_IN_FUTURE_03_06 2.83,
>>      DATE_SPAMWARE_Y2K 4.40, DCC_CHECK 1.81, EXCUSE_14 0.15,
>>      FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_HTML 1.10,
>>      FORGED_RCVD_NET_HELO 3.02, FRONTPAGE 1.63, HTML_90_100 1.07,
>>      HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
>>      HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
>>      HTML_LINK_CLICK_CAPS 0.50, HTML_LINK_CLICK_HERE 0.10,
>>      HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HTML 0.41, LOW_PAYMENT 1.26,
>>      MAILTO_TO_SPAM_ADDR 1.05, MIME_HTML_ONLY 0.10,
>>      MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, MORTGAGE_PITCH
>>1.54,
>>      MORTGAGE_RATES 1.10, NO_REAL_NAME 0.28, RCVD_IN_BL_SPAMCOP_NET
>>2.25,
>>      RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 1.10,
>>      RCVD_IN_OPM 4.30, RCVD_IN_OPM_HTTP 4.30, RCVD_IN_OPM_HTTP_POST
>>4.30)
>>X-MailScanner-SpamScore:
>>ssssssssssssssssssssssssssssssssssssssssssssssssss
>>Return-Path: drflojosi at spray.se
>>X-OriginalArrivalTime: 06 Oct 2003 21:02:51.0727 (UTC)
>>FILETIME=[3479BDF0:01C38C4D]
>>
>>
>>
>
>
>