Mail with spam and score 50 still delivered?

Remco Barendse mailscanner at BARENDSE.TO
Fri Oct 10 06:38:49 IST 2003 

Yes, very sure. The header is marked by only one gateway and there is only
one header in the mail. Also MS would have reported any white or
blacklisting in the header.

Also I have very small black/whitelists and the user in question is not on
any list and the spammer certainly isn't whitelisted!

On Thu, 9 Oct 2003, Ken Anderson wrote:

> Are you sure they aren't getting whitelisted?
> You can't always tell who the original envelope recipient was by looking
> at the mail headers. You have to check the maillog. Just a thought...
>
> Ken
> Pacific.Net
>
>
> Remco Barendse wrote:
>
> > Nobody else seeing this behaviour, we are still getting quite some spam
> > mails with extremely high scores that should not have made it past the
> > scoring rules, but still get delivered.
> >
> > This mail did get tagged with {Spam} but somehow the high scoring spam
> > action is not triggered.
> >
> > This is the header from another mail that got through:
> > X-MailScanner-SpamCheck: spam, SpamAssassin (score=27.2, required 6,
> >         CLICK_BELOW 0.00, CLICK_TO_REMOVE_1 1.10, DATE_SPAMWARE_Y2K 4.40,
> >         DNS_FROM_RFCI_DSN 1.39, EXCUSE_10 0.14, EXCUSE_14 0.15,
> >         EXCUSE_15 0.71, EXCUSE_3 0.10, FORGED_MUA_OUTLOOK 1.58,
> >         FORGED_OUTLOOK_HTML 1.10, FORGED_RCVD_NET_HELO 3.02, FREE_QUOTE
> > 2.80,
> >         FROM_ENDS_IN_NUMS 0.87, FRONTPAGE 1.63, HTML_50_60 0.18,
> >         HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> >         HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> >         HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
> >         MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, NO_REAL_NAME
> > 0.28,
> >         OFFERS_ETC 0.20, SAVINGS 0.40, WE_HONOR_ALL 4.30)
> > X-MailScanner-SpamScore: sssssssssssssssssssssssssss
> >
> >
> > On Tue, 7 Oct 2003, Remco Barendse wrote:
> >
> >
> >>Today one of my users received two identical e-mails (with subject
> >>Mortgage rates just got better 3.55% Fixed).
> >>
> >>One e-mail was filtered out correctly although with a very weird message
> >>in the spam score at the bottom of the scored rules (spam (blacklisted)).
> >>Nothing in that e-mail would match my blacklisting rules!
> >>
> >>Anybody else seeing this behaviour? I have my max score set to 9 and the
> >>other e-mail got blocked (possibly only because it was marked blacklisted
> >>altho I don't know why) but this e-mail got through.
> >>
> >>This the header from the mail that made it through (Exchange header):
> >>
> >>From: "" <drflojosi at spray.se>
> >>Reply-To: "" <drflojosi at spray.se>
> >>To: <xxx at xxx>
> >>Subject: {Spam?} xxxxx,Mortgage rates just got better 3.55% Fixed
> >>Date: Tue, 07 Oct 03 02:55:35 GMT
> >>X-Mailer: Microsoft Outlook, Build 10.0.2616
> >>MIME-Version: 1.0
> >>Content-Type: multipart/alternative;
> >>      boundary=".BE9.DB781B6"
> >>X-Priority: 3
> >>X-MSMail-Priority: Normal
> >>X-MailScanner-Information: Please contact the ISP for more information
> >>X-MailScanner: Found to be clean
> >>X-MailScanner-SpamCheck: spam, SpamAssassin (score=50.249, required 6,
> >>      BAD_CREDIT 0.16, BANG_MORE 1.17, CLICK_BELOW_CAPS 0.57,
> >>      CONSOLIDATE_DEBT 4.30, DATE_IN_FUTURE_03_06 2.83,
> >>      DATE_SPAMWARE_Y2K 4.40, DCC_CHECK 1.81, EXCUSE_14 0.15,
> >>      FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_HTML 1.10,
> >>      FORGED_RCVD_NET_HELO 3.02, FRONTPAGE 1.63, HTML_90_100 1.07,
> >>      HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> >>      HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> >>      HTML_LINK_CLICK_CAPS 0.50, HTML_LINK_CLICK_HERE 0.10,
> >>      HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HTML 0.41, LOW_PAYMENT 1.26,
> >>      MAILTO_TO_SPAM_ADDR 1.05, MIME_HTML_ONLY 0.10,
> >>      MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, MORTGAGE_PITCH
> >>1.54,
> >>      MORTGAGE_RATES 1.10, NO_REAL_NAME 0.28, RCVD_IN_BL_SPAMCOP_NET
> >>2.25,
> >>      RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 1.10,
> >>      RCVD_IN_OPM 4.30, RCVD_IN_OPM_HTTP 4.30, RCVD_IN_OPM_HTTP_POST
> >>4.30)
> >>X-MailScanner-SpamScore:
> >>ssssssssssssssssssssssssssssssssssssssssssssssssss
> >>Return-Path: drflojosi at spray.se
> >>X-OriginalArrivalTime: 06 Oct 2003 21:02:51.0727 (UTC)
> >>FILETIME=[3479BDF0:01C38C4D]
> >>
> >>
> >>
> >
> >
> >
>

More information about the MailScanner mailing list