Mail with spam and score 50 still delivered?

Remco Barendse mailscanner at BARENDSE.TO
Mon Oct 13 17:50:51 IST 2003


I have an idea where I would need to look: I have disabled MCP checking
(wasn't doing anything anyway) and have not seen any spam slipping
through since.

Could it be that there is a bug in MCP handling, so that a message that makes
it through MCP doesn't get spam killed?

On Fri, 10 Oct 2003, Remco Barendse wrote:

> Yes, very sure. The header is marked by only one gateway and there is only
> one header in the mail. Also MS would have reported any white or
> blacklisting in the header.
>
> Also I have very small black/whitelists and the user in question is not on
> any list and the spammer certainly isn't whitelisted!
>
> On Thu, 9 Oct 2003, Ken Anderson wrote:
>
> > Are you sure they aren't getting whitelisted?
> > You can't always tell who the original envelope recipient was by looking
> > at the mail headers. You have to check the maillog. Just a thought...
> >
> > Ken
> > Pacific.Net
> >
> >
> > Remco Barendse wrote:
> >
> > > Nobody else seeing this behaviour? We are still getting quite a few spam
> > > mails with extremely high scores that should not have made it past the
> > > scoring rules, but still get delivered.
> > >
> > > This mail did get tagged with {Spam} but somehow the high scoring spam
> > > action is not triggered.
> > >
> > > This is the header from another mail that got through:
> > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=27.2, required 6,
> > >         CLICK_BELOW 0.00, CLICK_TO_REMOVE_1 1.10, DATE_SPAMWARE_Y2K 4.40,
> > >         DNS_FROM_RFCI_DSN 1.39, EXCUSE_10 0.14, EXCUSE_14 0.15,
> > >         EXCUSE_15 0.71, EXCUSE_3 0.10, FORGED_MUA_OUTLOOK 1.58,
> > >         FORGED_OUTLOOK_HTML 1.10, FORGED_RCVD_NET_HELO 3.02, FREE_QUOTE 2.80,
> > >         FROM_ENDS_IN_NUMS 0.87, FRONTPAGE 1.63, HTML_50_60 0.18,
> > >         HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> > >         HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> > >         HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
> > >         MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, NO_REAL_NAME 0.28,
> > >         OFFERS_ETC 0.20, SAVINGS 0.40, WE_HONOR_ALL 4.30)
> > > X-MailScanner-SpamScore: sssssssssssssssssssssssssss
> > >
> > >
> > > On Tue, 7 Oct 2003, Remco Barendse wrote:
> > >
> > >
> > >>Today one of my users received two identical e-mails (with subject
> > >>Mortgage rates just got better 3.55% Fixed).
> > >>
> > >>One e-mail was filtered out correctly although with a very weird message
> > >>in the spam score at the bottom of the scored rules (spam (blacklisted)).
> > >>Nothing in that e-mail would match my blacklisting rules!
> > >>
> > > >>Anybody else seeing this behaviour? I have my max score set to 9 and the
> > > >>other e-mail got blocked (possibly only because it was marked blacklisted
> > > >>although I don't know why) but this e-mail got through.
> > >>
> > > >>This is the header from the mail that made it through (Exchange header):
> > >>
> > >>From: "" <drflojosi at spray.se>
> > >>Reply-To: "" <drflojosi at spray.se>
> > >>To: <xxx at xxx>
> > >>Subject: {Spam?} xxxxx,Mortgage rates just got better 3.55% Fixed
> > >>Date: Tue, 07 Oct 03 02:55:35 GMT
> > >>X-Mailer: Microsoft Outlook, Build 10.0.2616
> > >>MIME-Version: 1.0
> > >>Content-Type: multipart/alternative;
> > >>      boundary=".BE9.DB781B6"
> > >>X-Priority: 3
> > >>X-MSMail-Priority: Normal
> > >>X-MailScanner-Information: Please contact the ISP for more information
> > >>X-MailScanner: Found to be clean
> > >>X-MailScanner-SpamCheck: spam, SpamAssassin (score=50.249, required 6,
> > >>      BAD_CREDIT 0.16, BANG_MORE 1.17, CLICK_BELOW_CAPS 0.57,
> > >>      CONSOLIDATE_DEBT 4.30, DATE_IN_FUTURE_03_06 2.83,
> > >>      DATE_SPAMWARE_Y2K 4.40, DCC_CHECK 1.81, EXCUSE_14 0.15,
> > >>      FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_HTML 1.10,
> > >>      FORGED_RCVD_NET_HELO 3.02, FRONTPAGE 1.63, HTML_90_100 1.07,
> > >>      HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> > >>      HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> > >>      HTML_LINK_CLICK_CAPS 0.50, HTML_LINK_CLICK_HERE 0.10,
> > >>      HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HTML 0.41, LOW_PAYMENT 1.26,
> > >>      MAILTO_TO_SPAM_ADDR 1.05, MIME_HTML_ONLY 0.10,
> > > >>      MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, MORTGAGE_PITCH 1.54,
> > > >>      MORTGAGE_RATES 1.10, NO_REAL_NAME 0.28, RCVD_IN_BL_SPAMCOP_NET 2.25,
> > >>      RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 1.10,
> > > >>      RCVD_IN_OPM 4.30, RCVD_IN_OPM_HTTP 4.30, RCVD_IN_OPM_HTTP_POST 4.30)
> > > >>X-MailScanner-SpamScore: ssssssssssssssssssssssssssssssssssssssssssssssssss
> > >>Return-Path: drflojosi at spray.se
> > > >>X-OriginalArrivalTime: 06 Oct 2003 21:02:51.0727 (UTC) FILETIME=[3479BDF0:01C38C4D]
> > >>
> > >>
> > >>
> > >
> > >
> > >
> >
>
>
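
Added example, not part of the original thread and not MailScanner's own code: a Python check that reads the X-MailScanner-SpamCheck header of a delivered message, compares its score with a high-score threshold, and cross-checks the score against the rule sum and the X-MailScanner-SpamScore length. The threshold of 9 is the poster's stated max score; the function names and the sample message (built around the score=27.2 header quoted above) are constructed for illustration.

```python
import re
from email import message_from_string

HIGH_SCORE = 9.0  # assumption: the "max score" of 9 the poster mentions

# Constructed message carrying the score=27.2 header quoted in the thread.
SAMPLE = (
    "Subject: {Spam?} constructed sample\n"
    "X-MailScanner-SpamCheck: spam, SpamAssassin (score=27.2, required 6,\n"
    "        CLICK_BELOW 0.00, CLICK_TO_REMOVE_1 1.10, DATE_SPAMWARE_Y2K 4.40,\n"
    "        DNS_FROM_RFCI_DSN 1.39, EXCUSE_10 0.14, EXCUSE_14 0.15,\n"
    "        EXCUSE_15 0.71, EXCUSE_3 0.10, FORGED_MUA_OUTLOOK 1.58,\n"
    "        FORGED_OUTLOOK_HTML 1.10, FORGED_RCVD_NET_HELO 3.02, FREE_QUOTE 2.80,\n"
    "        FROM_ENDS_IN_NUMS 0.87, FRONTPAGE 1.63, HTML_50_60 0.18,\n"
    "        HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,\n"
    "        HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,\n"
    "        HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,\n"
    "        MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, NO_REAL_NAME 0.28,\n"
    "        OFFERS_ETC 0.20, SAVINGS 0.40, WE_HONOR_ALL 4.30)\n"
    "X-MailScanner-SpamScore: " + "s" * 27 + "\n\nbody\n"
)

SCORE_RE = re.compile(r"score=(-?[\d.]+), required (-?[\d.]+)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")

def parse_spamcheck(value):
    """Unfold the header and return verdict, score, threshold and rule hits."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = SCORE_RE.search(flat)
    if m is None:  # e.g. "spam (blacklisted)": no SpamAssassin score present
        return None
    rules = {name: float(pts) for name, pts in RULE_RE.findall(flat[m.end():])}
    return {"verdict": flat.split(",")[0], "score": float(m[1]),
            "required": float(m[2]), "rules": rules}

def audit(raw_message):
    """Report whether a delivered message scored at or above HIGH_SCORE."""
    msg = message_from_string(raw_message)
    info = parse_spamcheck(msg.get("X-MailScanner-SpamCheck", ""))
    if info is None:
        return None
    info["rule_sum"] = round(sum(info["rules"].values()), 2)
    info["stars"] = len(msg.get("X-MailScanner-SpamScore", "").strip())
    info["above_high_score"] = info["score"] >= HIGH_SCORE
    return info

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A delivered message for which `above_high_score` is true is one to look up in the maillog, as Ken suggests, to see which recipient and ruleset it was processed under.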


