Mail with spam and score 50 still delivered?

Julian Field mailscanner at ecs.soton.ac.uk
Mon Oct 13 19:19:50 IST 2003


The MCP stuff still isn't reliable, due mostly to a subtle bug in
SpamAssassin for which I haven't yet figured a decent workaround. It
doesn't like you having 2 SA objects in the same process :-(

At 17:50 13/10/2003, you wrote:
>I have an idea where I would need to look, I have disabled MCP checking
>(wasn't doing anything anyways) and have not seen any spam slipping
>through since.
>
>Could it be that there is a bug in MCP handling, that a message that makes
>it through MCP doesn't get spam killed??
>
>On Fri, 10 Oct 2003, Remco Barendse wrote:
>
> > Yes, very sure. The header is marked by only one gateway and there is only
> > one header in the mail. Also MS would have reported any white or
> > blacklisting in the header.
> >
> > Also I have very small black/whitelists and the user in question is not on
> > any list and the spammer certainly isn't whitelisted!
> >
> > On Thu, 9 Oct 2003, Ken Anderson wrote:
> >
> > > Are you sure they aren't getting whitelisted?
> > > You can't always tell who the original envelope recipient was by looking
> > > at the mail headers. You have to check the maillog. Just a thought...
> > >
> > > Ken
> > > Pacific.Net
> > >
> > >
> > > Remco Barendse wrote:
> > >
> > > > Nobody else seeing this behaviour, we are still getting quite some spam
> > > > mails with extremely high scores that should not have made it past the
> > > > scoring rules, but still get delivered.
> > > >
> > > > This mail did get tagged with {Spam} but somehow the high scoring spam
> > > > action is not triggered.
> > > >
> > > > This is the header from another mail that got through:
> > > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=27.2, required 6,
> > > >         CLICK_BELOW 0.00, CLICK_TO_REMOVE_1 1.10, DATE_SPAMWARE_Y2K 4.40,
> > > >         DNS_FROM_RFCI_DSN 1.39, EXCUSE_10 0.14, EXCUSE_14 0.15,
> > > >         EXCUSE_15 0.71, EXCUSE_3 0.10, FORGED_MUA_OUTLOOK 1.58,
> > > >         FORGED_OUTLOOK_HTML 1.10, FORGED_RCVD_NET_HELO 3.02, FREE_QUOTE 2.80,
> > > >         FROM_ENDS_IN_NUMS 0.87, FRONTPAGE 1.63, HTML_50_60 0.18,
> > > >         HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> > > >         HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> > > >         HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
> > > >         MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, NO_REAL_NAME 0.28,
> > > >         OFFERS_ETC 0.20, SAVINGS 0.40, WE_HONOR_ALL 4.30)
> > > > X-MailScanner-SpamScore: sssssssssssssssssssssssssss
> > > >
> > > >
> > > > On Tue, 7 Oct 2003, Remco Barendse wrote:
> > > >
> > > >
> > > >>Today one of my users received two identical e-mails (with subject
> > > >>Mortgage rates just got better 3.55% Fixed).
> > > >>
> > > > >>One e-mail was filtered out correctly although with a very weird message
> > > > >>in the spam score at the bottom of the scored rules (spam (blacklisted)).
> > > > >>Nothing in that e-mail would match my blacklisting rules!
> > > > >>
> > > > >>Anybody else seeing this behaviour? I have my max score set to 9 and the
> > > > >>other e-mail got blocked (possibly only because it was marked blacklisted
> > > > >>although I don't know why) but this e-mail got through.
> > > > >>
> > > > >>This is the header from the mail that made it through (Exchange header):
> > > >>
> > > >>From: "" <drflojosi at spray.se>
> > > >>Reply-To: "" <drflojosi at spray.se>
> > > >>To: <xxx at xxx>
> > > >>Subject: {Spam?} xxxxx,Mortgage rates just got better 3.55% Fixed
> > > >>Date: Tue, 07 Oct 03 02:55:35 GMT
> > > >>X-Mailer: Microsoft Outlook, Build 10.0.2616
> > > >>MIME-Version: 1.0
> > > >>Content-Type: multipart/alternative;
> > > >>      boundary=".BE9.DB781B6"
> > > >>X-Priority: 3
> > > >>X-MSMail-Priority: Normal
> > > >>X-MailScanner-Information: Please contact the ISP for more information
> > > >>X-MailScanner: Found to be clean
> > > >>X-MailScanner-SpamCheck: spam, SpamAssassin (score=50.249, required 6,
> > > >>      BAD_CREDIT 0.16, BANG_MORE 1.17, CLICK_BELOW_CAPS 0.57,
> > > >>      CONSOLIDATE_DEBT 4.30, DATE_IN_FUTURE_03_06 2.83,
> > > >>      DATE_SPAMWARE_Y2K 4.40, DCC_CHECK 1.81, EXCUSE_14 0.15,
> > > >>      FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_HTML 1.10,
> > > >>      FORGED_RCVD_NET_HELO 3.02, FRONTPAGE 1.63, HTML_90_100 1.07,
> > > >>      HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> > > >>      HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> > > >>      HTML_LINK_CLICK_CAPS 0.50, HTML_LINK_CLICK_HERE 0.10,
> > > >>      HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HTML 0.41, LOW_PAYMENT 1.26,
> > > >>      MAILTO_TO_SPAM_ADDR 1.05, MIME_HTML_ONLY 0.10,
> > > > >>      MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, MORTGAGE_PITCH 1.54,
> > > > >>      MORTGAGE_RATES 1.10, NO_REAL_NAME 0.28, RCVD_IN_BL_SPAMCOP_NET 2.25,
> > > > >>      RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 1.10,
> > > > >>      RCVD_IN_OPM 4.30, RCVD_IN_OPM_HTTP 4.30, RCVD_IN_OPM_HTTP_POST 4.30)
> > > > >>X-MailScanner-SpamScore: ssssssssssssssssssssssssssssssssssssssssssssssssss
> > > > >>Return-Path: drflojosi at spray.se
> > > > >>X-OriginalArrivalTime: 06 Oct 2003 21:02:51.0727 (UTC) FILETIME=[3479BDF0:01C38C4D]
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > >
> >
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
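
An added example, not part of the original thread and not MailScanner code: a small audit that reads the X-MailScanner-SpamCheck header of a message found in a mailbox and flags it when its score is at or above the high-scoring threshold, which is the symptom reported above. The function names, the threshold default of 9 (the "max score" mentioned in the thread) and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Header layout as quoted in the thread:
#   spam, SpamAssassin (score=50.249, required 6, RULE 1.23, ...)
SPAMCHECK = re.compile(
    r"SpamAssassin \(score=(?P<score>-?\d+(?:\.\d+)?),\s*"
    r"required (?P<required>-?\d+(?:\.\d+)?)(?P<rules>[^)]*)\)"
)
RULE = re.compile(r"([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")

def parse_spamcheck(raw_message):
    """Return (score, required, {rule: points}), or None if not parseable."""
    value = message_from_string(raw_message).get("X-MailScanner-SpamCheck")
    if value is None:
        return None
    # Folded headers keep their line breaks, and a rule name can be split
    # from its points by the fold; collapse whitespace before matching.
    m = SPAMCHECK.search(" ".join(value.split()))
    if m is None:
        return None
    rules = {name: float(pts) for name, pts in RULE.findall(m.group("rules"))}
    return float(m.group("score")), float(m.group("required")), rules

def audit_delivered(raw_message, high_score=9.0):
    """Classify a message that was delivered (it is sitting in a mailbox)."""
    parsed = parse_spamcheck(raw_message)
    if parsed is None:
        return "unscored"
    score, required, _ = parsed
    if score >= high_score:
        return "high-score-delivered"  # high-scoring action did not fire
    if score >= required:
        return "spam-tagged"           # expected: tagged, then delivered
    return "clean"

# Constructed sample message; rule names follow the style seen in the thread.
SAMPLE = (
    "From: sender@example.invalid\n"
    "Subject: {Spam?} constructed sample\n"
    "X-MailScanner-SpamCheck: spam, SpamAssassin (score=11.74, required 6,\n"
    "\tDATE_SPAMWARE_Y2K 4.40, FORGED_RCVD_NET_HELO 3.02, FRONTPAGE 1.63,\n"
    "\tMORTGAGE_PITCH\n"
    "\t1.54, MISSING_MIMEOLE 1.15)\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(audit_delivered(SAMPLE), parse_spamcheck(SAMPLE))
```

A "high-score-delivered" result only shows that the action was skipped; as Ken notes in the thread, whitelisting by envelope recipient has to be ruled out from the maillog, not from the headers.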


