Mail with spam and score 50 still delivered?

Remco Barendse mailscanner at BARENDSE.TO
Fri Oct 17 07:47:13 IST 2003


Hmmm, I've completely disabled MCP checks and still see spam getting
through.

I really do not have a clue why these mails make it through MailScanner.
The score is way above the delete threshold and they are marked as spam.
It seems that somehow they are mistakenly treated as low scoring spam.

Also no whitelisting is applied on the sender, the receiver or the IP
(and there's no remark about it in the header either). The box is running
mailscanner-4.23-11

This is the header of one spam mail:

Received: from xxx.xxx.xxx ([10.1.0.3]) by xxxx.xxxx.xxx with
Microsoft SMTPSVC(5.0.2195.6713);
         Fri, 17 Oct 2003 00:05:37 +0200
Received: from fusemail.com (80.178.13.233.forward.012.net.il
[80.178.13.233])
        by xxx.xxx.xxx (8.12.8/8.12.8) with SMTP id h9GM5OED006248
        for <xxx at xxx.xxx>; Fri, 17 Oct 2003 00:05:29 +0200
Message-Id: <200310162205.h9GM5OED006248 at xxx.xxx.xxx>
From: International R/X <kCiV at rock.com>
To: xxx at xxx.xxx
Subject: {Spam?} Big Discounts on Medical Penis Enhancement
Date: Thu, 16 Oct 2003 15:05:56 -0700
Mime-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Content-type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-MCPCheck:
X-MailScanner-SpamCheck: spam, SpamAssassin (score=19.71, required 6,
        ALL_NATURAL 1.32, BANG_GUARANTEE 1.10, CLICK_BELOW 0.00,
        FORGED_MUA_EUDORA 1.91, GUARANTEE 2.15, HTML_60_70 0.10,
        HTML_FONTCOLOR_RED 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
        HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
        HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00,
        HTML_TAG_EXISTS_TBODY 0.10, MIME_HTML_ONLY 0.10,
        MISSING_MIMEOLE 1.15, MISSING_OUTLOOK_NAME 0.10, MONEY_BACK 4.30,
        MSGID_FROM_MTA_SHORT 3.31, NORMAL_HTTP_TO_IP 0.21,
        RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_DSBL 1.10)
X-MailScanner-SpamScore: sssssssssssssssssss
Return-Path: rO at rock.com
X-OriginalArrivalTime: 16 Oct 2003 22:05:37.0452 (UTC)
FILETIME=[A12746C0:01C39431]


Ideas anyone?

On Mon, 13 Oct 2003, Remco Barendse wrote:

> I have an idea where I would need to look, I have disabled MCP checking
> (wasn't doing anything anyways) and have not seen any spam slipping
> through since.
>
> Could it be that there is a bug in MCP handling, that a message that makes
> it through MCP doesn't get spam killed??
>
> On Fri, 10 Oct 2003, Remco Barendse wrote:
>
> > Yes, very sure. The header is marked by only one gateway and there is only
> > one header in the mail. Also MS would have reported any white or
> > blacklisting in the header.
> >
> > Also I have very small black/whitelists and the user in question is not on
> > any list and the spammer certainly isn't whitelisted!
> >
> > On Thu, 9 Oct 2003, Ken Anderson wrote:
> >
> > > Are you sure they aren't getting whitelisted?
> > > You can't always tell who the original envelope recipient was by looking
> > > at the mail headers. You have to check the maillog. Just a thought...
> > >
> > > Ken
> > > Pacific.Net
> > >
> > >
> > > Remco Barendse wrote:
> > >
> > > > Nobody else seeing this behaviour, we are still getting quite some spam
> > > > mails with extremely high scores that should not have made it past the
> > > > scoring rules, but still get delivered.
> > > >
> > > > This mail did get tagged with {Spam} but somehow the high scoring spam
> > > > action is not triggered.
> > > >
> > > > This is the header from another mail that got through:
> > > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=27.2, required 6,
> > > >         CLICK_BELOW 0.00, CLICK_TO_REMOVE_1 1.10, DATE_SPAMWARE_Y2K 4.40,
> > > >         DNS_FROM_RFCI_DSN 1.39, EXCUSE_10 0.14, EXCUSE_14 0.15,
> > > >         EXCUSE_15 0.71, EXCUSE_3 0.10, FORGED_MUA_OUTLOOK 1.58,
> > > >         FORGED_OUTLOOK_HTML 1.10, FORGED_RCVD_NET_HELO 3.02, FREE_QUOTE
> > > > 2.80,
> > > >         FROM_ENDS_IN_NUMS 0.87, FRONTPAGE 1.63, HTML_50_60 0.18,
> > > >         HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> > > >         HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> > > >         HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
> > > >         MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, NO_REAL_NAME
> > > > 0.28,
> > > >         OFFERS_ETC 0.20, SAVINGS 0.40, WE_HONOR_ALL 4.30)
> > > > X-MailScanner-SpamScore: sssssssssssssssssssssssssss
> > > >
> > > >
> > > > On Tue, 7 Oct 2003, Remco Barendse wrote:
> > > >
> > > >
> > > >>Today one of my users received two identical e-mails (with subject
> > > >>Mortgage rates just got better 3.55% Fixed).
> > > >>
> > > >>One e-mail was filtered out correctly although with a very weird message
> > > >>in the spam score at the bottom of the scored rules (spam (blacklisted)).
> > > >>Nothing in that e-mail would match my blacklisting rules!
> > > >>
> > > >>Anybody else seeing this behaviour? I have my max score set to 9 and the
> > > >>other e-mail got blocked (possibly only because it was marked blacklisted
> > > > >>although I don't know why) but this e-mail got through.
> > > >>
> > > > >>This is the header from the mail that made it through (Exchange header):
> > > >>
> > > >>From: "" <drflojosi at spray.se>
> > > >>Reply-To: "" <drflojosi at spray.se>
> > > >>To: <xxx at xxx>
> > > >>Subject: {Spam?} xxxxx,Mortgage rates just got better 3.55% Fixed
> > > >>Date: Tue, 07 Oct 03 02:55:35 GMT
> > > >>X-Mailer: Microsoft Outlook, Build 10.0.2616
> > > >>MIME-Version: 1.0
> > > >>Content-Type: multipart/alternative;
> > > >>      boundary=".BE9.DB781B6"
> > > >>X-Priority: 3
> > > >>X-MSMail-Priority: Normal
> > > >>X-MailScanner-Information: Please contact the ISP for more information
> > > >>X-MailScanner: Found to be clean
> > > >>X-MailScanner-SpamCheck: spam, SpamAssassin (score=50.249, required 6,
> > > >>      BAD_CREDIT 0.16, BANG_MORE 1.17, CLICK_BELOW_CAPS 0.57,
> > > >>      CONSOLIDATE_DEBT 4.30, DATE_IN_FUTURE_03_06 2.83,
> > > >>      DATE_SPAMWARE_Y2K 4.40, DCC_CHECK 1.81, EXCUSE_14 0.15,
> > > >>      FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_HTML 1.10,
> > > >>      FORGED_RCVD_NET_HELO 3.02, FRONTPAGE 1.63, HTML_90_100 1.07,
> > > >>      HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_RED 0.10,
> > > >>      HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10,
> > > >>      HTML_LINK_CLICK_CAPS 0.50, HTML_LINK_CLICK_HERE 0.10,
> > > >>      HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HTML 0.41, LOW_PAYMENT 1.26,
> > > >>      MAILTO_TO_SPAM_ADDR 1.05, MIME_HTML_ONLY 0.10,
> > > >>      MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, MORTGAGE_PITCH
> > > >>1.54,
> > > >>      MORTGAGE_RATES 1.10, NO_REAL_NAME 0.28, RCVD_IN_BL_SPAMCOP_NET
> > > >>2.25,
> > > >>      RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 1.10,
> > > >>      RCVD_IN_OPM 4.30, RCVD_IN_OPM_HTTP 4.30, RCVD_IN_OPM_HTTP_POST
> > > >>4.30)
> > > >>X-MailScanner-SpamScore:
> > > >>ssssssssssssssssssssssssssssssssssssssssssssssssss
> > > >>Return-Path: drflojosi at spray.se
> > > >>X-OriginalArrivalTime: 06 Oct 2003 21:02:51.0727 (UTC)
> > > >>FILETIME=[3479BDF0:01C38C4D]
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > >
> >
> >
>
>
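
An added example, not part of the original post and not MailScanner's own code: a small audit script that parses the X-MailScanner-SpamCheck header in the format shown above and flags delivered mail whose score is at or above the high-scoring threshold. The threshold of 9 comes from the thread; the function names, the sample message and the treatment of a "(whitelisted)"/"(blacklisted)" note in the verdict text are assumptions.

```python
import re
from email import message_from_string

HIGH_SCORE = 9.0  # assumption: the "max score set to 9" mentioned in the thread

# Constructed sample: shortened header in the format shown in the post.
SAMPLE = """\
Subject: {Spam?} constructed sample
X-MailScanner-SpamCheck: spam, SpamAssassin (score=19.71, required 6,
        FORGED_MUA_EUDORA 1.91, GUARANTEE 2.15, MONEY_BACK 4.30,
        MSGID_FROM_MTA_SHORT 3.31, RCVD_IN_BL_SPAMCOP_NET 2.25)

body
"""

NUM = r"-?\d+(?:\.\d+)?"
CHECK_RE = re.compile(
    rf"SpamAssassin \(score=(?P<score>{NUM}), required (?P<required>{NUM})"
    r"(?:, (?P<rules>[^)]*))?\)")
RULE_RE = re.compile(rf"([A-Z0-9_]+) ({NUM})")

def parse_spamcheck(raw_message):
    """Return verdict, score, threshold and per-rule scores, or None."""
    value = message_from_string(raw_message).get("X-MailScanner-SpamCheck")
    if value is None:
        return None
    value = " ".join(value.split())  # unfold the continuation lines
    m = CHECK_RE.search(value)
    if m is None:
        return None
    return {
        "verdict": value[:m.start()].strip(" ,"),  # text before "SpamAssassin"
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "rules": {n: float(s) for n, s in RULE_RE.findall(m.group("rules") or "")},
    }

def audit(raw_message, high_score=HIGH_SCORE):
    """Classify a message that was found delivered in a mailbox."""
    info = parse_spamcheck(raw_message)
    if info is None:
        return "no-spamcheck-header"
    if "listed" in info["verdict"]:  # assumed "(whitelisted)"/"(blacklisted)" note
        return "list-override"
    if info["score"] >= high_score:
        return "high-score-delivered"  # should have hit the high-scoring action
    if info["score"] >= info["required"]:
        return "low-score-spam"
    return "clean"
```

Run over a mailbox of delivered messages, the "high-score-delivered" results give the message set to compare against the maillog, as suggested earlier in the thread.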


