Some e-mails not being scanned? {Scanned}

Julian Field mailscanner at ecs.soton.ac.uk
Sun Feb 22 13:20:24 GMT 2004


All I can really say at this point is that scanning is not governed by the
contents of the headers in any way, so looking at the AntiAbuse headers is
a red herring.

I still think it's a webmail configuration interface problem, as the
"www at localhost" statements imply. I still think your webmail is not
delivering by SMTP to your MailScanner, but is invoking sendmail directly.
Take a good look at your webmail configuration.

At 09:31 22/02/2004, you wrote:
>Julian,
>
>Sorry, didn't see your reply until tonight. Oops! In regards to your reply,
>these e-mails that bypass MS/SA in no way come from any place which I
>have whitelisted. We use openwebmail but I'm not sure how this spammer is
>using that to bypass MS/SA.
>
>The strange thing is that only e-mails with the 'X-AntiAbuse' header seem to
>bypass MS/SA. Can anyone see a pattern and possibilities of how this spammer
>is bypassing MS/SA? Here is some more header info from some recent e-mails,
>all from the same spammer:
>
>Return-Path: <shelhaxr at tamil.com>
>Received: from 1stbulkemail.com (pD9504F54.dip.t-dialin.net [217.80.79.84])
>  by wppi.com (8.10.2/8.10.2) with SMTP id i1M7FWf10235
>  for <sales at wppi.com>; Sun, 22 Feb 2004 02:15:33 -0500
>Received: (from www at localhost)
>     by 1stbulkemail.com (8.11.6p2/8.11.3) with ESMTP id J87Gz028030521
>     for <sales at wppi.com>; Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
>     (envelope-from www)
>Message-ID: <697663289192.4DuK9L6i87y3H4 at localhost>
>From: "Shara Montoya" <shelhaxr at tamil.com>
>To: sales at wppi.com
>Subject: Design Your Logo {Scanned}
>Date: Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
>X-AntiAbuse: This header was added to track abuse, please include it with
>any abuse report
>X-AntiAbuse: Primary Hostname - 1stbulkemail.com
>X-AntiAbuse: Original Domain - 1stbulkemail.com
>X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
>X-AntiAbuse: Sender Address Domain -
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
>
>--------------------------------------------------------------------------------
>
>Return-Path: <hahgjkcr at gundamfan.com>
>Received: from eofficemail.com ([218.157.147.241])
>  by wash-photo.com (8.10.2/8.10.2) with SMTP id i1M13of25927
>  for <sales at wash-photo.com>; Sat, 21 Feb 2004 20:03:51 -0500
>Received: (from www at localhost)
>     by eofficemail.com (Vircom SMTPRS 2.1.258) with ESMTP id J87Gz030585292
>     for <sales at wash-photo.com>; Sat, 21 Feb 2004 20:04:42 -0500 (EST)
>     (envelope-from www)
>Message-ID: <380117213434.PbtrkS09esY7Q8 at localhost>
>From: "Laquita Ewing" <hahgjkcr at gundamfan.com>
>To: sales at wash-photo.com
>Subject: Custom Logo Creation {Scanned}
>Date: Sat, 21 Feb 2004 20:04:42 -0500 (EST)
>X-AntiAbuse: This header was added to track abuse, please include it with
>any abuse report
>X-AntiAbuse: Primary Hostname - eofficemail.com
>X-AntiAbuse: Original Domain - eofficemail.com
>X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
>X-AntiAbuse: Sender Address Domain -
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
>
>
>
>--------------------------------------------------------------------------------
>
>Return-Path: <zpmdewwg at netsiam.com>
>Received: from emailphonebook.net
>(lsanca2-ar32-4-33-033-229.lsanca2.dsl-verizon.net [4.33.33.229])
>  by ultraphotos.com (8.10.2/8.10.2) with SMTP id i1LKDLf12864
>  for <sales at ultraphotos.com>; Sat, 21 Feb 2004 15:13:21 -0500
>Received: (from www at localhost)
>     by emailphonebook.net (8.12.8/8.10.0) with ESMTP id J87Gz028821499
>     for <sales at ultraphotos.com>; Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
>     (envelope-from www)
>Message-ID: <548455242357.f8H0iBG31vW05g at localhost>
>From: "Sade Rowe" <zpmdewwg at netsiam.com>
>To: sales at ultraphotos.com
>Subject: Flash Logo Animation {Scanned}
>Date: Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
>X-AntiAbuse: This header was added to track abuse, please include it with
>any abuse report
>X-AntiAbuse: Primary Hostname - emailphonebook.net
>X-AntiAbuse: Original Domain - emailphonebook.net
>X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
>X-AntiAbuse: Sender Address Domain -
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
>
>----- Original Message -----
>From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Sunday, February 15, 2004 1:08 PM
>Subject: Re: Some e-mails not being scanned? {Scanned}
>
>
> > I suspect from the headers that you have an email-generating app (a webmail
> > system perhaps?) that is sending mail by directly invoking the sendmail
> > binary. You need to get this app to send mail by talking SMTP to localhost
> > instead.
> > Either that or you have bypassed the MS host in some way for this mail. As
> > you don't say which of the systems involved is the MS host, it is
> > impossible to say for definite.
> >
> > At 15:42 15/02/2004, you wrote:
> > >Can someone tell me why some e-mails don't get scanned by MS/SA? I know they
> > >are not being scanned because they are missing the mailscanner header info.
> > >The only thing I can think of is that there is something in mailscanner
> > >which ignores e-mails that contain in the header 'X-AntiAbuse' and flags
> > >them as non-spam. Not sure if I'm right but hopefully someone here can help.
> > >
> > >Here is a sample e-mail header which does not get scanned by mailscanner:
> > >
> > >Return-Path: <txcqkkkg at boardermail.com>
> > >Received: from free-web-hosting-and-free-email.com
> > >(pcp07722622pcs.nrockv01.md.comcast.net [69.138.239.114])
> > >  by wppi.net (8.10.2/8.10.2) with SMTP id i1BMkQA01925
> > >  for <sales at wppi.net>; Wed, 11 Feb 2004 17:46:30 -0500
> > >Received: (from www at localhost)
> > >     by free-web-hosting-and-free-email.com (SMTPD32-7.00) with ESMTP id
> > >J87Gz037587771
> > >     for <sales at wppi.net>; Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> > >     (envelope-from www)
> > >Message-ID: <823244444119.yyr36h3MgwRq8N at localhost>
> > >From: "Ruthie Nixon" <txcqkkkg at boardermail.com>
> > >To: sales at wppi.net
> > >Subject: Website Intros and Animated Logos {Scanned}
> > >Date: Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> > >X-AntiAbuse: This header was added to track abuse, please include it with
> > >any abuse report
> > >X-AntiAbuse: Primary Hostname - free-web-hosting-and-free-email.com
> > >X-AntiAbuse: Original Domain - free-web-hosting-and-free-email.com
> > >X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> > >X-AntiAbuse: Sender Address Domain -
> > >MIME-Version: 1.0
> > >Content-Type: multipart/alternative;
> > >         boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
> > >
> > >
> > >Thanks,
> > >
> > >SW
> > >
> > >
> > >
> > >-------------------------------------------------
> > >         WPPi.com        |        WPPi.Net
> > >-------------------------------------------------
> > >   http://www.wppi.com   |  http://www.wppi.net
> > >-------------------------------------------------
> > >WPPi.com & WPPi.Net MailScanner Signature
> > >This message has been scanned for viruses
> > >and dangerous content by WPPi MailScanner,
> > >and has been found to be clean.
> > >-------------------------------------------------
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
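
A header triage for the question in this thread, added here as an example (it is not from the original posts or from MailScanner): it reports whether a message carries the scanner's header and whether the receiving host recorded it as an SMTP hop or as a local "(from user@localhost)" submission through the sendmail binary. The X-MailScanner header name, the hostnames and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

SCANNER_HEADER = "X-MailScanner"  # assumption: set to the header your scanner adds

# sendmail records a message handed to its binary (no SMTP peer) as
# "(from user@localhost) by host ..."; an SMTP hop starts "from peer ... by host".
LOCAL_RE = re.compile(r"\(from\s+([^@\s]+)@localhost\)\s+by\s+(\S+)", re.I)
SMTP_RE = re.compile(r"from\s+(\S+).*?\sby\s+(\S+)", re.I)

def hops(msg):
    """Received chain, newest first, as (kind, recording_host, peer_or_user)."""
    chain = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        local, smtp = LOCAL_RE.match(text), SMTP_RE.match(text)
        if local:
            chain.append(("local", local.group(2).lower(), local.group(1)))
        elif smtp:
            chain.append(("smtp", smtp.group(2).lower(), smtp.group(1)))
    return chain

def triage(raw, our_host):
    """Report whether the message was scanned and how it entered our_host."""
    msg = message_from_string(raw)
    scanned = msg.get(SCANNER_HEADER) is not None
    # Only hops recorded by our own host are trustworthy; anything older was
    # supplied by the sender and may be forged.
    ours = [h for h in hops(msg) if h[1] == our_host.lower()]
    kind, _, source = ours[-1] if ours else ("unknown", None, None)
    return {"scanned": scanned, "entered_via": kind, "source": source}

# Constructed samples; mail.example.org stands in for the scanning host.
LOCAL_MSG = (
    "Received: (from www@localhost)\n"
    "\tby mail.example.org (8.10.2/8.10.2) id CONSTRUCTED1;\n"
    "\tSun, 22 Feb 2004 07:15:07 GMT\n"
    "Subject: sent by a web app through the sendmail binary\n\nbody\n")
SMTP_MSG = (
    "Received: from sender.example.net (sender.example.net [192.0.2.10])\n"
    "\tby mail.example.org (8.10.2/8.10.2) with SMTP id CONSTRUCTED2;\n"
    "\tSun, 22 Feb 2004 02:15:33 -0500\n"
    "Received: (from www@localhost)\n"
    "\tby sender.example.net (8.11.6) with ESMTP id CONSTRUCTED3\n"
    "X-MailScanner: Found to be clean\n"
    "Subject: relayed in over SMTP\n\nbody\n")
```

Run triage() over the unscanned messages with our_host set to the name your MTA writes in its own Received lines; a result of "local" means a program on that host handed the message to the sendmail binary, "smtp" means it arrived over SMTP from the listed peer.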


