Spam over the max allowed score still slips through!!!

Remco Barendse mailscanner at BARENDSE.TO
Tue Jul 13 07:34:12 IST 2004


An old topic but still very much alive. Guess this bug is still standing
and not found?

Mails well over the set limits still get delivered. It's even more
annoying because you know that these buggers should have been filtered
out. I still have the df/qf pair of that mail if anyone wants to test.
Unfortunately I'm not much use as a programmer but willing to test :)

Thanks!

Microsoft Mail Internet Headers Version 2.0
Received: from xxxx ([x.x.x.x]) by xxx with
Microsoft SMTPSVC(5.0.2195.6713);
         Mon, 12 Jul 2004 22:08:10 +0200
Received: from vi752.hivehost.net (MCNM1.TheMailConnection.net
[66.239.207.52] (may be forged))
        by xxx (8.12.11/8.12.10) with SMTP id i6CK834g028903
        for <xxx at xxx.com>; Mon, 12 Jul 2004 22:08:04 +0200
To: xxx at xxx.com
Date: Mon, 12 Jul 2004 16:15:34 -0500
Message-ID: <1089663334.1970486240 at vi752.hivehost.net>
From: update at cybersmartinvesting.com
Subject: {Spam?} your weekly update
MIME-Version: 1.0
Content-type: multipart/alternative; boundary="1089663334.197048"
X-gw-MailScanner-Information: Please contact the ISP for more
information
X-gw-MailScanner: Found to be clean
X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker (score=0,
        required 1)
X-gw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
        SpamAssassin (score=16.448, required 6, DCC_CHECK 3.00,
        HTML_90_100 1.07, HTML_IMAGE_ONLY_02 2.24, HTML_MESSAGE 0.00,
        HTML_WEB_BUGS 0.59, HTTP_WITH_EMAIL_IN_URL 0.16, MIME_HTML_ONLY
0.10,
        MIME_HTML_ONLY_MULTI 1.10, MIME_MISSING_BOUNDARY 0.80,
        MY_SHRT_IMG 0.85, NO_REAL_NAME 0.28, RCVD_IN_BL_SPAMCOP_NET 2.25,
        RCVD_IN_SBL+XBL 4.00)
X-gw-MailScanner-SpamScore: ssssssssssssssss
X-MailScanner-From: update at cybersmartinvesting.com
Return-Path: update at cybersmartinvesting.com
X-OriginalArrivalTime: 12 Jul 2004 20:08:10.0397 (UTC)
FILETIME=[F45084D0:01C4684B]


On Mon, 17 May 2004, Remco Barendse wrote:

> This is in my MailScanner.conf
>
> High SpamAssassin Score = 8
> Spam Actions = striphtml deliver
> High Scoring Spam Actions =  striphtml forward root at mydomain.com
> Non Spam Actions = deliver
>
> This is my MCP config:
> MCP Checks = yes
>
> MCP Required SpamAssassin Score = 1
> MCP High SpamAssassin Score = 10
> MCP Error Score = 1
>
> MCP Header = X-MailScanner-MCPCheck:
> Non MCP Actions = deliver
> MCP Actions = delete
> High Scoring MCP Actions = delete
>
> Is Definitely MCP = no
> Is Definitely Not MCP = %rules-dir%/mcp.check.rules
> Definite MCP Is High Scoring = no
> Always Include MCP Report = yes
> Detailed MCP Report = yes
> Include Scores In MCP Report = yes
> Log MCP = yes
>
> MCP Max SpamAssassin Timeouts = 20
> MCP Max SpamAssassin Size = 100000
> MCP SpamAssassin Timeout = 10
>
> MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
> MCP SpamAssassin User State Dir =
> MCP SpamAssassin Local Rules Dir = %mcp-dir%
> MCP SpamAssassin Default Rules Dir = %mcp-dir%
> MCP SpamAssassin Install Prefix = %mcp-dir%
> Recipient MCP Report = %report-dir%/en/recipient.mcp.report.txt
> Sender MCP Report = %report-dir%/en/sender.mcp.report.txt
>
>
> I assumed that spam scanning and mcp scanning are completely different,
> separated issues and that the mail would first be checked for MCP and
> after that a spam check is done whereby either of the 2 scans can remove
> the mail from the queue to be delivered. Judging by your e-mail my
> assumption is wrong?
>
> On Mon, 17 May 2004, Julian Field wrote:
>
> > At 07:56 17/05/2004, you wrote:
> > >OK, so I set my high scoring spam actions to forward
> > >postmaster at mydomain.com
> > >
> > >Still those mails are being delivered grrrrrrrrr
> > >
> > >The headers are identical, no changes, the score is way above my
> > >acceptable limit and it is delivered without a complaint, no reference to
> > >any whitelisting.
> > >
> > >The linux box I am forwarding the re-routed mails to is the same box that
> > >has a rule in mailertables to route all mail through to the exchange
> > >server. Could this be the problem? I *suspect* MailScanner thinks that the
> > >mail has already been checked by this server and is passed on for further
> > >delivery.
> >
> > MailScanner doesn't use anything in the headers to determine what it should do.
> >
> > >One would expect this to happen with virii too then, but this is not the
> > >case.
> >
> > MCP saying it should deliver the message? What are all your spam actions
> > and mcp actions settings?
> > It's not trivial to work out what you actually want to do with the message
> > when the spam actions and mcp actions conflict.
> >
> >
> > >Ideas anyone?
> > >
> > >
> > >On Fri, 14 May 2004, Julian Field wrote:
> > >
> > > > At 14:41 14/05/2004, you wrote:
> > > > >This makes sense too, sort of but MailScanner.conf clearly states:
> > > > >#    forward user at domain.com - forward a copy of the message to
> > > > >user at domain.com
> > > > >
> > > > >Forwarding a COPY implies that the original will still be delivered?
> > > >
> > > > No. "deliver" is the only way of sending the (possibly mutated) mail to the
> > > > original recipient.
> > > >
> > > >
> > > > >This is why I added the delete rule
> > > > >
> > > > >On Fri, 14 May 2004, Spicer, Kevin wrote:
> > > > >
> > > > > > Remco Barendse wrote:
> > > > > > > OK, that makes sense, sort of.
> > > > > > >
> > > > > > > Do you mean I should reverse the actions order then or does it mean
> > > > > > > that a combination of delete and forward is never possible??
> > > > > > >
> > > > > > > Would :
> > > > > > > striphtml forward root at mydomain.com delete
> > > > > > > do what I want??
> > > > > >
> > > > > > No.
> > > > > >
> > > > > > > Why are you stripping html if you are not delivering to users, this is
> > > > > > > surely creating unnecessary load for your servers.  Why not just
> > > > > >
> > > > > > forward root at mydomain.com
> > > > > >
> > > > > > If you _really_ want to striphtml then
> > > > > >
> > > > > > striphtml forward root at mydomain.com
> > > > > >
> > > > > > > (even then I'm not sure that forward won't take effect before the
> > > > > > > striphtml) They should not be delivered to end users unless you add
> > > > > > > 'deliver' to the list of options.
> > > > > >
> > > > > >
> > > > > >
> > > > > > BMRB International
> > > > > > http://www.bmrb.co.uk
> > > > > > +44 (0)20 8566 5000
> > > > > >
> > > > > > -------------------------- MailScanner list ----------------------
> > > > > > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > > > > > Before posting, please see the Most Asked Questions at
> > > > > > http://www.mailscanner.biz/maq/     and the archives at
> > > > > > http://www.jiscmail.ac.uk/lists/mailscanner.html
> > > > > >
> > > > >
> > > > >-------------------------- MailScanner list ----------------------
> > > > >To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > > > >Before posting, please see the Most Asked Questions at
> > > > >http://www.mailscanner.biz/maq/     and the archives at
> > > > >http://www.jiscmail.ac.uk/lists/mailscanner.html
> > > >
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > MailScanner thanks transtec Computers for their support
> > > >
> > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > > >
> > > > -------------------------- MailScanner list ----------------------
> > > > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > > > Before posting, please see the Most Asked Questions at
> > > > http://www.mailscanner.biz/maq/     and the archives at
> > > > http://www.jiscmail.ac.uk/lists/mailscanner.html
> > > >
> > >
> > >-------------------------- MailScanner list ----------------------
> > >To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > >Before posting, please see the Most Asked Questions at
> > >http://www.mailscanner.biz/maq/     and the archives at
> > >http://www.jiscmail.ac.uk/lists/mailscanner.html
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> > -------------------------- MailScanner list ----------------------
> > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > Before posting, please see the Most Asked Questions at
> > http://www.mailscanner.biz/maq/     and the archives at
> > http://www.jiscmail.ac.uk/lists/mailscanner.html
> >
>
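
An added example, not part of the original post and not MailScanner code: an audit that reads the SpamCheck header of a message found in a mailbox, works out which action list the settings quoted in the thread select for its score, and flags the message when that list contains no `deliver`. The function names and the `>=` tier comparison are assumptions of this example; the sample message is a constructed, shortened copy of the headers shown above.

```python
import re
from email import message_from_string

# Settings quoted in the thread (address as the list archive rendered it).
CONF = """\
High SpamAssassin Score = 8
Spam Actions = striphtml deliver
High Scoring Spam Actions =  striphtml forward root at mydomain.com
Non Spam Actions = deliver
"""

# Constructed sample: shortened copy of the delivered message's headers.
DELIVERED = """\
Subject: {Spam?} your weekly update
X-gw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
\tSpamAssassin (score=16.448, required 6, DCC_CHECK 3.00,
\tMIME_HTML_ONLY 0.10, RCVD_IN_SBL+XBL 4.00)
"""

def parse_conf(text):
    """'Key = value' lines -> dict with lower-cased keys (hypothetical helper)."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip().lower(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def parse_spamcheck(raw):
    """Return (score, required, {rule: points}) from the SpamCheck header, or None."""
    for name, value in message_from_string(raw).items():
        # The header name carries a site-specific prefix ("gw" in the post).
        if not re.fullmatch(r"X-(.+-)?MailScanner-SpamCheck", name, re.I):
            continue
        flat = re.sub(r"\s+", " ", value)  # undo header folding
        m = re.search(r"score=(-?[\d.]+), required (-?[\d.]+)(.*?)\)", flat)
        if m:
            hits = re.findall(r"([A-Z][A-Z0-9_+]*) (-?\d+(?:\.\d+)?)", m.group(3))
            return float(m.group(1)), float(m.group(2)), {k: float(v) for k, v in hits}
    return None

def audit_delivered(raw, conf):
    """Flag a delivered message whose selected action list lacks 'deliver'."""
    parsed = parse_spamcheck(raw)
    if parsed is None:
        return {"tier": "unscanned", "actions": [], "anomaly": False}
    score, required, rules = parsed
    high = float(conf["high spamassassin score"])
    # Assumption: a score at or above a threshold selects that tier.
    tier = "high" if score >= high else "spam" if score >= required else "ham"
    key = {"high": "high scoring spam actions", "spam": "spam actions", "ham": "non spam actions"}[tier]
    actions = conf[key].split()
    return {"tier": tier, "score": score, "actions": actions,
            "anomaly": "deliver" not in actions, "top_rule": max(rules, key=rules.get, default=None)}
```

Run over a mailbox of delivered mail, any result with `anomaly` set is a message that reached a user although the configured actions for its score tier never asked for delivery, which is the symptom reported in this thread.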
