Spam over the max allowed score still slips through!!! {Scanned}

Scott Silva ssilva at SGVWATER.COM
Tue Jul 13 16:43:32 IST 2004


| An old topic but still very much alive. Guess this bug is still standing
| and not found?
|
| Mails well over the set limits still get delivered. It's even more
| annoying because you know that these buggers should have been filtered
| out. I still have the df/qf pair of that mail if anyone wants to test.
| Unfortunately I'm not much use as a programmer but willing to test :)
|
| Thanks!
|
| Microsoft Mail Internet Headers Version 2.0
| Received: from xxxx ([x.x.x.x]) by xxx with
| Microsoft SMTPSVC(5.0.2195.6713);
|          Mon, 12 Jul 2004 22:08:10 +0200
| Received: from vi752.hivehost.net (MCNM1.TheMailConnection.net
| [66.239.207.52] (may be forged))
|         by xxx (8.12.11/8.12.10) with SMTP id i6CK834g028903
|         for <xxx at xxx.com>; Mon, 12 Jul 2004 22:08:04 +0200
| To: xxx at xxx.com
| Date: Mon, 12 Jul 2004 16:15:34 -0500
| Message-ID: <1089663334.1970486240 at vi752.hivehost.net>
| From: update at cybersmartinvesting.com
| Subject: {Spam?} your weekly update

This looks like it was caught! (marked spam)
Check your rules on "what to do with spam".
A "forward" rule does not stop delivery to the original recipient.
It is more like a "forward copy to" action.



| MIME-Version: 1.0
| Content-type: multipart/alternative; boundary="1089663334.197048"
| X-gw-MailScanner-Information: Please contact the ISP for more
| information
| X-gw-MailScanner: Found to be clean
| X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker (score=0,
|         required 1)
| X-gw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
|         SpamAssassin (score=16.448, required 6, DCC_CHECK 3.00,
|         HTML_90_100 1.07, HTML_IMAGE_ONLY_02 2.24, HTML_MESSAGE 0.00,
|         HTML_WEB_BUGS 0.59, HTTP_WITH_EMAIL_IN_URL 0.16, MIME_HTML_ONLY 0.10,
|         MIME_HTML_ONLY_MULTI 1.10, MIME_MISSING_BOUNDARY 0.80,
|         MY_SHRT_IMG 0.85, NO_REAL_NAME 0.28, RCVD_IN_BL_SPAMCOP_NET 2.25,
|         RCVD_IN_SBL+XBL 4.00)
| X-gw-MailScanner-SpamScore: ssssssssssssssss
| X-MailScanner-From: update at cybersmartinvesting.com
| Return-Path: update at cybersmartinvesting.com
| X-OriginalArrivalTime: 12 Jul 2004 20:08:10.0397 (UTC)
| FILETIME=[F45084D0:01C4684B]
|
|
| On Mon, 17 May 2004, Remco Barendse wrote:
|
| > This is in my MailScanner.conf
| >
| > High SpamAssassin Score = 8
| > Spam Actions = striphtml deliver
| > High Scoring Spam Actions =  striphtml forward root at mydomain.com

Will still get through, but will have html munged so it opens as text.

| > Non Spam Actions = deliver
| >
| > This is my MCP config:
| > MCP Checks = yes
| >
| > MCP Required SpamAssassin Score = 1
| > MCP High SpamAssassin Score = 10
| > MCP Error Score = 1
| >
| > MCP Header = X-MailScanner-MCPCheck:
| > Non MCP Actions = deliver
| > MCP Actions = delete
| > High Scoring MCP Actions = delete
| >
| > Is Definitely MCP = no
| > Is Definitely Not MCP = %rules-dir%/mcp.check.rules
| > Definite MCP Is High Scoring = no
| > Always Include MCP Report = yes
| > Detailed MCP Report = yes
| > Include Scores In MCP Report = yes
| > Log MCP = yes
| >
| > MCP Max SpamAssassin Timeouts = 20
| > MCP Max SpamAssassin Size = 100000
| > MCP SpamAssassin Timeout = 10
| >
| > MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
| > MCP SpamAssassin User State Dir =
| > MCP SpamAssassin Local Rules Dir = %mcp-dir%
| > MCP SpamAssassin Default Rules Dir = %mcp-dir%
| > MCP SpamAssassin Install Prefix = %mcp-dir%
| > Recipient MCP Report = %report-dir%/en/recipient.mcp.report.txt
| > Sender MCP Report = %report-dir%/en/sender.mcp.report.txt
| >
| >
| > I assumed that spam scanning and mcp scanning are completely different,
| > separated issues and that the mail would first be checked for MCP and
| > after that a spam check is done whereby either of the 2 scans can remove
| > the mail from the queue to be delivered. Judging by your e-mail my
| > assumption is wrong?
| >
| > On Mon, 17 May 2004, Julian Field wrote:
| >
| > > At 07:56 17/05/2004, you wrote:
| > > >OK, so I set my high scoring spam actions to forward
| > > >postmaster at mydomain.com
| > > >
| > > >Still those mails are being delivered grrrrrrrrr
| > > >
| > > >The headers are identical, no changes, the score is way above my
| > > >acceptable limit and it is delivered without a complaint, no reference to
| > > >any whitelisting.
| > > >
| > > >The linux box I am forwarding the re-routed mails to is the same box that
| > > >has a rule in mailertables to route all mail through to the exchange
| > > >server. Could this be the problem? I *suspect* MailScanner thinks that the
| > > >mail has already been checked by this server and is passed on for further
| > > >delivery.
| > >
| > > MailScanner doesn't use anything in the headers to determine what it should do.
| > >
| > > >One would expect this to happen with virii too then, but this is not the
| > > >case.
| > >
| > > MCP saying it should deliver the message? What are all your spam actions
| > > and mcp actions settings?
| > > It's not trivial to work out what you actually want to do with the message
| > > when the spam actions and mcp actions conflict.
| > >
| > >
| > > >Ideas anyone?
| > > >
| > > >
| > > >On Fri, 14 May 2004, Julian Field wrote:
| > > >
| > > > > At 14:41 14/05/2004, you wrote:
| > > > > >This makes sense too, sort of but MailScanner.conf clearly states:
| > > > > >#    forward user at domain.com - forward a copy of the message to
| > > > > >user at domain.com
| > > > > >
| > > > > >Forwarding a COPY implies that the original will still be delivered?
| > > > >
| > > > > No. "deliver" is the only way of sending the (possibly mutated) mail to the
| > > > > original recipient.
| > > > >
| > > > >
| > > > > >This is why I added the delete rule
| > > > > >
| > > > > >On Fri, 14 May 2004, Spicer, Kevin wrote:
| > > > > >
| > > > > > > Remco Barendse wrote:
| > > > > > > > OK, that makes sense, sort of.
| > > > > > > >
| > > > > > > > Do you mean I should reverse the actions order then or does it mean
| > > > > > > > that a combination of delete and forward is never possible??
| > > > > > > >
| > > > > > > > Would :
| > > > > > > > striphtml forward root at mydomain.com delete
| > > > > > > > do what I want??
| > > > > > >
| > > > > > > No.
| > > > > > >
| > > > > > > Why are you stripping html if you are not delivering to users, this is
| > > > > > > surely creating unnecessary load for your servers.  Why not just
| > > > > > >
| > > > > > > forward root at mydomain.com
| > > > > > >
| > > > > > > If you _really_ want to striphtml then
| > > > > > >
| > > > > > > striphtml forward root at mydomain.com
| > > > > > >
| > > > > > > (even then I'm not sure that forward won't take effect before the
| > > > > > > striphtml) They should not be delivered to end users unless you add
| > > > > > > 'deliver' to the list of options.
| > > > > > >
| > > > > > >
| > > > > > >
| > > > > > > BMRB International
| > > > > > > http://www.bmrb.co.uk
| > > > > > > +44 (0)20 8566 5000
| > > > > > >
| > > > > > >
| > > > > > > -------------------------- MailScanner list ----------------------
| > > > > > > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
| > > > > > > Before posting, please see the Most Asked Questions at
| > > > > > > http://www.mailscanner.biz/maq/     and the archives at
| > > > > > > http://www.jiscmail.ac.uk/lists/mailscanner.html
| > > > > > >
| > > > > >
| > > > >
| > > > > --
| > > > > Julian Field
| > > > > www.MailScanner.info
| > > > > MailScanner thanks transtec Computers for their support
| > > > >
| > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
| > > > >
| > > > >
| > > >
| > >
| > > --
| > > Julian Field
| > > www.MailScanner.info
| > > MailScanner thanks transtec Computers for their support
| > >
| > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
| > >
| > >
| >
|
|
| --
| This message has been scanned for viruses and
| dangerous content by MailScanner, and is
| believed to be clean.
|
|


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
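
Added example (not part of the original thread and not MailScanner code): a Python triage script that reads the SpamCheck header format shown in the quoted message and the option names from the quoted MailScanner.conf, then reports which action list that config selects. It relies on the statement quoted in the thread that only "deliver" sends mail to the original recipient; the function names and the ">=" threshold comparison are assumptions.

```python
import re

# Constructed inputs: header abridged from the quoted message, options from the quoted conf.
SAMPLE_HEADERS = """\
X-gw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
        SpamAssassin (score=16.448, required 6, DCC_CHECK 3.00,
        RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_SBL+XBL 4.00)
"""
SAMPLE_CONF = """\
High SpamAssassin Score = 8
Spam Actions = striphtml deliver
High Scoring Spam Actions =  striphtml forward root at mydomain.com
Non Spam Actions = deliver
"""

def unfold(raw):
    """Join folded header lines; return {lowercased name: value}."""
    flat = re.sub(r"\r?\n[ \t]+", " ", raw)
    pairs = (line.partition(":") for line in flat.splitlines())
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def parse_conf(text):
    """Read 'Option = value' lines; option names are lowercased."""
    pairs = (line.split("#", 1)[0].partition("=") for line in text.splitlines())
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def parse_spamcheck(headers):
    """Return (flagged, score) from any *MailScanner-SpamCheck header, else None."""
    for name, value in headers.items():
        m = re.search(r"score=(-?[\d.]+),\s*required\s+-?[\d.]+", value)
        if name.endswith("mailscanner-spamcheck") and m:
            return value.split(",")[0].strip().lower() == "spam", float(m.group(1))
    return None

def expected_disposition(raw_headers, conf_text):
    """Pick the action list the quoted config selects for this message."""
    conf, check = parse_conf(conf_text), parse_spamcheck(unfold(raw_headers))
    if check is None:
        return None
    flagged, score = check
    if not flagged:
        option = "non spam actions"
    elif score >= float(conf["high spamassassin score"]):  # ">=" is an assumption
        option = "high scoring spam actions"
    else:
        option = "spam actions"
    actions = conf.get(option, "").split()
    # Per the thread, only "deliver" sends the mail to the original recipient.
    return {"option": option, "score": score, "actions": actions,
            "reaches_recipient": "deliver" in actions}
```

Calling expected_disposition(SAMPLE_HEADERS, SAMPLE_CONF) selects the high-scoring action list, which has no "deliver" in it, so a copy in the recipient's mailbox is not explained by that option as quoted.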
