MailScanner/SpamAssassin problem
Rick Cooper
rcooper at DWFORD.COM
Sun Mar 14 01:45:22 GMT 2004
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Dan Williamson
> Sent: Saturday, March 13, 2004 7:09 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: MailScanner/SpamAssassin problem
>
>
> Hi,
>
> I can't figure out why these emails from this very prolific spammer are
> getting through MailScanner without being scanned by SpamAssassin.
>
> I've tried adding the return address "moosq.com" to the blacklist, but they
> still continue to get through without being scanned.
>
> Other emails are being checked, except from this one. There is no mention
> of him in the whitelist. The IP address is not whitelisted either. Is
> there anything unusual from the mail headers from one of the emails? The
> received address, daemon at localhost looks like a problem to me.
>
> Thank you for your time,
> -dan
>
>
Are you using the SA blacklist or the MS blacklist? Also note the
address funemails2 at 44.moosq.com would require you to blacklist
@44.moosq.com, not @moosq.com. So in your local.cf you could put

blacklist_from *@44.moosq.com

to blacklist anything coming from 44.moosq.com, or
funemails2 at 44.moosq.com to block this single address. Looking at
the subject I find it hard to believe that SA doesn't hit on
anything; as you mentioned, that does seem odd.

You may want to turn on RBLs also; a quick pass of 69.6.14.144
through rblookup shows the following (he'd be dropped at rcpt to:
on my systems):

144.14.6.69.dnsbl.sorbs.net A 127.0.0.6
144.14.6.69.dnsbl.sorbs.net TXT "Spam Received See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=69.6.14.144"
144.14.6.69.sbl.spamhaus.org A 127.0.0.2
144.14.6.69.sbl.spamhaus.org TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL6636"
144.14.6.69.sbl.spamhaus.org A 127.0.0.2
144.14.6.69.sbl.spamhaus.org TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL6636"
144.14.6.69.bl.spamcop.net A 127.0.0.2
144.14.6.69.bl.spamcop.net TXT "Blocked - see http://www.spamcop.net/bl.shtml?69.6.14.144"
144.14.6.69.dnsbl.njabl.org A 127.0.0.4
144.14.6.69.dnsbl.njabl.org TXT "WholesaleBandwidth, Inc. spam house...lots of individual spammers, lots of bogus swips -- 1066753285"
144.14.6.69.blackholes.five-ten-sg.com CNAME wholesalebandwidth.com.spam.blackholes.five-ten-sg.com
wholesalebandwidth.com.spam.blackholes.five-ten-sg.com A 127.0.0.2
144.14.6.69.blackholes.five-ten-sg.com CNAME wholesalebandwidth.com.spam.blackholes.five-ten-sg.com
wholesalebandwidth.com.spam.blackholes.five-ten-sg.com TXT "added 2003-01-25; see http://spews.org/html/S2067.html"

>
> Return-Path:
> <b.funemails2.0-30d3198-6a59.gokenora.com.-apollo at 44.moosq.com>
> Received: from 44.moosq.com (44.moosq.com [69.6.14.144])
> by iberian.gokenora.com (8.12.8) with ESMTP id
> i2DLl4Ye013113
> for <apollo at gokenora.com>; Sat, 13 Mar 2004
> 15:47:04 -0600
> Received: (from daemon at localhost)
> by 44.moosq.com (8.8.8/8.8.8) id FAA04000;
> Sat, 13 Mar 2004 05:33:15 -0800 (PST)
> Date: Sat, 13 Mar 2004 05:45:27 -0800 (PST)
> Message-Id: <200403131333.FAA04000 at 44.moosq.com>
> From: Ladies Turn <funemails2 at 44.moosq.com>
> To: apollo at gokenora.com
> Subject: Enjoy your love life as much as he does
> MIME-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> X-Iberian-MailScanner-Information: Scanned by Norcom
> Lynx <Iberian>
> X-Iberian-MailScanner: Found to be clean
> X-Iberian-MailScanner-SpamCheck:
> X-MailScanner-From:
> b.funemails2.0-30d3198-6a59.gokenora.com.-apollo at 44.moosq.com
> X-MailScanner-To: apollo at gokenora.com
> Status: O
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
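
An added illustration, not part of the original thread and not SpamAssassin's own code, of why the blacklist pattern has to include the subdomain, and of how the DNSBL query names in the lookup output are formed. It assumes blacklist_from patterns are file-glob style ('*' and '?'), case-insensitive and matched against the whole address; the function names are hypothetical and the addresses are taken from the quoted headers with "at" restored to "@".

```python
import re

def glob_to_regex(pattern):
    """Translate a file-glob address pattern to an anchored, case-folded regex."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")      # any run of characters, including dots
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def matching_patterns(address, patterns):
    """Return the patterns (in order) that match the whole address."""
    addr = address.strip().strip("<>").lower()
    return [p for p in patterns if glob_to_regex(p).match(addr)]

def dnsbl_query_name(ipv4, zone):
    """Build the DNSBL lookup name: octets reversed, then the list's zone."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + zone

# Addresses from the quoted headers (From: and Return-Path:).
FROM_ADDR = "funemails2@44.moosq.com"
RETURN_PATH = "<b.funemails2.0-30d3198-6a59.gokenora.com.-apollo@44.moosq.com>"

# Candidate patterns; the last two are constructed for comparison.
PATTERNS = [
    "*@moosq.com",              # misses: the host part is 44.moosq.com
    "*@44.moosq.com",           # the pattern suggested in the reply
    "funemails2@44.moosq.com",  # single address only
    "*@*.moosq.com",            # any subdomain of moosq.com
    "*@*moosq.com",             # too loose: also matches unrelated domains
]

if __name__ == "__main__":
    for addr in (FROM_ADDR, RETURN_PATH, "user@notmoosq.com"):
        print(addr, "->", matching_patterns(addr, PATTERNS))
    print(dnsbl_query_name("69.6.14.144", "sbl.spamhaus.org"))
```

The envelope sender here differs from the From: address in its local part, so only a domain-level pattern covers both.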