High scored spam still slipped through

Remco Barendse mailscanner at BARENDSE.TO
Mon Mar 15 08:04:45 GMT 2004


Did you get the df/qf pair I sent you from my other mail address? It is
fairly consistent; one mailbox saw about 7 e-mails from the same
organization slip through this weekend.

Could they be doing something funny with the headers? The e-mail body
looks like plain html to me, no weird stuff (but I'm not an expert).

They always use different sender domains and mail relays making it
difficult to block (although the high spam scores should be enough).

Thanks!

On Fri, 12 Mar 2004, Julian Field wrote:

> At 09:47 12/03/2004, you wrote:
> >Sorry for replying to my own mail but I'm VERY annoyed.
> >
> >Every high scoring e-mail is blocked properly by MailScanner and forwarded
> >to the designated mail address but these bastards seem to have found a way
> >to punch through MailScanner. We are seeing lots of those annoying
> >messages slipping through regardless of how high their score is.
> >
> >Is anybody else seeing this behaviour? I have this on 3 different servers.
> >
> >I have a df/qf pair of the original mail available as received if it would
> >be of any help.
>
> Yes it would.
>
>
> >Thanks!
> >Remco
> >
> >
> >On Thu, 11 Mar 2004, Remco Barendse wrote:
> >
> > > This morning I received a spam mail that slipped through.
> > >
> > > For low scoring spam I do striphtml deliver
> > > high scoring spam : delete forward postmaster
> > >
> > > The mail was tagged correctly with spam but the html was not stripped and
> > > the mail was not deleted. This is the header of the mail from the client
> > > (Outlook under Exchange).
> > >
> > > My spam high score limit is set to 8, this mail scores way above that and
> > > also there is no mentioning of any whitelisting.
> > >
> > > Ideas anyone?
> > >
> > > Microsoft Mail Internet Headers Version 2.0
> > > Received: from x.x.x ([10.1.0.6]) by x.x.x with Microsoft
> > >        SMTPSVC(5.0.2195.6713);
> > >        Wed, 10 Mar 2004 21:31:16 +0100
> > > Received: from maildrop10.xs4all.nl (maildrop10.xs4all.nl
> > > [194.109.127.140])
> > >       by x.x.x (8.12.8/8.12.8) with ESMTP id i2AKUlSM012175
> > >       for <x at x>; Wed, 10 Mar 2004 21:30:49 +0100
> > > Received: from mxzilla1.xs4all.nl (mxzilla1.xs4all.nl [194.109.24.201])
> > >       by maildrop10.xs4all.nl (8.12.9/8.12.6) with ESMTP id
> > > i2AKUlXg056775
> > >       for <x at x>; Wed, 10 Mar 2004 21:30:47 +0100 (CET)
> > > Received: from facemolality.com ([216.52.222.110])
> > >       by mxzilla1.xs4all.nl (8.12.10/8.12.10) with SMTP id
> > > i2AKUjum084354
> > >       for <x at x>; Wed, 10 Mar 2004 21:30:46 +0100 (CET)
> > > Message-Id: <200403102030.i2AKUjum084354 at mxzilla1.xs4all.nl>
> > > To: <x at x>
> > > From: Janet White <JanetWhite at facemolality.com>
> > > Reply-To: <JanetWhite at facemolality.com>
> > > Date: Wed, 10 Mar 2004 12:30:51 -0800
> > > X-Mailer: Microsoft Outlook Express 5.01.2764.4667
> > > MIME-version: 1.0
> > > Content-type: Text/HTML
> > > Subject: {Spam?} Record everything using stealth technology
> > > X-ecemgw-MailScanner-Information: Please contact the ISP for more
> > > information
> > > X-gw-MailScanner: Found to be clean
> > > X-gw-MailScanner-SpamCheck: spam, SpamAssassin (score=12.809, required
> > > 6,
> > >       BAYES_99 5.40, FORGED_MUA_OUTLOOK 2.57, FORGED_OUTLOOK_TAGS 1.00,
> > >       HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32,
> > >       RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_SPAM 1.21, RCVD_IN_SBL 1.11)
> > > X-gw-MailScanner-SpamScore: ssssssssssss
> > > X-MailScanner-From: janetwhite at facemolality.com
> > > Return-Path: JanetWhite at facemolality.com
> > > X-OriginalArrivalTime: 10 Mar 2004 20:31:16.0293 (UTC)
> > > FILETIME=[A3267750:01C406DE]
> > >
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
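
A check that could be run over delivered mail to find messages like the one quoted above, as an added example that is not part of the original thread or of MailScanner itself: it unfolds the `*-MailScanner-SpamCheck` header, parses the score and per-rule points, and flags mail that reaches the high-score limit of 8 stated in the thread. The sample message is constructed from the quoted headers with placeholder addresses, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread (placeholder addresses).
SAMPLE = """\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: {Spam?} Record everything using stealth technology
X-gw-MailScanner: Found to be clean
X-gw-MailScanner-SpamCheck: spam, SpamAssassin (score=12.809, required
 6,
\tBAYES_99 5.40, FORGED_MUA_OUTLOOK 2.57, FORGED_OUTLOOK_TAGS 1.00,
\tHTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32,
\tRCVD_IN_NJABL 0.10, RCVD_IN_NJABL_SPAM 1.21, RCVD_IN_SBL 1.11)
Content-type: Text/HTML

<html>body</html>
"""

HIGH_SCORE = 8.0  # the high-score limit the poster says is configured

def parse_spamcheck(raw):
    """Return (score, required, {rule: points}) from the first
    *-MailScanner-SpamCheck header, or None if absent or unparseable."""
    msg = message_from_string(raw)
    for name, value in msg.items():
        # The site prefix ("gw" here) varies per installation, so match the suffix.
        if not name.lower().endswith("mailscanner-spamcheck"):
            continue
        value = " ".join(value.split())  # unfold the continuation lines
        m = re.search(r"score=(-?[\d.]+),\s*required\s+(-?[\d.]+)", value)
        if not m:
            return None
        pairs = re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+(?:\.\d+)?)", value[m.end():])
        return float(m.group(1)), float(m.group(2)), {r: float(p) for r, p in pairs}
    return None

def audit(raw, high=HIGH_SCORE):
    """Summarise whether a delivered message reached the high-score limit
    and whether the listed rule points are consistent with the total."""
    parsed = parse_spamcheck(raw)
    if parsed is None:
        return {"scored": False, "over_high": False, "rules_match": False}
    score, required, rules = parsed
    return {"scored": True, "score": score, "required": required,
            "over_high": score >= high,
            # rule points are printed rounded, so allow a small tolerance
            "rules_match": abs(sum(rules.values()) - score) < 0.05}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A message that reports `over_high` as true yet sits in a user mailbox is one where the configured high-scoring action did not take effect, which is the symptom described in this thread.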


