High scored spam still slipped through

Remco Barendse mailscanner at BARENDSE.TO
Tue Mar 16 15:37:58 GMT 2004


I think you have a different problem!

At my site the mails are correctly spam checked, they are positively
identified as spam, the subject is marked as spam but the appropriate spam
actions are never executed (in my case delete forward).

It is strange because the subject is modified which means that mailscanner
is doing something with the mail but for some reason not everything I
asked it to do.

I looked at the body of the e-mails, just the usual html gibberish, maybe
they are doing something funny in the headers...


On Tue, 16 Mar 2004, Mailing List wrote:

> I'm seeing the same behavior, mails not tagged, but not only for
> HighSpam, but also for SPAM under the HighSpam limit.
>
> Updated to latest rev of MailScanner yesterday on both our mail
> gateways.
>
> Regards
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Remco Barendse
> Sent: Monday, March 15, 2004 03:05
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: High scored spam still slipped through
>
> Did you get the df/qf pair I sent you from my other mail address? It is
> fairly consistent, one mailbox saw about 7 e-mails from the same
> organization slip through this weekend.
>
> Could they be doing something funny with the headers? The e-mail body
> looks like plain html to me, no weird stuff (but I'm not an expert).
>
> They always use different sender domains and mail relays making it
> difficult to block (although the high spam scores should be enough).
>
> Thanks!
>
> On Fri, 12 Mar 2004, Julian Field wrote:
>
> > At 09:47 12/03/2004, you wrote:
> > >Sorry for replying to my own mail but I'm VERY annoyed.
> > >
> > >Every high scoring e-mail is blocked properly by MailScanner and forwarded
> > >to the designated mail address but these bastards seem to have found a way
> > >to punch through MailScanner. We are seeing lots of those annoying
> > >messages slipping through regardless of how high their score is.
> > >
> > >Is anybody else seeing this behaviour? I have this on 3 different servers.
> > >
> > >I have a df/qf pair of the original mail available as received if it would
> > >be of any help.
> >
> > Yes it would.
> >
> >
> > >Thanks!
> > >Remco
> > >
> > >
> > >On Thu, 11 Mar 2004, Remco Barendse wrote:
> > >
> > > > This morning I received a spam mail that slipped through.
> > > >
> > > > For low scoring spam I do striphtml deliver
> > > > high scoring spam : delete forward postmaster
> > > >
> > > > The mail was tagged correctly with spam but the html was not stripped and
> > > > the mail was not deleted. This is the header of the mail from the client
> > > > (Outlook under Exchange).
> > > >
> > > > My spam high score limit is set to 8, this mail scores way above that and
> > > > also there is no mentioning of any whitelisting.
> > > >
> > > > Ideas anyone?
> > > >
> > > > Microsoft Mail Internet Headers Version 2.0
> > > > Received: from x.x.x ([10.1.0.6]) by x.x.x with Microsoft SMTPSVC(5.0.2195.6713);
> > > >        Wed, 10 Mar 2004 21:31:16 +0100
> > > > Received: from maildrop10.xs4all.nl (maildrop10.xs4all.nl [194.109.127.140])
> > > >       by x.x.x (8.12.8/8.12.8) with ESMTP id i2AKUlSM012175
> > > >       for <x at x>; Wed, 10 Mar 2004 21:30:49 +0100
> > > > Received: from mxzilla1.xs4all.nl (mxzilla1.xs4all.nl [194.109.24.201])
> > > >       by maildrop10.xs4all.nl (8.12.9/8.12.6) with ESMTP id i2AKUlXg056775
> > > >       for <x at x>; Wed, 10 Mar 2004 21:30:47 +0100 (CET)
> > > > Received: from facemolality.com ([216.52.222.110])
> > > >       by mxzilla1.xs4all.nl (8.12.10/8.12.10) with SMTP id i2AKUjum084354
> > > >       for <x at x>; Wed, 10 Mar 2004 21:30:46 +0100 (CET)
> > > > Message-Id: <200403102030.i2AKUjum084354 at mxzilla1.xs4all.nl>
> > > > To: <x at x>
> > > > From: Janet White <JanetWhite at facemolality.com>
> > > > Reply-To: <JanetWhite at facemolality.com>
> > > > Date: Wed, 10 Mar 2004 12:30:51 -0800
> > > > X-Mailer: Microsoft Outlook Express 5.01.2764.4667
> > > > MIME-version: 1.0
> > > > Content-type: Text/HTML
> > > > Subject: {Spam?} Record everything using stealth technology
> > > > X-ecemgw-MailScanner-Information: Please contact the ISP for more information
> > > > X-gw-MailScanner: Found to be clean
> > > > X-gw-MailScanner-SpamCheck: spam, SpamAssassin (score=12.809, required 6,
> > > >       BAYES_99 5.40, FORGED_MUA_OUTLOOK 2.57, FORGED_OUTLOOK_TAGS 1.00,
> > > >       HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32,
> > > >       RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_SPAM 1.21, RCVD_IN_SBL 1.11)
> > > > X-gw-MailScanner-SpamScore: ssssssssssss
> > > > X-MailScanner-From: janetwhite at facemolality.com
> > > > Return-Path: JanetWhite at facemolality.com
> > > > X-OriginalArrivalTime: 10 Mar 2004 20:31:16.0293 (UTC) FILETIME=[A3267750:01C406DE]
> > > >
> > > >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
>
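
The delivered message quoted above carries the evidence in its own headers: a SpamCheck score of 12.809 against a high-score limit of 8. As an added example (not part of the original thread and not MailScanner's own code), the following parses that header from a message found in a mailbox and flags mail that should have hit the high-spam action; the function names and the `high_score` parameter are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the scanner headers quoted in the thread, re-folded.
SAMPLE = """\
To: <x at x>
Subject: {Spam?} Record everything using stealth technology
X-gw-MailScanner: Found to be clean
X-gw-MailScanner-SpamCheck: spam, SpamAssassin (score=12.809, required 6,
\tBAYES_99 5.40, FORGED_MUA_OUTLOOK 2.57, FORGED_OUTLOOK_TAGS 1.00,
\tHTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32,
\tRCVD_IN_NJABL 0.10, RCVD_IN_NJABL_SPAM 1.21, RCVD_IN_SBL 1.11)

<html>...</html>
"""

# The organisation name between "X-" and "MailScanner" differs per site.
SPAMCHECK = re.compile(r"^X-(?:[\w.-]+-)?MailScanner-SpamCheck$", re.I)
NUM = r"(-?\d+(?:\.\d+)?)"

def parse_spamcheck(raw_message):
    """Return one dict per SpamCheck header: score, required, per-rule scores."""
    results = []
    for name, value in message_from_string(raw_message).items():
        if not SPAMCHECK.match(name):
            continue
        text = re.sub(r"\s+", " ", value)          # unfold continuation lines
        score = re.search(r"score=" + NUM, text)
        if not score:
            continue                                # header without a numeric score
        required = re.search(r"required " + NUM, text)
        rules = re.findall(r"\b([A-Z][A-Z0-9_]+) " + NUM, text)
        results.append({
            "score": float(score.group(1)),
            "required": float(required.group(1)) if required else None,
            "rules": {rule: float(points) for rule, points in rules},
        })
    return results

def audit_delivered(raw_message, high_score=8.0):
    """Classify a message that reached a mailbox; high_score is the site's limit."""
    checks = parse_spamcheck(raw_message)
    if not checks:
        return "unscanned"
    worst = max(checks, key=lambda c: c["score"])
    if worst["score"] >= high_score:
        return "high-spam-delivered"    # the high-spam action was not applied
    if worst["required"] is not None and worst["score"] >= worst["required"]:
        return "low-spam"               # delivery may be intended (e.g. striphtml)
    return "ok"
```

Run over a mailbox export, any `high-spam-delivered` result is a message of the kind reported in this thread and a candidate df/qf pair to hand to the maintainer.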


