Spam over the max allowed score still slips through!!!

Remco Barendse mailscanner at BARENDSE.TO
Fri May 14 08:15:37 IST 2004


OK, this seems to be consistent.

I have two different MailScanner boxes, both acting as mail gateways for one
server. Both servers are behaving the same: they are letting spam from one
spammer through, too.

The mails are all stripped of HTML and their layout is identical; only
the domains/content they spamvertise are different. It seems that these
guys have found a way to let spam slip through.

If anybody is interested in some df/qf pairs of these mails please let me
know.

I am doing a delete forward to the local postmaster on that box for high
scoring spam. Could this be causing this behaviour?? I think that some
extra (re-processing) of the mail on the same box would have caused an
additional header to be added right??


On Thu, 13 May 2004, Remco Barendse wrote:
> Hmmm, I did not sanitize all of the header indeed
>
> My mistake but it is a 1:1 delivery from the spammer straight into our
> system, I did not cut anything from the header otherwise. If other servers
> would have been in between extra headers would appear, would it?
>
> Could it be the weird return path?
>
> This is the exact full header from the qf file:
> V6
> T1084429399
> K0
> N0
> P32506
> Fbs
> $_[66.249.106.147]
> $rSMTP
> $supliftingease.com
> ${daemon_flags}
> ${if_addr}195.x.x.x
> S<AngelaJackson at upliftingease.com>
> rRFC822; xxx at xxx.com
> RPFD:<xxx at xxx.com>
> H?P?Return-Path: <<81>g>
> H??Received: from upliftingease.com ([66.249.106.147])
>         by xxxx (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
>         for <xxx at xxxm.com>; Thu, 13 May 2004 08:23:19 +0200
> H?M?Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> H??To: <xxx at xxx.com>
> H??From: Angela Jackson <AngelaJackson at upliftingease.com>
> H??Reply-To: <AngelaJackson at upliftingease.com>
> H??Date: Wed, 12 May 2004 23:23:23 -0700
> H??X-Mailer: Version 5.01.2764.4667
> H??MIME-version: 1.0
> H??Content-type: Text/HTML
> H??Subject: Date-a-Teen (18+over-only)
>
>
> On Thu, 13 May 2004, Desai, Jason wrote:
>
> > Is this message going through 2 different mailscanner systems?  I notice
> > that there could be two different %org% settings in the headers.  Notice
> > "X-xxxx-MailScanner:" and "X-ecemlgw-MailScanner-SpamCheck:".  So maybe one
> > system is detecting it as spam, but yours is not?  Or did you just not
> > completely sanitize the headers?
> >
> > Jase
> >
> > Remco Barendse wrote:
> > > I have already reported this problem a number of times but am still
> > > having this problem.
> > >
> > > There are a number of spammers that send e-mails that are still passed
> > > through by MailScanner even though the score of the mail is way above
> > > the defined limits.
> > >
> > > I use a delete striphtml forward postmaster rule for high scoring
> > > spam, yet the mail gets delivered to the recipient. For most mails it
> > > works as it should, but for some it doesn't.
> > >
> > > Is anyone else seeing this problem? There are no remarks about
> > > whitelisting or anything in the mail headers and I am confident my
> > > rulesets are OK since the other spams are trapped correctly.
> > >
> > > The weird thing is that the mails are stripped of HTML as they
> > > should be.
> > >
> > > I *suspect* that they are being treated by MS as low scoring spam for
> > > which I have striphtml deliver in my rulesets. Could there be an
> > > error in the MS script that is checking the score? Or are they doing
> > > black magic in the mail headers?? I have a qf/df pair to send.
> > >
> > > The upper limit for spam is 8, this is the header of a mail that
> > > slipped through.
> > >
> > > Microsoft Mail Internet Headers Version 2.0
> > > Received: from xxxxxx ([10.x.x.x]) by x.x.x with
> > > Microsoft SMTPSVC(5.0.2195.6713);
> > >          Thu, 13 May 2004 08:50:38 +0200
> > > Received: from upliftingease.com ([66.249.106.147])
> > >         by x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
> > >         for <xxxx at xxx>; Thu, 13 May 2004 08:23:19 +0200
> > > Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> > > To: <xxxxx at xxx>
> > > From: Angela Jackson <AngelaJackson at upliftingease.com>
> > > Reply-To: <AngelaJackson at upliftingease.com>
> > > Date: Wed, 12 May 2004 23:23:23 -0700
> > > X-Mailer: Version 5.01.2764.4667
> > > MIME-version: 1.0
> > > Content-type: text/plain
> > > Subject: {Spam?} Date-a-Teen (18+over-only)
> > > X-xxxx-MailScanner-Information: Please contact the ISP for more
> > > information
> > > X-xxxx-MailScanner: Found to be clean
> > > X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker
> > >         (score=0, required 1)
> > > X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
> > >         SpamAssassin (score=13.451, required 6, DNS_FROM_RFCI_DSN
> > >         1.39, EXCUSE_19 0.50, HTML_IMAGE_ONLY_04 1.53, HTML_MESSAGE
> > >         0.00, HTML_TAG_EXISTS_TBODY 0.10, MIME_HTML_ONLY 0.10,
> > >         MSGID_FROM_MTA_SHORT 3.31, MY_SPACER 0.25, RCVD_IN_AHBL 1.27,
> > >         RCVD_IN_SBL+XBL 4.00, RCVD_IN_SORBS 1.00)
> > > X-xxxx-MailScanner-SpamScore: sssssssssssss
> > > X-MailScanner-From: angelajackson at upliftingease.com
> > > Return-Path: AngelaJackson at upliftingease.com
> > > X-OriginalArrivalTime: 13 May 2004 06:50:38.0656 (UTC)
> > > FILETIME=[99AB4C00:01C438B6]
> > >
> > > -------------------------- MailScanner list ----------------------
> > > To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > > Before posting, please see the Most Asked Questions at
> > > http://www.mailscanner.biz/maq/     and the archives at
> > > http://www.jiscmail.ac.uk/lists/mailscanner.html
> >
>
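
An added example, not part of the original thread: a Python check over a delivered message's headers that reports the two symptoms discussed here, a SpamCheck score at or above the high-scoring limit (8 in the post) and MailScanner headers stamped with more than one %org% name. The function name `audit`, the finding labels and the abridged sample header block are assumptions made for this illustration.

```python
import re
from email.parser import HeaderParser

# Constructed sample: header block abridged from the sanitized message in the post.
SAMPLE = """\
Received: from upliftingease.com ([66.249.106.147])
        by x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
Subject: {Spam?} Date-a-Teen (18+over-only)
X-xxxx-MailScanner: Found to be clean
X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker
        (score=0, required 1)
X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
        SpamAssassin (score=13.451, required 6, DNS_FROM_RFCI_DSN
        1.39, RCVD_IN_SBL+XBL 4.00, RCVD_IN_SORBS 1.00)
X-xxxx-MailScanner-SpamScore: sssssssssssss
"""

# X-<org>-MailScanner[-<kind>]; the <org> part is optional in some headers.
HDR_RE = re.compile(r"^X-(?:([^-]+)-)?MailScanner(?:-(.+))?$", re.I)
SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?),\s*required\s+(-?\d+(?:\.\d+)?)")

def audit(raw_headers, high_score=8.0):
    """Report score and %org% anomalies in a delivered message's headers."""
    orgs, score, required, findings = set(), None, None, []
    for name, value in HeaderParser().parsestr(raw_headers).items():
        m = HDR_RE.match(name)
        if not m:
            continue
        if m.group(1):
            orgs.add(m.group(1).lower())
        if (m.group(2) or "").lower() == "spamcheck":
            # Unfold the continuation lines before searching for the score.
            s = SCORE_RE.search(" ".join(value.split()))
            if s:
                score, required = float(s.group(1)), float(s.group(2))
    if score is not None and score >= high_score:
        findings.append("HIGH_SCORE_DELIVERED")  # hypothetical label
    if len(orgs) > 1:
        findings.append("MIXED_ORG")  # hypothetical label
    return {"score": score, "required": required,
            "orgs": sorted(orgs), "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `MIXED_ORG` result means the MailScanner headers were written under different %org% settings, which is the situation Jason Desai asks about in the quoted reply.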
