Spam over the max allowed score still slips through!!!

Remco Barendse mailscanner at BARENDSE.TO
Fri May 14 09:28:32 IST 2004


I'm not using surbl.org and tried several rules. Currently I have
installed every ruleset that rulesdujour offers and have not had any false
positives yet.

But I don't think this is the problem; the spam score is sufficiently high.

Every mail that has a spam score of over 8 should never be delivered to
the original recipient; those mails typically score 10-12 points.

I think they are playing something wicked with the contents or header, or
it is a bug in MailScanner that is not always checking the score and
acting correctly on it.

On Fri, 14 May 2004, Martin Hepworth wrote:

> Remco
>
> are you using the surbl.org lookups? What extra rules do you use??
>
>
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Remco Barendse wrote:
> > OK, this seems to be consistent.
> >
> > I have two different MailScanner boxes all acting as mail gateways for one
> > server. Both servers are behaving the same, they are letting spam from one
> > spammer too.
> >
> > The mails are all stripped from html and their layout is identical only
> > the domains/content they spamvertise is different. It seems that these
> > guys have found a way to let spam slip through.
> >
> > If anybody is interested in some df/qf pairs of these mails please let me
> > know.
> >
> > I am doing a delete forward to the local postmaster on that box for high
> > scoring spam. Could this be causing this behaviour?? I think that some
> > extra (re-processing) of the mail on the same box would have caused an
> > additional header to be added right??
> >
> >
> > On Thu, 13 May 2004, Remco Barendse wrote:
> >
> >>Hmmm, I did not sanitize all of the header indeed
> >>
> >>My mistake but it is a 1:1 delivery from the spammer straight into our
> >>system, I did not cut anything from the header otherwise. If other servers
> >>would have been in between extra headers would appear, would it?
> >>
> >>Could it be the weird return path?
> >>
> >>This is the exact full header from the qf file:
> >>V6
> >>T1084429399
> >>K0
> >>N0
> >>P32506
> >>Fbs
> >>$_[66.249.106.147]
> >>$rSMTP
> >>$supliftingease.com
> >>${daemon_flags}
> >>${if_addr}195.x.x.x
> >>S<AngelaJackson at upliftingease.com>
> >>rRFC822; xxx at xxx.com
> >>RPFD:<xxx at xxx.com>
> >>H?P?Return-Path: <<81>g>
> >>H??Received: from upliftingease.com ([66.249.106.147])
> >>        by xxxx (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
> >>        for <xxx at xxxm.com>; Thu, 13 May 2004 08:23:19 +0200
> >>H?M?Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> >>H??To: <xxx at xxx.com>
> >>H??From: Angela Jackson <AngelaJackson at upliftingease.com>
> >>H??Reply-To: <AngelaJackson at upliftingease.com>
> >>H??Date: Wed, 12 May 2004 23:23:23 -0700
> >>H??X-Mailer: Version 5.01.2764.4667
> >>H??MIME-version: 1.0
> >>H??Content-type: Text/HTML
> >>H??Subject: Date-a-Teen (18+over-only)
> >>
> >>
> >>On Thu, 13 May 2004, Desai, Jason wrote:
> >>
> >>
> >>>Is this message going through 2 different mailscanner systems?  I notice
> >>>that there could be two different %org% settings in the headers.  Notice
> >>>"X-xxxx-MailScanner:" and "X-ecemlgw-MailScanner-SpamCheck:".  So maybe one
> >>>system is detecting it as spam, but yours is not?  Or did you just not
> >>>completely sanitize the headers?
> >>>
> >>>Jase
> >>>
> >>>Remco Barendse wrote:
> >>>
> >>>>I have already reported this problem a number of times but am still
> >>>>having this problem.
> >>>>
> >>>>There are a number of spammers that send e-mails that are still passed
> >>>>through by MailScanner even though the score of the mail is way above
> >>>>the defined limits.
> >>>>
> >>>>I use a delete striphtml forward postmaster rule for high scoring
> >>>>spam, yet the mail gets delivered to the recipient. For most mails it
> >>>>works as it should, but for some it doesn't.
> >>>>
> >>>>Is anyone else seeing this problem? There are no remarks about
> >>>>whitelisting or anything in the mail headers and I am confident my
> >>>>rulesets are OK since the other spams are trapped correctly.
> >>>>
> >>>>The weird thing is that the mails are stripped from HTML as they
> >>>>should.
> >>>>
> >>>>I *suspect* that they are being treated by MS as low scoring spam for
> >>>>which I have striphtml deliver in my rulesets. Could there be an
> >>>>error in the MS script that is checking the score? Or are they doing
> >>>>black magic in the mail headers?? I have a qf/df pair to send.
> >>>>
> >>>>The upper limit for spam is 8, this is the header of a mail that
> >>>>slipped through.
> >>>>
> >>>>Microsoft Mail Internet Headers Version 2.0
> >>>>Received: from xxxxxx ([10.x.x.x]) by x.x.x with
> >>>>Microsoft SMTPSVC(5.0.2195.6713);
> >>>>         Thu, 13 May 2004 08:50:38 +0200
> >>>>Received: from upliftingease.com ([66.249.106.147])
> >>>>        by x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
> >>>>        for <xxxx at xxx>; Thu, 13 May 2004 08:23:19 +0200
> >>>>Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> >>>>To: <xxxxx at xxx>
> >>>>From: Angela Jackson <AngelaJackson at upliftingease.com>
> >>>>Reply-To: <AngelaJackson at upliftingease.com>
> >>>>Date: Wed, 12 May 2004 23:23:23 -0700
> >>>>X-Mailer: Version 5.01.2764.4667
> >>>>MIME-version: 1.0
> >>>>Content-type: text/plain
> >>>>Subject: {Spam?} Date-a-Teen (18+over-only)
> >>>>X-xxxx-MailScanner-Information: Please contact the ISP for more
> >>>>information
> >>>>X-xxxx-MailScanner: Found to be clean
> >>>>X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker
> >>>>        (score=0, required 1)
> >>>>X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
> >>>>        SpamAssassin (score=13.451, required 6, DNS_FROM_RFCI_DSN
> >>>>        1.39, EXCUSE_19 0.50, HTML_IMAGE_ONLY_04 1.53, HTML_MESSAGE
> >>>>        0.00, HTML_TAG_EXISTS_TBODY 0.10, MIME_HTML_ONLY 0.10,
> >>>>        MSGID_FROM_MTA_SHORT 3.31, MY_SPACER 0.25, RCVD_IN_AHBL 1.27,
> >>>>        RCVD_IN_SBL+XBL 4.00, RCVD_IN_SORBS 1.00)
> >>>>X-xxxx-MailScanner-SpamScore: sssssssssssss
> >>>>X-MailScanner-From: angelajackson at upliftingease.com
> >>>>Return-Path: AngelaJackson at upliftingease.com
> >>>>X-OriginalArrivalTime: 13 May 2004 06:50:38.0656 (UTC)
> >>>>FILETIME=[99AB4C00:01C438B6]
> >>>>
> >>>>-------------------------- MailScanner list ----------------------
> >>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> >>>>Before posting, please see the Most Asked Questions at
> >>>>http://www.mailscanner.biz/maq/     and the archives at
> >>>>http://www.jiscmail.ac.uk/lists/mailscanner.html
> >>>
> >>>
> >>
> >
>
>

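An added example of my own (not code from the thread, from MailScanner or from any poster): it walks a message's X-<org>-MailScanner headers the way Jason's diagnosis suggests, records each gateway's status, SpamAssassin score and the one-character-per-point SpamScore string, and lists the gateways whose verdict does not match a score above the high-spam limit. The header sample is constructed from the one Remco posted, with addresses anonymised; the org names "xxxx" and "ecemlgw" are taken from his header.

```python
"""Added example: compare per-gateway MailScanner verdicts in one message."""
import email
import re

# Constructed sample, modelled on the header quoted in the thread.
SAMPLE = """\
Received: from upliftingease.com ([66.249.106.147])
        by x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
        for <user@example.com>; Thu, 13 May 2004 08:23:19 +0200
From: Angela Jackson <AngelaJackson@upliftingease.com>
Subject: {Spam?} Date-a-Teen (18+over-only)
X-xxxx-MailScanner: Found to be clean
X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
        SpamAssassin (score=13.451, required 6, RCVD_IN_SBL+XBL 4.00)
X-xxxx-MailScanner-SpamScore: sssssssssssss

body
"""

# X-<org>-MailScanner, optionally followed by -SpamCheck / -SpamScore / ...
HDR = re.compile(r"^X-(?P<org>[^-]+)-MailScanner(?:-(?P<kind>[A-Za-z]+))?$", re.I)
SCORE = re.compile(r"score=(?P<score>[0-9.]+),\s*required\s*(?P<req>[0-9.]+)")


def gateway_verdicts(raw):
    """Return {org: {...}} with what each MailScanner instance stamped."""
    msg = email.message_from_string(raw)
    out = {}
    for name, value in msg.items():
        m = HDR.match(name)
        if not m:
            continue  # X-MailScanner-From, MCPCheck etc. carry no org tag
        org = m.group("org").lower()
        kind = (m.group("kind") or "status").lower()
        value = " ".join(value.split())  # unfold continuation lines
        entry = out.setdefault(org, {})
        if kind == "spamcheck":
            entry["spam"] = value.lower().startswith("spam")
            s = SCORE.search(value)
            if s:
                entry["score"] = float(s.group("score"))
                entry["required"] = float(s.group("req"))
        elif kind == "spamscore":
            entry["score_chars"] = len(value)  # one 's' per point, rounded
        elif kind == "status":
            entry["status"] = value
    return out


def find_inconsistent(verdicts, high_limit):
    """Orgs with no score, or a score below high_limit, while another
    gateway scored the same mail at or above it (the symptom in the thread)."""
    top = max((v.get("score", 0.0) for v in verdicts.values()), default=0.0)
    if top < high_limit:
        return []
    return sorted(org for org, v in verdicts.items()
                  if v.get("score", 0.0) < high_limit)
```

Run it over the df/qf pair that slipped through and the org whose instance stamped "Found to be clean" next to a 13-point score from the other gateway shows up immediately.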