Spam over the max allowed score still slips through!!!

Remco Barendse mailscanner at BARENDSE.TO
Fri May 14 10:57:17 IST 2004


Yes but the problem is not in the rulesets or that the mail gets
insufficient scores.

The mail is getting scores high enough to mark it as 'High scoring spam'
but the problem is that MailScanner is not treating it as high scoring
spam!!

The mail should be deleted based on the score it was assigned and the
actions I set in high scoring spam actions, not delivered.

I suspect it is a MailScanner bug or MailScanner is tripping over some
funny stuff the spammer pulled in the mail or the headers.


On Fri, 14 May 2004, Martin Hepworth wrote:

> Remco
>
> if the domains are different then the bigevil/midevil or the variants in
> the surbl.org sets might trap them.
>
> I'd suggest installing the surbl.org plugin, enabling the three lists
> and seeing how that goes...
>
> that spammers are constantly looking for new tricks...
>
> if that doesn't work try asking on the SA users email list for advice in
> creating a rule for those messages
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Remco Barendse wrote:
> > I'm not using surbl.org and tried several rules. Currently I have
> > installed every ruleset that rulesdujour offers and have not had any false
> > positives yet.
> >
> > but I don't think this is the problem, the spam score is sufficiently high
> >
> > every mail that has a spam score of over 8 should never be delivered to
> > the original recipient, those mails typically score 10-12 points.
> >
> > I think they are playing something wicked with the contents or header, or
> > it is a bug in MailScanner that is not always checking the score and
> > acting correctly on it.
> >
> > On Fri, 14 May 2004, Martin Hepworth wrote:
> >
> >
> >>Remco
> >>
> >>are you using the surbl.org lookups? What extra rules do you use??
> >>
> >>
> >>
> >>--
> >>Martin Hepworth
> >>Snr Systems Administrator
> >>Solid State Logic
> >>Tel: +44 (0)1865 842300
> >>
> >>
> >>Remco Barendse wrote:
> >>
> >>>OK, this seems to be consistent.
> >>>
> >>>I have two different MailScanner boxes all acting as mail gateways for one
> >>>server. Both servers are behaving the same; they are letting spam from one
> >>>spammer through.
> >>>
> >>>The mails are all stripped from html and their layout is identical only
> >>>the domains/content they spamvertise is different. It seems that these
> >>>guys have found a way to let spam slip through.
> >>>
> >>>If anybody is interested in some df/qf pairs of these mails please let me
> >>>know.
> >>>
> >>>I am doing a delete forward to the local postmaster on that box for high
> >>>scoring spam. Could this be causing this behaviour?? I think that some
> >>>extra (re-processing) of the mail on the same box would have caused an
> >>>additional header to be added right??
> >>>
> >>>
> >>>On Thu, 13 May 2004, Remco Barendse wrote:
> >>>
> >>>
> >>>>Hmmm, I did not sanitize all of the header indeed
> >>>>
> >>>>My mistake but it is a 1:1 delivery from the spammer straight into our
> >>>>system, I did not cut anything from the header otherwise. If other servers
> >>>>would have been in between extra headers would appear, would it?
> >>>>
> >>>>Could it be the weird return path?
> >>>>
> >>>>This is the exact full header from the qf file:
> >>>>V6
> >>>>T1084429399
> >>>>K0
> >>>>N0
> >>>>P32506
> >>>>Fbs
> >>>>$_[66.249.106.147]
> >>>>$rSMTP
> >>>>$supliftingease.com
> >>>>${daemon_flags}
> >>>>${if_addr}195.x.x.x
> >>>>S<AngelaJackson at upliftingease.com>
> >>>>rRFC822; xxx at xxx.com
> >>>>RPFD:<xxx at xxx.com>
> >>>>H?P?Return-Path: <<81>g>
> >>>>H??Received: from upliftingease.com ([66.249.106.147])
> >>>>       by xxxx (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
> >>>>       for <xxx at xxxm.com>; Thu, 13 May 2004 08:23:19 +0200
> >>>>H?M?Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> >>>>H??To: <xxx at xxx.com>
> >>>>H??From: Angela Jackson <AngelaJackson at upliftingease.com>
> >>>>H??Reply-To: <AngelaJackson at upliftingease.com>
> >>>>H??Date: Wed, 12 May 2004 23:23:23 -0700
> >>>>H??X-Mailer: Version 5.01.2764.4667
> >>>>H??MIME-version: 1.0
> >>>>H??Content-type: Text/HTML
> >>>>H??Subject: Date-a-Teen (18+over-only)
> >>>>
> >>>>
> >>>>On Thu, 13 May 2004, Desai, Jason wrote:
> >>>>
> >>>>
> >>>>
> >>>>>Is this message going through 2 different mailscanner systems?  I notice
> >>>>>that there could be two different %org% settings in the headers.  Notice
> >>>>>"X-xxxx-MailScanner:" and "X-ecemlgw-MailScanner-SpamCheck:".  So maybe one
> >>>>>system is detecting it as spam, but yours is not?  Or did you just not
> >>>>>completely sanitize the headers?
> >>>>>
> >>>>>Jase
> >>>>>
> >>>>>Remco Barendse wrote:
> >>>>>
> >>>>>
> >>>>>>I have already reported this problem a number of times but am still
> >>>>>>having this problem.
> >>>>>>
> >>>>>>There are a number of spammers that send e-mails that are still passed
> >>>>>>through by MailScanner even though the score of the mail is way above
> >>>>>>the defined limits.
> >>>>>>
> >>>>>>I use a delete striphtml forward postmaster rule for high scoring
> >>>>>>spam, yet the mail gets delivered to the recipient. For most mails it
> >>>>>>works as it should, but for some it doesn't.
> >>>>>>
> >>>>>>Is anyone else seeing this problem? There are no remarks about
> >>>>>>whitelisting or anything in the mail headers and I am confident my
> >>>>>>rulesets are OK since the other spams are trapped correctly.
> >>>>>>
> >>>>>>The weird thing is that the mails are stripped from HTML as they
> >>>>>>should.
> >>>>>>
> >>>>>>I *suspect* that they are being treated by MS as low scoring spam for
> >>>>>>which I have striphtml deliver in my rulesets. Could there be an
> >>>>>>error in the MS script that is checking the score? Or are they doing
> >>>>>>black magic in the mail headers?? I have a qf/df pair to send.
> >>>>>>
> >>>>>>The upper limit for spam is 8, this is the header of a mail that
> >>>>>>slipped through.
> >>>>>>
> >>>>>>Microsoft Mail Internet Headers Version 2.0
> >>>>>>Received: from xxxxxx ([10.x.x.x]) by x.x.x with
> >>>>>>Microsoft SMTPSVC(5.0.2195.6713);
> >>>>>>        Thu, 13 May 2004 08:50:38 +0200
> >>>>>>Received: from upliftingease.com ([66.249.106.147])
> >>>>>>       by x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
> >>>>>>       for <xxxx at xxx>; Thu, 13 May 2004 08:23:19 +0200
> >>>>>>Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> >>>>>>To: <xxxxx at xxx>
> >>>>>>From: Angela Jackson <AngelaJackson at upliftingease.com>
> >>>>>>Reply-To: <AngelaJackson at upliftingease.com>
> >>>>>>Date: Wed, 12 May 2004 23:23:23 -0700
> >>>>>>X-Mailer: Version 5.01.2764.4667
> >>>>>>MIME-version: 1.0
> >>>>>>Content-type: text/plain
> >>>>>>Subject: {Spam?} Date-a-Teen (18+over-only)
> >>>>>>X-xxxx-MailScanner-Information: Please contact the ISP for more
> >>>>>>information
> >>>>>>X-xxxx-MailScanner: Found to be clean
> >>>>>>X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker
> >>>>>>       (score=0, required 1)
> >>>>>>X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
> >>>>>>       SpamAssassin (score=13.451, required 6, DNS_FROM_RFCI_DSN
> >>>>>>       1.39, EXCUSE_19 0.50, HTML_IMAGE_ONLY_04 1.53, HTML_MESSAGE
> >>>>>>       0.00, HTML_TAG_EXISTS_TBODY 0.10, MIME_HTML_ONLY 0.10,
> >>>>>>       MSGID_FROM_MTA_SHORT 3.31, MY_SPACER 0.25, RCVD_IN_AHBL 1.27,
> >>>>>>       RCVD_IN_SBL+XBL 4.00, RCVD_IN_SORBS 1.00)
> >>>>>>X-xxxx-MailScanner-SpamScore: sssssssssssss
> >>>>>>X-MailScanner-From: angelajackson at upliftingease.com
> >>>>>>Return-Path: AngelaJackson at upliftingease.com
> >>>>>>X-OriginalArrivalTime: 13 May 2004 06:50:38.0656 (UTC)
> >>>>>>FILETIME=[99AB4C00:01C438B6]
> >>>>>>
> >>>>>>-------------------------- MailScanner list ----------------------
> >>>>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> >>>>>>Before posting, please see the Most Asked Questions at
> >>>>>>http://www.mailscanner.biz/maq/     and the archives at
> >>>>>>http://www.jiscmail.ac.uk/lists/mailscanner.html
> >>>>>
> >>>>>
> >>>>
> >>
> >>**********************************************************************
> >>
> >>This email and any files transmitted with it are confidential and
> >>intended solely for the use of the individual or entity to whom they
> >>are addressed. If you have received this email in error please notify
> >>the system manager.
> >>
> >>This footnote confirms that this email message has been swept
> >>for the presence of computer viruses and is believed to be clean.
> >>
> >>**********************************************************************
> >>
> >>
> >
> >
>
>
>

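The thread turns on two things a postmaster can check mechanically before suspecting a MailScanner bug: which category the SpamAssassin score in the `*-MailScanner-SpamCheck` header should have put the message in, and whether the headers show more than one `%org%` tag, which is Jason's point that two different MailScanner installations may have processed the mail (one saying "Found to be clean", the other "spam ... score=13.451"). The script below is an added example, not code from the thread or from the MailScanner project. It assumes a low threshold of 6 (the "required 6" in the quoted header) and a high-scoring limit of 8 (the poster's stated upper limit), and the action mapping is taken from the poster's description of his rulesets; the sample headers are constructed from the anonymised headers quoted above.

```python
import re
from email import message_from_string
from email.message import Message

# Thresholds assumed from the thread: SpamAssassin's "required 6" in the quoted
# header and the poster's MailScanner high-score limit of 8. Adjust these to the
# "Required SpamAssassin Score" / "High SpamAssassin Score" settings in use.
LOW_THRESHOLD = 6.0
HIGH_THRESHOLD = 8.0

# Actions per category as the poster describes his rulesets (assumed mapping).
ACTIONS = {
    "high scoring spam": "delete striphtml forward postmaster",
    "spam": "striphtml deliver",
    "clean": "deliver",
}

# Constructed sample, adapted from the anonymised headers quoted in the thread.
SAMPLE_HEADERS = """\
Received: from upliftingease.com ([66.249.106.147])
\tby x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
\tfor <xxxx@xxx>; Thu, 13 May 2004 08:23:19 +0200
From: Angela Jackson <AngelaJackson@upliftingease.com>
Subject: {Spam?} Date-a-Teen (18+over-only)
X-xxxx-MailScanner-Information: Please contact the ISP for more
\tinformation
X-xxxx-MailScanner: Found to be clean
X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker
\t(score=0, required 1)
X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
\tSpamAssassin (score=13.451, required 6, DNS_FROM_RFCI_DSN
\t1.39, RCVD_IN_SBL+XBL 4.00, RCVD_IN_SORBS 1.00)
X-xxxx-MailScanner-SpamScore: sssssssssssss
X-MailScanner-From: angelajackson@upliftingease.com

"""

# MailScanner names its headers X-<%org%>-MailScanner[-<Suffix>]; the org-less
# X-MailScanner-MCPCheck / X-MailScanner-From headers deliberately do not match.
ORG_RE = re.compile(r"^X-(.+?)-MailScanner(?:-[A-Za-z]+)?$", re.IGNORECASE)
SCORE_RE = re.compile(r"score=([0-9.]+),\s*required\s*([0-9.]+)")


def _unfold(value: str) -> str:
    """Collapse a folded (multi-line) header value onto one line."""
    return " ".join(str(value).split())


def mailscanner_orgs(msg: Message) -> list:
    """Return the sorted set of %org% tags seen in X-<org>-MailScanner* headers."""
    orgs = set()
    for name in msg.keys():
        m = ORG_RE.match(name)
        if m:
            orgs.add(m.group(1))
    return sorted(orgs)


def spam_check(msg: Message):
    """Return (score, required) from the first *-MailScanner-SpamCheck header."""
    for name, value in msg.items():
        if name.lower().endswith("-mailscanner-spamcheck"):
            m = SCORE_RE.search(_unfold(value))
            if m:
                return float(m.group(1)), float(m.group(2))
    return None


def expected_category(score: float, required: float = LOW_THRESHOLD,
                      high: float = HIGH_THRESHOLD) -> str:
    """Category the score should land in (assumes 'at or above' comparisons)."""
    if score >= high:
        return "high scoring spam"
    if score >= required:
        return "spam"
    return "clean"


def diagnose(raw_headers: str) -> dict:
    """Parse a header block and report the expected action plus any oddities."""
    msg = message_from_string(raw_headers)
    findings = []
    orgs = mailscanner_orgs(msg)
    if len(orgs) > 1:
        findings.append(f"{len(orgs)} different MailScanner %org% tags present: "
                        + ", ".join(orgs) + " (more than one MailScanner touched this mail)")
    check = spam_check(msg)
    if check is None:
        findings.append("no *-MailScanner-SpamCheck header with a SpamAssassin score")
        return {"orgs": orgs, "score": None, "required": None,
                "category": None, "action": None, "findings": findings}
    score, required = check
    category = expected_category(score, required, HIGH_THRESHOLD)
    for name, value in msg.items():
        # A verdict header saying "clean" next to a SpamCheck saying "spam" means
        # the verdict came from a different pass than the score.
        if name.lower().endswith("-mailscanner") and "clean" in value.lower() and score >= required:
            findings.append(f"{name} says '{_unfold(value)}' although SpamCheck scored "
                            f"{score:.3f} (required {required:.0f})")
        # The SpamScore bar carries one character per whole point of score.
        if name.lower().endswith("-mailscanner-spamscore") and len(value.strip()) != int(score):
            findings.append(f"{name} length {len(value.strip())} disagrees with score {score:.3f}")
    return {"orgs": orgs, "score": score, "required": required,
            "category": category, "action": ACTIONS[category], "findings": findings}


if __name__ == "__main__":
    report = diagnose(SAMPLE_HEADERS)
    print(f"score={report['score']} required={report['required']} "
          f"-> {report['category']} ({report['action']})")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against the quoted headers it reports the message as high scoring spam that should have hit the delete/forward action, and flags both the two `%org%` tags (`ecemlgw` and `xxxx`) and the "Found to be clean" verdict sitting beside a score of 13.451. Feeding it the df/qf header of a message that slipped through, and the same for one that was caught, is a quicker way to see whether the score was ever evaluated on the box that delivered the mail than reading the rulesets again.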


