Spam over the max allowed score still slips through!!!

Gib Gilbertson Jr. gib at TMISNET.COM
Fri May 14 12:44:14 IST 2004


At 11:57 AM 5/14/2004 +0200, you wrote:
>Yes but the problem is not in the rulesets or that the mail gets
>insufficient scores.
>
>The mail is getting scores high enough to mark it as 'High scoring spam'
>but the problem is that MailScanner is not treating it as high scoring
>spam!!
>
>The mail should be deleted based on the score it was assigned and the
>actions I set in high scoring spam actions, not delivered.
>
>I suspect it is a MailScanner bug or MailScanner is tripping over some
>funny stuff the spammer pulled in the mail or the headers.
>

Does MailScanner skip messages if they already have MailScanner headers
inserted? If that is the case, is it possible spammers are starting to
insert these headers themselves?

gib



>On Fri, 14 May 2004, Martin Hepworth wrote:
>
> > Remco
> >
> > if the domains are different then the bigevil/midevil or the variants in
> > the surbl.org sets might trap them.
> >
> > I'd suggest installing the surbl.org plugin, enabling the three lists
> > and seeing how that goes...
> >
> > that spammers are constantly looking for new tricks...
> >
> > if that don't work try asking on the SA users email list for advice in
> > creating a rule for those messages
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> > Remco Barendse wrote:
> > > I'm not using surbl.org and tried several rules. Currently I have
> > > installed every ruleset that rulesdujour offers and have not had any false
> > > positives yet.
> > >
> > > but I don't think this is the problem, the spam score is sufficiently high
> > >
> > > every mail that has a spam score of over 8 should never be delivered to
> > > the original recipient, those mails typically score 10-12 points.
> > >
> > > i think they are playing something wicked with the contents or header or
> > > it is a bug in MailScanner that is not always checking the score and
> > > acting correctly on it
> > >
> > > On Fri, 14 May 2004, Martin Hepworth wrote:
> > >
> > >
> > >>Remco
> > >>
> > >>are you using the surbl.org lookups? What extra rules do you use??
> > >>
> > >>
> > >>
> > >>--
> > >>Martin Hepworth
> > >>Snr Systems Administrator
> > >>Solid State Logic
> > >>Tel: +44 (0)1865 842300
> > >>
> > >>
> > >>Remco Barendse wrote:
> > >>
> > >>>OK, this seems to be consistent.
> > >>>
> > >>>I have two different MailScanner boxes all acting as mail gateways for one
> > >>>server. Both servers are behaving the same, they are letting spam from one
> > >>>spammer too.
> > >>>
> > >>>The mails are all stripped from html and their layout is identical only
> > >>>the domains/content they spamvertise is different. It seems that these
> > >>>guys have found a way to let spam slip through.
> > >>>
> > >>>If anybody is interested in some df/qf pairs of these mails please let me
> > >>>know.
> > >>>
> > >>>I am doing a delete forward to the local postmaster on that box for high
> > >>>scoring spam. Could this be causing this behaviour?? I think that some
> > >>>extra (re-processing) of the mail on the same box would have caused an
> > >>>additional header to be added right??
> > >>>
> > >>>
> > >>>On Thu, 13 May 2004, Remco Barendse wrote:
> > >>>
> > >>>
> > >>>>Hmmm, I did not sanitize all of the header indeed
> > >>>>
> > >>>>My mistake but it is a 1:1 delivery from the spammer straight into our
> > >>>>system, I did not cut anything from the header otherwise. If other servers
> > >>>>had been in between, extra headers would appear, wouldn't they?
> > >>>>
> > >>>>Could it be the weird return path?
> > >>>>
> > >>>>This is the exact full header from the qf file:
> > >>>>V6
> > >>>>T1084429399
> > >>>>K0
> > >>>>N0
> > >>>>P32506
> > >>>>Fbs
> > >>>>$_[66.249.106.147]
> > >>>>$rSMTP
> > >>>>$supliftingease.com
> > >>>>${daemon_flags}
> > >>>>${if_addr}195.x.x.x
> > >>>>S<AngelaJackson at upliftingease.com>
> > >>>>rRFC822; xxx at xxx.com
> > >>>>RPFD:<xxx at xxx.com>
> > >>>>H?P?Return-Path: <<81>g>
> > >>>>H??Received: from upliftingease.com ([66.249.106.147])
> > >>>>       by xxxx (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
> > >>>>       for <xxx at xxxm.com>; Thu, 13 May 2004 08:23:19 +0200
> > >>>>H?M?Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> > >>>>H??To: <xxx at xxx.com>
> > >>>>H??From: Angela Jackson <AngelaJackson at upliftingease.com>
> > >>>>H??Reply-To: <AngelaJackson at upliftingease.com>
> > >>>>H??Date: Wed, 12 May 2004 23:23:23 -0700
> > >>>>H??X-Mailer: Version 5.01.2764.4667
> > >>>>H??MIME-version: 1.0
> > >>>>H??Content-type: Text/HTML
> > >>>>H??Subject: Date-a-Teen (18+over-only)
> > >>>>
> > >>>>
> > >>>>On Thu, 13 May 2004, Desai, Jason wrote:
> > >>>>
> > >>>>
> > >>>>
> > >>>>>Is this message going through 2 different mailscanner systems?  I notice
> > >>>>>that there could be two different %org% settings in the headers.  Notice
> > >>>>>"X-xxxx-MailScanner:" and "X-ecemlgw-MailScanner-SpamCheck:".  So maybe one
> > >>>>>system is detecting it as spam, but yours is not?  Or did you just not
> > >>>>>completely sanitize the headers?
> > >>>>>
> > >>>>>Jase
> > >>>>>
> > >>>>>Remco Barendse wrote:
> > >>>>>
> > >>>>>
> > >>>>>>I have already reported this problem a number of times but am still
> > >>>>>>having this problem.
> > >>>>>>
> > >>>>>>There are a number of spammers that send e-mails that are still passed
> > >>>>>>through by MailScanner even though the score of the mail is way above
> > >>>>>>the defined limits.
> > >>>>>>
> > >>>>>>I use a delete striphtml forward postmaster rule for high scoring
> > >>>>>>spam, yet the mail gets delivered to the recipient. For most mails it
> > >>>>>>works as it should, but for some it doesn't.
> > >>>>>>
> > >>>>>>Is anyone else seeing this problem? There are no remarks about
> > >>>>>>whitelisting or anything in the mail headers and I am confident my
> > >>>>>>rulesets are OK since the other spams are trapped correctly.
> > >>>>>>
> > >>>>>>The weird thing is that the mails are stripped of HTML as they
> > >>>>>>should be.
> > >>>>>>
> > >>>>>>I *suspect* that they are being treated by MS as low scoring spam for
> > >>>>>>which I have striphtml deliver in my rulesets. Could there be an
> > >>>>>>error in the MS script that is checking the score? Or are they doing
> > >>>>>>black magic in the mail headers?? I have a qf/df pair to send.
> > >>>>>>
> > >>>>>>The upper limit for spam is 8, this is the header of a mail that
> > >>>>>>slipped through.
> > >>>>>>
> > >>>>>>Microsoft Mail Internet Headers Version 2.0
> > >>>>>>Received: from xxxxxx ([10.x.x.x]) by x.x.x with
> > >>>>>>Microsoft SMTPSVC(5.0.2195.6713);
> > >>>>>>        Thu, 13 May 2004 08:50:38 +0200
> > >>>>>>Received: from upliftingease.com ([66.249.106.147])
> > >>>>>>       by x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
> > >>>>>>       for <xxxx at xxx>; Thu, 13 May 2004 08:23:19 +0200
> > >>>>>>Message-Id: <200405130623.i4D6N8fK016259 at xxx>
> > >>>>>>To: <xxxxx at xxx>
> > >>>>>>From: Angela Jackson <AngelaJackson at upliftingease.com>
> > >>>>>>Reply-To: <AngelaJackson at upliftingease.com>
> > >>>>>>Date: Wed, 12 May 2004 23:23:23 -0700
> > >>>>>>X-Mailer: Version 5.01.2764.4667
> > >>>>>>MIME-version: 1.0
> > >>>>>>Content-type: text/plain
> > >>>>>>Subject: {Spam?} Date-a-Teen (18+over-only)
> > >>>>>>X-xxxx-MailScanner-Information: Please contact the ISP for more
> > >>>>>>information
> > >>>>>>X-xxxx-MailScanner: Found to be clean
> > >>>>>>X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker
> > >>>>>>       (score=0, required 1)
> > >>>>>>X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
> > >>>>>>       SpamAssassin (score=13.451, required 6, DNS_FROM_RFCI_DSN
> > >>>>>>       1.39, EXCUSE_19 0.50, HTML_IMAGE_ONLY_04 1.53, HTML_MESSAGE
> > >>>>>>       0.00, HTML_TAG_EXISTS_TBODY 0.10, MIME_HTML_ONLY 0.10,
> > >>>>>>       MSGID_FROM_MTA_SHORT 3.31, MY_SPACER 0.25, RCVD_IN_AHBL 1.27,
> > >>>>>>       RCVD_IN_SBL+XBL 4.00, RCVD_IN_SORBS 1.00)
> > >>>>>>X-xxxx-MailScanner-SpamScore: sssssssssssss
> > >>>>>>X-MailScanner-From: angelajackson at upliftingease.com
> > >>>>>>Return-Path: AngelaJackson at upliftingease.com
> > >>>>>>X-OriginalArrivalTime: 13 May 2004 06:50:38.0656 (UTC)
> > >>>>>>FILETIME=[99AB4C00:01C438B6]
> > >>>>>>
> > >>>>>>-------------------------- MailScanner list ----------------------
> > >>>>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > >>>>>>Before posting, please see the Most Asked Questions at
> > >>>>>>http://www.mailscanner.biz/maq/     and the archives at
> > >>>>>>http://www.jiscmail.ac.uk/lists/mailscanner.html
> > >>>>>
> > >>>>>
> > >>>>
> > >>
> > >>**********************************************************************
> > >>
> > >>This email and any files transmitted with it are confidential and
> > >>intended solely for the use of the individual or entity to whom they
> > >>are addressed. If you have received this email in error please notify
> > >>the system manager.
> > >>
> > >>This footnote confirms that this email message has been swept
> > >>for the presence of computer viruses and is believed to be clean.
> > >>
> > >>**********************************************************************
> > >>
> > >>
> > >
> > >
> >
> >
> >
>


      Gib Gilbertson Jr.
     Tierramiga Info Systems
      619-287-8647 Support
      http://www.tmisnet.com
      San Diego's "Friendly ISP"

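Two observations in the thread reduce to a check a gateway admin can run over a message's header block: Jason's point that the posted headers carry two different %org% tags ("X-xxxx-MailScanner:" next to "X-ecemlgw-MailScanner-SpamCheck:"), and the fact that the SpamAssassin score of 13.451 is well above the poster's high-scoring limit of 8 while the action header still reads "Found to be clean". The following Python is an added example, not part of the thread and not MailScanner's own code: it parses a constructed copy of the posted header block and reports a score at or above the limit, scanner headers with more than one org tag (a second scanner in the path, or headers already present on arrival), and an action header that contradicts the SpamCheck verdict. The header names, values and the limit of 8 are taken from the thread; the sample messages, the `audit`, `scanner_headers` and `spamassassin_score` functions and the finding labels are this example's own assumptions.

```python
"""Audit MailScanner result headers for the symptoms discussed in this thread.

Added example, not MailScanner's own code. Reports:
  1. a SpamAssassin score at or above the local high-scoring limit,
  2. X-<org>-MailScanner* headers carrying more than one %org% tag
     (a second scanner in the path, or headers present on arrival),
  3. an action header ("Found to be clean") that contradicts the
     SpamCheck verdict.
Header names and the limit of 8 come from the thread; the messages are
constructed and the function names are this example's own.
"""
import email
import re

# Constructed sample modelled on the header block posted in the thread
# (addresses masked as in the original, rule list shortened).
SAMPLE_MESSAGE = """Received: from upliftingease.com ([66.249.106.147])
       by x (8.12.10/8.12.8) with SMTP id i4D6N8fK016259
       for <xxxx@xxx>; Thu, 13 May 2004 08:23:19 +0200
From: Angela Jackson <AngelaJackson@upliftingease.com>
Subject: {Spam?} Date-a-Teen (18+over-only)
X-xxxx-MailScanner-Information: Please contact the ISP for more
        information
X-xxxx-MailScanner: Found to be clean
X-MailScanner-MCPCheck: MCP-Clean (MCP-Whitelisted), MCP-Checker
        (score=0, required 1)
X-ecemlgw-MailScanner-SpamCheck: spam, SBL+XBL, spamhaus.org,
        SpamAssassin (score=13.451, required 6, DNS_FROM_RFCI_DSN
        1.39, RCVD_IN_SBL+XBL 4.00, RCVD_IN_SORBS 1.00)
X-xxxx-MailScanner-SpamScore: sssssssssssss
X-MailScanner-From: angelajackson@upliftingease.com

(body omitted)
"""

# Constructed control: a single org tag and a consistent "not spam" result.
CLEAN_MESSAGE = """From: someone@example.net
Subject: hello
X-xxxx-MailScanner: Found to be clean
X-xxxx-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.2, required 6)

(body omitted)
"""

HIGH_SCORE_LIMIT = 8.0  # the poster's "upper limit for spam is 8"

# X-<org>-MailScanner with an optional -Suffix; org tag is group 1.
ORG_TAG = re.compile(r"^X-([^-]+)-MailScanner(?:-(.+))?$", re.IGNORECASE)
SA_SCORE = re.compile(r"SpamAssassin \(score=([\d.]+), required ([\d.]+)",
                      re.IGNORECASE)


def unfold(value):
    """Collapse header folding whitespace into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def scanner_headers(raw):
    """Return [(org, suffix, value)] for every X-<org>-MailScanner* header.

    suffix is "" for the bare action header, otherwise e.g. "spamcheck".
    """
    msg = email.message_from_string(raw)
    found = []
    for name, value in msg.items():
        m = ORG_TAG.match(name)
        if m:
            found.append((m.group(1).lower(), (m.group(2) or "").lower(),
                          unfold(value)))
    return found


def spamassassin_score(headers):
    """Return (score, required) from the first SpamCheck header, or None."""
    for _org, suffix, value in headers:
        if suffix == "spamcheck":
            m = SA_SCORE.search(value)
            if m:
                return float(m.group(1)), float(m.group(2))
    return None


def audit(raw, high_limit=HIGH_SCORE_LIMIT):
    """Return a list of finding labels for one message's header block."""
    headers = scanner_headers(raw)
    findings = []

    # More than one %org% tag: a second scanner, or headers present on arrival.
    orgs = sorted({org for org, _s, _v in headers})
    if len(orgs) > 1:
        findings.append("multiple-org-tags:" + ",".join(orgs))

    # Score at or above the local high-scoring limit.
    sa = spamassassin_score(headers)
    if sa is not None and sa[0] >= high_limit:
        findings.append("high-scoring:%.3f" % sa[0])

    # "spam" verdict next to a "clean" action header.
    verdict_spam = any(s == "spamcheck" and v.lower().startswith("spam")
                       for _o, s, v in headers)
    action_clean = any(s == "" and "clean" in v.lower() for _o, s, v in headers)
    if verdict_spam and action_clean:
        findings.append("verdict-action-mismatch")
    return findings


if __name__ == "__main__":
    for label, raw in (("posted sample", SAMPLE_MESSAGE), ("control", CLEAN_MESSAGE)):
        print(label, "->", audit(raw) or "no findings")
```

Run against the posted block the three findings fire together, which is exactly the combination the thread is puzzling over; against the control message nothing fires. Fed a directory of quarantined or delivered messages, the same `audit` call is a quick way to separate messages that arrived carrying foreign scanner headers from ones where the local scoring and actions simply disagree.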


