Forwarded mail lets spam through

Fri Sep 10 09:24:53 IST 2004

<x-flowed>
Matt

OK - I think I get the issue.

2 options..

Get MS to archive all email (you'll prob have to do this for the S-OX
bill soon anyway!). You can then run SA on the message by hand to get
info about rules hit/or not..

OR can then get MS to make sure you include ALL scores in the
mail-header info even if it's not spam, again you'll see which rules get
triggered and their score.

Make sure the followinng values are set in MailScanner.conf.

Always Include SpamAssasin Report = yes
SpamScore Number Instead Of Stars = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report =yes

Hopefully you'll be able to start norrowing down the issue by getting
this instrumentation into the email.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Matt Bullock wrote:
> I don't have the raw message unfortunately, its already been mangled in
> Outlook a couple of times :)  Let me try and explain the layout a bit
> better.  I have 2 exchange servers serving separate domains/networks.
> The mailscanner/sendmail box is in a dmz, and forwards smtp to the
> domains on each exchange server.  For one exchange server to send mail
> to the other it would be routed through the sendmail box in the dmz.
> The original messages that arent being tagged as spam are originating
> from the spammer, then are routed through an ISP of a friend that hosts
> a domain for me.  That email is then forwarded to another email address
> that I host.  The email passed through my friends ISP isnt being tagged,
> but if I forward that message back through the sendmail box to my other
> exchange server it gets tagged as spam.
>
> Did I just complicate things more?  :)
>
> Matt
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Martin Hepworth
> Sent: Thursday, September 09, 2004 1:37 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Forwarded mail lets spam through
>
> Matt
>
> have you got the full raw email that you can post on a web/ftp site???
>
> We can then run it through our systems to see what rules it fires and
> give scores?
>
> It could be a specific rule is needed to catch this stuff and one of us
> may have it already installed.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Matt Bullock wrote:
>
>>The server isnt whitelisted, and the spam coming through are usually
>>tagged with a couple points, but not enough to trigger anything.  I
>
> just
>
>>forwarded one of the emails through the server and it was marked as
>>spam.
>>
>>
>>Regards,
>>
>>Matt Bullock
>>Troika Networks, Inc.
>>Network Administrator
>>805.367.2728
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>Behalf Of Steve Swaney
>>Sent: Wednesday, September 08, 2004 9:17 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Forwarded mail lets spam through
>>
>>
>>
>>>-----Original Message-----
>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>>Behalf Of Matt Bullock
>>>Sent: Wednesday, September 08, 2004 11:59 AM
>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>Subject: Re: Forwarded mail lets spam through
>>>
>>
>>
>>Snip
>>
>>
>>>Right now SA is catching about 98% of the spam received, it just
>>>doesn't
>>>
>>>tag anything that is forwarded from one particular server.
>>>
>>
>>Snip
>>
>>Only possible explanation I can think of is that this Server is some
>
> how
>
>>white listed. What rule sets have you modified?
>>
>>Steve Swaney
>>President
>>Fortress Systems Ltd.
>>www.fsl.com
>>steve.swaney at fsl.com
>>
>>
>>
>>--
>>This message has been scanned for viruses and dangerous content by
>>MailScanner, and is believed to be clean.
>>
>>Fortress Systems Ltd.
>>www.fsl.com
>>
>>------------------------ MailScanner list ------------------------ To
>>unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and the
>>archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
</x-flowed>