Forwarded mail lets spam through

Matt Bullock mbullock at TROIKANETWORKS.COM
Sun Sep 12 08:38:52 IST 2004 

Martin Hepworth wrote: 

>Always Include SpamAssasin Report = yes
>SpamScore Number Instead Of Stars = yes
>Detailed Spam Report = yes
>Include Scores In SpamAssassin Report =yes

I checked my settings and they all correspond to what you suggested.

Below are headers from 1 email, received from the forwarding server
ns1701.softcom.net, then I simply forwarded that message back through my
mailscanner server to another account.  When it was received it scored a
2.1, but when I forwarded it through again it scored 5.1.  


Microsoft Mail Internet Headers Version 2.0
Received: from slammer.troikanetworks.com ([12.31.173.45]) by
xchange.venturanetworks.com with Microsoft SMTPSVC(6.0.3790.0);
         Sat, 11 Sep 2004 15:15:17 -0700
Received: from ns1701.softcom.net (ns1701.softcom.net [209.142.8.13])
        by slammer.troikanetworks.com (8.12.11/8.12.11) with ESMTP id
i8BMF5s5002082
        for <matt at solidfunk.com>; Sat, 11 Sep 2004 15:15:06 -0700
Received: from 209.142.8.13 (eZvalaria@[218.18.195.73])
        by ns1701.softcom.net (8.12.11/8.12.11) with SMTP id
i8BMF0HL021989
        for <roto at clanmcp.com>; Sat, 11 Sep 2004 15:15:03 -0700
X-Message-Info: NWfnfMMM833dWXGvyCBIo605ZNHnn941+ELElfr4htA
Received: from gxnmqdcgndg5.sc83.ko.snet.kharkov.ua ([217.44.253.176])
by px496-mc05.sc83.ko.snet.kharkov.ua with Microsoft SMTPSVC
(5.0.0204.6219); Sat, 11 Sep 2004 18:14:56 -0500 PST
Received: from Roslynxhj77f1udh008rhw ([100.240.86.176]) by
ofykpazcmuxhsly571.sc83.ko.snet.kharkov.ua
          (InterMail vM.5.01.06.05 188-929-364-072-251-07411509) with
SMTP
          id
<909655133.BC428.hfkhw642.sc83.ko.snet.kharkov.ua at figurater0p4f40ou>
          for <roto at clanmcp.com>; Sat, 11 Sep 2004 18:14:56 -0500
From: "Mcmahon-Lamont" <tzroto at clanmcp.com>
To: roto at clanmcp.com
Subject: Clark Simone
Date: Sat, 11 Sep 2004 18:14:56 -0500
Message-ID:
<309313yi658y38887$952526$hzr209ia83 at Roslyne727gsl394rjh71nc>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--jkso798660083rvbMNT"
X-TroikaNetworks-MailScanner-OpenProtect-Information: Please contact the
Troika Networks, Inc. IT Department
X-TroikaNetworks-MailScanner-OpenProtect: Found to be clean
X-MailScanner-OpenProtect-MCPCheck: 
X-TroikaNetworks-MailScanner-OpenProtect-SpamCheck: not spam,
        SpamAssassin (score=2.1, required 5, OB_URI_RBL 2.10)
X-TroikaNetworks-MailScanner-OpenProtect-SpamScore: 2
X-MailScanner-OpenProtect-From: tzroto at clanmcp.com
Return-Path: tzroto at clanmcp.com
X-OriginalArrivalTime: 11 Sep 2004 22:15:17.0510 (UTC)
FILETIME=[D1A05A60:01C4984C]

----jkso798660083rvbMNT
Content-Type: text/html; Charset=windows-1252
Content-Transfer-Encoding: 7Bit


----jkso798660083rvbMNT--



Microsoft Mail Internet Headers Version 2.0
Received: from communicator.troikanetworks.com ([12.31.172.15]) by
loadstar.troikanetworks.com with Microsoft SMTPSVC(6.0.3790.0);
         Sat, 11 Sep 2004 20:49:43 -0700
Received: from slammer.troikanetworks.com ([12.31.173.45]) by
communicator.troikanetworks.com with Microsoft SMTPSVC(5.0.2195.6713);
         Sat, 11 Sep 2004 20:49:43 -0700
Received: from xchange.venturanetworks.com (xchange.venturanetworks.com
[12.42.120.163])
        by slammer.troikanetworks.com (8.12.11/8.12.11) with ESMTP id
i8C3nXvn016878
        for <mbullock at troikanetworks.com>; Sat, 11 Sep 2004 20:49:33
-0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: *Spam* FW: Clark Simone
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Date: Sat, 11 Sep 2004 20:49:40 -0700
Message-ID:
<A8F190A47A2C9B4CB1925CE039D29C192D68 at xchange.venturanetworks.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Clark Simone
Thread-Index: AcSYTNGxrxpfPjEgTDiCccGxZXzjmgALrIEg
From: "Matt Bullock" <mbullock at venturanetworks.com>
To: <mbullock at troikanetworks.com>
X-TroikaNetworks-MailScanner-OpenProtect-Information: Please contact the
Troika Networks, Inc. IT Department
X-TroikaNetworks-MailScanner-OpenProtect: Found to be clean
X-MailScanner-OpenProtect-MCPCheck: 
X-TroikaNetworks-MailScanner-OpenProtect-SpamCheck: spam,
        SpamAssassin (score=5.1, required 5, OB_URI_RBL 2.10,
        SPAMCOP_URI_RBL 3.00)
X-TroikaNetworks-MailScanner-OpenProtect-SpamScore: 5
X-MailScanner-OpenProtect-From: mbullock at venturanetworks.com
Return-Path: mbullock at venturanetworks.com
X-OriginalArrivalTime: 12 Sep 2004 03:49:43.0220 (UTC)
FILETIME=[89B8B740:01C4987B] 


Matt Bullock


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Martin Hepworth
Sent: Friday, September 10, 2004 1:25 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Forwarded mail lets spam through

Matt

OK - I think I get the issue.

2 options..

Get MS to archive all email (you'll prob have to do this for the S-OX
bill soon anyway!). You can then run SA on the message by hand to get
info about rules hit/or not..


OR can then get MS to make sure you include ALL scores in the
mail-header info even if it's not spam, again you'll see which rules get
triggered and their score.

Make sure the followinng values are set in MailScanner.conf.

Always Include SpamAssasin Report = yes
SpamScore Number Instead Of Stars = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report =yes


Hopefully you'll be able to start norrowing down the issue by getting
this instrumentation into the email.



--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

More information about the MailScanner mailing list