No header changes on spam messages?
Philip Hachey
PHachey at CITY.CORNWALL.ON.CA
Mon Feb 14 16:26:23 GMT 2005
Hi. Has anyone else run into this problem? In all normal cases,
MailScanner adds "X_MailScanner" headers to our incoming email and
modifies the subject line if it is spam, a virus, etc. However, in some
strange cases, even though the message is detected as spam, no header
changes happen. In all cases that I've seen so far, this only happens
with those "forged" (or resulting from a forge) DSN delivery failure
messages. A snip from the log for such a message follows. MailScanner
did not modify the headers of this message:
Feb 13 20:36:46 mx1 sendmail[15354]: j1E1ajkW015354: from=<>, size=7254,
class=0, nrcpts=1,
msgid=<200502140137.j1E1brWC011675 at iwebination.cust.iaf.nl>, proto=ESMTP,
daemon=MTA, relay=iwebination.cust.iaf.nl [80.89.232.72]
Feb 13 20:36:46 mx1 sendmail[15354]: j1E1ajkW015354:
to=<[#USER#]@[#LOCAL-DOMAIN#]>, delay=00:00:00, mailer=relay, pri=37254,
stat=queued
Feb 13 20:36:50 mx1 MailScanner[13359]: New Batch: Scanning 1 messages,
7752 bytes
Feb 13 20:36:50 mx1 MailScanner[13359]: Spam Checks: Starting
Feb 13 20:37:00 mx1 MailScanner[13359]: Message j1E1ajkW015354 from
80.89.232.72 () to [#LOCAL-DOMAIN#] is spam, SpamAssassin (score=7.321,
required 3, BAYES_40 -1.10, HTML_BACKHAIR_8 0.73, HTML_FONT_BIG 0.14,
HTML_MESSAGE 0.00, HTML_OBFUSCATE_10_20 0.86, HTML_TAG_EXIST_TBODY 0.11,
HTML_TEXT_AFTER_BODY 0.06, J_CHICKENPOX_13 0.60, MIME_HTML_MOSTLY 1.02,
SARE_HTML_INV_TAG 2.22, SARE_STRIPE 1.67, URIBL_SBL 1.00)
Feb 13 20:37:00 mx1 MailScanner[13359]: Spam Checks: Found 1 spam messages
Feb 13 20:37:00 mx1 MailScanner[13359]: Spam Actions: message
j1E1ajkW015354 actions are deliver
Feb 13 20:37:03 mx1 MailScanner[13359]: Virus and Content Scanning:
Starting
Feb 13 20:37:04 mx1 MailScanner[13359]: Found phishing fraud from
ragouted.astronomersledby.com claiming to be
www.railways.havebeenableestimate.com in j1E1ajkW015354
Feb 13 20:37:04 mx1 MailScanner[13359]: Content Checks: Detected and have
disarmed HTML message in j1E1ajkW015354 from
Feb 13 20:37:05 mx1 MailScanner[13359]: Uninfected: Delivered 1 messages
Feb 13 20:37:05 mx1 sendmail[15372]: j1E1ajkW015354:
to=<[#USER#]@[#LOCAL-DOMAIN#]>, delay=00:00:19, xdelay=00:00:00,
mailer=relay, pri=127254, relay=[#HOST#].[#LOCAL-DOMAIN#] [#LOCAL-IP#],
dsn=2.0.0, stat=Sent (Message accepted for delivery)
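
One way to list the messages that fit the pattern described above (null envelope sender, flagged as spam, still delivered), as an added example that is not part of the original post: it joins sendmail's `from=<>` line to MailScanner's "is spam" and "Spam Actions" lines on the queue id. The sample log is constructed in the layout of the excerpt above, and `null_sender_spam` is a hypothetical helper name.

```python
import re

# Constructed sample in the syslog layout of the excerpt above; queue ids,
# hosts and addresses are made up, and each entry is on a single line.
SAMPLE_LOG = """\
Feb 13 20:36:46 mx1 sendmail[15354]: j1EAAAAA000001: from=<>, size=7254, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Feb 13 20:36:47 mx1 sendmail[15355]: j1EBBBBB000002: from=<alice@example.org>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.20]
Feb 13 20:36:48 mx1 sendmail[15356]: j1ECCCCC000003: from=<>, size=3100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Feb 13 20:37:00 mx1 MailScanner[13359]: Message j1EAAAAA000001 from 192.0.2.10 () to example.com is spam, SpamAssassin (score=7.321, required 3, URIBL_SBL 1.00)
Feb 13 20:37:00 mx1 MailScanner[13359]: Message j1EBBBBB000002 from 192.0.2.20 (alice@example.org) to example.com is spam, SpamAssassin (score=5.1, required 3)
Feb 13 20:37:00 mx1 MailScanner[13359]: Spam Actions: message j1EAAAAA000001 actions are deliver
Feb 13 20:37:00 mx1 MailScanner[13359]: Spam Actions: message j1EBBBBB000002 actions are deliver
"""

# sendmail receipt line: queue id and envelope sender (empty for a DSN/bounce)
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=<([^>]*)>")
# MailScanner spam verdict: queue id and SpamAssassin score
SPAM_RE = re.compile(r"Message (\w+) from \S+ .*? is spam.*?score=(-?[\d.]+)")
# MailScanner spam action chosen for the message
ACTION_RE = re.compile(r"Spam Actions: message (\w+) actions are (.+)$")


def null_sender_spam(log_text):
    """Return (queue_id, score, actions) for spam whose envelope sender is <>."""
    senders, scores, actions = {}, {}, {}
    for line in log_text.splitlines():
        if m := FROM_RE.search(line):
            senders[m.group(1)] = m.group(2)
        elif m := SPAM_RE.search(line):
            scores[m.group(1)] = float(m.group(2))
        elif m := ACTION_RE.search(line):
            actions[m.group(1)] = m.group(2).strip()
    # Keep only spam verdicts whose receipt line showed an empty sender.
    return [(qid, scores[qid], actions.get(qid, "unknown"))
            for qid in scores if senders.get(qid) == ""]


if __name__ == "__main__":
    for qid, score, action in null_sender_spam(SAMPLE_LOG):
        print(f"{qid}: null sender, spam score {score}, actions: {action}")
```

Each queue id it returns can then be compared against the delivered copy of the message to see whether the MailScanner headers are present.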