Blacklist To: not working

Dan Haris dannyh at aac-services.co.uk
Wed Jan 19 12:20:15 GMT 2005


Hi,

We get a lot of spam sent to specific non-existent users, which I'm trying
to block. We use what I believe is the latest stable MailScanner (4.37.7)
along with Exim 4.32, as a gateway server. I've seen some discussion in the
mailing list archives about blocking non-existent users at the MTA level,
but this seems to have only been on sendmail. For various reasons (mainly
paranoid management) we don't want to go this route at the moment, but if
anyone can point me in the right direction for this I'd appreciate it as it
may be of use as a last resort. Our main mail servers (E-Smith/SME server)
run QMail, I think, authenticating against an LDAP user database (although I
may be talking rubbish there!).

Anyhow, here's the question:

I'm trying to blacklist a To: address in my
/etc/MailScanner/rules/spam.blacklist.rules file with an entry like this:

To:     user at domain.co.uk               yes

Unfortunately this does not seem to be behaving as expected. Since I added
this rule, I've had several spam emails get through to this address. Looking
at the relevant headers from one of them below, the address seems to have
been recognised as blacklisted, but assigned a HIGH SPAM SCORE of zero and
says "Found to be clean":

Subject: {Spam? High Score 0} Downl0ad National Treasure Movie
To: xxx at yyyy.co.uk
X-yyyy-MailScanner-Information: Please contact the IT Dept for more
information
X-yyyy-MailScanner: Found to be clean
X-yyyy-MailScanner-SpamCheck: spam (blacklisted)

There is no entry in the log for this spam (presumably as I don't bother
logging non-spam). However there is an entry like this:

Jan 18 03:29:35 mailscan MailScanner[7058]: Message 1Cqk3g-0001vb-Ep from
218.232.191.173 (livptxxxx at yyyy.co.uk) to yyyy.co.uk is spam (blacklisted)

This email did not get through.

My MailScanner.conf contains the following:

Definite Spam Is High Scoring = yes
Required SpamAssassin Score = 5
High SpamAssassin Score = 10
SpamAssassin Auto Whitelist = yes
Check SpamAssassin If On Spam List = yes
Spam Actions = forward spamtrap at yyyy.co.uk
High Scoring Spam Actions = delete
Non Spam Actions = deliver

Any ideas anyone?
