How did this spam make it through?

Jeff Falgout jfalgout at OGOV.NET
Thu Mar 17 16:00:15 GMT 2005



A user sent me a nasty-spam(tm) that made it through MS (headers below).
SA scored it a 24.772, but it was whitelisted. I've searched through all
of my whitelists and can find nothing related. What does have me baffled
is that the first Received line:

Received: from 206.247.49.30 ([219.144.239.84])
        by ww11.co.jefferson.co.us (8.13.1/8.13.1) with SMTP id j2HEXJ40003797;

206.247.49.30, which shows up as the hostname for 219.144.239.84 (I
believe I'm reading that correctly), is the IP address of the machine
ww11.co.jefferson.co.us - the primary MX.

Did this spam get whitelisted because it saw its IP address somewhere in
the first Received line and thought it came from itself? How can I fix
this, or is it a new technique?

Jeff


Return-path: <Doran at didamail.com>
Received: from ww11.co.jefferson.co.us [172.18.2.30]
        by GC6.jefferson.co.us; Thu, 17 Mar 2005 07:34:17 -0700
Received: from 206.247.49.30 ([219.144.239.84])
        by ww11.co.jefferson.co.us (8.13.1/8.13.1) with SMTP id j2HEXJ40003797;
        Thu, 17 Mar 2005 07:33:37 -0700
Message-Id: <200503171433.j2HEXJ40003797 at ww11.co.jefferson.co.us>
Received: from [108.94.24.232] by dutiful%DIGITS.beetle.219.144.239.84 via
HTTP; Thu, 17 Mar 2005 06:33:39 -0800
Reply-To: "boardermail.com" <Doran at didamail.com>
From: "boardermail.com" <Doran at didamail.com>
To: <llamprec at co.jefferson.co.us>
Subject: Here it is
Date: Thu, 17 Mar 2005 06:33:39 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--3842810193altf8696"
X-JeffCo-MailScanner-Information: Please contact the Help Desk for more
information
X-JeffCo-MailScanner: Found to be clean
X-JeffCo-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (score=24.722, required 4, autolearn=spam,
        BAYES_50 0.00, DCC_CHECK 2.17, DNS_FROM_RFC_WHOIS 0.30,
        MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72,
        RCVD_HELO_IP_MISMATCH 2.18, RCVD_IN_BL_SPAMCOP_NET 1.22,
        RCVD_IN_DSBL 1.00, RCVD_IN_XBL 3.08, RCVD_NUMERIC_HELO 1.25,
        SOMETHING_FOR_ADULTS 0.01, UNRESOLVED_TEMPLATE 2.87,
        URIBL_AB_SURBL 0.42, URIBL_OB_SURBL 3.21, URIBL_SBL 1.00,
        URIBL_SC_SURBL 4.26)
X-MailScanner-From: doran at didamail.com
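The mechanism the post suspects can be shown with a few lines of Python. This is an added example, not MailScanner code, and it does not claim to reproduce how MailScanner's whitelist actually works. What it does show is the general hazard: sendmail writes a Received line as "from <HELO argument> (<reverse DNS> [<connecting IP>])", so the first token after "from" is whatever the remote client said in HELO, while only the bracketed address was observed by the receiving MTA. A check that looks for the local MX address anywhere in the line will match a HELO of "206.247.49.30"; a check that parses out the bracketed address will not. The legitimate Received line and its hostname/address are constructed for contrast; the spam line is copied from the headers above.

```python
import re

# Constructed sample headers (not taken from a live system): the suspicious first
# Received line from the post, plus an invented legitimate one for contrast.
LOCAL_MX_IP = "206.247.49.30"   # address of ww11.co.jefferson.co.us, per the post

SPAM_RECEIVED = (
    "Received: from 206.247.49.30 ([219.144.239.84])\n"
    "        by ww11.co.jefferson.co.us (8.13.1/8.13.1) with SMTP id j2HEXJ40003797;\n"
    "        Thu, 17 Mar 2005 07:33:37 -0700"
)
LEGIT_RECEIVED = (
    "Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
    "        by ww11.co.jefferson.co.us (8.13.1/8.13.1) with ESMTP id abc123;\n"
    "        Thu, 17 Mar 2005 08:00:00 -0700"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <helo> (<comment>) by <host>" as sendmail writes it; the comment carries
# the address the MTA actually accepted the connection from, in square brackets.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold(header: str) -> str:
    """Join RFC 2822 continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header: str) -> dict:
    """Split a Received header into the untrusted HELO string, the bracketed
    connecting IP (recorded by our own MTA) and the receiving host name."""
    m = RECEIVED_RE.match(unfold(header))
    if not m:
        raise ValueError("not a Received header")
    comment = m.group("comment") or ""
    ip = re.search(r"\[(" + IPV4 + r")\]", comment)
    return {
        "helo": m.group("helo"),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
    }


def naive_is_local(header: str) -> bool:
    """Weak check: treat the hop as coming from our MX if the MX address appears
    anywhere in the line. The remote client controls the HELO string, so it can
    plant that address and satisfy this test."""
    return LOCAL_MX_IP in unfold(header)


def strict_is_local(header: str) -> bool:
    """Sound check: only the bracketed address, written by the receiving MTA from
    the TCP connection, decides where the hop came from."""
    return parse_received(header)["ip"] == LOCAL_MX_IP


def numeric_helo_mismatch(header: str) -> bool:
    """True when the client HELOed with a bare IP literal that differs from the
    address it connected from, the pattern SpamAssassin flags as
    RCVD_NUMERIC_HELO / RCVD_HELO_IP_MISMATCH in the headers above."""
    r = parse_received(header)
    return bool(re.fullmatch(IPV4, r["helo"])) and r["helo"] != r["ip"]


if __name__ == "__main__":
    for name, hdr in (("spam", SPAM_RECEIVED), ("legit", LEGIT_RECEIVED)):
        p = parse_received(hdr)
        print(f"{name}: helo={p['helo']} ip={p['ip']} "
              f"naive_local={naive_is_local(hdr)} strict_local={strict_is_local(hdr)} "
              f"helo_mismatch={numeric_helo_mismatch(hdr)}")
```

Run it and the spam line is "local" under the substring test but not under the parsed test, while the constructed legitimate line is local under neither. The practical rule is the same whichever whitelisting tool is in play: any trust decision derived from Received headers must key on the bracketed address your own MTA recorded, never on the HELO name or a substring match over the whole line.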

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!