2 spam checking issues...
bob.jones at USG.EDU
Mon Mar 28 16:12:20 IST 2005
We recently implemented spamassassin check through mailscanner here and
have noticed a couple of issues that we could use some help with. We
have set up a ruleset so that mail originating from our networks
bypasses the spam checks and that mail to certain addresses (such as
abuse, helpdesk, etc.) is not checked for spam either. We are running
mailscanner version 4.39.6, spamassassin version 3.0.2 and sendmail
version 8.12.11 on Solaris 9. Now for the issues:
1. We received a message that bypassed the spam check. The relevant
header info is:
    Received: from 184.108.40.206 ([220.127.116.11])
        by hermes.bor.usg.edu (8.12.11/8.12.11) with SMTP id
        j2NEuQkB002299; Wed, 23 Mar 2005 09:56:35 -0500 (EST)
The IP address of our mailserver (hermes.bor.usg.edu) is 18.104.22.168.
It seems that the spammer used our IP address as his HELO during the
SMTP connection. The *actual* IP address of the spammer is within the
() in the next field. To determine if a ruleset applies, is mailscanner
doing a simple grep? It seems to me that it should be grepping for what
is within the () and ignoring what the HELO was, as that can be forged. Or
is there an issue here I'm not grasping?
2. The second is with skipping spam checks for certain addresses. It
seems that if an address we have added to the ruleset to skip spam
checks is listed in the CC or BCC fields (maybe the TO field as well,
but haven't seen an example of this yet), that message isn't scanned for
*any* of the recipients. Is this the expected behavior? Is there a way
to work around this issue?
I apologize if these are repeated questions, but I searched the list
archives and couldn't find any messages that dealt with these issues.
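As an added illustration of the first issue (not part of the original post and not MailScanner's code), the sketch below contrasts a substring match on the whole Received header with a decision based only on the bracketed peer address that sendmail records. The trusted network, host names, queue id and function names are constructed for the example.

```python
import ipaddress
import re

# Constructed trusted network (documentation range), not taken from the post.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# sendmail style: "from <helo> (<rdns> [<ip>])" or "from <helo> ([<ip>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]")

def parse_received(header):
    """Return (helo, peer_ip) from a sendmail-style Received header, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return m.group("helo"), peer

def naive_skip(header):
    """Unsafe: substring match anywhere in the header, HELO text included."""
    return "192.0.2." in header

def skip_spam_checks(header):
    """Decide on the bracketed peer address only; fail closed if unparsable."""
    parsed = parse_received(header)
    return parsed is not None and any(parsed[1] in n for n in TRUSTED_NETS)

# Constructed headers: an outside client claiming an internal address as its
# HELO, and a genuine internal client.
FORGED = ("from 192.0.2.10 ([198.51.100.77])\n"
          "\tby mx.example.edu (8.12.11/8.12.11) with SMTP id CONSTRUCTED01;"
          " Wed, 23 Mar 2005 09:56:35 -0500 (EST)")
INTERNAL = ("from pc7.example.edu (pc7.example.edu [192.0.2.45])\n"
            "\tby mx.example.edu (8.12.11/8.12.11) with ESMTP id CONSTRUCTED02;"
            " Wed, 23 Mar 2005 10:02:11 -0500 (EST)")

if __name__ == "__main__":
    for name, hdr in (("forged HELO", FORGED), ("internal", INTERNAL)):
        print(name, "naive:", naive_skip(hdr), "peer-based:", skip_spam_checks(hdr))
```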