first message spam, next spam gets whitelisted?

Matt Kettler mkettler at EVI-INC.COM
Tue Mar 29 19:30:34 IST 2005



Looking at your "problem" it appears the second message is actually the
first message.

However, the second one looks like it's already been tagged by a
version of SpamAssassin that's set to encapsulate spam messages. When
SpamAssassin encapsulates, it replaces all the headers, so MailScanner
will see the message as coming from the machine that tagged it as spam,
not as coming from the spammer.

You might want to dig around and check your headers for the spam message
in question VERY closely.

You might be double-scanning your messages sent to localdomain1.com. In
particular, check if localdomain0.com is set up as a forward to
localdomain1 in such a way that it will get sent back through the
MailScanner a second time.


Fractal IT Dept. wrote:

> Hi everyone,
>
> I'm seeing a bunch of messages these days that look like this:
> [<http://ns1.fractalweb.com/_fractalscan/detail.php?id=j2TETeso011205>]
> 29/03/05 06:29:57  itbe_1e3925a6a26ccc4b151239a39c588a...  sara at localdomain1.com  {**Spam?**} IT Secur...  35.6Kb  7.75  W/L
> [<http://ns1.fractalweb.com/_fractalscan/detail.php?id=j2TETVso011164>]
> 29/03/05 06:29:40  itbe_1e3925a6a26ccc4b151239a39c588a...  sara at localdomain0.com  IT Security--Ignoran...  33.7Kb  6.06  Spam
>
>
> So from what I can see, a message comes in to this user and is
> correctly tagged as spam. Then 27 seconds later, another (likely
> duplicate) message from the same spammer comes in for the user's email
> address on her other address, gets even higher spam but is
> whitelisted. Needless to say, this spammer is not in the
> spam.whitelist.rules file.
>
> Obviously my question is: how do I stop this from happening? And why
> is a higher scoring message being let through to the user's inbox as
> whitelisted (when it isn't) when an identical message only seconds
> before was correctly tagged?
>
> Thanks,
> Chris
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/)
> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> *Support MailScanner development - buy the book off the website!*

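
The header check suggested in the reply above can be scripted. This is an added example, not part of the original post and not MailScanner or SpamAssassin code: it reports which host handed the message over, whether the same host appears in more than one Received "by" clause (a sign of double-scanning), and the sender inside an encapsulated original. Assumptions: the sample message and its hostnames are constructed, and the wrapper is assumed to carry X-Spam-Flag: YES with the original attached as a message/rfc822 part.

```python
import re
from email import message_from_string

# Constructed sample (hosts, ids and addresses are made up): the wrapper a
# second scan would see after a first pass encapsulated the spam.
SAMPLE = "\n".join([
    "Received: from localhost (localhost [127.0.0.1])",
    "\tby mx.example.net with ESMTP id SAMPLE2; Tue, 29 Mar 2005 06:29:57 +0100",
    "Received: from relay.spammer.example (unknown [192.0.2.10])",
    "\tby mx.example.net with ESMTP id SAMPLE1; Tue, 29 Mar 2005 06:29:40 +0100",
    "To: sara@localdomain1.com",
    "Subject: {Spam?} IT Security",
    "X-Spam-Flag: YES",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Spam detection software has identified this mail as spam.",
    "--b1",
    "Content-Type: message/rfc822",
    "",
    "From: bulk@spammer.example",
    "Subject: IT Security",
    "",
    "original spam body",
    "--b1--",
    "",
])

def diagnose(raw):
    """Summarise the routing and encapsulation clues in one raw message."""
    msg = message_from_string(raw)
    # Unfold each Received header so "from ... by ..." sits on one line.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    by_hosts = [hit.group(1).lower() for h in received
                if (hit := re.search(r"\bby\s+(\S+)", h))]
    top = re.match(r"from\s+(\S+)", received[0]) if received else None
    inner = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    original = inner[0].get_payload(0) if inner else None
    return {
        "handed_over_by": top.group(1) if top else None,  # newest hop's client
        "hosts_seen_twice": sorted({h for h in by_hosts if by_hosts.count(h) > 1}),
        "encapsulated": bool(inner) and msg.get("X-Spam-Flag", "").upper() == "YES",
        "original_from": original["From"] if original else None,
    }
```

A non-empty hosts_seen_twice together with encapsulated set to True matches the situation described in the reply: the scanner is being handed its own wrapper rather than the spammer's original message.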