question re: spam mail

Jon Miller jlmiller at MMTNETWORKS.COM.AU
Fri Oct 14 01:16:55 IST 2005


Maybe I'm not understanding the function of this program clearly. I'm still receiving various spam mail with all types of content ranging from free vacation to Viagra to "see my wife" crap and the like. I submit these e-mails as samples to a folder on the Linux server and run a script that sa-learn reads and then delete the contents of the folder.

mail:/home/jlmiller/spam# cat /root/spamlearn.sh
#!/bin/bash
# spamlearn.sh - enter mail name to run
sa-learn -p -v /etc/spam.assassin.prefs.conf --spam /home/jlmiller/spam
ls -l /home/jlmiller/spam/* >> /home/jlmiller/spammail/spamlist.txt
rm /home/jlmiller/spam/*.mlm


Now, what I understood from someone on the list is that this has to happen several times before SA will learn that this is considered spam; is that correct?
If so, why not run the same junk through several times? If I do it manually I see that sa-learn picks up on the information and learns that the submitted mail is spam. If I run it a 2nd time it states it "Learned from 0 message(s) (14 message(s) examined)".

1st run
mail:/home/jlmiller/spam# sa-learn -p -v /etc/spam.assassin.prefs.conf --spam /home/jlmiller/spam
Learned from 13 message(s) (14 message(s) examined).


2nd run
mail:/home/jlmiller/spam# sa-learn -p -v /etc/spam.assassin.prefs.conf --spam /home/jlmiller/spam
Learned from 0 message(s) (14 message(s) examined).


So, if it's learned something from the 1st run, why is it that the same email can come through time and time again?

Also, in the headers of some of these e-mails I can see that SA disabled itself (2nd e-mail header) or has timed out; others are reporting a score that is either negative (1st email header) or too low.

Like to get some help in understanding why messages such as these are able to get through.

Thanks


*************** 1st email header ************************************
Received: from mail.mmtnetworks.com.au
 ([192.168.3.3])
 by mmtnetworks.com.au; Thu, 13 Oct 2005 20:46:53 +0800
Received: from arcor.de (unknown [81.13.29.16])
 by mail.mmtnetworks.com.au (Postfix) with SMTP id 6BF47150080
 for <jlmiller at mmtnetworks.com.au>; Thu, 13 Oct 2005 20:41:15 +0800 (WST)
Received: from theirs (192.168.226.107)
 by arcor.de (Crusher oi 4.97) with SMTP id GYCIjl-OHQvnr-qT
 for <jlmiller at mmtnetworks.com.au>; Thu, 13 Oct 2005 07:29:12 -0500
Message-ID: <000e01c5cff1$b58e5880$6be2a8c0 at theirs>
From: "Rajendra Birkland" <rajenktlbirkland at arcor.de>
To: "Olya Bachelder" <jlmiller at mmtnetworks.com.au>
Subject: Dumitru Pugliese Meids
Date: Thu, 13 Oct 2005 07:29:09 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_000B_01C5CFC7.CCB85080"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-mmtnet-MailScanner: Found to be clean
X-mmtnet-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.018,
 required 2, BAYES_00, HTML_90_100, HTML_FONT_BIG, HTML_MESSAGE,
 MIME_QP_LONG_LINE, SARE_HTML_TD_BR)
X-MailScanner-From: rajenktlbirkland at arcor.de


******** 2nd email header **********************

Received: from mail.mmtnetworks.com.au
 ([192.168.3.3])
 by mmtnetworks.com.au; Thu, 06 Oct 2005 21:18:58 +0800
Received: from cm-85-152-224-116.telecable.es (cm-85-152-224-116.telecable.es [85.152.224.116])
 by mail.mmtnetworks.com.au (Postfix) with SMTP id 0B548150073
 for <jlmiller at mmtnetworks.com.au>; Thu,  6 Oct 2005 21:14:58 +0800 (WST)
FCC: mailbox://wkcoawzpu@hotmail.com/Sent
X-Identity-Key: id1
Date: Thu, 06 Oct 2005 13:00:45 -0100
From: Liliana Winters <wkcoawzpu at hotmail.com>
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: jlmiller at mmtnetworks.com.au
Subject: re [9]:
Content-Type: multipart/related;
 boundary="------------070203010308010305060004"
Message-Id: <20051006131458.0B548150073 at mail.mmtnetworks.com.au>
X-mmtnet-MailScanner: Found to be clean
X-mmtnet-MailScanner-SpamCheck: not spam,
 SpamAssassin (Disabled due to 20 consecutive timeouts)
X-MailScanner-From: wkcoawzpu at hotmail.com

This is a multi-part message in MIME format.
--------------070203010308010305060004
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body bgcolor="#FFFFF7" text="#B1C5FD"><p><IMG SRC="cid:part1.07050508.00050507 at gwnfcmat@hotmail.com" border="0" ALT=""></p><p><font color="#FFFFFA">it's beautiful Oscar Powerball Cliff Notes</font></p><p><font color="#FFFFF8">Atkins Diet Oprah Winfrey</font></p></body></html>

--------------070203010308010305060004
Content-Type: image/gif;
 name="asinine.GIF"
Content-Transfer-Encoding: base64
Content-ID: <part1.07050508.00050507 at gwnfcmat@hotmail.com>
Content-Disposition: inline;
 filename="asinine.GIF"


Jon L. Miller,  ASE, CNS, CLS, MCNE, CCNA
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
Resellers for: Sophos Anti-Virus, Novell, Cisco, Swifdsl

"I don't know the key to success, but the key to failure
 is trying to please everybody." -Bill Cosby

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
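
Added example, not part of the original post and not MailScanner's own code: a Python parser for the SpamCheck header shown in the two quoted messages, flagging the two conditions visible there (a BAYES_00 hit on a delivered message, and SpamAssassin disabled after consecutive timeouts). The function name, the flag names and the suffix match on the header name are assumptions made for this example.

```python
import email
import re

# The two SpamCheck headers quoted in the post, trimmed to the relevant lines.
SAMPLE_1 = """\
Subject: Dumitru Pugliese Meids
X-mmtnet-MailScanner: Found to be clean
X-mmtnet-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.018,
 required 2, BAYES_00, HTML_90_100, HTML_FONT_BIG, HTML_MESSAGE,
 MIME_QP_LONG_LINE, SARE_HTML_TD_BR)

body
"""
SAMPLE_2 = """\
Subject: re [9]:
X-mmtnet-MailScanner-SpamCheck: not spam,
 SpamAssassin (Disabled due to 20 consecutive timeouts)

body
"""

SCORED = re.compile(r"score=(-?[\d.]+),\s*required\s+(-?[\d.]+)(?:,\s*(.*?))?\)")
DISABLED = re.compile(r"Disabled due to (\d+) consecutive timeouts")

def parse_spamcheck(raw):
    """Return a dict describing the MailScanner SpamCheck header, or None."""
    msg = email.message_from_string(raw)
    for name, value in msg.items():
        # Assumption: match on the suffix so a site prefix other than "mmtnet" also works.
        if not name.lower().endswith("-mailscanner-spamcheck"):
            continue
        text = " ".join(value.split())          # unfold continuation lines
        info = {"verdict": text.split(",")[0].strip(), "score": None,
                "required": None, "rules": [], "flags": []}
        m = SCORED.search(text)
        if m:
            info["score"], info["required"] = float(m.group(1)), float(m.group(2))
            info["rules"] = [r.strip() for r in (m.group(3) or "").split(",") if r.strip()]
        d = DISABLED.search(text)
        if d:                                   # SpamAssassin never scored this message
            info["flags"].append("SA_DISABLED_AFTER_%s_TIMEOUTS" % d.group(1))
        elif info["score"] is None:
            info["flags"].append("NOT_SCORED")
        # BAYES_00 is SpamAssassin's rule for a Bayes spam probability of 0-1%.
        if "BAYES_00" in info["rules"]:
            info["flags"].append("BAYES_SAYS_HAM")
        return info
    return None
```

Run over a folder of delivered messages, the flags separate mail that was never scored from mail that was scored but pulled below the threshold by the Bayes rule.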
