question re: spam mail

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Fri Oct 14 09:11:42 IST 2005


Jon

Make sure you have the URI-RBLs enabled (needs Net::DNS) in the SA setup
(in /etc/mail/spamassassin/*.pre)

Also run a 

spamassassin -D --lint

to see if it pops any errors... Also check the SARE rules and others on
www.rulesemporium.com for lots of nice extras on top of the default SA ones.



--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Jon Miller
> Sent: 14 October 2005 01:17
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: [MAILSCANNER] question re: spam mail
> 
> Maybe I'm not understanding the function of this program clearly.  I'm
> still receiving various spam mail with all types of content ranging from
> free vacation to viagra to see my wife crap and the like.  I submit these
> e-mails as samples to a folder on the linux server and run a script that
> sa-learn reads and then deletes the contents of the folder.
> 
> mail:/home/jlmiller/spam# cat /root/spamlearn.sh
> #!/bin/bash
> # spamlearn.sh - enter mail name to run
> sa-learn -p -v /etc/spam.assassin.prefs.conf --spam /home/jlmiller/spam
> ls -l /home/jlmiller/spam/* >> /home/jlmiller/spammail/spamlist.txt
> rm /home/jlmiller/spam/*.mlm
> 
> 
> Now from what I understood from someone on the list is that this has to
> happen several times before SA will learn that this is considered spam, is
> that correct?
> If so why not run the same junk through several times?  If I do it
> manually I see that sa-learn picks up on the information and learns that
> the submitted mail is spam.  If I run it a 2nd time it states it "Learned
> from 0 message(s) (14 message(s) examined)".
> 
> 1st run
> mail:/home/jlmiller/spam# sa-learn -p -v /etc/spam.assassin.prefs.conf --spam /home/jlmiller/spam
> Learned from 13 message(s) (14 message(s) examined).
> 
> 
> 2nd run
> mail:/home/jlmiller/spam# sa-learn -p -v /etc/spam.assassin.prefs.conf --spam /home/jlmiller/spam
> Learned from 0 message(s) (14 message(s) examined).
> 
> 
> So, if it's learned something from the 1st run why is it the same email
> can come through time and time again?
> 
> Also in the header of some of these e-mails I can see that SA disabled
> itself (2nd e-mail header) or has timed out; others are reporting the
> score as either negative (1st email header) or too low.
> 
> Like to get some help in understanding why messages such as these are able
> to get through.
> 
> Thanks
> 
> 
> *************** 1st email header ************************************
> Received: from mail.mmtnetworks.com.au
>  ([192.168.3.3])
>  by mmtnetworks.com.au; Thu, 13 Oct 2005 20:46:53 +0800
> Received: from arcor.de (unknown [81.13.29.16])
>  by mail.mmtnetworks.com.au (Postfix) with SMTP id 6BF47150080
>  for <jlmiller at mmtnetworks.com.au>; Thu, 13 Oct 2005 20:41:15 +0800 (WST)
> Received: from theirs (192.168.226.107)
>  by arcor.de (Crusher oi 4.97) with SMTP id GYCIjl-OHQvnr-qT
>  for <jlmiller at mmtnetworks.com.au>; Thu, 13 Oct 2005 07:29:12 -0500
> Message-ID: <000e01c5cff1$b58e5880$6be2a8c0 at theirs>
> From: "Rajendra Birkland" <rajenktlbirkland at arcor.de>
> To: "Olya Bachelder" <jlmiller at mmtnetworks.com.au>
> Subject: Dumitru Pugliese Meids
> Date: Thu, 13 Oct 2005 07:29:09 -0500
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="----=_NextPart_000_000B_01C5CFC7.CCB85080"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> X-mmtnet-MailScanner: Found to be clean
> X-mmtnet-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.018,
>  required 2, BAYES_00, HTML_90_100, HTML_FONT_BIG, HTML_MESSAGE,
>  MIME_QP_LONG_LINE, SARE_HTML_TD_BR)
> X-MailScanner-From: rajenktlbirkland at arcor.de
> 
> 
> ******** 2nd email header **********************
> 
> Received: from mail.mmtnetworks.com.au
>  ([192.168.3.3])
>  by mmtnetworks.com.au; Thu, 06 Oct 2005 21:18:58 +0800
> Received: from cm-85-152-224-116.telecable.es (cm-85-152-224-116.telecable.es [85.152.224.116])
>  by mail.mmtnetworks.com.au (Postfix) with SMTP id 0B548150073
>  for <jlmiller at mmtnetworks.com.au>; Thu,  6 Oct 2005 21:14:58 +0800 (WST)
> FCC: mailbox://wkcoawzpu@hotmail.com/Sent
> X-Identity-Key: id1
> Date: Thu, 06 Oct 2005 13:00:45 -0100
> From: Liliana Winters <wkcoawzpu at hotmail.com>
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> To: jlmiller at mmtnetworks.com.au
> Subject: re [9]:
> Content-Type: multipart/related;
>  boundary="------------070203010308010305060004"
> Message-Id: <20051006131458.0B548150073 at mail.mmtnetworks.com.au>
> X-mmtnet-MailScanner: Found to be clean
> X-mmtnet-MailScanner-SpamCheck: not spam,
>  SpamAssassin (Disabled due to 20 consecutive timeouts)
> X-MailScanner-From: wkcoawzpu at hotmail.com
> 
> This is a multi-part message in MIME format.
> --------------070203010308010305060004
> Content-Type: text/html; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> 
> <html><head><meta http-equiv="Content-Type" content="text/html;
> charset=iso-8859-1"></head><body bgcolor="#FFFFF7" text="#B1C5FD"><p><IMG
> SRC="cid:part1.07050508.00050507 at gwnfcmat@hotmail.com" border="0"
> ALT=""></p><p><font color="#FFFFFA">it's beautiful Oscar Powerball Cliff
> Notes</font></p><p><font color="#FFFFF8">Atkins Diet Oprah
> Winfrey</font></p></body></html>
> 
> --------------070203010308010305060004
> Content-Type: image/gif;
>  name="asinine.GIF"
> Content-Transfer-Encoding: base64
> Content-ID: <part1.07050508.00050507 at gwnfcmat@hotmail.com>
> Content-Disposition: inline;
>  filename="asinine.GIF"
> 
> 
> Jon L. Miller,  ASE, CNS, CLS, MCNE, CCNA
> Director/Sr Systems Consultant
> MMT Networks Pty Ltd
> http://www.mmtnetworks.com.au
> Resellers for: Sophos Anti-Virus, Novell, Cisco, Swifdsl
> 
> "I don't know the key to success, but the key to failure
>  is trying to please everybody." -Bill Cosby
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!
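
An added example (not part of the original thread, and not MailScanner or SpamAssassin code): a small Python triage of the SpamCheck headers quoted above, separating mail that SpamAssassin never scored from mail it scored below the required value. The function name, the reason labels and the trimmed samples are assumptions made for illustration; the header text is copied from the two quoted messages.

```python
import re
from email import message_from_string

# Constructed samples: the two SpamCheck headers quoted in the thread,
# with the other headers dropped.
SAMPLE_LOW_SCORE = (
    "Subject: Dumitru Pugliese Meids\n"
    "X-mmtnet-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.018,\n"
    " required 2, BAYES_00, HTML_90_100, HTML_FONT_BIG, HTML_MESSAGE,\n"
    " MIME_QP_LONG_LINE, SARE_HTML_TD_BR)\n\nbody\n"
)
SAMPLE_DISABLED = (
    "Subject: re [9]:\n"
    "X-mmtnet-MailScanner-SpamCheck: not spam,\n"
    " SpamAssassin (Disabled due to 20 consecutive timeouts)\n\nbody\n"
)
SCORED = re.compile(r"score=(-?[\d.]+), required (-?[\d.]+)((?:, \w+)*)\)")


def triage(raw_message):
    """Return the reasons a delivered spam sample was not tagged as spam."""
    msg = message_from_string(raw_message)
    value = None
    for name, val in msg.items():
        # The header prefix is site-specific, so match on the suffix only.
        if name.lower().endswith("-mailscanner-spamcheck"):
            value = " ".join(val.split())  # unfold continuation lines
    if value is None:
        return ["no_spamcheck_header"]
    if re.search(r"Disabled due to \d+ consecutive timeouts", value):
        return ["sa_disabled_timeouts"]  # SpamAssassin never scored it
    m = SCORED.search(value)
    if m is None:
        return ["unparsed_spamcheck"]
    score, required = float(m.group(1)), float(m.group(2))
    rules = re.findall(r"\w+", m.group(3))
    reasons = []
    if "BAYES_00" in rules:
        reasons.append("bayes_rated_ham")  # Bayes database sees it as ham
    if not any(r.startswith("URIBL_") for r in rules):
        reasons.append("no_uribl_hit")  # no URI blocklist rule fired
    if score < required:
        reasons.append("below_required_score")
    return reasons


if __name__ == "__main__":
    print(triage(SAMPLE_LOW_SCORE), triage(SAMPLE_DISABLED))
```

Run over a folder of missed spam, the counts per reason show whether the timeouts, the Bayes database or the missing URI blocklist hits account for most of what gets through.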

