Can't figure out why we are getting so much spam.

Jason Gottschalk Jason at SYO.Com
Mon Oct 8 01:27:40 IST 2007


Hello UxBoD,

No. I would say 99% are being marked as spam. It really looks
like the mail being marked as whitelisted has two FROM: entries in the
headers.

ie:

From: Jacob Henry
and X-SYO-Mailscanner-From: Jason at syo.com

Return-path: <jason at syo.com>
Envelope-to: jason at syo.com
Delivery-date: Sun, 07 Oct 2007 09:35:15 -0400
Received: from [86.75.171.147] (helo=147.171.75-86.rev.gaoland.net)
        by sabrina.syo.com with esmtp (Exim 4.66)
        (envelope-from <jason at syo.com>)
        id 1IeWHm-00086o-1K
        for jason at syo.com; Sun, 07 Oct 2007 09:35:10 -0400
Date: Sun, 07 Oct 2007 06:04:53 -0200
From: "Jacob E. Henry" <bkmlu at starmobilesound.net>
X-Mailer: Internet Mail Service (5.5.2650.21)
X-Priority: 3
Message-ID: <652352516118.20071007060453566120153 at starmobilesound.net>
To: jason at syo.com
Subject: Bright side
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SYO-MailScanner-Information: Please contact the SYO for more information
X-SYO-MailScanner: Found to be clean
X-SYO-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (not cached, score=34.194, required 3, autolearn=spam,
        BAYES_95 3.00, DATE_IN_PAST_03_06 0.04, FORGED_IMS_HTML 2.26,
        FORGED_IMS_TAGS 2.32, FORGED_MUA_IMS 0.45, HELO_DYNAMIC_IPADDR2 4.39,
        HELO_DYNAMIC_SPLIT_IP 3.49, HS_INDEX_PARAM 0.00, HTML_MESSAGE 0.00,
        MIME_HTML_ONLY 1.46, RAZOR2_CF_RANGE_51_100 0.50,
        RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
        RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_PBL 0.91,
        RCVD_IN_SORBS_DUL 0.88, SPF_SOFTFAIL 0.60, URIBL_BLACK 1.96,
        URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SBL 1.50,
        URIBL_SC_SURBL 0.47, URIBL_WS_SURBL 1.50)
X-SYO-MailScanner-From: jason at syo.com

Sunday, October 7, 2007, 1:31:34 PM, you wrote:
UxBoD> You should be able to block a lot by tuning your Exim
UxBoD> installation for RFC compliance.  Cannot comment on this though
UxBoD> as I run Postfix.  Are all the SPAMs being marked as whitelisted?

UxBoD> Regards,

UxBoD> --[ UxBoD ]--
UxBoD> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
UxBoD> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
UxBoD> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
UxBoD> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net

UxBoD> ----- Original Message -----
UxBoD> From: "Jason Gottschalk" <Jason at SYO.Com>
UxBoD> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
UxBoD> Sent: Sunday, October 7, 2007 5:11:18 PM (GMT) Africa/Casablanca
UxBoD> Subject: Re[2]: Can't figure out why we are getting so much spam.

UxBoD> Hello UxBoD,

UxBoD> Okay, maybe not sql whitelisting. It appears to be text file
UxBoD> whitelisting and the whitelist db in sql is empty.

UxBoD> I'm glad you missed the whitelisted part originally, I thought, for a
UxBoD> moment, that you were mean!  

UxBoD> I also noticed, in another spam that seems to be out of control, that
UxBoD> there are two FROM: lines in the header, one is the sender of the
UxBoD> message and the other is me, could this be what is causing it to come
UxBoD> through too?



UxBoD> Sunday, October 7, 2007, 10:46:55 AM, you wrote:
UxBoD>> Doh! Missed that  

UxBoD>> Are you using MailWatch at all with the SQL based whitelisting
UxBoD>> ? or using the text based rules ?

UxBoD>> Regards,

UxBoD>> --[ UxBoD ]--
UxBoD>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
UxBoD>> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
UxBoD>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
UxBoD>> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net

UxBoD>> ----- Original Message -----
UxBoD>> From: "Gareth" <list-mailscanner at linguaphone.com>
UxBoD>> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
UxBoD>> Sent: Sunday, October 7, 2007 2:38:59 PM (GMT) Africa/Casablanca
UxBoD>> Subject: RE: Can't figure out why we are getting so much spam.

>>> X-SYO-MailScanner-SpamCheck: not spam (whitelisted)

UxBoD>> Something is making MailScanner think the mail is whitelisted.

UxBoD>> You could try stopping MailScanner and then running it manually
UxBoD>> in debug mode and it should tell you why it was whitelisted.

>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of UxBoD
>>> Sent: 07 October 2007 15:21
>>> To: MailScanner discussion
>>> Subject: Re: Can't figure out why we are getting so much spam.
>>> 
>>> 
>>> Hi,
>>> 
>>> You have scored that email over 30 points, so what help do you 
>>> require ? If you want to reduce the number at the MTA then you 
>>> could always look at implementing the RBLs directly from Exim, or 
>>> look at other methods like greylisting.
>>> 
>>> Regards,
>>> 
>>> --[ UxBoD ]--
>>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
>>> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
>>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
>>> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>>> 
>>> ----- Original Message -----
>>> From: "Jason Gottschalk" <Jason at SYO.Com>
>>> To: mailscanner at lists.mailscanner.info
>>> Sent: Sunday, October 7, 2007 2:19:33 PM (GMT) Africa/Casablanca
>>> Subject: Can't figure out why we are getting so much spam.
>>> 
>>> Hello mailscanner,
>>> 
>>> 
>>> The amount of spam we are getting has really grown in the last few
>>> weeks, from 2 or 3 per day to dozens per hour.
>>> 
>>> Any help would be appreciated.
>>> 
>>> Here is an example: (and it certainly is NOT in my whitelist!:)
>>> 
>>> Return-path: <jason at syo.com>
>>> Envelope-to: jason at syo.com
>>> Delivery-date: Sun, 07 Oct 2007 09:35:15 -0400
>>> Received: from [86.75.171.147] (helo=147.171.75-86.rev.gaoland.net)
>>>         by sabrina.syo.com with esmtp (Exim 4.66)
>>>         (envelope-from <jason at syo.com>)
>>>         id 1IeWHm-00086o-1K
>>>         for jason at syo.com; Sun, 07 Oct 2007 09:35:10 -0400
>>> Date: Sun, 07 Oct 2007 06:04:53 -0200
>>> From: "Jacob E. Henry" <bkmlu at starmobilesound.net>
>>> X-Mailer: Internet Mail Service (5.5.2650.21)
>>> X-Priority: 3
>>> Message-ID: <652352516118.20071007060453566120153 at starmobilesound.net>
>>> To: jason at syo.com
>>> Subject: Bright side
>>> MIME-Version: 1.0
>>> Content-Type: text/html; charset=UTF-8
>>> Content-Transfer-Encoding: 7bit
>>> X-SYO-MailScanner-Information: Please contact the SYO for more information
>>> X-SYO-MailScanner: Found to be clean
>>> X-SYO-MailScanner-SpamCheck: not spam (whitelisted),
>>>         SpamAssassin (not cached, score=34.194, required 3, 
>>> autolearn=spam,
>>>         BAYES_95 3.00, DATE_IN_PAST_03_06 0.04, FORGED_IMS_HTML 2.26,
>>>         FORGED_IMS_TAGS 2.32, FORGED_MUA_IMS 0.45, 
>>> HELO_DYNAMIC_IPADDR2 4.39,
>>>         HELO_DYNAMIC_SPLIT_IP 3.49, HS_INDEX_PARAM 0.00, 
>>> HTML_MESSAGE 0.00,
>>>         MIME_HTML_ONLY 1.46, RAZOR2_CF_RANGE_51_100 0.50,
>>>         RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
>>>         RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_PBL 0.91,
>>>         RCVD_IN_SORBS_DUL 0.88, SPF_SOFTFAIL 0.60, URIBL_BLACK 1.96,
>>>         URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SBL 1.50,
>>>         URIBL_SC_SURBL 0.47, URIBL_WS_SURBL 1.50)
>>> X-SYO-MailScanner-From: jason at syo.com
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> 
>>> Best regards,
>>> 
>>>  Jason Gottschalk                         mailto:Jason at SYO.Com
>>>  SYO Computer Engineering Services, Inc.
>>>  SYO - Servicing Your Organization
>>>  586-286-2557
>>> 
>>> -- 
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> 
>>> Before posting, read http://wiki.mailscanner.info/posting
>>> 
>>> Support MailScanner development - buy the book off the website! 
>>> 
>>> -- 
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>> 




UxBoD> -- 
UxBoD> Best regards,
UxBoD>  Jason Gottschalk                         mailto:Jason at SYO.Com
UxBoD>  SYO Computer Engineering Services, Inc.
UxBoD>  586-286-2557




-- 
Best regards,
 Jason Gottschalk                         mailto:Jason at SYO.Com
 SYO Computer Engineering Services, Inc.
 586-286-2557
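
An added example, not part of the original thread: a header audit that surfaces the pattern visible in the quoted message, where the envelope sender equals the recipient, differs from the header From:, and the verdict is "whitelisted" despite a score above the required threshold. The function names `addr` and `audit` are hypothetical, and the sample is a shortened copy of the headers quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Shortened copy of the headers quoted in the thread; the archive writes "@" as " at ".
SAMPLE = """\
Return-path: <jason at syo.com>
Envelope-to: jason at syo.com
From: "Jacob E. Henry" <bkmlu at starmobilesound.net>
To: jason at syo.com
Subject: Bright side
X-SYO-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (not cached, score=34.194, required 3, autolearn=spam,
        BAYES_95 3.00, SPF_SOFTFAIL 0.60)
X-SYO-MailScanner-From: jason at syo.com

body
"""

def addr(value):
    """Return the bare lower-cased address, undoing the archive's ' at ' obfuscation."""
    return parseaddr((value or "").replace(" at ", "@"))[1].lower()

def audit(raw):
    """List the findings for one message given as raw header text."""
    msg = message_from_string(raw)
    # Header names are case-insensitive; folded values are joined onto one line.
    hdr = {k.lower(): " ".join(v.split()) for k, v in msg.items()}

    def by_suffix(suffix):
        # The site prefix ("X-SYO") is configurable, so match on the suffix only.
        return next((v for k, v in hdr.items() if k.endswith(suffix)), "")

    env_from = addr(by_suffix("-mailscanner-from") or hdr.get("return-path"))
    env_to = addr(hdr.get("envelope-to"))
    hdr_from = addr(hdr.get("from"))
    check = by_suffix("-mailscanner-spamcheck")
    m = re.search(r"score=(-?[\d.]+), required (-?[\d.]+)", check)

    findings = []
    if env_from and env_from == env_to:
        findings.append("envelope sender equals recipient")
    if env_from and hdr_from and env_from != hdr_from:
        findings.append("envelope sender differs from header From")
    if m and "whitelisted" in check and float(m.group(1)) >= float(m.group(2)):
        findings.append("whitelisted despite score %s >= %s" % m.groups())
    return findings
```

Running `audit` over a spool or quarantine directory shows how many whitelisted messages share this self-addressed envelope, which is the figure to have in hand before changing any whitelist rule.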


