Consistent SPAM messages getting through

Nasser Al-Zawawi nassera at alz-inc.com
Mon Dec 15 19:57:46 GMT 2008


Here is the raw message as Martin suggested:
#---------------
>From nassera at alz-inc.com  Thu Dec 11 10:59:35 2008
Return-Path: <nassera at alz-inc.com>
Received: from afnor.fr ([61.106.223.211])
        by www.alz-inc.com (8.13.1/8.13.1) with SMTP id mBBFxVeL031817
        for <nassera at alz-inc.com>; Thu, 11 Dec 2008 10:59:33 -0500
Date: Thu, 11 Dec 2008 10:59:31 -0500
From: Nasser Al-Zawawi <nassera at alz-inc.com>
Message-Id: <200812111559.mBBFxVeL031817 at www.alz-inc.com>
To: <nassera at alz-inc.com>
Subject: Re: Order status
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-alz-inc-MailScanner-Information: Please contact the ISP for more
information
X-alz-inc-MailScanner-ID: mBBFxVeL031817
X-alz-inc-MailScanner: Found to be clean
X-alz-inc-MailScanner-From: nassera at alz-inc.com
X-Spam-Status: No
Status: RO
X-UID: 455188
Content-Length: 355
X-Keywords:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1250">
</HEAD>
<BODY><a href="http://abovesell.com/" target="_blank">
<img src="http://abovesell.com/adv4.jpg" border=0 alt="Having trouble
viewing this email?
Click here to view as a webpage."></a></BODY></HTML>
#---------------

Best regards,

Nasser Al-Zawawi
ALZ, Inc.
http://www.alz-inc.com/
Phone: 313 887-9345
Fax: 888 467-1853

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin
Hepworth
Sent: Monday, December 15, 2008 11:39 AM
To: MailScanner discussion
Subject: Re: Consistent SPAM messages getting through

2008/12/15 Nasser Al-Zawawi <nassera at alz-inc.com>:
> Hi,
>
> I have RedHat ES 4 server running sendmail (8.13.1) and I am using the
> latest MailScanner version (4.73.4-2), ClamAV 0.94.2 and SpamAssassin
> 3.2.5.  Lately this kind of message has been getting through:
>
> It says it is coming from my email or an alias on my system and it is
marked
> urgent the subject is something like: "Your order", "Re: Your order",
> "Delivery Status Notification", "Delivery Status Notification
(Failure)".
> The content is a jpg picture of Viagra, CIALIS, LEVITRA and VPXL
drugs.
>
> Here is the message html source:
>
> --------------
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
>
> <HTML><HEAD>
>
> <META http-equiv=Content-Type content="text/html;
charset=Windows-1252">
>
> </HEAD>
>
> <BODY><a href="http://couragedoctor.com/" target="_blank">
>
> <img src="http://couragedoctor.com/8dvs9.jpg" border=0 alt="Having
trouble
> viewing this email?
>
> Click here to view as a webpage."></a></BODY></HTML>
>
> ---------
>
> and here is the Internet headers:
>
> ---------
>
> Return-Path: <sales at alz-inc.com>
>
> Received: from catv54033BF7.pool.t-online.hu
(catv54033BF7.pool.t-online.hu
> [84.3.59.247])
>
>             by www.alz-inc.com (8.13.1/8.13.1) with SMTP id
mBFEokoH025796
>
>             for <sales at alz-inc.com>; Mon, 15 Dec 2008 09:50:47 -0500
>
> Date: Mon, 15 Dec 2008 09:50:46 -0500
>
> From: Nasser Al-Zawawi <sales at alz-inc.com>
>
> Message-Id: <200812151450.mBFEokoH025796 at www.alz-inc.com>
>
> To: <sales at alz-inc.com>
>
> Subject: Re: Order status
>
> MIME-Version: 1.0
>
> Importance: High
>
> Content-Type: text/html
>
> X-alz-inc-MailScanner-Information: Please contact the ISP for more
> information
>
> X-alz-inc-MailScanner-ID: mBFEokoH025796
>
> X-alz-inc-MailScanner: Found to be clean
>
> X-alz-inc-MailScanner-From: sales at alz-inc.com
>
> X-Spam-Status: No
>
> Status: O
>
> X-UID: 455634
>
> Content-Length: 364
>
> X-Keywords:
>
> -----------
>
>
>
> They seem to come in patches of 4 (4 emails at a time).  I had it
before I
> upgraded to the latest version and after upgrading.  I probably get
about 80
> message of this type per day.  Other types of SPAMs seem to be under
control
> but this type is getting though.  I appreciate any help with this
problem.
>
>
>
> Best regards,
>
> Nasser
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


If you can post more than just the html source to a pastbin or web
page (ie full raw message, headers and everything) people can check
their setup and see what extra rules (like dcc/razor/SARE etc) hit.

-- 
Martin Hepworth
Oxford, UK
-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
No virus found in this incoming message.
Checked by AVG - http://www.avg.com 
Version: 8.0.176 / Virus Database: 270.9.18/1848 - Release Date:
12/15/2008 9:01 AM




More information about the MailScanner mailing list