"Is Definitely Spam" rule not working ?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Feb 4 12:01:51 GMT 2008



Scott Silva wrote:
> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>
>> On 01-Feb-08 at 12:38, Julian Field wrote:
>>
>>>
>>> Pascal Maes wrote:
>>>> Hello,
>>>>
>>>>
>>>> In MailScanner.conf, we have
>>>>
>>>> # Spam Blacklist:
>>>> # Make this point to a ruleset, and anything in that ruleset whose value
>>>> # is "yes" will *always* be marked as spam.
>>>> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
>>>> # This can also be the filename of a ruleset.
>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>
>>>>
>>>> In spam_blacklist.rules, we have :
>>>>
>>>> From:           66.63.168.                              yes
>>>>
>>>> FromOrTo:       default                                 no
>>>>
>>>>
>>>>
>>>> As this rule could be over-ridden, I checked that
>>>>
>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>>
>>>> the file spam_whitelist.rules doesn't contain anything about that
>>>> domain or IP or the recipient
>>>>
>>>>
>>>> Then, I wonder why the following mail was not tagged as SPAM
>>>>
>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>> 6.3-4.01 (built
>>>> Aug  3 2007; 32bit)) with ESMTP id
>>>> <0JVI00FQIWFSZ240 at mmp.sipr-dc.ucl.ac.be>
>>>> for <email_address> (ORCPT email_address); Thu,
>>>> 31 Jan 2008 20:21:28 +0100 (CET)
>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain 
>>>> [127.0.0.1])
>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D    for
>>>> <email_address>; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP    for 
>>>> <email_address>; Thu,
>>>> 31 Jan 2008 20:21:38 +0100 (CET)
>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>> hk8fra01g741; Thu,
>>>> 31 Jan 2008 14:19:07 -0500
>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>>> From: Travel Offers <Travel-Offers at mytravfolks.com>
>>>> X-SGSI-MailScanner: Found to be clean
>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,    score=3.5,
>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>>> Because it scored 3.5 where the required score is 5.
>>>>
>>>> X-SGSI-Spam-Score: sss
>>>> X-SGSI-From: travel-offers at mytravfolks.com
>>>> X-SGSI-Spam-Status: No
>>>>
>>>> -- 
>>>> Pascal
>>>>
>>>>
>>>>
>>>
>>> Jules
>>>
>>
>> Yes, but as we have the header
>>
>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>
>> which matches the rule in spam_blacklist.rules
>>
>> From:           66.63.168.                              yes
>>
>> The message should have been tagged Spam
>>
>>
>> -- 
>> Pascal
>>
>>
>>
> Do those rules check all received headers, or just the last one 
> received from?
> Julian would know for sure.
>
They just check the last one, the IP address of the SMTP client that 
sent the message to your server.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
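
An added example, not part of the original message and not MailScanner's own code: it compares a prefix rule such as "66.63.168." against only the connecting client's hop versus every Received hop. The helper names are hypothetical, the headers are a constructed sample trimmed from those quoted in the thread, and treating the newest Received hop as the connecting SMTP client is an assumption made for the illustration.

```python
import re

# Constructed sample, trimmed from the headers quoted in the thread (newest hop first).
SAMPLE_HEADERS = """\
Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
 by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D
Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
 by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP
Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id hk8fra01g741
"""

# Matches the "from name (rdns [a.b.c.d])" form that Postfix writes in the sample.
FROM_IP = re.compile(r"^from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.I)


def received_hops(raw):
    """Return Received header values, newest first, with folded lines joined."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [line.split(":", 1)[1].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith("received:")]


def hop_ips(raw):
    """Client IP recorded in each hop's 'from' clause, or None if it has none."""
    ips = []
    for hop in received_hops(raw):
        m = FROM_IP.match(hop)
        ips.append(m.group(1) if m else None)
    return ips


def prefix_rule_matches(ip, pattern):
    """Match an IP prefix pattern on whole octets ('66.63.168.' style)."""
    if ip is None:
        return False
    wanted = pattern if pattern.endswith(".") else pattern + "."
    return (ip + ".").startswith(wanted)


def evaluate(raw, pattern):
    """Compare 'client hop only' matching with 'any hop' matching."""
    ips = hop_ips(raw)
    client = ips[0] if ips else None  # assumption: newest hop = connecting client
    return {"client_ip": client,
            "matches_client": prefix_rule_matches(client, pattern),
            "hops_matching": [ip for ip in ips if prefix_rule_matches(ip, pattern)]}


if __name__ == "__main__":
    print(evaluate(SAMPLE_HEADERS, "66.63.168."))
```

When an address appears in the Received chain but not as the connecting client, `hops_matching` is non-empty while `matches_client` is false, which is the situation the reply above describes.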

