"Is Definitely Spam" rule not working ?

Scott Silva ssilva at sgvwater.com
Mon Feb 4 16:36:22 GMT 2008


on 2/4/2008 4:01 AM Julian Field spake the following:
> 
> 
> Scott Silva wrote:
> 
>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>> On 01-Feb-08 at 12:38, Julian Field wrote:
>>>
>>>>
>>>>
>>>>
>>>> Pascal Maes wrote:
>>>>> Hello,
>>>>>
>>>>>
>>>>> In MailScanner.conf, we have
>>>>>
>>>>> # Spam Blacklist:
>>>>> # Make this point to a ruleset, and anything in that ruleset whose 
>>>>> value
>>>>> # is "yes" will *always* be marked as spam.
>>>>> # This value can be over-ridden by the "Is Definitely Not Spam" 
>>>>> setting.
>>>>> # This can also be the filename of a ruleset.
>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>>
>>>>>
>>>>> In spam_blacklist.rules, we have :
>>>>>
>>>>> From:           66.63.168.                              yes
>>>>>
>>>>> FromOrTo:       default                                 no
>>>>>
>>>>>
>>>>>
>>>>> As this rule could be over-ridden, I check that
>>>>>
>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>>>
>>>>> the file spam_whitelist.rules doesn't contain anything about that
>>>>> domain or IP or the recipient
>>>>>
>>>>>
>>>>> Then, I wonder why the following mail was not tagged as SPAM
>>>>>
>>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>>> 6.3-4.01 (built
>>>>> Aug  3 2007; 32bit)) with ESMTP id
>>>>> <0JVI00FQIWFSZ240 at mmp.sipr-dc.ucl.ac.be>
>>>>> for <email_address> (ORCPT email_address); Thu,
>>>>> 31 Jan 2008 20:21:28 +0100 (CET)
>>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain 
>>>>> [127.0.0.1])
>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D    for
>>>>> <email_address>; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP    for 
>>>>> <email_address>; Thu,
>>>>> 31 Jan 2008 20:21:38 +0100 (CET)
>>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>>> hk8fra01g741; Thu,
>>>>> 31 Jan 2008 14:19:07 -0500
>>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>>>> From: Travel Offers <Travel-Offers at mytravfolks.com>
>>>>> X-SGSI-MailScanner: Found to be clean
>>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,    score=3.5,
>>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>>>> Because it scored 3.5 where the required score is 5.
>>>>> X-SGSI-Spam-Score: sss
>>>>> X-SGSI-From: travel-offers at mytravfolks.com
>>>>> X-SGSI-Spam-Status: No
>>>>>
>>>>> -- 
>>>>> Pascal
>>>>>
>>>>>
>>>>>
>>>> Jules
>>>>
>>> yes but as we have the header
>>>
>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>
>>> which matches the rule in spam_blacklist.rules
>>>
>>> From:           66.63.168.                              yes
>>>
>>> The message should have been tagged Spam
>>>
>>>
>>> -- 
>>> Pascal
>>>
>>>
>>>
>> Do those rules check all received headers, or just the last one 
>> received from?
>> Julian would know for sure.
> 
> They just check the last one, the IP address of the SMTP client that 
> sent the message to your server.
> 
> Jules
> 
Then there is the answer. As far as MailScanner is concerned, the above 
message came from:
  Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
which doesn't match your blacklist.
The only host that it would have matched on would have been 
smtp4.sgsi.ucl.ac.be if that is in your control.

Thanks Julian for the clarification!
MailScanner rocks!!!

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
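
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not MailScanner's own code: a simplified model of the ruleset (first matching rule wins, only IP-prefix and `default` patterns) evaluated against the connecting client alone and, for comparison, against every Received hop. Taking the topmost Received line as the connecting client follows the reply above and is an assumption of this example; the function names are hypothetical.

```python
import re

# Ruleset lines as quoted in the thread (spam_blacklist.rules).
RULES = """\
From:           66.63.168.                              yes
FromOrTo:       default                                 no
"""

# Received lines from the quoted message, newest first. Constructed sample:
# unfolded and trimmed to the parts that carry the hop addresses.
HEADERS = """\
Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) by mmp.sipr-dc.ucl.ac.be
Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1]) by smtp4.sgsi.ucl.ac.be
Received: from rssl2.mytravfolks.com (unknown [66.63.168.38]) by smtp4.sgsi.ucl.ac.be
"""

def parse_rules(text):
    """Return (direction, pattern, value) tuples; skip blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()[:3]
        rules.append((direction.rstrip(":").lower(), pattern, value.lower()))
    return rules

def received_ips(headers):
    """Bracketed IPv4 address of each Received line, in header order."""
    return re.findall(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", headers, re.M)

def evaluate(rules, client_ip):
    """Simplified model (assumption): first rule matching the client IP decides."""
    for direction, pattern, value in rules:
        if pattern == "default":
            return value == "yes"
        if direction in ("from", "fromorto") and pattern.endswith(".") \
                and client_ip.startswith(pattern):
            return value == "yes"
    return False

def explain(rules_text, headers):
    """Contrast the client-only decision with what scanning all hops would match."""
    rules, hops = parse_rules(rules_text), received_ips(headers)
    return {
        "client_ip": hops[0],
        "client_only": evaluate(rules, hops[0]),
        "hops_that_would_match": [ip for ip in hops if evaluate(rules, ip)],
    }

if __name__ == "__main__":
    print(explain(RULES, HEADERS))
```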
