Forwarded spam is caught, original message is not

Chris Barber chris at techquility.net
Wed Mar 4 18:15:14 GMT 2009


Hi All,

I know this question has been asked before but I can't find a good
answer. I have a couple of users who receive spam that is not caught by
the MailScanner server. Then, they forward the spam to me and that
forwarded message does get caught when coming back to me. I am on the
same MailScanner server that they are on so the same rules should apply.


I think it has to do with the encoding of the message because when they
forward it using Thunderbird, the message hits rules that it did not hit
on the way in the first time. These messages are also usually forwarded
to me immediately, through the same server.


Here are the rules that score on one of these messages when it comes in
to the user:
4.2 required
2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.00 DIGEST_MULTIPLE Message hits more than one network digest check
0.00 HTML_MESSAGE HTML included in message
3.70 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
-0.00 SPF_PASS SPF: sender matches SPF record
0.00 SUBJ_BUY Subject line starts with Buy or Buying


Here are the rules that hit when the same message is forwarded back to
me:
4.2 required
0.00 HTML_MESSAGE HTML included in message
0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
3.50 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist

As you can see, the main difference is the URIBL hits. Why would they
not hit on the original message? They do hit when the same message is
forwarded back to me. This happens every day multiple times for these
few users. 


I do not have much experience with this, so if someone could assist me I
would be VERY grateful. I have attached a copy of one of these messages
from the MailScanner quarantine directory. There are two files, one is
the original, and the other is the forwarded message. Any insight would
be appreciated.

Regards,
Chris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: messages.tar
Type: application/x-tar
Size: 10240 bytes
Desc: messages.tar
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090304/233fdb96/messages.tar

