Forwarded spam is caught, original message is not

Scott Silva ssilva at sgvwater.com
Wed Mar 4 18:32:45 GMT 2009


on 3-4-2009 10:15 AM Chris Barber spake the following:
> Hi All,
> 
> I know this question has been asked before but I can't find a good
> answer. I have a couple of users who receive spam that is not caught by
> the MailScanner server. Then, they forward the spam to me and that
> forwarded message does get caught when coming back to me. I am on the
> same MailScanner server that they are on so the same rules should apply.
> 
> 
> I think it has to do with the encoding of the message because when they
> forward it using Thunderbird, the message hits rules that it did not hit
> on the way in the first time. These messages are also forwarded to me
> through the same server immediately usually.
> 
> 
> Here are the rules that score on one of these messages when it comes in
> to the user:
> 4.2 required
> 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.00 DIGEST_MULTIPLE Message hits more than one network digest check
> 0.00 HTML_MESSAGE HTML included in message
> 3.70 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
> -0.00 SPF_PASS SPF: sender matches SPF record
> 0.00 SUBJ_BUY Subject line starts with Buy or Buying
> 
> 
> Here are the rules that hit when the same message is forwarded back to
> me:
> 4.2 required
> 0.00 HTML_MESSAGE HTML included in message
> 0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> 1.50 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
> 0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 3.50 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
> 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> 
> As you can see, the main difference is the URIBL hits. Why would they
> not hit on the original message? They do hit when the same message is
> forwarded back to me. This happens every day multiple times for these
> few users. 
> 
> 
> I do not have much experience with this, so if someone could assist me I
> would be VERY grateful. I have attached a copy of one of these messages
> from the MailScanner quarantine directory. There are two files, one is
> the original, and the other is the forwarded message. Any insight would
> be appreciated.
> 
> Regards,
> Chris
> 
> 
A DNS timeout on the surbl hits could explain it. The first time the surbl
list lookup comes in just at the timeout, then the forward hits the cached
lookup and is faster.

Do you quarantine all your messages? If so you could pull the original out and
retest it. If it still doesn't hit, it is probably an encoding issue; if it
does, it is a DNS issue.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
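When you do pull the original out of quarantine and retest it, the useful question is not just "did it score higher" but "which rules changed, and are they the kind that depend on a network lookup". The following Python is an added example for this thread, not code from the list or from MailScanner: it parses two SpamAssassin rule reports (the run-together text quoted above is embedded as constructed sample input) and buckets the rules that differ into network lookups (URIBL, Razor2, DCC, Pyzor, RBLs), rules that naturally change when a message is forwarded (SPF, subject, DKIM, From/To), and anything else. The prefix lists are an assumption about rule naming, not a SpamAssassin API. If everything lands in the first two buckets, a DNS timeout on the first pass is a consistent explanation; rules left in "other" point at the content or encoding of the message itself.

```python
import re

# Constructed sample input: the two rule reports quoted in the thread,
# pasted exactly as the list archive ran them together.
ORIGINAL_REPORT = """4.2 required
2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.00 DIGEST_MULTIPLE Message hits more than one network digest check
0.00 HTML_MESSAGE HTML included in message 3.70 PYZOR_CHECK Listed in
Pyzor (http://pyzor.sf.net/) -0.00 SPF_PASS SPF: sender matches SPF
record 0.00 SUBJ_BUY Subject line starts with Buy or Buying
"""

FORWARDED_REPORT = """4.2 required
0.00 HTML_MESSAGE HTML included in message 0.50 RAZOR2_CF_RANGE_51_100
Razor2 gives confidence level above 50% 1.50 RAZOR2_CF_RANGE_E8_51_100
Razor2 gives engine 8 confidence level above 50% 0.50 RAZOR2_CHECK
Listed in Razor2 (http://razor.sf.net/) 3.50 URIBL_JP_SURBL Contains an
URL listed in the JP SURBL blocklist 3.50 URIBL_OB_SURBL Contains an URL
listed in the OB SURBL blocklist
"""

# A rule hit is "<score> <RULE_NAME> <description...>"; the description runs
# until the next "<score> <RULE_NAME>" pair, so we locate the pairs first.
RULE_RE = re.compile(r"(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]{2,})\b")

# Assumed prefix lists (naming convention, not an official SpamAssassin list).
NETWORK_PREFIXES = ("URIBL_", "RAZOR2_", "DCC_", "PYZOR_", "DIGEST_", "RCVD_IN_")
FORWARD_PREFIXES = ("SPF_", "SUBJ_", "DKIM_", "FROM_", "TO_")


def parse_report(text):
    """Return (required_score, {rule: (score, description)}) from a report."""
    flat = " ".join(text.split())  # undo the archive's line wrapping
    required = None
    head = re.match(r"(\d+\.\d+)\s+required", flat)
    if head:
        required = float(head.group(1))
    hits = {}
    matches = list(RULE_RE.finditer(flat))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(flat)
        hits[m.group(2)] = (float(m.group(1)), flat[m.end():end].strip())
    return required, hits


def classify(rule):
    """Bucket a rule by what can make it fire differently on a retest."""
    if rule.startswith(NETWORK_PREFIXES):
        return "network"      # DNS / digest lookups: subject to timeouts and caching
    if rule.startswith(FORWARD_PREFIXES):
        return "forwarding"   # sender, subject and headers change when forwarded
    return "other"            # body content or encoding


def compare_reports(report_a, report_b):
    """Diff two reports; rules only in A are tagged 'A', only in B 'B'."""
    required, hits_a = parse_report(report_a)
    _, hits_b = parse_report(report_b)
    diff = {"network": [], "forwarding": [], "other": []}
    for rule in sorted(set(hits_a) ^ set(hits_b)):
        side = "A" if rule in hits_a else "B"
        diff[classify(rule)].append((side, rule))
    return {
        "required": required,
        "score_a": round(sum(s for s, _ in hits_a.values()), 2),
        "score_b": round(sum(s for s, _ in hits_b.values()), 2),
        "diff": diff,
        "unexplained": [rule for _, rule in diff["other"]],
    }


if __name__ == "__main__":
    result = compare_reports(ORIGINAL_REPORT, FORWARDED_REPORT)
    print("required:", result["required"])
    print("original score:", result["score_a"], " forwarded score:", result["score_b"])
    for bucket, rules in result["diff"].items():
        for side, rule in rules:
            print(f"  {bucket:10s} only in {'original' if side == 'A' else 'forwarded'}: {rule}")
    if not result["unexplained"]:
        print("All differences are network lookups or forwarding artefacts.")
```

Run it against the output of `spamassassin -t < message` for the quarantined original and for the forwarded copy; an empty "unexplained" list means the retest is worth repeating after checking DNS resolver latency, while rules in that bucket mean the two messages genuinely differ in content.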
