Forwarded spam is caught, original message is not
jvoorhees1 at gmail.com
Wed Mar 4 18:46:38 GMT 2009
On Wed, Mar 4, 2009 at 1:15 PM, Chris Barber <chris at techquility.net> wrote:
> Hi All,
> I know this question has been asked before but I can't find a good
> answer. I have a couple of users who receive spam that is not caught by
> the MailScanner server. Then, they forward the spam to me and that
> forwarded message does get caught when coming back to me. I am on the
> same MailScanner server that they are on so the same rules should apply.
> I think it has to do with the encoding of the message because when they
> forward it using Thunderbird, the message hits rules that it did not hit
> on the way in the first time. These messages are also forwarded to me
> through the same server immediately usually.
> Here are the rules that score on one of these messages when it comes in
> to the user:
> 4.2 required
> 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.00 DIGEST_MULTIPLE Message hits more than one network digest check
> 0.00 HTML_MESSAGE HTML included in message
> 3.70 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
> -0.00 SPF_PASS SPF: sender matches SPF record
> 0.00 SUBJ_BUY Subject line starts with Buy or Buying
> Here are the rules that hit when the same message is forwarded back to
> 4.2 required
> 0.00 HTML_MESSAGE HTML included in message
> 0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> 1.50 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
> 0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 3.50 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
> 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> As you can see, the main difference is the URIBL hits. Why would they
> not hit on the original message? They do hit when the same message is
> forwarded back to me. This happens every day multiple times for these
> few users.
> I do not have much experience with this, so if someone could assist me I
> would be VERY grateful. I have attached a copy of one of these messages
> from the MailScanner quarantine directory. There are two files, one is
> the original, and the other is the forwarded message. Any insight would
> be appreciated.
Why don't you whitelist every message that comes from your own domain?
Maybe a whitelist rule by IP address or sender domain would stop
internal messages from being marked as spam.
You can do this by a MailScanner rule or by the trusted networks
feature of SpamAssassin.
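
The two options named in the reply, sketched as an added configuration example that is not part of the original message. The address range 192.0.2.0/24 and the rules file name are assumed placeholders for the site's own mail clients and paths.

```conf
# --- MailScanner.conf: point the whitelist setting at a ruleset file ---
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

# --- %rules-dir%/spam.whitelist.rules (assumed file name) ---
# Match on the connecting client's IP address (assumed range) rather than
# on the sender's domain: the sender address is supplied by the client
# and can be forged, the connecting IP cannot be chosen as freely.
From:       192.0.2.    yes
FromOrTo:   default     no

# --- SpamAssassin side (spam.assassin.prefs.conf or local.cf) ---
# Relays in these ranges are treated as trusted when Received headers
# are parsed. Assumed range, replace with the site's own networks.
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24
```

Either setting only changes how mail handed over by the listed hosts is scored; it does not affect how the original inbound message is scored.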