Forwarded spam is caught, original message is not

Scott Silva ssilva at sgvwater.com
Thu Mar 5 17:52:38 GMT 2009


on 3-5-2009 9:21 AM Chris Barber spake the following:
>> A DNS timeout on the surbl hits could explain it. The first time the surbl list lookup comes in just at the timeout, then the forward hits the cached lookup and is faster.
>>
>> Do you quarantine all your messages? If so you could pull the original out and retest it. If it still doesn't hit, it is probably an encoding issue; if it does, it is a DNS issue.
>>
> 
> Scott,
> 
> Looks like it is not a DNS issue. I put the original and forwarded messages back through the server and I had the same results. The original message does not hit the URIBL rules (even if I put it through many times) and the forwarded one does. The only difference I can see is the encoding. The URLs in the original have some extra characters, it seems. See my original post for the queue files and you can see what I mean.
> 
> Is this some new tactic that spammers are using to get around URL checking in the body of emails? How can I troubleshoot this further?
> 
> Thanks,
> Chris
> 
> 
Can you pastebin an example somewhere so others can test it? That way we can
eliminate or implicate your system's configs or module versions.



-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

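Added example, not part of the thread or of MailScanner: one way to retest a quarantined message for the encoding hypothesis is to compare the URL hosts visible in the raw body with those visible after MIME decoding. It assumes the "extra characters" are quoted-printable artifacts (soft line breaks and `=2E`), which the thread does not confirm; both messages and all hostnames are constructed samples.

```python
import re
from email import message_from_bytes, policy

# Host part of an http(s) URL; this is what a URIBL lookup would be keyed on.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)

HEADERS = (b"From: sender@example.org\r\nSubject: constructed sample\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=us-ascii\r\n")

# Constructed "original": quoted-printable body with a soft line break and an
# encoded dot (=2E) inside the URLs.
ORIGINAL = (HEADERS + b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
            b"Visit http://spam-exam=\r\nple.test/offer today\r\n"
            b"and http://other=2Eexample.test/x\r\n")

# Constructed "forward": same text after a mail client re-encoded it as 7bit.
FORWARDED = (HEADERS + b"Content-Transfer-Encoding: 7bit\r\n\r\n"
             b"Visit http://spam-example.test/offer today\r\n"
             b"and http://other.example.test/x\r\n")


def hosts_raw(raw):
    """Hosts found by scanning the body bytes exactly as stored in the queue file."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return {h.lower() for h in URL_RE.findall(body.decode("latin-1"))}


def hosts_decoded(raw):
    """Hosts found after undoing the Content-Transfer-Encoding of each text part."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found |= {h.lower() for h in URL_RE.findall(part.get_content())}
    return found


def compare(raw):
    """Report hosts that only become visible once the body is decoded."""
    raw_hosts, decoded_hosts = hosts_raw(raw), hosts_decoded(raw)
    return {"raw": raw_hosts, "decoded": decoded_hosts,
            "hidden_by_encoding": decoded_hosts - raw_hosts}


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("forwarded", FORWARDED)):
        print(name, compare(sample))
```

A non-empty `hidden_by_encoding` set for the original but not the forward points at body decoding rather than DNS as the place to look.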