Forwarded spam is caught, original message is not
chris at techquility.net
Sat Mar 7 02:59:18 GMT 2009
on 3-5-2009 9:21 AM Chris Barber spake the following:
>> A DNS timeout on the surbl hits could explain it. The first time the surbl list lookup comes in just at the timeout, then the forward hits the cached lookup and is faster.
>> Do you quarantine all your messages? If so you could pull the original out and retest it. If it still doesn't hit, it is probably an encoding issue, if it does, it is a DNS issue.
> Looks like it is not a DNS issue. I put the original and forwarded messages back through the server and I had the same results. The original message does not hit the URIBL rules (even if I put it through many times) and the forwarded one does. The only difference I can see is the encoding. The URLs in the original have some extra characters it seems. See my original post for the queue files and you can see what I mean.
> Is this some new tactic that spammers are using to get around URL checking in the body of emails? How can I troubleshoot this further?
> Can you pastebin an example somewhere so others can test it? That way we can eliminate or implicate your systems configs or module versions.
Here is the pastebin for the original messages which the URIBL rules miss on:
Here it is for the forwarded message which does trigger the URIBL rules:
Thanks again for taking a look at this. It has been plaguing me for many months now.