new spam getting through
jim.barber at ddihealth.com
Mon Dec 6 02:21:27 GMT 2010
On 6/12/2010 8:58 AM, Jim Barber wrote:
> Hi Steve.
> I've noticed one strange thing.
> I run a few MX servers for the company I work for.
> Two of them are running MailScanner with an older version of
> SpamAssassin (v 3.2.5)
> One of them is running MIMEDefang with SpamAssassin 3.3.1
> On the MailScanner boxes, your plugin triggers the HAS_SHORT_URL rule
> along with a number of the other SHORT_URL_* rules.
> So it is working very effectively there.
> But on my MIMEDefang host the plugin has triggered 197 times over the
> weekend with the HAS_SHORT_URL rule, but none of the the SHORT_URL_*
> rules fired at all.
> So it only adds 0.001 to the overall score which isn't enough to ban
> the bad emails.
> I'm not really sure what to check, but I'll start researching now to
> see if I can find why.
> Jim Barber
> DDI Health
One difference I spot is in the SpamAssassin lint test I see the
following on the MailScanner host:
dbg: rules: HAS_SHORT_URL merged duplicates: SHORT_URL_404
SHORT_URL_CHAINED SHORT_URL_LOOP SHORT_URL_MAXCHAIN
This message doesn't happen on the lint tests on the MIMEDefang host.
When I go back over the logs for my MailScanner boxes it seems that if
HAS_SHORT_URL triggers then all of those duplicate rules also trigger.
So to me that means any short URL that comes in to the MailScanner boxes
whether it is legitimate or not will always trigger all the rules.
I guess on the MIMEDefang host, the rules are working correctly, and the
short URL is detected, but none of the other conditions exist.
The bug I am seeing is the duplicate rules, but maybe that is because I
need to upgrade my versions of SpamAssassin (which is on the cards).
More information about the MailScanner