new spam getting through

Jim Barber jim.barber at ddihealth.com
Mon Dec 6 02:46:58 GMT 2010 

On 6/12/2010 10:21 AM, Jim Barber wrote:
> On 6/12/2010 8:58 AM, Jim Barber wrote:
>> Hi Steve.
>>
>> I've noticed one strange thing.
>> I run a few MX servers for the company I work for.
>>
>> Two of them are running MailScanner with an older version of 
>> SpamAssassin (v 3.2.5)
>> One of them is running MIMEDefang with SpamAssassin 3.3.1
>>
>> On the MailScanner boxes, your plugin triggers the HAS_SHORT_URL rule 
>> along with a number of the other SHORT_URL_* rules.
>> So it is working very effectively there.
>>
>> But on my MIMEDefang host the plugin has triggered 197 times over the 
>> weekend with the HAS_SHORT_URL rule, but none of the the SHORT_URL_* 
>> rules fired at all.
>> So it only adds 0.001 to the overall score which isn't enough to ban 
>> the bad emails.
>> I'm not really sure what to check, but I'll start researching now to 
>> see if I can find why.
>>
>> Regards,
>>
>> ----------
>> Jim Barber
>> DDI Health
>
> One difference I spot is in the SpamAssassin lint test I see the 
> following on the MailScanner host:
>
>     dbg: rules: HAS_SHORT_URL merged duplicates: SHORT_URL_404 
> SHORT_URL_CHAINED SHORT_URL_LOOP SHORT_URL_MAXCHAIN
>
> This message doesn't happen on the lint tests on the MIMEDefang host.
>
> When I go back over the logs for my MailScanner boxes it seems that if 
> HAS_SHORT_URL triggers then all of those duplicate rules also trigger.
> So to me that means any short URL that comes in to the MailScanner 
> boxes whether it is legitimate or not will always trigger all the rules.
>
> I guess on the MIMEDefang host, the rules are working correctly, and 
> the short URL is detected, but none of the other conditions exist.
>
> The bug I am seeing is the duplicate rules, but maybe that is because 
> I need to upgrade my versions of SpamAssassin (which is on the cards).

Upgrading to SpamAssassin 3.3.1 fixed the duplicate rule error on the 
MailScanner boxes.
So that's good and all I need to do is increase the HAS_SHORT_URL score 
from 0.01 to something a bit more aggressive to help tip the balance.

Thanks.

More information about the MailScanner mailing list