Email detected as spam but not tagged

Rob Sterenborg R.Sterenborg at netsourcing.nl
Mon Jul 19 13:40:29 IST 2010


Hello,

Today I got a complaint about spam email (2 messages, both have the same problem, but I imagine there might be more). I checked the email headers as received and noticed that MailScanner did not insert any lines. Then I traced it's path through the logs and noticed that the message really was scanned and also determined to be spam.

In MailScanner.conf I have:

Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes

'Always Include ...' isn't a ruleset here and there are no rules that I can imagine would turn off spam tagging (there are only some custom whitelisting rules that are not relevant for the receiving domain, 'domain2' in the log).

Below is the email header with relevant Postfix/MailScanner logs.
Using this information, can anyone tell me why these emails weren't tagged? If more info is needed, please let me know.


--
Rob


=========


X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from mx1.domain2.local ([ip.addr]) by mx2.domain2.local with Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:37 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_004_01CB25F7.FEAB9A80"
Received: from mx3.domain1.nl ([ip.addr]) by mx1.domain2.local with Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:12 +0200
Received: from overscan.fr (web5.overscan.com [91.121.209.115]) by mx3.domain1.nl (Postfix) with ESMTP id 1EB923AA63 for <user at domain2.nl>; Sat, 17 Jul 2010 23:35:09 +0200 (CEST)
Received: by overscan.fr (Postfix, from userid 33) id 1D4CDB03ECE; Sat, 17 Jul 2010 21:10:17 +0200 (CEST)
Content-Class: urn:content-classes:message
Subject: Account Suspension Kennisgeving,
Date: Sat, 17 Jul 2010 21:10:17 +0200
Message-ID: <13074633318.26896 at ans.nl>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Account Suspension Kennisgeving,
thread-index: Acsl9/85tMksS1O2Spynr0L9jx6l6g==
From: "ASN Bank" <service at ans.nl>
To: "Lastname, Firstname" <user at domain2.nl>



Jul 17 23:35:09 mx3 postfix/smtpd[17888]: connect from web5.overscan.com[91.121.209.115]
Jul 17 23:35:09 mx3 postfix-policyd: connection from: 127.0.0.1 port: 56607 slots: 2 of 4096 used 
Jul 17 23:35:09 mx3 postfix-policyd: rcpt=222839, greylist=update, host=91.121.209.115 (web5.overscan.com), from=www-data at overscan.fr, to=user at domain2.nl, size=1048 
Jul 17 23:35:09 mx3 postfix/smtpd[17888]: 1EB923AA63: client=web5.overscan.com[91.121.209.115]
Jul 17 23:35:09 mx3 postfix/cleanup[20990]: 1EB923AA63: hold: header Received: from overscan.fr (web5.overscan.com [91.121.209.115])??by mx3.domain1.nl (Postfix) with ESMTP id 1EB923AA63??for <user at domain2.nl>; Sat, 17 Jul 2010 23:35:09
 +0200 (CEST) from web5.overscan.com[91.121.209.115]; from=<www-data at overscan.fr> to=<user at domain2.nl> proto=ESMTP helo=<overscan.fr>
Jul 17 23:35:09 mx3 postfix/cleanup[20990]: 1EB923AA63: message-id=<13074633318.26896 at ans.nl>
Jul 17 23:35:09 mx3 postfix/smtpd[17888]: disconnect from web5.overscan.com[91.121.209.115]



Jul 17 23:35:09 mx3 MailScanner[15316]: New Batch: Scanning 1 messages, 1896 bytes 
Jul 17 23:35:09 mx3 MailScanner[15316]: Spam Checks: Starting 
Jul 17 23:35:12 mx3 MailScanner[15316]: Message 1EB923AA63.89E1B from 91.121.209.115 (www-data at overscan.fr) to domain2.nl is spam, SpamAssassin (not cached, score=5.552, vereist 5, HTML_IMAGE_ONLY_08 2.43, HTML_MESSAGE 0.00, HTML_TAG_BALA
NCE_HEAD 1.37, MIME_HTML_ONLY 1.67, TW_JZ 0.08) 
Jul 17 23:35:12 mx3 MailScanner[15316]: Spam Checks: Found 1 spam messages 
Jul 17 23:35:12 mx3 MailScanner[15316]: Spam Actions: message 1EB923AA63.89E1B actions are store,deliver,header 
Jul 17 23:35:12 mx3 MailScanner[15316]: Spam Checks completed at 693 bytes per second 
Jul 17 23:35:12 mx3 MailScanner[15316]: Virus and Content Scanning: Starting 
Jul 17 23:35:12 mx3 MailScanner[15316]: Virus Scanning completed at 20697 bytes per second 
Jul 17 23:35:12 mx3 MailScanner[15316]: Requeue: 1EB923AA63.89E1B to 2E5893AA65 
Jul 17 23:35:12 mx3 MailScanner[15316]: Uninfected: Delivered 1 messages 
Jul 17 23:35:12 mx3 MailScanner[15316]: Virus Processing completed at 410658 bytes per second 
Jul 17 23:35:12 mx3 MailScanner[15316]: Batch completed at 668 bytes per second (1896 / 2) 
Jul 17 23:35:12 mx3 MailScanner[15316]: Batch (1 message) processed in 2.84 seconds 
Jul 17 23:35:12 mx3 MailScanner[15316]: Logging message 1EB923AA63.89E1B to SQL 
Jul 17 23:35:12 mx3 MailScanner[15316]: "Always Looked Up Last" took 0.00 seconds 
Jul 17 23:35:12 mx3 MailScanner[15318]: 1EB923AA63.89E1B: Logged to MailWatch SQL 



Jul 17 23:35:12 mx3 postfix/qmgr[32316]: 2E5893AA65: from=<www-data at overscan.fr>, size=1253, nrcpt=1 (queue active)
Jul 17 23:35:12 mx3 postfix/smtp[21002]: 2E5893AA65: to=<user at domain2.nl>, relay=ip.addr[ip.addr]:25, delay=3.1, delays=3/0/0/0.05, dsn=2.6.0, status=sent (250 2.6.0  <13074633318.26896 at ans.nl> Queued mail for delivery)
Jul 17 23:35:12 mx3 postfix/qmgr[32316]: 2E5893AA65: removed



More information about the MailScanner mailing list