All messages getting marked as Spam

Alex Neuman van der Hans alex at vidadigital.com.pa
Wed Mar 23 06:20:52 GMT 2011


You can either include something like:

score URIBL_BLACK 0.00

in your /etc/mail/spamassassin/local.cf and ignore those rules, or you 
can fix whatever's being added or included in your otherwise legitimate 
mails that is being listed at the URIBL lists as "URLs common in spam 
e-mail".

I'm guessing, so I'm probably wrong. But it's probably a "disclaimer" or 
"signature" with a URL that's being added to most e-mails going through 
your server (such as your "This electronic mail (including any 
attachments) may contain information that is privileged, confidential, 
and/or otherwise protected from disclosure to anyone other than its 
intended recipient(s). Any dissemination or use of this electronic email 
or its contents (including any attachments) by persons other than the 
intended recipient(s) is strictly prohibited. If you have received this 
message in error, please notify us immediately by reply email so that we 
may correct our internal records. Please then delete the original 
message (including any attachments) in its entirety. Thank you.", which 
is not really enforceable either technically or legally, and is only a 
waste of electrons) - which is being sent to spamtraps and marked as 
"spammy" by the URIBL lists. Unfortunately without more information I 
don't think we could guess what is actually triggering these rules.

The URIBL lists work by listing known SPAM URLs... If a spammer decides 
to send out spams saying "buy this thing that will make you bigger down 
there" or something like that, with a URL saying "visit soandso.com", 
the URIBL list will add "soandso.com" to its database. If another 
e-mail - even with a different text - comes with "visit soandso.com" the 
URIBL list rules will "hit", adding an X amount of points towards the 
"6" you "believe" to be the default setting.

That means something is being added - by your users, or by your server - 
that triggers this rule. Without the original messages, there's no way 
of knowing, especially since it's "strictly prohibited" to disseminate 
this electronic mail or its contents.

The fact that this happened "since yesterday" means something made the 
URIBL lists "aware" of the URLs being added somewhere within the 
messages (could be a signature) as something used by spammers (not 
necessarily you or your server).

This means that even if you score these rules as "0.0", others might 
throw your messages in the junk mail folder since they still follow the 
original rules.

On 3/22/2011 7:47 PM, Sumit Bhattacharjee wrote:
> Hello All,
> I have been using MailScanner for several months now and it has been 
> working very well.  However, since yesterday, almost all inbound 
> messages are getting marked as Spam.  I have the SpamAssassin 
> threshold set to 6 (default I believe), and following are a couple of 
> examples of the spam report (email from different domains/IPs):
> X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
>  score=7.983, required 6, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00,
>  MIME_QP_LONG_LINE 0.00, RCVD_IN_DNSWL_NONE -0.00,
>  T_TO_NO_BRKTS_FREEMAIL 0.01, URIBL_BLACK 1.77, URIBL_RED 0.00,
>  URIBL_RHS_DOB 0.28, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01,
>  URIBL_SEM_FRESH_15 4.10)
> X-cospringsitcom-MailScanner-SpamScore: 7
> X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
>  score=9.235, required 6, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00,
>  URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM 1.26,
>  URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01,
>  URIBL_SEM_FRESH_15 4.10, URIBL_SEM_RED 0.00)
> X-cospringsitcom-MailScanner-SpamScore: 9
> The commonality that I am seeing is that the URIBL_BLACK  is 1.77 for 
> almost all messages and URIBL_SEM_FRESH_15 is 4.10.  But I am not sure 
> what has changed (nothing should have).
> I'd much appreciate any debugging steps recommended by experts on this 
> list.
> Regards,
> Sumit Bhattacharjee
>
> This electronic mail (including any attachments) may contain 
> information that is privileged, confidential, and/or otherwise 
> protected from disclosure to anyone other than its intended 
> recipient(s). Any dissemination or use of this electronic email or its 
> contents (including any attachments) by persons other than the 
> intended recipient(s) is strictly prohibited. If you have received 
> this message in error, please notify us immediately by reply email so 
> that we may correct our internal records. Please then delete the 
> original message (including any attachments) in its entirety. Thank you.
>

-- 

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital
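
Added example, not part of the original message or of MailScanner: a short Python parser for the two SpamCheck reports quoted above. It splits each score into URIBL_* points and everything else, and lists the rules that score in every report. The function names are hypothetical and the site-specific header name is dropped from the sample input.

```python
import re

# The two spam reports quoted in the message, folded header lines included.
REPORTS = [
    """spam, SpamAssassin (not cached,
 score=7.983, required 6, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00,
 MIME_QP_LONG_LINE 0.00, RCVD_IN_DNSWL_NONE -0.00,
 T_TO_NO_BRKTS_FREEMAIL 0.01, URIBL_BLACK 1.77, URIBL_RED 0.00,
 URIBL_RHS_DOB 0.28, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01,
 URIBL_SEM_FRESH_15 4.10)""",
    """spam, SpamAssassin (not cached,
 score=9.235, required 6, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00,
 URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM 1.26,
 URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01,
 URIBL_SEM_FRESH_15 4.10, URIBL_SEM_RED 0.00)""",
]

HEAD_RE = re.compile(r"score=(-?\d+(?:\.\d+)?), required (-?\d+(?:\.\d+)?)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*) (-?\d+\.\d+)")

def parse_report(text):
    """Return (score, required, {rule: points}) for one SpamCheck header value."""
    text = " ".join(text.split())          # unfold continuation lines
    head = HEAD_RE.search(text)
    if head is None:
        raise ValueError("no score/required pair found")
    rules = {n: float(v) for n, v in RULE_RE.findall(text, head.end())}
    return float(head.group(1)), float(head.group(2)), rules

def uribl_share(text, prefix="URIBL_"):
    """Split a report into URIBL points and points from all other rules."""
    score, required, rules = parse_report(text)
    uribl = sum(v for n, v in rules.items() if n.startswith(prefix))
    other = sum(v for n, v in rules.items() if not n.startswith(prefix))
    return {"score": score, "uribl": round(uribl, 2), "other": round(other, 2),
            "spam_without_uribl": other >= required}

def common_scoring_rules(reports):
    """Rules that add non-zero points in every report."""
    hits = [{n for n, v in parse_report(r)[2].items() if v != 0} for r in reports]
    return sorted(set.intersection(*hits))

if __name__ == "__main__":
    for report in REPORTS:
        print(uribl_share(report))
    print(common_scoring_rules(REPORTS))
```

In both reports the non-URIBL rules contribute almost nothing, so the URI lookups alone account for the spam verdict.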
