<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2657.73">
<TITLE>RE: Spam mail undetected.</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Another way to go, in your SpamAssassin preferences file...</FONT>
</P>
<P><FONT SIZE=2>uri LOCAL_GRPHSFRM_somedomain /https?:\/\/.*\.somedomain\.tld/i</FONT>
<BR><FONT SIZE=2>describe LOCAL_GRPHSFRM_somedomain Has "<A HREF="http://somedomain.tld" TARGET="_blank">http://somedomain.tld</A>" in uri</FONT>
<BR><FONT SIZE=2>score LOCAL_GRPHSFRM_somedomain 5</FONT>
</P>
<P><FONT SIZE=2>Lots of variations of this.</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: MailScanner mailing list [<A HREF="mailto:MAILSCANNER@JISCMAIL.AC.UK">mailto:MAILSCANNER@JISCMAIL.AC.UK</A>]On</FONT>
<BR><FONT SIZE=2>Behalf Of Plant, Dean</FONT>
<BR><FONT SIZE=2>Sent: Tuesday, November 18, 2003 5:19 AM</FONT>
<BR><FONT SIZE=2>To: MAILSCANNER@JISCMAIL.AC.UK</FONT>
<BR><FONT SIZE=2>Subject: Spam mail undetected.</FONT>
</P>
<BR>
<P><FONT SIZE=2>Hello list</FONT>
</P>
<P><FONT SIZE=2>Currently using:</FONT>
</P>
<P><FONT SIZE=2>MailScanner 4.21-9</FONT>
<BR><FONT SIZE=2>Redhat 8.0</FONT>
<BR><FONT SIZE=2>Sendmail</FONT>
<BR><FONT SIZE=2>F-prot</FONT>
<BR><FONT SIZE=2>ClamAV</FONT>
<BR><FONT SIZE=2>Dcc 1.214</FONT>
<BR><FONT SIZE=2>Razor 2.36</FONT>
<BR><FONT SIZE=2>SpamAssassin 2.6</FONT>
</P>
<P><FONT SIZE=2>I have a user that is receiving a porn spam mail on a daily occurrence that</FONT>
<BR><FONT SIZE=2>is not being picked up by MailScanner/Spamassassin.</FONT>
</P>
<P><FONT SIZE=2>The mail seems to consist only of an HTML image and comes from a different</FONT>
<BR><FONT SIZE=2>IP address every time. I have fed the missed mails into the Spamassassin</FONT>
<BR><FONT SIZE=2>database using sa-learn but the mails still pass through.</FONT>
</P>
<P><FONT SIZE=2>Are there any changes I can make to help stop this type of mail? (3 Sample</FONT>
<BR><FONT SIZE=2>Headers Below).</FONT>
</P>
<P><FONT SIZE=2>Thanks in advance</FONT>
</P>
<P><FONT SIZE=2>Dean Plant</FONT>
</P>
<P><FONT SIZE=2>Sample Header 1</FONT>
</P>
<P><FONT SIZE=2>Received: from mail.ielectoral.com (ip-206-169-149-87.relia-network.net</FONT>
<BR><FONT SIZE=2>[206.169.149.87] (may be forged))</FONT>
<BR><FONT SIZE=2> by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAI1vPoE013167</FONT>
<BR><FONT SIZE=2> for <xxxxx.xxxxx@roke.co.uk>; Tue, 18 Nov 2003 01:57:26 GMT</FONT>
<BR><FONT SIZE=2>Message-Id: <200311180157.hAI1vPoE013167@rsys001x.roke.co.uk></FONT>
<BR><FONT SIZE=2>Received: by mail.ielectoral.com; Mon, 17 Nov 2003 18:51:33 -0700</FONT>
<BR><FONT SIZE=2>(envelope-from <xxxxx.xxxxx@igigantic.com>)</FONT>
<BR><FONT SIZE=2>X-Mailer: PowerMail v7018439</FONT>
<BR><FONT SIZE=2>Content-Type: multipart/alternative; boundary="----=_Lksi8rwBA_ojetw3g_E"</FONT>
<BR><FONT SIZE=2>Subject: Hey dude</FONT>
<BR><FONT SIZE=2>MIME-Version: 1.0</FONT>
<BR><FONT SIZE=2>From: "Brian" <xxxxx.xxxxx@igigantic.com></FONT>
<BR><FONT SIZE=2>To: xxxxx.xxxxx@roke.co.uk</FONT>
<BR><FONT SIZE=2>Date: Mon, 17 Nov 2003 18:51:33 -0700</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x: Found to be clean</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=2.134,</FONT>
<BR><FONT SIZE=2> required 5, BAYES_44 -0.00, HTML_70_80 0.10, HTML_IMAGE_ONLY_02</FONT>
<BR><FONT SIZE=2>1.23,</FONT>
<BR><FONT SIZE=2> HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x-SpamScore: ss</FONT>
</P>
<P><FONT SIZE=2>Sample Header 2</FONT>
</P>
<P><FONT SIZE=2>Received: from mail.inumberone.com (el-2-mx-111.relia-network.net</FONT>
<BR><FONT SIZE=2>[216.190.157.111])</FONT>
<BR><FONT SIZE=2> by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAGMw0oF029554</FONT>
<BR><FONT SIZE=2> for <xxxxx.xxxxx@roke.co.uk>; Sun, 16 Nov 2003 22:58:00 GMT</FONT>
<BR><FONT SIZE=2>Message-Id: <200311162258.hAGMw0oF029554@rsys001x.roke.co.uk></FONT>
<BR><FONT SIZE=2>Received: by mail.inumberone.com; Sun, 16 Nov 2003 15:57:43 -0700</FONT>
<BR><FONT SIZE=2>(envelope-from <xxxxx.xxxxx@ienough.com>)</FONT>
<BR><FONT SIZE=2>X-Mailer: PowerMail v7018439</FONT>
<BR><FONT SIZE=2>Content-Type: multipart/alternative; boundary="----=_Jnhd6HDt5_osk6GE4_B"</FONT>
<BR><FONT SIZE=2>Subject: To be continued</FONT>
<BR><FONT SIZE=2>MIME-Version: 1.0</FONT>
<BR><FONT SIZE=2>From: "John" <xxxxx.xxxxx@ienough.com></FONT>
<BR><FONT SIZE=2>To: xxxxx.xxxxx@roke.co.uk</FONT>
<BR><FONT SIZE=2>Date: Sun, 16 Nov 2003 15:57:43 -0700</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x: Found to be clean</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=1.905,</FONT>
<BR><FONT SIZE=2> required 5, BAYES_44 -0.00, HTML_50_60 0.10, HTML_IMAGE_ONLY_04</FONT>
<BR><FONT SIZE=2>1.00,</FONT>
<BR><FONT SIZE=2> HTML_MESSAGE 0.10, MSGID_FROM_MTA_HEADER 0.70)</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x-SpamScore: s</FONT>
</P>
<P><FONT SIZE=2>Sample Header 3</FONT>
</P>
<P><FONT SIZE=2>Received: from mail.icommital.com (xo-3-mx-4.relia-network.net [67.108.2.4])</FONT>
<BR><FONT SIZE=2> by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id hAG3MPoE007214</FONT>
<BR><FONT SIZE=2> for <xxxxx.xxxxx@roke.co.uk>; Sun, 16 Nov 2003 03:22:26 GMT</FONT>
<BR><FONT SIZE=2>Message-Id: <200311160322.hAG3MPoE007214@rsys001x.roke.co.uk></FONT>
<BR><FONT SIZE=2>Received: by mail.icommital.com; Sat, 15 Nov 2003 20:22:20 -0700</FONT>
<BR><FONT SIZE=2>(envelope-from <xxxxx.xxxxx@transpondent.com>)</FONT>
<BR><FONT SIZE=2>X-Mailer: PowerMail v7018439</FONT>
<BR><FONT SIZE=2>Content-Type: multipart/alternative; boundary="----=_Y7urNjsLp_9is4Rntj_E"</FONT>
<BR><FONT SIZE=2>Subject: Hey</FONT>
<BR><FONT SIZE=2>MIME-Version: 1.0</FONT>
<BR><FONT SIZE=2>From: "Jim" <xxxxx.xxxxx@transpondent.com></FONT>
<BR><FONT SIZE=2>To: xxxxx.xxxxx@roke.co.uk</FONT>
<BR><FONT SIZE=2>Date: Sat, 15 Nov 2003 20:22:20 -0700</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x: Found to be clean</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x-SpamCheck: not spam, SpamAssassin (score=4.814,</FONT>
<BR><FONT SIZE=2> required 5, BAYES_50 0.00, DCC_CHECK 2.91, HTML_50_60 0.10,</FONT>
<BR><FONT SIZE=2> HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10,</FONT>
<BR><FONT SIZE=2> MSGID_FROM_MTA_HEADER 0.70)</FONT>
<BR><FONT SIZE=2>X-MailScanner-rsys001x-SpamScore: ssss</FONT>
</P>
<BR>
<P><FONT SIZE=2>--</FONT>
<BR><FONT SIZE=2>Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell,</FONT>
<BR><FONT SIZE=2>Berkshire. RG12 8FZ</FONT>
</P>
<P><FONT SIZE=2>The information contained in this e-mail and any attachments is confidential to</FONT>
<BR><FONT SIZE=2>Roke Manor Research Ltd and must not be passed to any third party without</FONT>
<BR><FONT SIZE=2>permission. This communication is for information only and shall not create or</FONT>
<BR><FONT SIZE=2>change any contractual relationship.</FONT>
</P>
</BODY>
</HTML>