While disconcerting, the email itself still scores above 10, which I would call high-scoring. Has anyone seen something like this get through with a score under, say, 3? And if it did, I&#39;ve seen MS disarm legitimate links on spam scores under 1. <br>
<br>I agree with Peter though. RBLs, in general, suck. Half my legitimate email servers make the PBL simply because they reside in Rackspace&#39;s IP address space. So I have to go scrub all these sources to make sure legitimate resources aren&#39;t blacklisted? Yeah ... right .... right here buddy.<br>
<br><br>Jerry Benton<br><a href="http://www.mailborder.com">http://www.mailborder.com</a><br><br><div class="gmail_quote">On Mon, Dec 3, 2012 at 11:45 AM, Peter Farrow <span dir="ltr">&lt;<a href="mailto:peter@farrows.org" target="_blank">peter@farrows.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div>On 12/11/2012 01:19, Paul Welsh wrote:<br>
    </div>
    <blockquote type="cite">
      <pre>Hi all

Bit off-topic but thought I&#39;d mention <a href="http://dnswl.org" target="_blank">dnswl.org</a> which the spamassassin
wiki describes here -
<a href="http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED" target="_blank">http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED</a> - and
which describes itself as &quot;the leading whitelist provider for email
filtering&quot;.

I was tweaking my spam.assassin.prefs.conf today and noticed
RCVD_IN_DNSWL_MED gets a -2.3 spamassassin score by default.  However,
on doing some digging I noticed this:

2012-11-10 11:01:45 1TX8or-0008Fj-1P &lt;= <a href="mailto:service@santander.co.uk" target="_blank">service@santander.co.uk</a>
H=<a href="http://p02c11o144.mxlogic.net" target="_blank">p02c11o144.mxlogic.net</a> [208.65.144.77] P=esmtps
X=TLSv1:AES256-SHA:256 S=3244
id=FS3rRZ1UbDBRArVc4Iu00000255@fs3.ellison.local T=&quot;YOUR ONLINE
ACCOUNT HAS BEEN SUSPENDED&quot; from <a href="mailto:service@santander.co.uk" target="_blank">&lt;service@santander.co.uk&gt;</a> for &lt;snip&gt;

This phishing email came from <a href="http://mxlogic.net" target="_blank">mxlogic.net</a>, now called McAfee SaaS
Email Protection &amp; Continuity.  <a href="http://dnswl.org" target="_blank">dnswl.org</a> gives <a href="http://mxlogic.net" target="_blank">mxlogic.net</a> a
classification of:
&quot;Medium        Rare spam occurrences, corrected promptly.&quot;

Fair enough, this is doubtless one of those rare occurrences but I
just thought I&#39;d highlight that phishing does appear to be getting
through <a href="http://mxlogic.net" target="_blank">mxlogic.net</a> and because of <a href="http://dnswl.org" target="_blank">dnswl.org</a>&#39;s treatment of it,
spamassassin is subtracting nearly 3 points from its score.

In the case of the phishing mail I saw, it still got picked up as high
scoring spam and deleted but had the attempts to forge the Outlook
headers been better and/or had I given RCVD_IN_DNSWL_MED a higher
negative score (which I was seriously considering doing), this would
have been delivered:

Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from
208.65.144.77 (<a href="mailto:service@santander.co.uk" target="_blank">service@santander.co.uk</a>) to &lt;snip&gt; is spam,
SpamAssassin (score=10.984, required 6, autolearn=disabled,
AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79,
FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH
0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00,
FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00,
HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21,
NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62,
TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)
Nov 10 11:01:50 mail MailScanner[27602]: Non-delivery of spam: message
1TX8or-0008Fj-1P from <a href="mailto:service@santander.co.uk" target="_blank">service@santander.co.uk</a> to &lt;snip&gt; with subject
YOUR ONLINE ACCOUNT HAS BEEN SUSPENDED
Nov 10 11:01:50 mail MailScanner[27602]: Spam Actions: message
1TX8or-0008Fj-1P actions are delete
</pre>
    </blockquote>
    A whitelist entry has to be earned; I trust no one by default and
    create my own whitelists - works for me.<br>
    <br>
    <div>-- <br>
      Peter Farrow<br>
      Home: 01249 654183<br>
      Fax: 01249 461 548<br>
      Mobile: 07799605617<br>
      Skype: peter_farrow<br>
      Web: <a href="http://www.peterfarrow.com" target="_blank">www.peterfarrow.com</a>
    </div>
  </div>

<br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br></blockquote></div><br>
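The headroom discussed in this thread can be measured directly from the quoted MailScanner line: the added example below (not code from the thread, MailScanner or SpamAssassin) parses that line, reports how far the DNSWL hit moved the score, and finds the whitelist score at which the message would have been delivered. The function names and the treatment of the `FORGED_` and `TVD_PH_` rule prefixes as forgery/phishing signals are assumptions made for illustration.

```python
import re

# MailScanner log line as quoted in the thread (recipient already snipped there).
LOG_LINE = (
    "Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from "
    "208.65.144.77 (service@santander.co.uk) to <snip> is spam, "
    "SpamAssassin (score=10.984, required 6, autolearn=disabled, "
    "AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79, "
    "FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH "
    "0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00, "
    "FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00, "
    "HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21, "
    "NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62, "
    "TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)"
)

HEAD = re.compile(r"SpamAssassin \(score=(-?[\d.]+), required (-?[\d.]+)")
RULE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")
# Assumption: these rule-name prefixes are treated as forgery/phishing signals.
SUSPECT_PREFIXES = ("FORGED_", "TVD_PH_")

def parse_report(line):
    """Return score, threshold and per-rule scores from one log line, or None."""
    m = HEAD.search(line)
    if not m:
        return None
    rules = {n: float(s) for n, s in RULE.findall(line[m.end():])}
    return {"score": float(m.group(1)), "required": float(m.group(2)), "rules": rules}

def whitelist_audit(report, prefix="RCVD_IN_DNSWL"):
    """Quantify how much a DNSWL hit moved the verdict for this message."""
    rules = report["rules"]
    credit = sum(s for n, s in rules.items() if n.startswith(prefix))
    without = report["score"] - credit
    return {
        "credit": round(credit, 3),
        "score_without_whitelist": round(without, 3),
        # Whitelist score below which this message would no longer be spam.
        "delivered_below": round(report["required"] - without, 3),
        # Whitelist credit granted while forgery/phishing rules also fired.
        "conflicts": sorted(n for n, s in rules.items()
                            if s > 0 and n.startswith(SUSPECT_PREFIXES)),
    }

def is_spam_with(report, whitelist_score, prefix="RCVD_IN_DNSWL"):
    """Re-evaluate the verdict with a different (hypothetical) whitelist score."""
    base = whitelist_audit(report, prefix)["score_without_whitelist"]
    return base + whitelist_score >= report["required"]

if __name__ == "__main__":
    print(whitelist_audit(parse_report(LOG_LINE)))
```

Run over a whole mail log, a non-empty `conflicts` list marks messages where whitelist credit was applied to mail that also tripped forgery or phishing rules.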