Posted to users@spamassassin.apache.org by Steven Stern <su...@sterndata.com> on 2005/12/02 03:57:45 UTC

Problems with AOL's TOS reports

In order to keep our mail flowing to AOL members, I've signed up through 
the AOL postmaster service to receive TOS reports. Basically, whenever 
someone reports mail from our domains as spam, AOL forwards it to me. 
(They delete the addressee from the headers, although not completely so 
sometimes.)

Anyhow, when it arrives, SA classifies it as spam. What's the reason for 
the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I 
overrode them by whitelisting the sender (scomp@aol.net)?

  pts rule name              description
---- ---------------------- --------------------------------------------------
  2.2 SARE_SPEC_CLIENT_TOS2  known spammer address
  1.0 NO_REAL_NAME           From: does not include a real name
  2.2 SARE_SPEC_CLIENT_TOS   high tech impulse spam sign
-0.0 SPF_PASS               SPF: sender matches SPF record
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
  1.7 DNS_FROM_RFC_POST      RBL: Envelope sender in
                             postmaster.rfc-ignorant.org
  1.6 FORGED_MSGID_AOL       Message-ID is forged, (aol.com)
-1.2 AWL                    AWL: From: address is in the auto white-list


The headers look like this:

Microsoft Mail Internet Headers Version 2.0
Received: from enoch.cciminstitute.com ([10.0.2.195]) by 
eve.cciminstitute.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Thu, 1 Dec 2005 18:29:18 -0600
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20])
	by enoch.cciminstitute.com (8.13.1/8.13.1) with ESMTP id jB20TD75022197;
	Thu, 1 Dec 2005 18:29:13 -0600
Received: from  scmp-m23.mail.aol.com (scmp-m23.mail.aol.com 
[172.21.28.106]) by omr-m08.mx.aol.com (v107.10) with ESMTP id 
RELAYIN7-8438f95576; Thu, 01 Dec 2005 19:29:11 -0400
Received: from  imo-d21.mx.aol.com (imo-d21.mail.aol.com 
[172.18.157.195]) by scmp-m23.mail.aol.com (v98.19) with ESMTP id 
RELAYIN2-3438f95441a; Thu, 01 Dec 2005 19:28:52 -0400
Received: from undisclosed@undisclosed.com
	by imo-d21.mx.aol.com (mail_out_v38_r6.3.) id f.2b7.128060a (58677)
	 for <sc...@aol.net>; Thu, 1 Dec 2005 19:28:45 -0500 (EST)
From: <sc...@aol.net>
Message-ID: <2b...@aol.com>
Date: Thu, 1 Dec 2005 19:28:45 EST
Subject: *SPAM* Client TOS Notification
To: <un...@aol.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_438F955B.164385DC"
X-Mailer: 9.0 for scomp@aol.net
X-AOL-COUNTRY-CODE: US
X-Spam-Flag: YES
X-AOL-IP: 172.21.28.106
X-Loop: scomp
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 
(enoch.cciminstitute.com [10.0.2.195]); Thu, 01 Dec 2005 18:29:13 -0600 
(CST)
X-Virus-Scanned: ClamAV version 0.87.1, clamav-milter version 0.87 on 
enoch.cciminstitute.com
X-Virus-Status: Clean
X-Spam-Status: Yes, score=5.2 required=4.0 tests=AWL,BAYES_00,
	DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_MSGID_AOL,HTML_MESSAGE,
	NO_REAL_NAME,SARE_SPEC_CLIENT_TOS,SARE_SPEC_CLIENT_TOS2,SPF_PASS
	autolearn=no version=3.1.0
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
	enoch.cciminstitute.com
Return-Path: scomp@aol.net
X-OriginalArrivalTime: 02 Dec 2005 00:29:18.0390 (UTC) 
FILETIME=[6E99C560:01C5F6D7]

------------=_438F955B.164385DC
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

------------=_438F955B.164385DC
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

X-Envelope-From: <sc...@aol.net>
X-Envelope-To: <sp...@cciminstitute.com>
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20]) by 
enoch.cciminstitute.com;
X-Envelope-To: <we...@cciminstitute.com>
Received: from  scmp-m23.mail.aol.com (scmp-m23.mail.aol.com 
[172.21.28.106]) by omr-m08.mx.aol.com (v107.10) with ESMTP id 
RELAYIN7-8438f95576; Thu, 01 Dec 2005 19:29:11 -0400
Received: from  imo-d21.mx.aol.com (imo-d21.mail.aol.com 
[172.18.157.195]) by scmp-m23.mail.aol.com (v98.19) with ESMTP id 
RELAYIN2-3438f95441a; Thu, 01 Dec 2005 19:28:52 -0400
Received: from undisclosed@undisclosed.com
	by imo-d21.mx.aol.com (mail_out_v38_r6.3.) id f.2b7.128060a (58677)
	 for <sc...@aol.net>; Thu, 1 Dec 2005 19:28:45 -0500 (EST)
From: <sc...@aol.net>
Message-ID: <2b...@aol.com>
Date: Thu, 1 Dec 2005 19:28:45 EST
Subject: Client TOS Notification
To: <un...@aol.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary="part1_2b7.128060a.30c0ef3d_boundary"
X-Mailer: 9.0 for scomp@aol.net
X-AOL-COUNTRY-CODE: US
X-AOL-IP: 172.21.28.106
X-Loop: scomp
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 
(enoch.cciminstitute.com [10.0.2.195]); Thu, 01 Dec 2005 18:29:13 -0600 
(CST)
X-Virus-Scanned: ClamAV version 0.87.1, clamav-milter version 0.87 on 
enoch.cciminstitute.com
X-Virus-Status: Clean

--part1_2b7.128060a.30c0ef3d_boundary
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

--part1_2b7.128060a.30c0ef3d_boundary
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <de...@ccim.com>
Received: from  rly-yc05.mail.aol.com (rly-yc05.mail.aol.com 
[172.18.205.148]) by air-yc04.mail.aol.com (v107.13) with ESMTP id 
MAILINYC44-1d9438f45e7368; Thu, 01 Dec 2005 13:50:30 -0500
Received: from  ldap1.ccim.com (ldap1.ccim.com [198.104.132.226]) by 
rly-yc05.mail.aol.com (v107.13) with ESMTP id 
MAILRELAYINYC53-1d9438f45e7368; Thu, 01 Dec 2005 13:50:15 -0500
Received: from ldap1.ccim.com (localhost [127.0.0.1])
	by ldap1.ccim.com (8.12.11/8.12.11) with ESMTP id jB1IN5rE003286
	for <ba...@aol.com>; Thu, 1 Dec 2005 13:49:13 -0500
Received: from enoch.cciminstitute.com (enoch.cciminstitute.com
	[12.40.135.196])
	by ldap1.ccim.com (8.12.11/8.12.11) with ESMTP id jB1FONIi014070
	for <de...@lists.ccim.com>; Thu, 1 Dec 2005 10:24:23 -0500
Received: from eve.cciminstitute.com (eve.cciminstitute.com [10.0.2.7])
	by enoch.cciminstitute.com (8.13.1/8.13.1) with SMTP id jB1FOJ9Z022174
	for <de...@ccim.com>; Thu, 1 Dec 2005 09:24:19 -0600
content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
Date: Thu, 1 Dec 2005 09:24:21 -0600
Message-ID: <43...@eve.cciminstitute.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RERC/CCIM ITQ -- Market Data Equals Power
Thread-Index: AcX2i00btfR+CFo3TYSbIAA/Y2q0VQ==
From: "CCIM Member Communications" 
<CC...@cciminstitute.com>
To: <Undisclosed Recipients>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 
(ldap1.ccim.com [127.0.0.1]); Thu, 01 Dec 2005 13:49:13 -0500 (EST)
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-2.0
	(ldap1.ccim.com [198.104.132.226]);
	Thu, 01 Dec 2005 10:24:23 -0500 (EST)
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-2.0
	(enoch.cciminstitute.com [10.0.2.195]);
	Thu, 01 Dec 2005 09:24:19 -0600 (CST)
X-Virus-Scanned: ClamAV version 0.87.1,
	clamav-milter version 0.87 on ldap1.ccim.com
X-Virus-Scanned: ClamAV version 0.87.1,
	clamav-milter version 0.87 on enoch.cciminstitute.com
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.5 required=4.0 tests=AWL,BAYES_00,HTML_MESSAGE
	autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ldap1.ccim.com
X-Mailman-Approved-At: Thu, 01 Dec 2005 11:14:20 -0500
Subject: [Designees] RERC/CCIM ITQ -- Market Data Equals Power
X-BeenThere: designees@ccim.com
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: Designees List <designees.ccim.com>
List-Unsubscribe: <http://lists.ccim.com/mailman/listinfo/designees>,
	<mailto:designees-request@ccim.com?subject=unsubscribe>
List-Archive: <http://lists.ccim.com/pipermail/designees>
List-Post: <ma...@ccim.com>
List-Help: <mailto:designees-request@ccim.com?subject=help>
List-Subscribe: <http://lists.ccim.com/mailman/listinfo/designees>,
	<mailto:designees-request@ccim.com?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0292989648=="
Sender: designees-bounces@ccim.com
Errors-To: designees-bounces@ccim.com
X-AOL-IP: 198.104.132.226
X-Mailer: Unknown (No Version)


-- 

   Steve

Re: Problems with AOL's TOS reports

Posted by Doc Schneider <ma...@maddoc.net>.
Charles Sprickman wrote:
> On Fri, 2 Dec 2005, Ralf Hildebrandt wrote:
> 
>> * Kai Schaetzl <ma...@conactive.com>:
>>
>>>> In order to keep our mail flowing to AOL members, I've signed up through
>>>> the AOL postmaster service to receive TOS reports. Basically, whenever
>>>> someone reports mail from our domains as spam, AOL forwards it to me.
>>>
>>> Be careful about that. That's what they say. Actually, it seems they have
>>> their own filters additionally and send you everything they *think* is
>>> spam. I've been getting a lot of TOS reports which weren't spam and where I
>>> was able to ask the recipient and they said "No, I didn't hit the button".
>>
>> Yeah, I also get lots of crap that is DEFINITELY not spam and that nobody
>> in his/her sane mind would declare as spam. But then nobody
>> in his/her sane mind would use AOL, either.
> 
> 
> Yeah, I'm fairly certain after speaking with someone who routinely deals 
> directly with AOL's "postmaster" folks that these are all button pushes.
> 
> Never underestimate the stupidity of the average computer user.  AOL 
> does not help matters by putting the "report as spam" button next to the 
> "delete" button in their mail client.
> 
> Charles
> 

I deal with aol (I call it AOHELL) a lot through their loopback and, 
besides them placing the buttons for 'delete' and 'report as spam' 
really close, if a spam is deleted from their spam folder it is the same 
as pushing 'report as spam'. Also, after 4 days if left in the spam 
folder it is deleted by their system and reported as spam. (Really not a 
good thing[tm] with the holiday travel coming up.)

From talking to several folks who use aol, it seems if a message lands in 
the spam bucket it needs to be highlighted and then 'this is not spam' 
needs to be hit.

Of course when my Dad first got on the 'net he signed up for... you 
guessed it, aol, and it only took me an hour to get him a real 'net 
connection and all set up... but it took him having to cancel the credit 
card he used before they stopped billing for it. (He called for like 6 
months, at least, wanting his service canceled.) (This all happened a 
few years ago, like 1997 or so. I've heard they somewhat have a handle on 
this but still hear of it happening to people.)

-Doc (Who laughs so hard sometimes at the commercials about aol on TV)

Re: Problems with AOL's TOS reports

Posted by Charles Sprickman <sp...@bway.net>.
On Fri, 2 Dec 2005, Ralf Hildebrandt wrote:

> * Kai Schaetzl <ma...@conactive.com>:
>
>>> In order to keep our mail flowing to AOL members, I've signed up through
>>> the AOL postmaster service to receive TOS reports. Basically, whenever
>>> someone reports mail from our domains as spam, AOL forwards it to me.
>>
>> Be careful about that. That's what they say. Actually, it seems they have
>> their own filters additionally and send you everything they *think* is
>> spam. I've been getting a lot of TOS reports which weren't spam and where I
>> was able to ask the recipient and they said "No, I didn't hit the button".
>
> Yeah, I also get lots of crap that is DEFINITELY not spam and that nobody
> in his/her sane mind would declare as spam. But then nobody
> in his/her sane mind would use AOL, either.

Yeah, I'm fairly certain after speaking with someone who routinely deals 
directly with AOL's "postmaster" folks that these are all button pushes.

Never underestimate the stupidity of the average computer user.  AOL does 
not help matters by putting the "report as spam" button next to the 
"delete" button in their mail client.

Charles

> -- 
> Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@charite.de
> Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
> Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
> IT-Zentrum Standort CBF                 send no mail to spamtrap@charite.de
>

Re: Problems with AOL's TOS reports

Posted by Ralf Hildebrandt <Ra...@charite.de>.
* Kai Schaetzl <ma...@conactive.com>:

> > In order to keep our mail flowing to AOL members, I've signed up through 
> > the AOL postmaster service to receive TOS reports. Basically, whenever 
> > someone reports mail from our domains as spam, AOL forwards it to me.
> 
> Be careful about that. That's what they say. Actually, it seems they have 
> their own filters additionally and send you everything they *think* is 
> spam. I've been getting a lot of TOS reports which weren't spam and where I 
> was able to ask the recipient and they said "No, I didn't hit the button".

Yeah, I also get lots of crap that is DEFINITELY not spam and that nobody
in his/her sane mind would declare as spam. But then nobody
in his/her sane mind would use AOL, either.

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to spamtrap@charite.de

Re: Problems with AOL's TOS reports

Posted by Kai Schaetzl <ma...@conactive.com>.
Steven Stern wrote on Thu, 01 Dec 2005 20:57:45 -0600:

> In order to keep our mail flowing to AOL members, I've signed up through 
> the AOL postmaster service to receive TOS reports. Basically, whenever 
> someone reports mail from our domains as spam, AOL forwards it to me.

Be careful about that. That's what they say. Actually, it seems they have 
their own filters additionally and send you everything they *think* is 
spam. I've been getting a lot of TOS reports which weren't spam and where I 
was able to ask the recipient and they said "No, I didn't hit the button".

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org




Re: Problems with AOL's TOS reports

Posted by Steven Stern <su...@sterndata.com>.
Robert Menschel wrote:
> Hello Steven,
> 
> Thursday, December 1, 2005, 6:57:45 PM, you wrote:
> 
> SS> In order to keep our mail flowing to AOL members, I've signed up through
> SS> the AOL postmaster service to receive TOS reports. Basically, whenever
> SS> someone reports mail from our domains as spam, AOL forwards it to me.
> 
> SS> Anyhow, when it arrives, SA classifies it as spam. What's the reason for
> SS> the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I
> SS> overrode them by whitelisting the sender (scomp@aol.net)?
> 
> The reason is that people on our systems here that have not subscribed
> to this service are receiving spam with exactly these characteristics.
> I believe that some spammer (or ratware) is mimicking the AOL
> service's characteristics in order to get their spam through people's
> whitelists.
> 
> When I put these rules together, I wasn't aware of AOL's service and
> its email characteristics, and nobody else in any of the several SARE
> mass-checks had any hits at all, so there was no indication through
> that means that this was a Bad Rule (tm).
> 
> 1) If you subscribe to this service, or any domain you process mail
> for does, zero the score on these rules.
> 
> 2) As soon as I get back from vacation, I'll zero the scores on those
> rules in the production files, and see if I can figure out how to
> identify the spammer as opposed to the service.
> 
> 3) Yes, whitelist scomp@aol.com, but do so through an unforgeable
> means, such as SPF or RCVD.  Do not use a simple whitelist from, since
> that's what the spammer is hoping you will do.
> 
> Bob Menschel
> 
> 
> 

Thanks. I'm using the whitelist_from_spf successfully.



-- 

   Steve

Re: Problems with AOL's TOS reports

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Steven,

Thursday, December 1, 2005, 6:57:45 PM, you wrote:

SS> In order to keep our mail flowing to AOL members, I've signed up through
SS> the AOL postmaster service to receive TOS reports. Basically, whenever
SS> someone reports mail from our domains as spam, AOL forwards it to me.

SS> Anyhow, when it arrives, SA classifies it as spam. What's the reason for
SS> the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I
SS> overrode them by whitelisting the sender (scomp@aol.net)?

The reason is that people on our systems here that have not subscribed
to this service are receiving spam with exactly these characteristics.
I believe that some spammer (or ratware) is mimicking the AOL
service's characteristics in order to get their spam through people's
whitelists.

When I put these rules together, I wasn't aware of AOL's service and
its email characteristics, and nobody else in any of the several SARE
mass-checks had any hits at all, so there was no indication through
that means that this was a Bad Rule (tm).

1) If you subscribe to this service, or any domain you process mail
for does, zero the score on these rules.

2) As soon as I get back from vacation, I'll zero the scores on those
rules in the production files, and see if I can figure out how to
identify the spammer as opposed to the service.

3) Yes, whitelist scomp@aol.com, but do so through an unforgeable
means, such as SPF or RCVD.  Do not use a simple whitelist from, since
that's what the spammer is hoping you will do.

Bob Menschel
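
Bob's third point above, as an added example that is not part of the original thread and is not SpamAssassin's code: a simplified Python model of why a From:-only whitelist entry is forgeable while a check tied to the relay your own MX recorded is not. The function names, the `host.example.net` / `192.0.2.10` sender and both sample messages are constructed; the host names and `scomp@aol.net` are taken from the headers Steven posted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_MX = "enoch.cciminstitute.com"   # receiving MX named in the posted headers
REPORT_SENDER = "scomp@aol.net"      # From:/Return-Path: of the posted report
RELAY_DOMAIN = "aol.com"             # rDNS domain of omr-m08.mx.aol.com

BY_HOST = re.compile(r"\sby\s+(\S+)")
# sendmail-style stamp: "from HELO (RDNS [IP])"; only RDNS is checked here
RELAY = re.compile(r"from\s+\S+\s+\((\S+)\s+\[[\d.]+\]\)")

def from_whitelisted(msg):
    """Weak: trusts From:, a header the sending side writes."""
    return parseaddr(msg.get("From", ""))[1].lower() == REPORT_SENDER

def rcvd_whitelisted(msg):
    """Stronger: From: matches AND the relay that OUR_MX itself recorded
    has reverse DNS under RELAY_DOMAIN."""
    if not from_whitelisted(msg):
        return False
    for hdr in msg.get_all("Received", []):
        by = BY_HOST.search(hdr)
        if by and by.group(1).lower() == OUR_MX:
            # Topmost stamp by our MX is the only one we wrote ourselves;
            # anything below it arrived with the message and may be forged.
            relay = RELAY.match(hdr)
            if not relay:
                return False
            rdns = relay.group(1).lower()
            return rdns == RELAY_DOMAIN or rdns.endswith("." + RELAY_DOMAIN)
    return False

def evaluate(raw):
    """Return (from_only_result, relay_checked_result) for a raw message."""
    msg = message_from_string(raw)
    return from_whitelisted(msg), rcvd_whitelisted(msg)

STAMP = "\tby enoch.cciminstitute.com (8.13.1/8.13.1) with ESMTP; Thu, 1 Dec 2005 18:29:13 -0600"
AOL_HOP = "Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20])"
TAIL = ["From: <scomp@aol.net>", "Subject: Client TOS Notification", "", "body"]

# Constructed samples: GENUINE follows the relay line in the post; FORGED is
# handed over by a made-up host (192.0.2.10) and carries a faked AOL hop.
GENUINE = "\n".join([AOL_HOP, STAMP] + TAIL)
FORGED = "\n".join(["Received: from mail.example.net (host.example.net [192.0.2.10])",
                    STAMP, AOL_HOP, STAMP] + TAIL)

if __name__ == "__main__":
    print("genuine:", evaluate(GENUINE))
    print("forged: ", evaluate(FORGED))
```

In SpamAssassin itself the two sides of this contrast are plain `whitelist_from` versus `whitelist_from_rcvd` or the `whitelist_from_spf` Steven reports using.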