Posted to users@spamassassin.apache.org by Tim Macrina <ti...@quickmortgageloan.com> on 2005/05/26 16:30:57 UTC

SA marked message as ham

Can anyone explain to me as to why this message was marked as ham?
Thank you


Return-Path: <br...@4praise.com>
Received: from 4praise.com ([220.160.189.10])
	by mail2.qmlhost.com (8.13.4/8.13.4) with SMTP id j4Q5SHOl030285
	for <ti...@quickmortgageloan.com>; Thu, 26 May 2005 01:28:27 -0400
Message-ID: <44...@4praise.com>
Date: Wed, 25 May 2005 22:01:29 +0700
Reply-To: "kelly westbrook" <br...@4praise.com>
From: "kelly westbrook" <br...@4praise.com>
User-Agent: Pine.SGI.4.10
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Stanton Amato" <va...@quickmortgageloan.com>
Cc: <ne...@quickmortgageloan.com>, <pr...@quickmortgageloan.com>,
        <ti...@quickmortgageloan.com>, <st...@quickmortgageloan.com>
Subject: It is an easy and legitimate way to decrease your expenses on quality medicines.
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.84rc2/894/Wed May 25 08:53:16 2005 on mail2.qmlhost.com
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on mail2.qmlhost.com
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham 
	version=3.0.3
X-UIDL: %S5!!VMZ"!^Z$!!l%V!!

From: kelly westbrook [brandy@4praise.com]
Sent: Wednesday, May 25, 2005 11:01 AM
To: Stanton Amato
Cc: newton@quickmortgageloan.com; professional@quickmortgageloan.com;
timmac@quickmortgageloan.com; stephens@quickmortgageloan.com
Subject: It is an easy and legitimate way to decrease your expenses on
quality medicines.

Thank you all for providing such wonderful quality items on your site. I have reduced my expenses on medicines by half. The
convenient services  gave me a lot of time with modest efforts. I'd like to share my experience with
others.     -- Joe O. in OH

It is quicker. It is easier. It is a great convenience. It is such a great choice for me and it is less hassle to shop for medicines
at your store.
Thank you for providing this innovative way to acquire my medical needs.. 
-Jane D.  in NM

With a wide variety of legally prescribed remedies on pain, stress, man's care, sleeping disorder, male organ erecting problems,
obesity and elevated cholesterol to choose from, our company provides customers an easy access.


http://p.w8k.jumptothehighestpoint.com/ySqe/
Gget started and browse this pharrn-site for quality items.




in rfering with success the silence and quiet prescribed by every n herurse around  on  earsa curious place.' I in  should have been
chary of discussing my 9 that way, business to London.  I
 2 did not


Re: Message that continually gets bypassed

Posted by Loren Wilton <lw...@earthlink.net>.
> I have this message that continually gets by Spam Assassin.  The headers
> have no indication that SA has even touched it.   I will post the headers
> below, as well as the message.

Which version of SA?  How are you feeding it? Procmail?  Something else?

I don't see anything obvious at a real quick glance.  Maybe this message has
a really big attachment and goes over the 250K limit?

        Loren


Re[2]: Message that continually gets bypassed

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Alan,

Monday, June 6, 2005, 6:51:31 AM, you wrote:

AF> Here you go, attached are two.

AF> Keep in mind, if I were to forward this mail to myself, it would get
AF> flagged.   It just seems to be getting by when they send it.

In the copies you attached, there are no Received headers.

> From: "George" <xd...@morin.at>
> To: "Mark Stringer" <ms...@accessdata.com>
> Subject: Attention
> Date: Sun, 5 Jun 2005 16:06:14 -0600
> Message-ID: <20...@buh.accessdata.com>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0073_01C56A6C.8E2E5320"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> Thread-Index: AcT9+CUlRgRKMiKZSj+BjT+PHEf8rQ==
>
> Dear Homeowner,

That strongly implies that the message somehow bypassed all email
systems, including yours and any others. It's as if the system which
created the spam dumped it directly onto your system, without going
through any email system.  Therefore SA didn't see it, because SA is
normally called by email systems to check the emails.

If you can figure out why this email reached you without any received
headers, then you're well on the way to solving this problem.

Bob Menschel


AF> -----Original Message-----
AF> From: Robert Menschel [mailto:Robert@Menschel.net] 
AF> Sent: Thursday, May 26, 2005 6:53 PM
AF> To: Alan Fullmer
AF> Cc: users@spamassassin.apache.org
AF> Subject: Re: Message that continually gets bypassed

AF> Hello Alan,

AF> Thursday, May 26, 2005, 9:20:51 AM, you wrote:

AF>> I have this message that continually gets by Spam Assassin. The headers
AF>> have no indication that SA has even touched it.   I will post the
AF> headers
AF>> below, as well as the message.

AF> Unfortunately, you posted the text, and you posted the headers, but
AF> you didn't post the message. Your text says,
>> visit our Website
AF> and there's no link anywhere for the sucker to use. We are missing
AF> some very important information, and can't debug your problem properly
AF> without it.

AF> If you had sent the message as a message, attached (forward as
AF> attachment), I'd be able to save your message to my system, run SA
AF> against them, and do an analysis.  I can't do that the way you cut and
AF> pasted the message.

AF> See the just updated
AF> http://wiki.apache.org/spamassassin/DoYouWantMySpam for some other
AF> ideas.

AF> Bob Menschel







-- 
Best regards,
 Robert                            mailto:Robert@Menschel.net
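
The check described in the reply above, as an added example (not code from the thread or from SpamAssassin): it lists the hosts named in a message's Received: headers and tests whether the host in X-Spam-Checker-Version is one of them. The sample messages are constructed from the header shapes quoted in this thread; the function name and verdict strings are hypothetical.

```python
import re
from email import message_from_string

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
SA_HOST = re.compile(r"\bon\s+([A-Za-z0-9.-]+)\s*$")

def scan_trace(raw):
    """Report which hosts relayed a message and whether SpamAssassin stamped it."""
    msg = message_from_string(raw)
    # Each MTA that handles the message prepends one Received: header.
    hops = [m.group(1).lower() for m in
            (BY_HOST.search(v) for v in msg.get_all("Received", [])) if m]
    m = SA_HOST.search(msg.get("X-Spam-Checker-Version", ""))
    scanner = m.group(1).lower() if m else None
    if not hops:
        verdict = "no-received-headers"      # no MTA trace at all
    elif scanner is None:
        verdict = "relayed-but-not-scanned"  # an MTA handled it, SA left no stamp
    elif scanner in hops:
        verdict = "scanned-by-receiving-hop"
    else:
        verdict = "scanner-not-in-received-chain"
    return {"hops": hops, "scanner": scanner, "verdict": verdict}

# Constructed samples, trimmed from the header shapes quoted in this thread.
SCANNED = (
    "Received: from 4praise.com ([220.160.189.10])\n"
    "\tby mail2.qmlhost.com (8.13.4/8.13.4) with SMTP id j4Q5SHOl030285;\n"
    "\tThu, 26 May 2005 01:28:27 -0400\n"
    "Subject: sample\n"
    "X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on mail2.qmlhost.com\n"
    "X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham\n"
    "\n"
    "body\n")
UNSCANNED = (
    "Received: from buh.accessdata.com ([192.168.0.5]) by adata.accessdata.com\n"
    "\twith Microsoft SMTPSVC(6.0.3790.1830); Thu, 26 May 2005 03:29:31 -0600\n"
    "Received: from mx1.morningstar.com (unknown [221.207.13.94])\n"
    "\tby buh.accessdata.com (Postfix) with ESMTP id 77B55A0644;\n"
    "\tThu, 26 May 2005 03:27:36 -0600 (MDT)\n"
    "Subject: Attention\n\nbody\n")
NO_TRACE = "Subject: Attention\nX-Mailer: Microsoft Office Outlook, Build 11.0.5510\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("scanned", SCANNED), ("unscanned", UNSCANNED), ("no-trace", NO_TRACE)):
        print(name, scan_trace(raw))
```
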



Re: Message that continually gets bypassed

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Alan,

Thursday, May 26, 2005, 9:20:51 AM, you wrote:

AF> I have this message that continually gets by Spam Assassin.  The headers
AF> have no indication that SA has even touched it.   I will post the headers
AF> below, as well as the message.

Unfortunately, you posted the text, and you posted the headers, but
you didn't post the message. Your text says,
> visit our Website
and there's no link anywhere for the sucker to use. We are missing
some very important information, and can't debug your problem properly
without it.

If you had sent the message as a message, attached (forward as
attachment), I'd be able to save your message to my system, run SA
against them, and do an analysis.  I can't do that the way you cut and
pasted the message.

See the just updated
http://wiki.apache.org/spamassassin/DoYouWantMySpam for some other
ideas.

Bob Menschel





Message that continually gets bypassed

Posted by Alan Fullmer <li...@xnote.com>.
I have this message that continually gets by Spam Assassin.  The headers
have no indication that SA has even touched it.   I will post the headers
below, as well as the message.

I get various messages all of which have the basic same body content.  If I
forward this message to myself, it clearly tags it as spam the second time.

So I am wondering if spammers have found a way around SA?

I have SA running with Postfix on a linux machine, which then forwards the
filtered mail to an exchange server.


Thanks in advance.
Alan Fullmer
Alan at xnote dot com
www.xnote.com

-----------------------------------------------------------------------
Below is the message
-----------------------------------------------------------------------
Dear Homeowner,

 

You have been pre-approved for a $402,000 Home Loan at a 3.45% Fixed Rate.
This offer is being extended to you unconditionally and your credit is in no
way a factor.

To take Advantage of this Limited Time opportunity all we ask is that you
visit our Website and complete the 1 minute post Approval Form.

 
Enter Here 
Sincerely,

Esteban Tanner
Regional CEO

--------------------------------------------------------------------------
BELOW ARE THE HEADERS
--------------------------------------------------------------------------
Microsoft Mail Internet Headers Version 2.0
Received: from buh.accessdata.com ([192.168.0.5]) by adata.accessdata.com
with Microsoft SMTPSVC(6.0.3790.1830);
	 Thu, 26 May 2005 03:29:31 -0600
Received: from mx1.morningstar.com (unknown [221.207.13.94])
	by buh.accessdata.com (Postfix) with ESMTP
	id 77B55A0644; Thu, 26 May 2005 03:27:36 -0600 (MDT)
From: "Chris" <bi...@moskit.uwm.edu.pl>
To: <ex...@accessdata.com>
Subject: Attention
Date: Thu, 26 May 2005 04:27:39 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----225126436318696341"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcT9+CUlRgRKMiKZSj+BjT+PHEf8rQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-Id: <20...@buh.accessdata.com>
Return-Path: biwyxjwqmps@moskit.uwm.edu.pl
X-OriginalArrivalTime: 26 May 2005 09:29:31.0031 (UTC)
FILETIME=[6B8DCA70:01C561D5]

------225126436318696341
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

------225126436318696341
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable;


------225126436318696341--


Re: SA marked message as ham

Posted by Matt Kettler <mk...@evi-inc.com>.
Tim Macrina wrote:
> I'm pretty new to SA but my local.cf has the following entries
> 
> skip_rbl_checks	0
> use_razor2		0
> use_dcc		0
> use_pyzor		0
> 
> I believe this means that I am not using any of the checks. Are these features that need to be installed? Are there others I should
> use in addition/instead of?
> Thanks

Actually, that only means that razor, dcc and pyzor are disabled. All three are
add-on packages that need separate installation, and you'd have to set those to
1 instead of 0.

The "skip_rbl_checks" would only turn off normal RBLs if set to 1.

However, none of this tells you anything about URI blacklists. For that you need
to have a relatively recent version of Net::DNS installed.

Try running spamassassin --lint -D and see if it complains about DNS being
unavailable, or too old to support URIBLs.

Also make sure you have an init.pre file in your /etc/mail/spamassassin. The
normal tarball will install this, but several distribution packages screwed up
and left this important file out. If it's missing, download the tarball from the
spamassassin website and copy init.pre out of it.

RE: SA marked message as ham

Posted by Tim Macrina <ti...@quickmortgageloan.com>.
I'm pretty new to SA but my local.cf has the following entries

skip_rbl_checks	0
use_razor2		0
use_dcc		0
use_pyzor		0

I believe this means that I am not using any of the checks. Are these features that need to be installed? Are there others I should
use in addition/instead of?
Thanks

-----Original Message-----
From: Matt Kettler [mailto:mkettler@evi-inc.com] 
Sent: Thursday, May 26, 2005 11:08 AM
To: Tim Macrina
Cc: users@spamassassin.apache.org
Subject: Re: SA marked message as ham

Tim Macrina wrote:
> Can anyone explain to me as to why this message was marked as ham.
> Thank you

Because it didn't hit any rules. No hits = ham, and by default, autolearn as ham
(IMO this is a bad thing, but the default SA ruleset doesn't have enough
negative-scoring rules to use a negative learning threshold.)


> X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham 
> 	version=3.0.3


Do you run with network checks enabled? In particular that message should have
hit a bunch of SURBLs, URIBL.com lists, and razor.

Also, the source IP 220.160.189.10 is in XBL (via CBL).

Of course, both of these hits could have been added after you got the message,
but it's worth checking if your setup is using network tests.


Re: SA marked message as ham

Posted by Matt Kettler <mk...@evi-inc.com>.
Tim Macrina wrote:
> Can anyone explain to me as to why this message was marked as ham.
> Thank you

Because it didn't hit any rules. No hits = ham, and by default, autolearn as ham
(IMO this is a bad thing, but the default SA ruleset doesn't have enough
negative-scoring rules to use a negative learning threshold.)


> X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham 
> 	version=3.0.3


Do you run with network checks enabled? In particular that message should have
hit a bunch of SURBLs, URIBL.com lists, and razor.

Also, the source IP 220.160.189.10 is in XBL (via CBL).

Of course, both of these hits could have been added after you got the message,
but it's worth checking if your setup is using network tests.

RE: SA marked message as ham

Posted by Ben Wylie <sa...@benwylie.co.uk>.
Because you don't have any rules enabled that hit it.

I suggest turning on URIBL tests. I have them scored highly and a low
threshold to flag spam as that is ok with my setup. I don't know how high the
default scores would take this.
Three lists got:
http://p.w8k.jumptothehighestpoint.com/ySqe/

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on server
X-Spam-Spammy: 0.999-4--0h-51s--0d--decrease, 0.997-2--0h-15s--2d--gget
X-Spam-Hammy: 0.006-5--9h-0s--9d--H*r:8.13.4, 0.025-1856--4686h-300s--0d--Sent
X-Spam-Report: 
	*  0.7 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
	*  0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
	*      [score: 0.5297]
	*  2.7 URIBL_SBL Contains an URL listed in the SBL blocklist
	*      [URIs: jumptothehighestpoint.com]
	*  4.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
	*      [URIs: jumptothehighestpoint.com]
	*  4.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
	*      [URIs: jumptothehighestpoint.com]
X-Spam-Status: Yes, score=11.9 required=2.4 bayes=0.5297 tests=BAYES_50,
	DATE_IN_PAST_12_24,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL 
	autolearn=disabled version=3.0.2
X-Spam-Level: ***********


Ben
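
The two X-Spam-Status headers posted in this thread, compared by an added example (not code from any poster or from the SpamAssassin project): it unfolds the header, splits out the tests list and flags a result where no network rule fired and the message was autolearned as ham. The prefix list used to recognise network rules and the finding strings are assumptions of this example.

```python
import re

# Assumption: rule-name prefixes that only fire when network tests run
# (DNS blocklists, URI blocklists, Razor, DCC, Pyzor).
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "DCC_", "PYZOR_")

# Header values as posted in this thread (folded across lines).
TIM_STATUS = "No, score=0.0 required=5.0 tests=none autolearn=ham \n\tversion=3.0.3"
BEN_STATUS = ("Yes, score=11.9 required=2.4 bayes=0.5297 tests=BAYES_50,\n"
              "\tDATE_IN_PAST_12_24,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL \n"
              "\tautolearn=disabled version=3.0.2")

def parse_spam_status(value):
    """Parse an X-Spam-Status value into verdict, scores and the tests that hit."""
    unfolded = re.sub(r"\s*\n\s+", " ", value.strip())
    verdict, _, rest = unfolded.partition(",")
    # Folding can leave a space after a comma inside the tests= list.
    rest = re.sub(r",\s+", ",", rest)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "spam": verdict.strip().lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "autolearn": fields.get("autolearn"),
        "tests": tests,
        "network_tests": [t for t in tests if t.startswith(NETWORK_PREFIXES)],
    }

def triage(value):
    """Return findings worth following up with `spamassassin --lint -D`."""
    s = parse_spam_status(value)
    findings = []
    if not s["tests"]:
        findings.append("no-rules-hit")
    if not s["network_tests"]:
        findings.append("no-network-rules-hit")
    if s["autolearn"] == "ham" and not s["spam"]:
        findings.append("autolearned-ham")
    return findings

if __name__ == "__main__":
    for name, value in (("tim", TIM_STATUS), ("ben", BEN_STATUS)):
        print(name, parse_spam_status(value), triage(value))
```
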