You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Alan Fullmer <li...@xnote.com> on 2005/06/06 15:51:31 UTC

* SPAM * Xnote.com considers this message as SPAM *** RE: Message that conitinually gets bypassed

Spam detection software, running on the system "vibe.xnote.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Here you go, attached are two. Keep in mind, if I were 
  to forward this mail to myself, it would get flagged. It just seems to 
  be getting by when they send it. 

Content analysis details:   (9.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.4 SARE_HOMELOAN          BODY: Home mortgage stuff
 1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [67.108.238.3 listed in sbl-xbl.spamhaus.org]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: mrratenow.com droppedr8z.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: mrratenow.com droppedr8z.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: mrratenow.com droppedr8z.com]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: droppedr8z.com]
-7.3 AWL                    AWL: From: address is in the auto white-list

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Re[2]: Message that conitinually gets bypassed

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Alan,

Monday, June 6, 2005, 6:51:31 AM, you wrote:

AF> Here you go, attached are two.

AF> Keep in mind, if I were to forward this mail to myself, it would get
AF> flagged.   It just seems to be getting by when they send it.

In the copies you attached, there are no Received headers.

> From: "George" <xd...@morin.at>
> To: "Mark Stringer" <ms...@accessdata.com>
> Subject: Attention
> Date: Sun, 5 Jun 2005 16:06:14 -0600
> Message-ID: <20...@buh.accessdata.com>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0073_01C56A6C.8E2E5320"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> Thread-Index: AcT9+CUlRgRKMiKZSj+BjT+PHEf8rQ==
>
> Dear Homeowner,

That strongly implies that the message somehow bypassed all email
systems, including yours any any others. It's as if the system which
created the spam dumped it directly onto your system, without going
through any email system.  Therefore SA didn't see it, because SA is
normally called by email systems to check the emails.

If you can figure out why this email reached you without any received
headers, then you're well on the way to solving this problem.

Bob Menschel


AF> -----Original Message-----
AF> From: Robert Menschel [mailto:Robert@Menschel.net] 
AF> Sent: Thursday, May 26, 2005 6:53 PM
AF> To: Alan Fullmer
AF> Cc: users@spamassassin.apache.org
AF> Subject: Re: Message that conitinually gets bypassed

AF> Hello Alan,

AF> Thursday, May 26, 2005, 9:20:51 AM, you wrote:

AF>> I have this message that continually gets by Spam Assassin. The headers
AF>> have no indication that SA has even touched it.   I will post the
AF> headers
AF>> below, as well as the message.

AF> Unfortunately, you posted the text, and you posted the headers, but
AF> you didn't post the message. Your text says,
>> visit our Website
AF> and there's no link anywhere for the sucker to use. We are missing
AF> some very important information, and can't debug your problem properly
AF> without it.

AF> If you had sent the message as a message, attached (forward as
AF> attachment), I'd be able to save your message to my system, run SA
AF> against them, and do an analysis.  I can't do that the way you cut and
AF> pasted the message.

AF> See the just updated
AF> http://wiki.apache.org/spamassassin/DoYouWantMySpam for some other
AF> ideas.

AF> Bob Menschel







-- 
Best regards,
 Robert                            mailto:Robert@Menschel.net