Posted to users@spamassassin.apache.org by Alan Fullmer <li...@xnote.com> on 2005/05/26 18:20:51 UTC

Message that continually gets bypassed

I have this message that continually gets by Spam Assassin.  The headers
have no indication that SA has even touched it.   I will post the headers
below, as well as the message.

I get various messages, all of which have basically the same body content.  If I
forward this message to myself, it clearly tags it as spam the second time.

So I am wondering if spammers have found a way around SA?

I have SA running with Postfix on a Linux machine, which then forwards the
filtered mail to an Exchange server.


Thanks in advance.
Alan Fullmer
Alan at xnote dot com
www.xnote.com

-----------------------------------------------------------------------
Below is the message
-----------------------------------------------------------------------
Dear Homeowner,

 

You have been pre-approved for a $402,000 Home Loan at a 3.45% Fixed Rate.
This offer is being extended to you unconditionally and your credit is in no
way a factor.

To take Advantage of this Limited Time opportunity all we ask is that you
visit our Website and complete the 1 minute post Approval Form.

 
Enter Here 
Sincerely,

Esteban Tanner
Regional CEO

--------------------------------------------------------------------------
BELOW ARE THE HEADERS
--------------------------------------------------------------------------
Microsoft Mail Internet Headers Version 2.0
Received: from buh.accessdata.com ([192.168.0.5]) by adata.accessdata.com
with Microsoft SMTPSVC(6.0.3790.1830);
	 Thu, 26 May 2005 03:29:31 -0600
Received: from mx1.morningstar.com (unknown [221.207.13.94])
	by buh.accessdata.com (Postfix) with ESMTP
	id 77B55A0644; Thu, 26 May 2005 03:27:36 -0600 (MDT)
From: "Chris" <bi...@moskit.uwm.edu.pl>
To: <ex...@accessdata.com>
Subject: Attention
Date: Thu, 26 May 2005 04:27:39 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----225126436318696341"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcT9+CUlRgRKMiKZSj+BjT+PHEf8rQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-Id: <20...@buh.accessdata.com>
Return-Path: biwyxjwqmps@moskit.uwm.edu.pl
X-OriginalArrivalTime: 26 May 2005 09:29:31.0031 (UTC)
FILETIME=[6B8DCA70:01C561D5]

------225126436318696341
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

------225126436318696341
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable;


------225126436318696341--


Re: Message that continually gets bypassed

Posted by Loren Wilton <lw...@earthlink.net>.
> I have this message that continually gets by Spam Assassin.  The headers
> have no indication that SA has even touched it.   I will post the headers
> below, as well as the message.

Which version of SA?  How are you feeding it? Procmail?  Something else?

I don't see anything obvious at a real quick glance.  Maybe this message has
a really big attachment and goes over the 250K limit?

        Loren


Re[2]: Message that continually gets bypassed

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Alan,

Monday, June 6, 2005, 6:51:31 AM, you wrote:

AF> Here you go, attached are two.

AF> Keep in mind, if I were to forward this mail to myself, it would get
AF> flagged.   It just seems to be getting by when they send it.

In the copies you attached, there are no Received headers.

> From: "George" <xd...@morin.at>
> To: "Mark Stringer" <ms...@accessdata.com>
> Subject: Attention
> Date: Sun, 5 Jun 2005 16:06:14 -0600
> Message-ID: <20...@buh.accessdata.com>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0073_01C56A6C.8E2E5320"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> Thread-Index: AcT9+CUlRgRKMiKZSj+BjT+PHEf8rQ==
>
> Dear Homeowner,

That strongly implies that the message somehow bypassed all email
systems, including yours and any others. It's as if the system which
created the spam dumped it directly onto your system, without going
through any email system.  Therefore SA didn't see it, because SA is
normally called by email systems to check the emails.

If you can figure out why this email reached you without any received
headers, then you're well on the way to solving this problem.

Bob Menschel


AF> -----Original Message-----
AF> From: Robert Menschel [mailto:Robert@Menschel.net] 
AF> Sent: Thursday, May 26, 2005 6:53 PM
AF> To: Alan Fullmer
AF> Cc: users@spamassassin.apache.org
AF> Subject: Re: Message that conitinually gets bypassed

AF> Hello Alan,

AF> Thursday, May 26, 2005, 9:20:51 AM, you wrote:

AF>> I have this message that continually gets by Spam Assassin. The headers
AF>> have no indication that SA has even touched it.   I will post the
AF> headers
AF>> below, as well as the message.

AF> Unfortunately, you posted the text, and you posted the headers, but
AF> you didn't post the message. Your text says,
>> visit our Website
AF> and there's no link anywhere for the sucker to use. We are missing
AF> some very important information, and can't debug your problem properly
AF> without it.

AF> If you had sent the message as a message, attached (forward as
AF> attachment), I'd be able to save your message to my system, run SA
AF> against them, and do an analysis.  I can't do that the way you cut and
AF> pasted the message.

AF> See the just updated
AF> http://wiki.apache.org/spamassassin/DoYouWantMySpam for some other
AF> ideas.

AF> Bob Menschel







-- 
Best regards,
 Robert                            mailto:Robert@Menschel.net
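
Added example, not part of the thread or of SpamAssassin: a Python check that automates the triage discussed above (no Received trace, no SA markup, the 250K size question) on a saved raw message. The host names, sample messages, function name and verdict labels are hypothetical; the X-Spam-* names are the headers SpamAssassin adds by default.

```python
from email import message_from_bytes

# Headers SpamAssassin adds by default to mail it has scanned.
SA_HEADERS = ("X-Spam-Checker-Version", "X-Spam-Status",
              "X-Spam-Level", "X-Spam-Flag")
SIZE_LIMIT = 250 * 1024  # the "250K limit" raised in the thread

def triage(raw: bytes, scanner_host: str) -> dict:
    """Classify a saved raw message by the filtering evidence in its headers."""
    msg = message_from_bytes(raw)
    received = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    # Hops recorded by the host that is supposed to call SpamAssassin.
    via_scanner = [r for r in received if f" by {scanner_host} " in f" {r} "]
    sa_seen = [h for h in SA_HEADERS if msg.get(h) is not None]
    if not received:
        verdict = "no-trace"           # no transport trace in this copy
    elif not via_scanner:
        verdict = "bypassed-host"      # route never touched the scanner host
    elif sa_seen:
        verdict = "scanned"
    elif len(raw) > SIZE_LIMIT:
        verdict = "possibly-oversize"  # accepted, but too big to be scanned
    else:
        verdict = "not-scanned"        # accepted, yet SA left no markup
    return {"hops": len(received), "sa_headers": sa_seen, "verdict": verdict}

# Constructed samples (hypothetical hosts, documentation-range addresses).
NO_TRACE = b"""\
From: "George" <sender@example.org>
To: <user@example.net>
Subject: Attention

Dear Homeowner,
"""
UNSCANNED = b"""\
Received: from mx1.example.org (unknown [192.0.2.94])
\tby filter.example.net (Postfix) with ESMTP
\tid 0123456789; Thu, 26 May 2005 03:27:36 -0600 (MDT)
""" + NO_TRACE
SCANNED = b"""\
X-Spam-Checker-Version: SpamAssassin 3.0.3 on filter.example.net
X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE autolearn=no
""" + UNSCANNED
```

Run it on the message as stored by the final mailbox (saved or forwarded as an attachment), since a cut-and-paste copy loses the headers the check depends on.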



Re: Message that continually gets bypassed

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Alan,

Thursday, May 26, 2005, 9:20:51 AM, you wrote:

AF> I have this message that continually gets by Spam Assassin.  The headers
AF> have no indication that SA has even touched it.   I will post the headers
AF> below, as well as the message.

Unfortunately, you posted the text, and you posted the headers, but
you didn't post the message. Your text says,
> visit our Website
and there's no link anywhere for the sucker to use. We are missing
some very important information, and can't debug your problem properly
without it.

If you had sent the message as a message, attached (forward as
attachment), I'd be able to save your message to my system, run SA
against them, and do an analysis.  I can't do that the way you cut and
pasted the message.

See the just updated
http://wiki.apache.org/spamassassin/DoYouWantMySpam for some other
ideas.

Bob Menschel