btech

SC Mail not filtering much to the 'Held' folder?

Handled by two different servers, both stating that SpamAssassin is up and running. So, the flip side is an ancient post I made a few years back ... apparently you may have a spammer that's not all that lazy .... take a look at Software Development Life Cycle principles for spam as found in the SpamCop FAQ here.

Anyone else noticed an influx of spam being delivered to your inbox?

No, not especially. Now I do make use of the grey-list option so the vast bulk of spam never even reaches the filtering stage. But the remainder seems to have appropriately filtered.

Andrew

man... out of 70 messages in my inbox, 50 were spam.

Shouldn't this one have been snagged? It has words that I normally see hitting: http://www.spamcop.net/sc?id=z3115129192z1...b7ddb94687143fz

And this one... spam level 0?! It says 'drugs', 'medications' and 'pharmacy' in the body. Certainly something must be awry: http://www.spamcop.net/sc?id=z3115134554zb...a9ad7a1d359e9ez

... but I wonder if I'm also being flooded... I had 260 messages, all seemingly about pharma, in 12 hours, which is about 2x what I'm used to in that period.

...Certainly something must be awry: ...
Doesn't seem like very effective filtering to be sure Brandon. Unfortunately it is a matter of "needle in a haystack" for other users to compare notes on their experience with those spam or anything similar. But your settings don't seem to register suspect words at all? Not a user but that doesn't seem quite right.

man... out of 70 messages in my inbox, 50 were spam.

We could be comparing oranges with lemons... Which block lists do you have enabled? What is your SpamAssassin trigger level? Do you have grey listing enabled? What addresses do you have in your personal white list? In particular have you added your own address(es) to the white list (even inadvertently)?

All these things could change things for you.

Andrew

Which block lists do you have enabled? What is your SpamAssassin trigger level? Do you have grey listing enabled? What addresses do you have in your personal white list? In particular have you added your own address(es) to the white list (even inadvertently)?

I have all lists enabled, greylisting is NOT enabled and none of my personal addresses are on my white lists (I learned that lesson in the past with the TO/FROM spoofing). My SA level is 4, but the issue has never been the SA level... I see several words in these sample messages that should be hitting and raising the SA level, but they're all from 0-1.5, which I find very peculiar. I also find it peculiar that this issue started 3 or so days ago, when the same type of messages would previously be caught by SA and placed in the 'held' folder.

But your settings don't seem to register suspect words at all? Not a user but that doesn't seem quite right.

Exactly what raised some concern for me. I'm receiving a higher than usual volume of spam, but there are instances where identical messages are being delivered... 1 to the 'held' folder and 1 to the inbox. Prima facie, that looks like an issue with SA.

Here's one that appears to have 1.7 hits, but words like 'replica' (used twice), 'watches' and 'luxury' didn't hit... I thought they were all words that SA would catch in the past: http://www.spamcop.net/sc?id=z3118665302zf...26f401196684faz


I have all lists enabled, greylisting is NOT enabled and none of my personal addresses are on my white lists (I learned that lesson in the past with the TO/FROM spoofing). My SA level is 4, but the issue has never been the SA level... I see several words in these sample messages that should be hitting and raising the SA level, but they're all from 0-1.5, which I find very peculiar. I also find it peculiar that this issue started 3 or so days ago, when the same type of messages would previously be caught by SA and placed in the 'held' folder.

Exactly what raised some concern for me. I'm receiving a higher than usual volume of spam, but there are instances where identical messages are being delivered... 1 to the 'held' folder and 1 to the inbox. Prima facie, that looks like an issue with SA.

Here's one that appears to have 1.7 hits, but words like 'replica' (used twice), 'watches' and 'luxury' didn't hit... I thought they were all words that SA would catch in the past: http://www.spamcop.net/sc?id=z3118665302zf...26f401196684faz

Greylisting is now needed to effectively stop spam.

Any properly configured email system will resend email appropriately and pass through greylisting.

Big trouble is that there are people guising as anti-spammers out to destroy any effective method of stopping spam. Anyone remember Margie.Huey etc.? They were VERY knowledgeable about mail systems and were very vocally against any effective system being used to stop spam (ORBS, SpamCop for instance), always "joining" groups (NANE) that were effective, convincing others that making them ineffective is the way to go.

They seem to be effective. SpamCop seems now reluctant to block delinquent mailservers that do not act / are not acting on spam/abuse reports. So personal blacklists and whitelists are becoming more important to create and use.

Yeah, I think I'm going to have to turn greylisting on, because this is just asinine. Example of a CP spam that should CLEARLY have made some hits in SA, but was delivered to my inbox: http://www.spamcop.net/sc?id=z3121429075zb...7000b163e4066ez

If nothing else, it's listed in SORBS... isn't that one of the blocklists?

The IP 61.225.22.8 is from Korea; unless you expect email from Korea you should have that country blocked.

In this case that IP is a mail server and would resend, thus getting past Greylisting.

Most ISPs block port 25, stopping spam unless sent from a mail server.

Spammers now rely on "Trojans" to take control of one's computer and the email addresses on it.

Often one gets attachments from people/email addresses they know, but they turn out to be viruses/trojans from computers that have now been made zombies out to infect YOU.

Important to have effective protection to stop this such as

The IP 61.225.22.8 is from Korea; unless you expect email from Korea you should have that country blocked.

In this case that IP is a mail server and would resend, thus getting past Greylisting.

Like I said, I have all the BLs checked and active, yet an obscene amount of spam is delivered to my inbox. Hell, I even brought the SA level down to 2 and I'm STILL getting the leakage. I honestly think there is an issue with the SA server(s), because certain words are hitting like they used to.

Shouldn't this one have been snagged? It has words that I normally see hitting: http://www.spamcop.net/sc?id=z3115129192z1...b7ddb94687143fz

And this one... spam level 0?! It says 'drugs', 'medications' and 'pharmacy' in the body. Certainly something must be awry: http://www.spamcop.net/sc?id=z3115134554zb...a9ad7a1d359e9ez

Puzzling that you don't hit SA's trigger level with some of these. I'm going to have to start looking at some of my own. Presumably everyone at SC who opts for SA filtering is using the same test set (provided by SC), so it shouldn't be a matter of differences in individual users' tests. So, if I got this message it ought to get the same SA score as it did for you.

-- rick

Like I said, I have all the BLs checked and active, yet an obscene amount of spam is delivered to my inbox. Hell, I even brought the SA level down to 2 and I'm STILL getting the leakage. I honestly think there is an issue with the SA server(s), because certain words are hitting like they used to.

It just pays to check your whitelist.

A whitelist will override SpamAssassin, greylisting and blacklists.

I did not see in your example where it was whitelisted, and it should not have ended up in your inbox?

Puzzling that you don't hit SA's trigger level with some of these. I'm going to have to start looking at some of my own. Presumably everyone at SC who opts for SA filtering is using the same test set (provided by SC), so it shouldn't be a matter of differences in individual users' tests. So, if I got this message it ought to get the same SA score as it did for you.

I think the "SPF_HELO_PASS" is probably lowering the score to allow the pass.

I think the "SPF_HELO_PASS" is probably lowering the score to allow the pass.

Hmmm... I pulled the SPF records for the HELO of what appeared to be the originator of the zero-score spam (asianet.co.th); this message very conspicuously fails to pass an SPF check as far as I can tell. On the other hand, maybe the check is done on the HELO of btech's own domain, but I failed to get a clear SPF pass here either (though I may not know enough about reading SPF records to be sure).

So, I wonder which HELO got tested and passed the SPF check?

-- rick

Not sure if anyone has asked you this before, but you're not using a "catchall" address (aka "default address") for your domain, are you? That makes all possible incoming addresses valid and is pretty much an invitation to mass quantities of spam.

DT

Greetings,

Here's a user rant for you, with a plea for remediation on the Spamcop side, or tips on the user side. :-)

For the past few weeks both of my Spamcop accounts have been receiving a huge number of spams (10-15 a day in each one) making it through Spamcop's filters, my filters, and into my Inbox instead of Held Mail, leaving me to gloriously delete them individually. In the years I've had these accounts, I've never spent so much time cleaning my inboxes on a regular basis; second, the Spamassassin levels as reported in the headers are 1-2 stars or below, which is right about the threshold of my non-spam mail as well. Whitelisting everyone I know is not a workable solution, for obvious reasons.

The fact that the X-spam-Level is often zero stars, or 1 or 2, coupled with the spams being all the same pretty much (acai berry, online pharmacies and implants, watches, and a few phishing schemes thrown in) makes me wonder what's happening algorithmically on the spam assassin side of the flow.

Before I get flamed here are my account settings:

* All DNS blacklists enabled except 'Spamhaus PBL'

* x-spam-level 5

* I'm not in my whitelist

* no forwarding to or from the Spamcop accounts

So, what can I do to tighten the screws without missing legit mails (note that checking the Held Mail folder is not possible, it has too many daily entries)?

Thanks in advance,

Matt

0 x-spam-level

http://www.spamcop.net/sc?id=z3151436249ze...66d653d82b04a9z

1 x-spam-level

http://www.spamcop.net/sc?id=z3151441705za...7a77c11615733dz

2 x-spam-level

http://www.spamcop.net/sc?id=z3151445100z1...db96a346236a2bz

You've read the recent topic at http://forum.spamcop.net/forums/index.php?showtopic=10500 ? Is greylisting an option for you? Can we have a tracking URL for one of those slipping through?

And just to respond to the second question -- greylisting is, to me, a bandaid solution to a fundamental problem which is the need to adjust the algorithms which seemed previously to properly raise the x-spam-level rating. Why the same string values ('acai berry' 'luxury watches' etc etc etc) get sent over and over and over daily to me over the course of a few weeks, never raising the x-spam-level above 1 or 2 (if even that), is probably something that should be confirmed as impossible to overcome programmatically, clever spammers or not.

The greylist solution is clunky because the real-time nature of e-mails are an appeal of the technology and in today's world unfortunately a necessity, making half hour to an hour delays for new senders a very iffy proposition for most people. Consider responses to job postings, or -- more concrete example: every single time my bank's cookie expires, they make me do an e-mail confirmation which sends me an ID code before I am able to log in.

Matt

[...]

The fact that the X-spam-Level is often zero stars, or 1 or 2, coupled with the spams being all the same pretty much (acai berry, online pharmacies and implants, watches, and a few phishing schemes thrown in) makes me wonder what's happening algorithmically on the spam assassin side of the flow.

[...]

So, what can I do to tighten the screws without missing legit mails (note that checking the Held Mail folder is not possible, it has too many daily entries)?

Except for "replica" I think SA doesn't use real words much since the Viagra etc. lot just went over to misspelling. To investigate this properly would need a look at what SA tests were effective both now and in the past - I found the URL tests were the usual trigger - and what might be made more effective.

You don't say how many Spams a month you get (index numbers in VER or Held make this quite easy to record).

I have SA=2.0 3622 spams (121/d), 46 leakers (=1.3 %) for June with all Blocklists including pbl in spite of the false positives caused by the SC implementation.

There is a trick to let you just look at the borderline SA values, so going from SA=5.0 to SA=2.0 is no risk nor requires more than a few to be eyeballed.

Thus, using SC Webmail Search on the held folder (and save as a virtual folder):

Search 'Entire message' for any of "hits=0.", "hits=1.", "hits=2.", "hits=3.", "hits=4." plus, for good measure, any that don't contain "hits=" at all. This should show you all the low SA and blocklist items, which (for me) is only 1-5 a day.

HTH
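The borderline-review trick above, and the earlier question of what SPF_HELO_PASS contributed to a zero-score message, as an added Python example (not code from the thread or from SpamCop): it parses X-Spam-Status headers, buckets low-hit messages by the integer part of their hits the way the "hits=0." .. "hits=4." search does, and lists unflagged messages with the tests that fired. The headers are constructed samples; accepting both the older "hits=" and the newer "score=" spelling is an assumption about the deployment.

```python
import re
from collections import defaultdict

# Constructed X-Spam-Status headers (sample values, not from the thread); older
# SpamAssassin writes "hits=" and newer versions "score=", so both are accepted.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, hits=0.0 required=4.0 tests=SPF_HELO_PASS,HTML_MESSAGE",
    "X-Spam-Status: No, hits=1.7 required=4.0 tests=HTML_MESSAGE,MIME_HTML_ONLY",
    "X-Spam-Status: Yes, hits=6.3 required=4.0 tests=URIBL_BLACK,HTML_MESSAGE",
    "X-Spam-Status: No, score=3.9 required=4.0 tests=RCVD_IN_SORBS_WEB autolearn=no",
    "X-Spam-Status: Yes, hits=4.2 required=4.0 tests=HTML_MESSAGE,SPF_HELO_PASS",
    "Subject: a message with no SpamAssassin header at all",
]

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<flag>Yes|No),\s*(?:hits|score)=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<req>-?\d+(?:\.\d+)?)(?:\s+tests=(?P<tests>[A-Za-z0-9_,]+))?"
)

def parse_status(header):
    """Return flag/score/required/tests for an X-Spam-Status line, or None."""
    m = STATUS_RE.match(header.strip())
    if not m:
        return None
    tests = m.group("tests")
    return {
        "flagged": m.group("flag") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("req")),
        "tests": tests.split(",") if tests else [],
    }

def borderline(headers, low=0.0, high=5.0):
    """The 'hits=0. .. hits=4.' search: bucket messages by the integer part of their
    hits when it falls in [low, high); headerless ones go to "no-hits" (blocklist holds)."""
    buckets = defaultdict(list)
    for h in headers:
        st = parse_status(h)
        if st is None:
            buckets["no-hits"].append(h)
        elif low <= st["score"] < high:
            buckets[int(st["score"])].append(st)
    return buckets

def leakers(headers):
    """Unflagged (inbox) messages, lowest score first, with the tests that fired,
    so a 0-hit message carrying SPF_HELO_PASS stands out for inspection."""
    out = [(st["score"], st["tests"]) for st in map(parse_status, headers)
           if st is not None and not st["flagged"]]
    return sorted(out)
```

Run over a mailbox export, `borderline` is the handful to eyeball after lowering the SA threshold, and `leakers` is the list to compare against the tracking URLs posted in this thread.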
