Valid email held as spam

[elind]

I have several times found a valid email in the held spam list, even though that email had passed through only days before without first having been whitelisted.

In this latest case, from a name [at]bankofamerica.com which is unlikely to have suddenly been added to a spam list.

Why is this?

Thanks

[Wazoo]

Do I make an assumption and start with that this isn't a "reporting" issue .. rather something to do with a SpamCop Filtered E-Mail Account?

If it is a SpamCop e-mail account involved, then the e-mail "moved" to the Held folder should have some data to indicate why it was moved there, and am e-mail address usually isn't the cause of this action. So one would ask, why was this e-mail found in the Held Folder - based on the the data seen in the header? And as you provided nothing to go on here, I'm not sure how to even start a guess ... other than to point you to the FAQ and looking for some entries dealing with "filtering" ...????

[StevenUnderwood]

Wazoo: Maybe this should be added to the FAQ (email section), seems to be asked alot recently.

To determine why a particular email message was moved into the held mail folder of the spamcop email system, view the full headers of the message and look for the X-spam* headers. From within the spamcop webmail application, you can view the full headers by either clicking the "Show All Headers" or "Message Source" links from inside the message window.

An example set of those headers looks like:

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5

X-spam-Level: ****************

X-spam-Status: hits=16.3 tests=FORGED_RCVD_HELO, HTML_10_20, HTML_MESSAGE, INFO_TLD, LONGWORDS, MIME_HTML_MOSTLY, MPART_ALT_DIFF, MSGID_DOLLARS, SARE_URI_LET_DIG_PIC, URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL, URIBL_WS_SURBL version=3.0.0

X-SpamCop-Checked: 192.168.1.101 69.56.175.228 24.145.226.56

X-SpamCop-Disposition: Blocked bl.spamcop.net

The last header, X-SpamCop-Disposition, shows why a message was held, in this case the spamcop blocklist.

The last IP address listed in the X-SpamCop-Checked header indicates which IP was found on the list shown in the Disposition header line, in this case, 24.145.226.56.

This message would also have been held due to the SpamAssassin check if it had not been caught by one of the blocklists.

The X-Spamcop-Disposition header can also indicate whether a whitelist or blacklist entry affected the movement of a message.

[StevenUnderwood]

Maybe this should be added to the FAQ (email section), seems to be asked alot recently.

Actually, already there...

FAQ about Filtering and Held Mail: http://www.spamcop.net/fom-serve/cache/336.html

Why did this message get held?: http://www.spamcop.net/fom-serve/cache/312.html

[Wazoo]

Well, you made me look <g>

Moved to the E-Mail Forum based on you making the same read on the issue ...

[Merlyn]

In this latest case, from a name [at]bankofamerica.com which is unlikely to have suddenly been added to a spam list.

Why is this?

Thanks

23285[/snapback]

Anybody can send you email with <anythinghere>[at]bankofamerica.com

What makes you think that is where it came from?

[elind]

Anybody can send you email with <anythinghere>[at]bankofamerica.com

What makes you think that is where it came from?

23295[/snapback]

Because it was a real message from a known sender that had sent non held messages before. Sorry if I did not make that clear.

[Wazoo]

Because it was a real message from a known sender that had sent non held messages before. Sorry if I did not make that clear.

But, did StevenUnderwood's data provide any answers? Have you looked at that which was once not-Held but is-now-Held to see what the reasons were?

[elind]

But, did StevenUnderwood's data provide any answers?  Have you looked at that which was once not-Held but is-now-Held to see what the reasons were?

23323[/snapback]

Yes thanks. I didn't think that the filtering was quite that sensitive. It seems it picked up the two words "bad credit" which were in the body of the message, but not the subject, discussing mortgages.

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade4

X-spam-Level:

X-spam-Status: hits=0.4 tests=BAD_CREDIT,HTML_90_100,HTML_MESSAGE version=3.0.0

I had not thought that alone would be enough, but if I ease the settings I'm afraid I'll get much more through. As it is very little gets through and this does not happen very often, so I'll leave it be.

Thanks to all for the education.

[Tommy]

Yes thanks. I didn't think that the filtering was quite that sensitive. It seems it picked up the two words "bad credit" which were in the body of the message, but not the subject, discussing mortgages.

23324[/snapback]

Unfortunately there's no way to make the automated filters like SpamAssassin absolutely perfect. For example, a loan officer might receive all sorts of messages about bad credit and mortgage rates, and for them SpamAssassin might flag a lot of their legitimate messages as spam.

If you expect to receive mail from specific people at bankofamerica.com, then be sure to put their EXACT addresses into your whitelist and they should never get blocked as spam. Alternatively, if you work with the whole company a lot, you can put just bankofamerica.com in the whitelist and then you will always get any message (even spam) that has bankofamerica.com in the email address.

In most webmail systems, the addresses in the webmail address book get whitelisted automatically, so importing your contacts into webmail addresses might be a simple way to whitelist your frequent contacts. (I'm not absolutely positive SpamCop email does this, so I hope someone else can confirm or deny it.)

[DavidT]

assin 3.0.0 (2004-09-13) on blade4

X-spam-Status: hits=0.4 tests=BAD_CREDIT,HTML_90_100,HTML_MESSAGE

Wait a moment, that's an very low "spam-Status" number, and that wouldn't cause the message to be held. Sure, some attributes of valid email will trigger a response from SpamAssassin analysis, but the eventual "spam-Status" number is generally well below the default threshhold number, which is 5.0. So, this doesn't seem particularly germaine to the topic at hand.

You said "but if I ease the settings I'm afraid I'll get much more through," but I don't remember seeing what your current SpamAssassin setting is...did I miss it somewhere?

DT

[StevenUnderwood]

What is the "X-SpamCop-Disposition:" line for the held message?

Looking at the headers you provided, it should NOT be spamassassin holding the message. The X-spam-Level: is 0, meaning that even the lowest setting of 1 would allow this message through. It had to be something else.

[elind]

What is the "X-SpamCop-Disposition:" line for the held message? 

Looking at the headers you provided, it should NOT be spamassassin holding the message.  The X-spam-Level: is 0, meaning that even the lowest setting of 1 would allow this message through.  It had to be something else.

23345[/snapback]

Hi,

I just received another email from a known sender, (name[at]verizon.net) that has passed through filtering before. I have now whitelisted it, but if the following info says anything about why it was held I'd appreciate knowing. Surely verizon.net can't be blocked completely?

Thanks

X-IronPort-AV: i="3.88,148,1102309200"; d="scan'208,217";

a="170511159:sNHT65860592"

X-Authentication-Info: Submitted using SMTP AUTH at out007.verizon.net from

[64.222.120.25] at Mon, 24 Jan 2005 10:21:23 -0600

X-Virus-Scanned: Symantec AntiVirus Scan Engine

X-Virus-Scanned: Symantec AntiVirus Scan Engine

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5

X-spam-Level:

X-spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.0.0

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 65.32.5.51

10.10.4.5 65.32.1.42 206.46.170.107 64.222.120.25

X-SpamCop-Disposition: Blocked dnsbl.sorbs.net

Also, sorry for not replying to your question above, regarding my first query. I missed seeing your reply. Here are the lines for that message.

X-IronPort-AV: i="3.88,136,1102309200"; d="scan'208,217";

a="166938366:sNHT83361340"

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade4

X-spam-Level:

X-spam-Status: hits=0.4 tests=BAD_CREDIT,HTML_90_100,HTML_MESSAGE version=3.0.0

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 65.32.5.51

10.10.4.11 24.93.41.200

X-SpamCop-Disposition: Blocked bl.spamcop.net

X-Virus-Scanned: Symantec AntiVirus Scan Engine

[StevenUnderwood]

Hi,

I just received another email from a known sender, (name[at]verizon.net) that has passed through filtering before. I have now whitelisted it, but if the following info says anything about why it was held I'd appreciate knowing. Surely verizon.net can't be blocked completely?

Thanks

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 65.32.5.51

10.10.4.5 65.32.1.42 206.46.170.107 64.222.120.25

X-SpamCop-Disposition: Blocked dnsbl.sorbs.net

23538[/snapback]

64.222.120.25 (last IP in the Checked list) is listed in the dnsbl.sorbs.net list causing the message to be held. It is on 2 siorbs lists: Database of vulnerable/hacked servers and Dynamic IP Space (LAN, Cable, DSL & Dial Ups).

Also, sorry for not replying to your question above, regarding my first query. I missed seeing your reply. Here are the lines for that message.

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 65.32.5.51

10.10.4.11 24.93.41.200

X-SpamCop-Disposition: Blocked bl.spamcop.net

23538[/snapback]

24.93.41.200 (last IP in the Checked list) is listed in the bl.spamcop.net list causing the message to be held. Causes of listing: SpamCop users have reported system as a source of spam about 140 times in the past week. Looking at the most recent samples available, mostly knockoff pharmacuticals with some others thrown in for fun.

Neither of the addresses these came from are seen as being whitelisted at the time they came through the system.

[Merlyn]

Hi,

I just received another email from a known sender, (name[at]verizon.net) that has passed through filtering before. I have now whitelisted it, but if the following info says anything about why it was held I'd appreciate knowing. Surely verizon.net can't be blocked completely?

Thanks

X-IronPort-AV: i="3.88,148,1102309200";   d="scan'208,217";

a="170511159:sNHT65860592"

X-Authentication-Info: Submitted using SMTP AUTH at out007.verizon.net from

[64.222.120.25] at Mon, 24 Jan 2005 10:21:23 -0600

X-Virus-Scanned: Symantec AntiVirus Scan Engine

X-Virus-Scanned: Symantec AntiVirus Scan Engine

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5

X-spam-Level:

X-spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.0.0

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 65.32.5.51

10.10.4.5 65.32.1.42 206.46.170.107 64.222.120.25

X-SpamCop-Disposition: Blocked dnsbl.sorbs.net

Also, sorry for not replying to your question above, regarding my first query. I missed seeing your reply. Here are the lines for that message.

X-IronPort-AV: i="3.88,136,1102309200";   d="scan'208,217";

a="166938366:sNHT83361340"

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade4

X-spam-Level:

X-spam-Status: hits=0.4 tests=BAD_CREDIT,HTML_90_100,HTML_MESSAGE version=3.0.0

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 65.32.5.51

10.10.4.11 24.93.41.200

X-SpamCop-Disposition: Blocked bl.spamcop.net

X-Virus-Scanned: Symantec AntiVirus Scan Engine

23538[/snapback]

The first one you say cam from a known sender on 64.222.120.25 is also listed as Likely Trojaned Machine, host running Korgo trojan.

in the second one the older one came through 24.145.226.56 which is also an infected/abused machine, that IP is listed everywhere. I doubt this was a valid email, most likely a phish because I doubt bankofamerica.com is sending through hijacked machines.

[elind]

The first one you say cam from a known sender on 64.222.120.25 is also listed as Likely Trojaned Machine, host running Korgo trojan.

in the second one the older one came through 24.145.226.56 which is also an infected/abused machine, that IP is listed everywhere.  I doubt this was a valid email, most likely a phish because I doubt bankofamerica.com is sending through hijacked machines.

23541[/snapback]

No, both messages came from known senders and were valid communications, but could their machines be compromised without their knowledge then?

Perhaps the BofA message was sent from the senders home PC instead of the office?

Should I advise them?

[Wazoo]

No, both messages came from known senders and were valid communications, but could their machines be compromised without their knowledge then?

Pointed out a couple of times already ..

You say "address is whitelisted but moved to Held .."

Folks have pointed out "no evidence of whitelisting"

You provide samples showing a "Blocked" in the Disposition lines.

This is what's missing that would show that whitelisting was in effect (stolen from another discussion);

X-SpamCop-Disposition: Blocked bl.spamcop.net

X-SpamCop-Whitelisted: returns.groups.yahoo.com

^^^^^^^^^^^^^^^^

This second line is not showing, therefore your "it is whitelisted" is very much in question.

Perhaps the BofA message was sent from the senders home PC instead of the office?

Should I advise them?

And just what business arrangements would you have that would cause a BoA staff member to be handling "your" account stuff from "his/her" home computer? My experience with folks dealing at that kind of "personal" attention usually "have people" that take care of those piddly details ....

As far as a specific answer, there is no way for someone on this side of the screen to guess at whether your "known senders and valid communications" are as you seem to feel. Your e-mail, your details, your call ....

[Merlyn]

No, both messages came from known senders and were valid communications, but could their machines be compromised without their knowledge then?

Perhaps the BofA message was sent from the senders home PC instead of the office?

Should I advise them?

23566[/snapback]

Yes they can be compromised without knowing it.

From what you say you are still depending on the "From" address to validate your email.

[elind]

1: I whitelisted AFTER noticing this issue. They are now whitelisted, but would otherwise still be held. I don't think I said the address was whitelisted initially, but if I did I am sorry and meant to say that the address has not been held before, in other communications.

2: Why would you not simply take my word for the fact that the messages were real and recognized communications from the senders shown?

3: I don't know what the specifics of the messages have to do with it, but if you are curious, I have business with BofA and communicate with a VP who travels a lot and I would guess connects from many locations, perhaps including home. I will ask.

4: In the latter case, if it's not via a VPN, perhaps only the connection at that time is on the blacklist? If this is a dynamically allocated IP, how does one know that it won't be used by another person tomorrow?

[elind]

Yes they can be compromised without knowing it.

From what you say you are still depending on the "From" address to validate your email.

23572[/snapback]

How else can I validate it other than saying I will accept any message from merlyn <at> verizon.net, for example?

True, I could still get a message with that address forged, and spammers would have short success spurt if they could sent everyone spam appearing to come from someone in their own address book, but that is not very likely is it?

I will tell them to check their PCs.