jongrose

SpamAssassin v3.1.0 on one spam, and v.3.1.1 on another?

Let's all send a message to support at cesmail.net and see who gets his attention first....the shotgun approach. :-)

I always use support[at]spamcop.net and have just sent off a message pointing him here.

blade4 is also not running SA.

I see no evidence of that. All my messages coming through blade4 have SA headers. Filter7, OTOH, allowed multiple spams through to my inbox overnight.

Update: I just found one that came through filter8 without SA tests. The time that filter8 handled it was: 20 Jan 2007 10:35:41 -0000 (just after 5:30 am in Georgia, where the server lives). I don't have any others like that yet, but the problem is getting worse before it gets better. No word from JT yet.

DT

Edited by DavidT


Well, I saw one from blade4 earlier today without filtering, but more recently I got one that was filtered by blade4. filter7 and filter8 are not filtering.


Filter7 still isn't filtering. Grumble.

Yep, I'm seeing a ton of leakthrough from 7 and 8 this morning. All told, I'm getting a bit concerned about this; I've had a paid account with SC almost as long as it has been offered, and I'm having trouble thinking of a time where something this bad has dragged on.


this just in, per

http://mail.spamcop.net/news.php

Jan 21, 2007

* [17:38 EST] Over the weekend, two of our filtering servers stopped doing SpamAssassin scanning on the email going through them. This unfortunately let a lot more spam through than usual. The problem is fixed now and we are investigating how to monitor and alarm on this condition so it won't happen again. We apologize for the inconvenience.

P.S.

I just got mail thru filter7 with SA headers... oh happy day.

Edited by silentlarry

this just in, per

http://mail.spamcop.net/news.php

P.S.

I just got mail thru filter7 with SA headers... oh happy day.

Good news, that reoccurring problem was beginning to be a real pain. On a related note, I still notice that many of the filter servers still have different versions of SA on them; some w/ 3.1.1, some w/ 3.1.4...


Incidents like this also tell me that IP blocklists are fairly useless nowadays given the army of spambots out there.

Good news, that reoccurring problem was beginning to be a real pain. On a related note, I still notice that many of the filter servers still have different versions of SA on them; some w/ 3.1.1, some w/ 3.1.4...

This was explained earlier that while the engines were different, the rulesets were the same.

Incidents like this also tell me that IP blocklists are fairly useless nowadays given the army of spambots out there.

I have not had a single spam get past the blocklists the entire weekend. I am convinced it all depends on the types of lists you get yourself (usually by no fault of your own) onto.


I just received a message that slipped through the filters and was routed through filter8:

Return-Path: <saulcle[at]galaxycorp.net>
Delivered-To: x
Received: (qmail 25197 invoked from network); 26 Jan 2007 18:14:05 -0000
X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8
X-spam-Level: 
X-spam-Status: hits=0.0 tests=none version=3.1.4
Received: from unknown (192.168.1.101)
  by filter8.cesmail.net with QMQP; 26 Jan 2007 18:14:05 -0000
Received: from x (66.152.166.10)
  by mailgate.cesmail.net with SMTP; 26 Jan 2007 18:14:05 -0000
Received: (qmail 79852 invoked by uid 399); 26 Jan 2007 18:13:45 -0000
Delivered-To: x
Received: (qmail 73970 invoked by uid 399); 26 Jan 2007 18:13:44 -0000
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses);
  Fri, 26 Jan 2007 10:13:45 -0800
Received: from 82.red-83-61-60.dynamicip.rima-tde.net (HELO galaxycorp.net) (83.61.60.82)
  by mail3.mygisol.com with SMTP; 26 Jan 2007 18:13:44 -0000
Received-SPF: none (x: domain at galaxycorp.net does not designate permitted sender hosts)
	identity=mailfrom; client-ip=83.61.60.82;
	envelope-from=<saulcle[at]galaxycorp.net>;
Message-ID: <01c74175$b836d9d0$523c3d53[at]desktop>
Reply-To: "Modestine Melone" <saulcle[at]galaxycorp.net>
From: "Modestine Melone" <saulcle[at]galaxycorp.net>
To: "Orpah Gabler" <x>
Subject: Re: ED6015
Date: Fri, 26 Jan 2007 19:13:46 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-SpamCop-Checked: 192.168.1.101 66.152.166.10 83.61.60.82 83.61.60.82 

Good day,

Viazzgra  $1, 80
Ciazzlis  $3, 00
Levizztra $3, 35

http://www.printeryml.*com ( Important ! Remove

*EDIT* if this should have gone in the 'email' forum, I apologize, I don't know if the filters are tied to the email or the reporting service.

Edited by btech

*EDIT* if this should have gone in the 'email' forum, I apologize, I don't know if the filters are tied to the email or the reporting service.

Wondering just where / how this confusion could have started / not been cleared up in all the various descriptions of the services offered ...?????

At any rate, moved this post from the Reporting Help section and merged this "new" post into the existing Topic that covers/includes the same situation. PM sent to advise of the move/merge action.

I just received a message that slipped through the filters and was routed through filter8:

Not sure what you're trying to tell us....the SA process is now working on all the servers, and yes, some spam is slipping through, but not because it's not being seen by SA, AFAIK. The example you submitted shows SA processing/scoring.

DT


The example you submitted shows SA processing/scoring.

And to be anal about it, here are the lines that show that:

X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8

X-spam-Level:

X-spam-Status: hits=0.0 tests=none version=3.1.4

It is just that this spam did not trigger any of the tests being checked.

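Added example, not part of any post in this thread and not SpamCop's own monitoring code: a header check that separates the two cases argued over above, mail that never went through SA (no X-spam-Checker-Version header) versus mail that SA scanned with `tests=none`, and flags filter hosts whose unscanned share is high. The sample messages are constructed from the filter8 header layout quoted in the thread; the `blade5.cesmail.net` and `filter7.cesmail.net` hop names, the `BAYES_99` hit and the threshold values are assumptions.

```python
import email
import re
from collections import Counter

# In the quoted sample the filter hop is the Received line that says "with QMQP".
QMQP_HOP = re.compile(r"\bby\s+([\w-]+)\.cesmail\.net\s+with\s+QMQP")

def classify(raw):
    """Return (filter_host, state): unscanned, scanned-no-hits or scanned."""
    msg = email.message_from_string(raw)  # header lookup is case-insensitive
    checker = msg.get("X-Spam-Checker-Version")
    if checker is not None:
        # "SpamAssassin 3.1.4 (2006-07-26) on filter8" -> "filter8"
        host = checker.rsplit(" on ", 1)[-1].strip()
        tests = re.search(r"\btests=(\S+)", msg.get("X-Spam-Status", ""))
        no_hits = tests is not None and tests.group(1) == "none"
        return host, "scanned-no-hits" if no_hits else "scanned"
    # No SA headers at all: name the filter from the QMQP hop instead.
    for received in msg.get_all("Received", []):
        hop = QMQP_HOP.search(received)
        if hop:
            return hop.group(1), "unscanned"
    return None, "unscanned"

def hosts_to_alarm(raw_messages, threshold=0.5, min_messages=2):
    """Hosts whose unscanned share reaches the threshold (assumed policy values)."""
    total, unscanned = Counter(), Counter()
    for raw in raw_messages:
        host, state = classify(raw)
        total[host] += 1
        unscanned[host] += state == "unscanned"
    return sorted(h for h in total
                  if h and total[h] >= min_messages and unscanned[h] / total[h] >= threshold)

def sample(host, sa_headers=""):
    # Constructed message, modelled on the filter8 headers quoted in the thread.
    return (sa_headers +
            "Received: from unknown (192.168.1.101)\n"
            f"  by {host}.cesmail.net with QMQP; 26 Jan 2007 18:14:05 -0000\n"
            "Received: from x (66.152.166.10)\n"
            "  by mailgate.cesmail.net with SMTP; 26 Jan 2007 18:14:05 -0000\n"
            "Subject: Re: ED6015\n\nbody\n")

ZERO = ("X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8\n"
        "X-spam-Level: \nX-spam-Status: hits=0.0 tests=none version=3.1.4\n")
HIT = ("X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5\n"
       "X-spam-Status: hits=7.2 tests=BAYES_99 version=3.1.1\n")  # constructed
SAMPLES = [sample("filter8", ZERO), sample("filter7"), sample("filter7"), sample("blade5", HIT)]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print("alarm:", hosts_to_alarm(SAMPLES))
```

A run of `scanned-no-hits` on a host is a rule-coverage question, while `unscanned` is the outage condition the 21 Jan news item describes.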
It is just that this spam did not trigger any of the tests being checked.

I have noticed that lately myself too. I will get a spam in my inbox that has passed through SA but registered a score of 0, whereas other similar emails have a much higher score. I can find some examples if necessary.

I have noticed that lately myself too. I will get a spam in my inbox that has passed through SA but registered a score of 0, whereas other similar emails have a much higher score. I can find some examples if necessary.

Please do. I have not seen any but I don't get much spam to compare. If it is always the same system with a zero SA score, perhaps the system is not working correctly.

If it is always the same system with a zero SA score, perhaps the system is not working correctly.

That is what I suspect. All but two of the emails that passed SA were the new pharmacy spams that use the "replace the * with a ." method in the body.

I haven't been actively watching for this, just to make sure SA has been running, but when I see "tests=none" I get a little suspect. I have been trying to monitor emails that come into my inbox that pass not only the SA filters, but all my blacklists. I have another suspicion that SC is not always running the IPs it checks against some of the blacklists I have selected, as I don't recall ever having seen it check it against SpamHaus or some of the others, but I will post on that in another thread if I find that to be occurring.

I checked through all my emails from the past week (which took a considerable amount of time) and found these. I checked up until last Sunday (the 21st) when SA had been disabled on some servers. I will continue to monitor and save any emails I get that SA bypasses. On a side note, it would be nice to be able to search through your old spam reports.

No hit SA reports on filter7:

http://www.spamcop.net/sc?id=z1206846240z4...5722d00ca90865z (this one appears to have a postcard virus attached as a base64 file)

http://www.spamcop.net/sc?id=z1206668759z3...60ec4fa045f33az

http://www.spamcop.net/sc?id=z1202201762z3...d0baf5a2421c0ez

No hit SA reports on filter8:

http://www.spamcop.net/sc?id=z1202200815z5...670591f0952d07z

http://www.spamcop.net/sc?id=z1200810921z6...3e46cb01d730c4z

No hit SA reports on blade1:

http://www.spamcop.net/sc?id=z1206831002z3...b0446485999965z

http://www.spamcop.net/sc?id=z1204312000zc...7ae5a82cba98caz

That is what I suspect. All but two of the emails that passed SA were the new pharmacy spams that use the "replace the * with a ." method in the body.

I concur with this assessment. The highest score these types of spam have achieved with me has been 0.2. Interestingly the text follows easy to figure obfuscation of the text so that the various drugs on offer are easy to decipher visually.

I've assumed that SpamAssassin isn't offering a test to catch these Emails.

Andrew


I got that same email about a dozen times. I didn't notice any of my mails weren't being passed through SA though. But, I was particularly annoyed that SC stated:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

On the last one I reported, it did parse it all the way through, though. On the rest, I manually reported the URL.


I got one on filter7 with SA headers from 11:07 pacific, and another at 11:39, so I assume it's been beat into submission.

Perhaps they did rig an alarm to monitor it as the news item suggested they might, seeing as it was apparently down for a matter of a few hours instead of several days.

Edited by silentlarry

I'm curious as to why this keeps occurring?

Beats me. It's happening *again*.

X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5

X-spam-Level: **************

...and naturally, in my inbox.


Beats me. It's happening *again*.

X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5

X-spam-Level: **************

...and naturally, in my inbox.

Need to see headers it may be a whitelist problem :blush:

Parse the spam and paste a copy of the URL SpamCop puts at the top, like/similar to this one

http://www.spamcop.net/sc?id=z1218614373z8...724f436f7f3762z

