SpamAssassin v3.1.0 on one spam, and v.3.1.1 on another?

[DavidT]

Beats me. It's happening *again*.

X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5

X-spam-Level: **************

...and naturally, in my inbox.

What's happening again? The phenomenon we've sometimes complained about in this thread is when one or more of the email servers stops doing any SA testing on incoming messages, which winds up with headers lines like this:

X-spam-Level:X-spam-Status: hits=0.0 tests=none version=3.1.0

but your "X-spam-Level" line isn't empty, so I don't know what you're trying to tell us. Sure, if your config is set to route SA flagged stuff into your Held Mail, then that one shouldn't have made it to your inbox, and I'm not seeing anything arriving in my inbox with SA scores above my threshhold, so I'd agree that you should take a thorough look at your whitelisting situation (it should be mentioned in the headers, toward the bottom).

DT

[djtodd]

I was under the assumption that since it was reporting v3.1.1, while it was being checked it wasn't being checked "properly" ... I'm kinda bewildered as to why a '********' level message wasn't blocked when I have the SA level set at 4.

Can't tell you any more about that particular spam, it's long gone. But it shouldn't have hit any of my whitelisted addresses, and it was a Russian cyrillic spam from one of the (should be completely blacklisted IMHO) european ISPs. arcor.de or something.

Next time I encounter one like this I'll triple check the headers and look for the whitelisting information. This is what I get for posting at 3am.

[StevenUnderwood]

Can't tell you any more about that particular spam, it's long gone. But it shouldn't have hit any of my whitelisted addresses

How can you tell that without the spam? Spammers usually forge large domains and often your own adress as the spammer. Unless you have NO whitelisted entries, this is quite probably the reason it was in the Inbox.

[djtodd]

How can you tell that without the spam? Spammers usually forge large domains and often your own adress as the spammer. Unless you have NO whitelisted entries, this is quite probably the reason it was in the Inbox.

Got a different one this morning, and yup. They've forged my own address.

http://www.spamcop.net/sc?id=z1220452712z1...584b8727113757z

That being said though, this one doesn't seem to have been checked:

(or am I reading the headers wrong, and this has a score of zero?)

http://www.spamcop.net/sc?id=z1220453153ze...46926d26fd76e1z

[DavidT]

Got a different one this morning, and yup. They've forged my own address. That being said though, this one doesn't seem to have been checked:

(or am I reading the headers wrong, and this has a score of zero?)

1. It's not a good idea to whitelist your own address, for this very reason.

2. You're reading the headers wrong. The score was "0.3" which isn't enough to display an "*" on the "X-spam-Level:" line. It has to be above 1.0 for that to happen.

DT

[btech]

How can you tell that without the spam? Spammers usually forge large domains and often your own adress as the spammer. Unless you have NO whitelisted entries, this is quite probably the reason it was in the Inbox.

I've seen some come through that show "tests=none", but clearly had words and phrases that would have been caught with SpamAssassain. I can't find any in my past reports, but here is an example that I posted on the 26th: http://forum.spamcop.net/forums/index.php?...7388&st=40#

[btech]

Got one today.

http://www.spamcop.net/sc?id=z1229804148zb...319fdb40e0ef58z

Return-Path: <donagh[at]bakerdrywall.com>

Delivered-To: x

Received: (qmail 10295 invoked from network); 19 Feb 2007 19:47:02 -0000

X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade2.cesmail.net

X-spam-Level:

X-spam-Status: hits=0.0 tests=none version=3.1.1

Received: from unknown (192.168.1.103)

by blade2.cesmail.net with QMQP; 19 Feb 2007 19:47:02 -0000

Received: from unknown (HELO bakerdrywall.com) (81.193.50.87)

by mx53.cesmail.net with SMTP; 19 Feb 2007 19:47:01 -0000

Message-ID: <01c7__________________c151[at]f4e3b577f2294e4>

Reply-To: "Ewald Keegan" <donagh[at]bakerdrywall.com>

From: "Ewald Keegan" <donagh[at]bakerdrywall.com>

Why were no tests run? This message was delivered to my inbox (and no, that domain/email is not whitelisted), but it's CLEARLY a med spam that is caught all the time by S.A.

[DavidT]

Why were no tests run?

The message in question does seem to have been run through SpamAssassin, but without any "hits" resulting in a "tests" value of "none" and a null "spam-Level." I've seen a lot of similar "misses" slipping through to my inbox lately, but I think all it means is that the attributes of the given items didn't trigger any of the "tests" that are configured on SpamCop's implementation of SA.

DT

[StevenUnderwood]

Why were no tests run? This message was delivered to my inbox (and no, that domain/email is not whitelisted), but it's CLEARLY a med spam that is caught all the time by S.A.

As DavidT states, tests were run, none matched.

BTW, did you modify the link before submitting it?

Replace "-" with "." in the above link to make it working.

That is against SpamCop's rules.

[btech]

I see how it slipped through now...

VIArrGRA $3. 35

VALrrIUM $1. 25

CIArrLIS $3. 75

XArrNAX

SOrrMA

They used 'r', whereas S.A. catches when 'x' is used, which I saw in an earlier report that was caught. And no Steven, I don't alter my reports. I don't know why the spammers type that crap in there, because the links I've received are unaltered.

[silentlarry]

>Replace "-" with "." in the above link to make it working.

BTW, did you modify the link before submitting it?

That is against SpamCop's rules.

I've been getting phamacrap for several weeks just like this one, spammys breaking their own urls.

I run the correct url thru separately and add the abuse addresses to the spam report with fixed url in user comments.

One might cite this as evidence that reporting URLs is having effect. But then perhaps this might have to do with avoiding content based filters instead? Aye dunno.

[DavidT]

One might cite this as evidence that reporting URLs is having effect. But then perhaps this might have to do with avoiding content based filters instead?

I think it's more the latter than the former. Systems using Barracuda spam Firewalls are heavily quarantining and blocking messages based on the URLs contained in the message bodies (much of my incoming mail runs through a Barracuda). The spammers want to make sure that more of their messages are actually received, but it seems this method would have questionable success, in that the gullible victim doesn't simply have to click on something or enter a simple URL in their browser, but they would additionally have to "fix" a broken URL.

DT

[Wazoo]

Hard to imagine that the larger spammers aren't also attending the same trade shows, reading the same press releases, trying out the same software as the anti-spam folks. And just to leep things 'in-house' ... one of the latest IronPort Press Releases ....

IronPort Systems Adds URL Filtering to World's Most Advanced Web Security Appliance

The noted "spammer used 'this' instead of 'that' in the last spam run" was pretty much addressed a while back in a posting made into a FAQ entry here ..... Software Development Life Cycle principles for spam

[Firefly]

filter7 is not doing SpamAssassin filtering today.

[DavidT]

filter7 is not doing SpamAssassin filtering today.

Quite correct. I'll send a note to JT, but it would be helpful if others did, just to make sure he gets the message.

DT

[DavidT]

Looks like JT got my note, because the SpamAssassin process on the "filter7" SC mail server was working again by Saturday evening. Prior to that, it had allowed multiple spams through to my inbox, and some of the items in my Held mail had to be caught by secondary techniques, such as RBLs. I'm a little bit surprised by the lack of other user comments here (other than Firefly, who first reported it). Traffic in this forum seems to have slowed to a crawl, but that's just an impression, as opposed to any real analysis.

DT

[StevenUnderwood]

Looks like JT got my note, because the SpamAssassin process on the "filter7" SC mail server was working again by Saturday evening. Prior to that, it had allowed multiple spams through to my inbox, and some of the items in my Held mail had to be caught by secondary techniques, such as RBLs. I'm a little bit surprised by the lack of other user comments here (other than Firefly, who first reported it). Traffic in this forum seems to have slowed to a crawl, but that's just an impression, as opposed to any real analysis.

DT

I saw the message, but had no proof to back it up or shoot it down. All messages I had went through other servers and had SA headers. I rarely have any spam that is not caught by the SA settings.

[DavidT]

I rarely have any spam that is not caught by the SA settings.

This is fairly true for me, also, as long as SA is actually running on all the servers. In this case, both "firefly" and I received messages that proved otherwise, which is why we posted here. I think there are fewer SC email users currently using this forum, because when this has happened in the past, there has generally been more activity here.

DT

[Firefly]

I don't tend to post here much unless I see a problem. Most of the traffic deals with issues I can't help much with. I do pop in once a week or so to see what's new.

And yes, I was getting quite a bit of mail slipping through the filters, all from filter7. Since I had seen this behavior twice in the past (and knew about this thread), I knew what to look for.

What's not clear to me is how I'm supposed to report problems. What is the correct way to "send a note to JT"?

I'd guess that the majority of SC users are unaware of the forum. People are directed here when they look at the online help. There was, for a short time, a SC newsletter that went out. I wouldn't mind seeing that resurrected.

[silentlarry]

... I'm a little bit surprised by the lack of other user comments here (other than Firefly, who first reported it). Traffic in this forum seems to have slowed to a crawl, but that's just an impression, as opposed to any real analysis.

Yesterday I had a bunch of filter7 email had no SA headers as well. But it sounded like you had it covered, I didn't figure a "me too" was helpful.

That, and for some reason my spam has really dwindled as of late, so I did not get leaked on. (I hate it when I get leaked on!) I didn't notice the problem until you pointed it out. So, low motivation to squawk.

There was talk on the last go-round that they would look into setting up automated monitoring to alert them when a server did not have SA process running. I wonder how far that got?

L

[DavidT]

There was talk on the last go-round that they would look into setting up automated monitoring to alert them when a server did not have SA process running. I wonder how far that got?

Me too. Maybe it was implemented, but since this happened on a Saturday, anyone who could have responded might have been out fishing, or at a NASCAR event, or....? :-)

DT

[DavidT]

SA on filter7 is down again! The following headers are missing from the last few messages I received that came through filter7:

X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter7

X-spam-Level:

Same issue as before...guess I'll drop a note to JT....he never responded to the previous one, BTW. :-(

DT

[DavidT]

three hours later and filter7 is still not running SA...looks like that purported "automatic" notification and/or restart of the SA process isn't happening

BTW, I think I've pretty much proved the point about dwindling use of this venue...back "in the day," when something like this would go wrong, you'd typically see multiple SC Email users bop in here, each starting their own thread. :-)

Wazoo? maybe you can call your super-duper-secret phone number and get JT's attention...

dt

[DavidT]

still broken....here's what was posted back in January on the rather sparse email system "News" page:

[17:38 EST] Over the weekend, two of our filtering servers stopped doing SpamAssassin scanning on the email going through them. This unfortunately let a lot more spam through than usual. The problem is fixed now and we are investigating how to monitor and alarm on this condition so it won't happen again.

Hello?

dt

[StevenUnderwood]

BTW, I think I've pretty much proved the point about dwindling use of this venue...back "in the day," when something like this would go wrong, you'd typically see multiple SC Email users bop in here, each starting their own thread. :-)

I think filter7 is your personal mail server because I have not received any email from that server in at least several days.