kenh

[Resolved] High Spam Score Not Blocked - Why?

I keep getting spam, usually for investment scams, with something like

"Subject: [spam:******* 7.0 SpamScore] Investment Strategy" in the subject line.

Within the header is something like "X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore".

If the score is this high and the probability is 99.99%, why isn't this stuff being blocked?

I have my options set to block anything of 5 or higher.

:angry: Ken

Edited by kenh


Show us all the X-headers from the message, there is usually one that gives the reason why it was or was not blocked.


As Telarin states, there should be a header line .. usually, it's noted that the e-mail was whitelisted in a case like this.

I keep getting spam, usually for investment scams, with something like

"Subject: [spam:******* 7.0 SpamScore] Investment Strategy" in the subject line.

Within the header is something like "X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore".

If the score is this high and the probability is 99.99%, why isn't this stuff being blocked?

I have my options set to block anything of 5 or higher.

And to add another data point, those headers (subject change or x-canit...) are not added by spamcop and not looked at by spamcop. We need the headers asked for to see what spamcop is scoring the message. I understand managers of SpamAssassin systems can set the scores for each test to whatever they feel is best.

X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore

I may be wrong but I don't believe that the 'X-CanIt-Tag-Reason' tag is related to SpamCop Email. You need to check the 'X-SpamCop-Disposition' value which will tell you what the SpamAssassin score is for the particular message.

I have mine set at a trigger value of 2 and this works well with very few false positives. That said I'm considering moving to a value of 3 to see if this makes any difference.

Andrew


Here is the complete header on one of these pieces of spam. I have x'd out my e-mail address.

X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade1
X-spam-Level: *
X-spam-Status: hits=2.0 tests=SARE_CSNUMTAG,SARE_RMML_Stock4,
    UNPARSEABLE_RELAY version=3.1.1
Received: from unknown (192.168.1.101)
    by blade1.cesmail.net with QMQP; 9 Nov 2006 19:32:10 -0000
Received: from mail.directus.net (HELO directus.net) (68.142.68.26)
    by mailgate.cesmail.net with SMTP; 9 Nov 2006 19:32:10 -0000
Received: from SMTP32-FWD by xxxx.xxx
    (SMTP32) id A823E01B30000EF7C; Thu, 9 Nov 2006 14:32:14 -0500
Received: from canit.directus.net [68.142.68.43] by directus.net with ESMTP
    (SMTPD-8.20) id A23E07C8; Thu, 09 Nov 2006 14:32:14 -0500
Received: from -1214940928 (88-104-5-9.dynamic.dsl.as9105.com [88.104.5.9])
    by canit.directus.net (8.13.4/8.13.4) with SMTP id kA9JqXxs005244
    for <xxxx[at]xxxx.xxx>; Thu, 9 Nov 2006 14:52:39 -0500
Received: from ghanareview.com (-1214534096 [-1214539128])
    by gerrytanner.com (Qmailv1) with ESMTP id DFDEE3011A
    for <xxxx[at]xxxx.xxx>; Thu, 09 Nov 2006 14:30:03 -0600
Date: Thu, 09 Nov 2006 14:30:03 -0600
From: "Bloomer S. Gucci" <extstp[at]ghanareview.com>
X-Mailer: The Bat! (v2.00.2) Personal
X-Priority: 3
Message-ID: <5809710179.20061109143003[at]ghanareview.com>
To: Pwrr <xxxx[at]xxxx.xxx>
Subject: [spam:******* 7.0 SpamScore] Investment Strategy
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by AMaViS perl-11 mion
X-Bayes-Prob: 0.9999 (Score 5)
X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore
X-CanItPRO-Stream: 12_Moderate
X-Canit-Stats-ID: 8221572 - 8e91405497db
X-Scanned-By: CanIt (www . roaringpenguin . com) on 68.142.68.43
X-SpamCop-Checked: 192.168.1.101 68.142.68.26 68.142.68.43 88.104.5.9

Ken

Subject: [spam:******* 7.0 SpamScore]

X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore

X-CanItPRO-Stream: 12_Moderate

X-Canit-Stats-ID: 8221572 - 8e91405497db

X-Scanned-By: CanIt (www . roaringpenguin . com) on 68.142.68.43

X-SpamCop-Checked: 192.168.1.101 68.142.68.26 68.142.68.43 88.104.5.9

I'm not sure where the [spam:******* 7.0 SpamScore] is being inserted but not by the SpamCop Email system - looks like roaringpenguin.com

I don't see, in the headers, a SpamAssassin score so that will be why the message isn't picked up by the SpamCop system.

You seem to have spam checking going on in SpamCop Email and roaringpenguin.com. In this case roaringpenguin has identified the spam item and the SpamCop SpamAssassin filters have not.

Andrew


I don't see, in the headers, a SpamAssassin score so that will be why the message isn't picked up by the SpamCop system.

Andrew: The SpamAssassin headers are at the top of the headers now from spamcop:

X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade1

X-spam-Level: *

X-spam-Status: hits=2.0 tests=SARE_CSNUMTAG,SARE_RMML_Stock4,UNPARSEABLE_RELAY version=3.1.1

This message only scored 2.0 on SpamCop's system.

Andrew: The SpamAssassin headers are at the top of the headers now from spamcop:

This message only scored 2.0 on SpamCop's system.

Things keep moving around :-) But a score of 2 was below the OP's threshold so definitely the reason it hasn't been caught.

Andrew


I'm not sure where the [spam:******* 7.0 SpamScore] is being inserted but not by the SpamCop Email system - looks like roaringpenguin.com

I don't see, in the headers, a SpamAssassin score so that will be why the message isn't picked up by the SpamCop system.

You seem to have spam checking going on in SpamCop Email and roaringpenguin.com. In this case roaringpenguin has identified the spam item and the SpamCop SpamAssassin filters have not.

Andrew

I have no idea where the Roaring Penguin info is coming from. Perhaps it is my ISP but I don't know for sure. I have Spamcop set to a SpamAssassin score of 5 so it should be picking up this garbage too??????? :(

Ken

Edited by kenh

Andrew: The SpamAssassin headers are at the top of the headers now from spamcop:

<snip>

This message only scored 2.0 on SpamCop's system.

<snip> [A] score of 2 was below the OP's threshold so definitely the reason it hasn't been caught.

Andrew

...Thus I shall assume this resolves the OP's inquiry and so mark the thread.

[A] score of 2 was below the OP's threshold so definitely the reason it hasn't been caught.

Andrew

...Thus I shall assume this resolves the OP's inquiry and so mark the thread.

I would think that if Roaring Penguin rates something as a 7 and a 99.99 percent probability that it is spam, SpamAssassin should also give it a high score. How are the criteria for SpamAssassin established?

I just went to the Roaring Penguin website and it says their software is based upon SpamAssassin. How then can the ratings be so different???? Now I am really confused.

Ken

Edited by Wazoo


It is up to the admin that configures SpamAssassin as to what score it associates with particular criteria. Roaring Penguin may have their own BL that they are pulling data from, or they may simply score particular attributes higher.

If you have SpamAssassin set to 5, then it will filter messages scored 5 and ABOVE. You would need to set it to 2 to catch that particular message, which may cause you problems with false positives. You might want to just lower it gradually to see what works best for you.


I have no idea where the Roaring Penguin info is coming from. Perhaps it is my ISP but I don't know for sure. I have Spamcop set to a SpamAssassin score of 5 so it should be picking up this garbage too??????? :(

No, because the SC SpamAssassin check gave a score of 2 - below the threshold you set within SC Email.

I just went to the Roaring Penguin website and it says their software is based upon SpamAssassin. How then can the ratings be so different???? Now I am really confused.

The thing is, each company can set up their own scoring systems within SpamAssassin so RoaringPenguin could be applying entirely different checks to SC Email - hence a different score.

As you know, some spam does filter through most checking services - the aim is to reduce this to a minimal, easily managed level. Selecting a good split of BLs plus a SpamAssassin score of 3 typically catches 98% of spam - at least for me.

Andrew
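
Added example, not part of the thread or any poster's code: it pulls each filter's score out of the headers Ken posted and compares only SpamCop's own SpamAssassin score with the user's threshold, which is the behaviour the replies describe. The function names, labels and the `>=` comparison are assumptions of this example; the sample is a constructed subset of the posted headers.

```python
import re
from email import message_from_string

# Constructed sample: a subset of the headers posted in this thread,
# with the X-spam-Status header folded across two lines.
SAMPLE = (
    "X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade1\n"
    "X-spam-Status: hits=2.0 tests=SARE_CSNUMTAG,SARE_RMML_Stock4,\n"
    "\tUNPARSEABLE_RELAY version=3.1.1\n"
    "Subject: [spam:******* 7.0 SpamScore] Investment Strategy\n"
    "X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore\n"
    "\n"
)

# Lower-cased header name -> (label, regex capturing that filter's score).
# The labels are this example's own naming.
SCORE_HEADERS = {
    "x-spam-status": ("SpamCop SpamAssassin", r"hits=(-?\d+(?:\.\d+)?)"),
    "x-canit-tag-reason": ("CanIt", r"score\s*=\s*(-?\d+(?:\.\d+)?)"),
}

def filter_scores(raw_headers):
    """Return {label: score} for every scoring header present."""
    scores = {}
    for name, value in message_from_string(raw_headers).items():
        entry = SCORE_HEADERS.get(name.lower())
        if entry is None:
            continue
        label, pattern = entry
        # A folded header keeps its line break; collapse it before matching.
        match = re.search(pattern, " ".join(value.split()))
        if match:
            scores[label] = float(match.group(1))
    return scores

def explain(raw_headers, threshold, deciding="SpamCop SpamAssassin"):
    """Compare only the deciding filter's score with the threshold."""
    scores = filter_scores(raw_headers)
    lines = [f"{label}: {score} ({'decides' if label == deciding else 'not consulted'})"
             for label, score in scores.items()]
    held = scores.get(deciding, 0.0) >= threshold
    lines.append(f"threshold {threshold}: {'held' if held else 'delivered'}")
    return held, lines

if __name__ == "__main__":
    for threshold in (5, 2):
        print("\n".join(explain(SAMPLE, threshold)[1]))
```
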
