Messages not Filtered - Why?


Wazoo

One last thought: Maybe we need a FAQ entry for SpamCop Mail users, titled - "Why are these messages slipping past SpamCop's filters?" Granted the answer is complicated, but it could cover the basics regarding how to look at the headers to see what IPs were examined by SpamCop, what score SA gave it, and whether or not the user had it whitelisted.

PeterJ

And the follow-up question ... might you want to try your hand at writing something up for this FAQ entry?

Ok, here is what I have for starters. I need Email users to help me correct it now. SteveUnderwood you have a mail account I know for sure. Anyone who can help revise what I have here, that would be great.

PeterJ :)

Edited 6/25/04 to include info from SteveUnderwood

=============================================

There are 4 primary reasons why email received by your SpamCop email account may be 'slipping past' the provided filters:

1) The available filters may not be selected or may be misconfigured for your account.

Resolution:

To double check your filtering settings please log into SpamCop's web mail, then click: Options>>SpamCop Tools>>Select your email filtering blacklists. The resulting screen provides you with the means to turn on and off SpamAssassin filtering, set a "SpamAssassin Limit", and select the blacklists you would like to use. Bear in mind that even with SpamAssassin and all blacklists turned off, the SpamCop mail service still adds at least the following headers to your email:

X-spam-Checker-Version:

X-spam-Level:

X-spam-Status:

X-SpamCop-Checked:

2) The whitelist for your SpamCop email account contains the domain or email address indicated in the "From:" header of the received message and therefore it was routed to your inbox.

Resolution:

When SpamCop does get a match contained within your whitelist it adds the header "X-SpamCop-Whitelisted:" to the message displaying the specific whitelist entry. The following example shows how a whitelisted email address is displayed in the headers:

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level:

X-spam-Status: hits=0.0 tests=none version=2.63

X-SpamCop-Checked: 192.168.1.101 66.163.170.83 192.168.33.48 69.208.67.198

X-SpamCop-Whitelisted: yourname[at]spamcop.invalid

Check the headers of the message you received in your inbox to see if they contain the "X-SpamCop-Whitelisted:" header and then determine if you want or need to modify your whitelist.

To modify your SpamCop whitelist settings please log into SpamCop's web mail, then click Options>>SpamCop Tools>>Manage your personal whitelist. The resulting screen provides you with the means to add and delete entries from your whitelist.

(Note that it is possible to have both the "X-SpamCop-Whitelisted:" and "X-SpamCop-Disposition:" headers in the same message. When this occurs, since there was a match with a white list entry the message is routed to your inbox.)

3) None of the IP addresses that SpamCop examined in the headers of the message you received were represented in any of the blacklists that you currently have turned on for your account.

Resolution and Explanation:

When SpamCop holds a message because it matches one of your selected blacklists it adds "X-SpamCop-Disposition:" to the headers of the message. This indicates which blacklist (or if it was SpamAssassin) caused the message to be held. The following is an example where 200.165.15.10 tripped the Brazil blacklist and caused the message to be held.

X-SpamCop-Checked: 192.168.1.213 200.165.15.10

X-SpamCop-Disposition: Blocked brazil.blackholes.us

(Note that when there is a blacklist specified in the "X-SpamCop-Disposition:" line, the last IP listed on the "X-SpamCop-Checked:" line is the IP that was found in the blacklist.)

If a message arrived in your inbox it should not contain the "X-SpamCop-Disposition:" header (unless it also contains the "X-SpamCop-Whitelisted:" header. See section 2 of this FAQ.) The message will have the header "X-SpamCop-Checked:" that indicates all the IP addresses SpamCop checked against your selected blacklists. Possible resolutions include reporting the spam message that slipped through in an effort to get the IP address listed in SpamCop's blacklist, reviewing the blacklists you have enabled for your account, or double-checking the headers to see if SpamCop missed the responsible IP address. It is possible that the IP address responsible for sending the message was added to SpamCop's blacklist after you received it. In this case, as long as the IP address remains on SpamCop's blacklist and you have elected to use the SpamCop blacklist, future mails from this IP address will be routed to your "Held Mail" folder.

4) The SpamAssassin score computed for the message is lower than the "SpamAssassin Limit" you have set in your SpamCop Email account settings.

Resolution and Explanation:

Description of SpamAssassin as taken from SpamCop's web mail interface:

SpamAssassin checks your incoming mail against a variety of rules and assigns a spam score. The higher the score, the more likely it is that this email is spam. This option is recommended, as it can help block the few spams that the SpamCop blacklist won't block. Start with a score of 5 and adjust up or down as needed. A lower score will catch more spam, but will catch a few more legit emails.

--Headers related to SpamCop's SpamAssassin implementation--

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade2.cesmail.net

X-spam-Level: **

X-spam-Status: hits=2.6 tests=FORGED_YAHOO_RCVD,FROM_NO_USER,

HTML_FONTCOLOR_UNKNOWN,HTML_FONT_INVISIBLE,HTML_MESSAGE,NO_REAL_NAME

version=2.63

X-SpamCop-Checked: 192.168.1.213 200.165.15.10

X-SpamCop-Disposition: SpamAssassin

X-spam-Checker-Version: Indicates the SpamAssassin version in use, blade server that mail passed through (and date installed/upgraded?)

X-spam-Level: The number of asterisks matches the "hits" number from "X-spam-Status:" (rounded down)

X-spam-Status: Indicates the score that was computed as the "hits" number for this particular message and the tests that were positive and contributing towards the overall score. Note that it is possible for a "hits" number to be negative and also that the individual scores of each test are not displayed but are configurable by administration if needed. In the above example the numbers assigned to the individual tests listed add up to 2.6.

X-SpamCop-Checked: The IP addresses that SpamCop checked against your selected blacklists (if any), not relevant to SpamAssassin.

X-SpamCop-Disposition: Indicates the reason why SpamCop held your mail. If this line indicates SpamAssassin then the "SpamAssassin Limit" setting for your account is less than or equal to the "hits" number indicated on the "X-spam-Status:" header line.

An example of a possible message arriving in your inbox:

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade2.cesmail.net

X-spam-Level: **

X-spam-Status: hits=2.6 tests=FORGED_YAHOO_RCVD,FROM_NO_USER,

HTML_FONTCOLOR_UNKNOWN,HTML_FONT_INVISIBLE,HTML_MESSAGE,NO_REAL_NAME

version=2.63

X-SpamCop-Checked: 192.168.1.213 200.165.15.10

Using the above example, let’s assume that your "SpamAssassin Limit" is set to "3." After checking the headers of the message you can see that SpamAssassin only gave the message a score of "2.6" and since your limit is set at "3", the message was not routed to your "held mail" folder.

Possible resolutions include lowering the "SpamAssassin Limit" setting for your account or suggesting improvements to SpamCop's SpamAssassin rules/tests. Neither one of these resolutions by themselves is perfect. A balance between the number you choose as your "SpamAssassin Limit" and changes made to SpamAssassin by SpamCop administrators will always be the case. Beware that setting your "SpamAssassin Limit" too low, perhaps at "1", can result in increased false positives. Providing feedback and building consensus in SpamCop's Email forum is likely the best way to encourage SpamCop administrators to implement a custom rule or other desired change to SpamCop's SpamAssassin implementation.

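Added example, not part of the original posts and not SpamCop's own code: a small Python reader for the headers the FAQ draft above describes, reporting which of the four cases applies to a message. The function name `explain_delivery`, the `sa_limit` argument (your "SpamAssassin Limit", which is not recorded in the headers) and the sample messages, constructed from the header values quoted in the draft, are assumptions of this example.

```python
import re
from email import message_from_string

def explain_delivery(raw_headers, sa_limit):
    """Classify a message from the headers SpamCop adds.

    sa_limit is the account's "SpamAssassin Limit"; it is not in the
    headers, so the caller supplies it (assumption of this example).
    """
    msg = message_from_string(raw_headers)
    # Unfold X-spam-Status: the tests= list may continue on following lines.
    status = " ".join((msg.get("X-spam-Status") or "").split())
    status = re.sub(r",\s+", ",", status)
    hits_m = re.search(r"hits=(-?\d+(?:\.\d+)?)", status)
    tests_m = re.search(r"tests=(\S+)", status)
    no_tests = not tests_m or tests_m.group(1) == "none"
    info = {
        "hits": float(hits_m.group(1)) if hits_m else None,
        "tests": [] if no_tests else tests_m.group(1).split(","),
        "checked": (msg.get("X-SpamCop-Checked") or "").split(),
    }
    whitelisted = msg.get("X-SpamCop-Whitelisted")
    disposition = msg.get("X-SpamCop-Disposition")
    if whitelisted:  # a whitelist match routes to the inbox even if a hold is tagged
        info.update(folder="inbox", reason="whitelisted: " + whitelisted.strip())
    elif disposition and "SpamAssassin" in disposition:
        info.update(folder="held", reason="SpamAssassin limit reached")
    elif disposition:  # e.g. "Blocked brazil.blackholes.us"
        # The last checked IP is the one found in the named blacklist.
        listed = info["checked"][-1] if info["checked"] else None
        info.update(folder="held", reason=disposition.strip(), listed_ip=listed)
    elif info["hits"] is not None and info["hits"] >= sa_limit:
        info.update(folder="inbox",
                    reason="score at or over limit but not held: check filter settings")
    else:
        info.update(folder="inbox",
                    reason="no selected blacklist matched and score below limit")
    return info

# Constructed samples built from the header values quoted in the FAQ draft.
DELIVERED = (
    "X-spam-Status: hits=2.6 tests=FORGED_YAHOO_RCVD,FROM_NO_USER,\n"
    "\tHTML_FONTCOLOR_UNKNOWN,HTML_FONT_INVISIBLE,HTML_MESSAGE,NO_REAL_NAME\n"
    "\tversion=2.63\n"
    "X-SpamCop-Checked: 192.168.1.213 200.165.15.10\n\n")
HELD_BL = DELIVERED.replace(
    "\n\n", "\nX-SpamCop-Disposition: Blocked brazil.blackholes.us\n\n")
BOTH = ("X-SpamCop-Disposition: Blocked SpamAssassin=7\n"
        "X-SpamCop-Whitelisted: yourname[at]spamcop.invalid\n\n")
```

Paste the full headers of a message that slipped through, pass your own limit as `sa_limit`, and the `reason` field points at the section of the draft to read.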

(...unless the message also hit your whitelist? Is this true? Need help confirming this.)

I will keep an eye out for my whitelisted entries but knowing if they are on the blocklist at the same time is kind of hard. I'm thinking that there will be either a "X-SpamCop-Whitelisted:" or a "X-SpamCop-Disposition:" entry but not both.

double-checking the headers to see if SpamCop missed the responsible IP address. (Is this last one even possible?)

It is possible if the message came through before the IP address made it to the bl (or was in the process of making it to the bl).

Other than the above, everything seemed to work correctly.

"X-SpamCop-Whitelisted:" or a "X-SpamCop-Disposition:" entry but not both.

yeah, keep an eye out for this, I do not know if a message can have both or not.

Maybe this has been mentioned elsewhere but what we really need for the FAQs is a SpamCop Wiki! Anyone agree?

PeterJ

Well, we have our answer. Minutes after seeing your reply, I checked my messages and found this:

X-SpamCop-Disposition:  Blocked SpamAssassin=7

X-SpamCop-Whitelisted:  property.source[at]era.com 

So apparently it is possible (maybe likely if a host is on the bl a lot) to have both tags.

Wazoo, SteveUnderwood, and others:

I updated this possible FAQ today (6/25). I know everyone is distracted with the SpamCop website layout changes, no biggie. If any other SpamCop mail users have input please comment.

PeterJ

Should the stuff currently found at http://forum.spamcop.net/forums/index.php?showtopic=1543 be merged into this FAQ (and corrected)...

Wazoo, just to be clear, I took a stab at the correction based on how I read that post. Please correct anything that is wrong, incomplete, or vague. It's important to me that I understand the order and how the various "actions" are being performed. Thanks.

[White/black listing and the “blocking lists” are server rules, and thus are applied regardless of how you obtain your mail (unless overridden by a whitelist rule in the webmail interface :unsure:). The additional filters are client based. Client based rules only kick in if the mail is picked up through the webmail interface. These are filters the user can create to move messages around between the various folders on the server.

If you POP, IMAP or forward SC mail, only the blocking list rules apply. If mail is picked up through webmail, the user defined filter rules also are applied and are applied first.]

Gary.ds .... Thanks for the shot. Most definitely, it cleans up that block of description. It was a great read, up until the last sentence ... it's one of those "I think I know what you mean" but .... I think I died at the last three words "are applied first" ...

How about a bit of a format change and a snip of some content ...

If you POP, IMAP or forward SC mail, only the blocking list rules apply.

If mail is picked up through webmail, the user defined filter rules are applied first, then the blocking list rules are applied.

This is offered by one that doesn't use the e-mail side of the house, so is thus speaking with ignorance showing <g>

If you POP, IMAP or forward SC mail, only the blocking list rules apply.

I think it would read better as

If you POP, IMAP or forward SC mail, only the selected blocking lists as modified by the white list apply.

Note: the blocking lists are made up of the following groups:

1) Block All (this will block all mail unless the sender is listed in your white list)

2) Tag only (no mail is blocked, but the header is tagged as spam to allow for local filtering on your client machine)

3) SpamAssassin with an adjustable score limit (the higher the number, the less spam will be blocked; the lower the number, the more good mail will be blocked)

4) DNS Blacklists (a group of independent blacklists not associated with SpamCop)

They are individually selectable but are not adjustable.

5) Your personal Blacklist.

Note: all of the above are found under "Options" "Mail Management" then "Spamcop Tools"

Any comments?

Note: edit per Wazoo suggestion 7-3-04 shown in green

Note: additional edits 7-3-04 shown in red

The line "(only white listed mail will be sent)" I think needs to be changed a bit .... I see "sent" as only being a part of "Forwarded" .. vice POPing and IMAP, which is more like a Download ... and I'm thinking that most of this bears on the movement of e-mail from the InBox to the Held Folder??? Again, professing a lot of ignorance here ....

Copied from another thread.

Somewhat different information

You can whitelist "To" information???

Whitelisting based on "To" entry

The reason I ask, is that LISTSERV sends its messages out with a consistent "To" address, which you can indeed whitelist.

Go to Options / SpamCop Tools / Manage your personal whitelist, click on "click here to add to your whitelist" and put the list address in the first box and click on "Submit." To be doubly-sure, you might want to add an entry for "LISTSERV.LOUISVILLE.EDU" -- it won't hurt. I've done that with my own LISTSERV subscriptions from Indiana.edu, and when I receive a message from one of those lists, there's a header line like this:

X-SpamCop-Whitelisted: listserv.indiana.edu

That's how you'll know for sure that it's working.

  • 3 weeks later...

Useful information, and clarified some issues in my mind - thanks.

My average is about 200 spams a day trapped by Spamcop, and about 100 genuine e-mails that are unhindered, so it's pretty good.

There are usually about five Spams a day that get by - predominantly for fake Rolex watches, and usually from apparently genuine sources. Quite often these are sent to my spamcop.net address - the one I use for newsgroup postings - so the sender is clearly confident of bypassing the Spamcop filters (not many spammers seem to write to my Spamcop address).

The most recent one (fake Rolex again) had a SpamAssassin score of 1.8, if that's of any significance. It also included a very large chunk quoted from a book (Mrs Zant and the Ghost, by Wilkie Collins), presumably to fox any content filters. Since I was reading the mail while on the road, over a GPRS link, it cost me something over $1 to download this one, so I'd be very happy if Spamcop could find a way to trap these "dictionary quoters". (I know, I should have turned on the message length trap on Mozilla, but I was tired and I forgot).

Any hope of a fix for these?

  • 3 years later...

Useful information, and clarified some issues in my mind - thanks.

The most recent one (fake Rolex again) had a SpamAssassin score of 1.8, if that's of any significance. It also included a very large chunk quoted from a book (Mrs Zant and the Ghost, by Wilkie Collins), presumably to fox any content filters. Since I was reading the mail while on the road, over a GPRS link, it cost me something over $1 to download this one, so I'd be very happy if Spamcop could find a way to trap these "dictionary quoters". (I know, I should have turned on the message length trap on Mozilla, but I was tired and I forgot).

Any hope of a fix for these?

http://mailsc.spamcop.net/mcgi?action=gett...rtid=2726247760

Would help if you included a SpamCop Tracking link

You have GreyListing enabled?

Very rarely does spam get through SpamCop filters for me, and my SpamCop email is my main email address. I use Hotmail for my compulsory sign-up stuff that I do indeed sign up for.

Archived

This topic is now archived and is closed to further replies.
