SC Mail not filtering much to the 'Held' folder?


Anyone else noticed an influx of spam being delivered to your inbox? Last night alone, 20 of my 30 new messages were spam. On first glance, it doesn't appear SpamAssassin is hitting the usual words like 'pharmacy'.

Examples:

http://www.spamcop.net/sc?id=z3109831437z1...d4a66119fce08fz

http://www.spamcop.net/sc?id=z3109833967za...319eb848be783fz


Anyone else noticed an influx of spam being delivered to your inbox?

No, not especially. Now I do make use of the grey-list option, so the vast bulk of spam never even reaches the filtering stage. But the remainder seems to have been appropriately filtered.

Andrew


man... out of 70 messages in my inbox, 50 were spam.

Shouldn't this one have been snagged? It has words that I normally see hitting: http://www.spamcop.net/sc?id=z3115129192z1...b7ddb94687143fz

And this one... spam level 0?! It says 'drugs', 'medications' and 'pharmacy' in the body. Certainly something must be awry: http://www.spamcop.net/sc?id=z3115134554zb...a9ad7a1d359e9ez

... but I wonder if I'm also being flooded... I had 260 messages, all seemingly about pharma, in 12 hours, which is about 2x what I'm used to in that period.


...Certainly something must be awry: ...
Doesn't seem like very effective filtering, to be sure, Brandon. Unfortunately it is a matter of "needle in a haystack" for other users to compare notes on their experience with those spam or anything similar. But your settings don't seem to register suspect words at all? Not a user, but that doesn't seem quite right.

man... out of 70 messages in my inbox, 50 were spam.

We could be comparing oranges with lemons... Which block lists do you have enabled? What is your SpamAssassin trigger level? Do you have grey listing enabled? What addresses do you have in your personal white list? In particular have you added your own address(es) to the white list (even inadvertently)?

All these things could change things for you.

Andrew


Which block lists do you have enabled? What is your SpamAssassin trigger level? Do you have grey listing enabled? What addresses do you have in your personal white list? In particular have you added your own address(es) to the white list (even inadvertently)?

I have all lists enabled, greylisting is NOT enabled and none of my personal addresses are on my white lists (I learned that lesson in the past with the TO/FROM spoofing). My SA level is 4, but the issue has never been the SA level... I see several words in these sample messages that should be hitting and raising the SA level, but they're all from 0-1.5, which I find very peculiar. I also find it peculiar that this issue started 3 or so days ago, when the same type of messages would previously be caught by SA and placed in the 'held' folder.

But your settings don't seem to register suspect words at all? Not a user, but that doesn't seem quite right.

Exactly what raised some concern for me. I'm receiving a higher than usual volume of spam, but there are instances where identical messages are being delivered... 1 to the 'held' folder and 1 to the inbox. Prima facie, that looks like an issue with SA.

Here's one that appears to have 1.7 hits, but words like 'replica' (used twice), 'watches' and 'luxury' didn't hit. I thought they were all words that SA would catch in the past: http://www.spamcop.net/sc?id=z3118665302zf...26f401196684faz


I have all lists enabled, greylisting is NOT enabled and none of my personal addresses are on my white lists (I learned that lesson in the past with the TO/FROM spoofing). My SA level is 4, but the issue has never been the SA level... I see several words in these sample messages that should be hitting and raising the SA level, but they're all from 0-1.5, which I find very peculiar. I also find it peculiar that this issue started 3 or so days ago, when the same type of messages would previously be caught by SA and placed in the 'held' folder.

Exactly what raised some concern for me. I'm receiving a higher than usual volume of spam, but there are instances where identical messages are being delivered... 1 to the 'held' folder and 1 to the inbox. Prima facie, that looks like an issue with SA.

Here's one that appears to have 1.7 hits, but words like 'replica' (used twice), 'watches' and 'luxury' didn't hit. I thought they were all words that SA would catch in the past: http://www.spamcop.net/sc?id=z3118665302zf...26f401196684faz

Greylisting is now needed to effectively stop spam.

Any properly configured email system will resend email appropriately and pass through greylisting.

Big trouble is that there are people guising as anti-spammers out to destroy any effective method of stopping spam. Anyone remember Margie.Huey etc.? They were VERY knowledgeable about mail systems and were very vocally against any effective system being used to stop spam (ORBS, SpamCop for instance), always "joining" groups (NANE) that were effective and convincing others that making them ineffective is the way to go.

They seem to be effective. SpamCop seems now reluctant to block delinquent mailservers that do/are not acting on spam/abuse reports. So personal blacklists and whitelists are becoming more important to create and use.

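To make the greylisting mechanism discussed above concrete, here is an added example (not SpamCop's code) of the decision a greylisting MTA makes per delivery attempt: an unknown (sender, recipient, client IP) triplet is deferred with a temporary rejection, a retry after the delay is accepted, and anything that never retries is simply forgotten. The 30-minute delay and 36-hour lifetime are assumptions; note that, as a later post points out, a real mail server that is sending spam will retry and pass just the same.

```python
# Added example (not SpamCop's code): a minimal greylisting decision, the
# mechanism the thread describes. The first delivery attempt from an unknown
# (sender, recipient, client IP) triplet gets a temporary SMTP rejection; a
# properly configured MTA retries after a delay and is then accepted, while
# most spam bots never come back. Delay and lifetime values are assumptions.
GREY_DELAY = 30 * 60       # seconds a triplet must wait before a retry is accepted
TRIPLET_TTL = 36 * 3600    # forget a triplet that never retries

class Greylist:
    def __init__(self, delay=GREY_DELAY, ttl=TRIPLET_TTL):
        self.delay = delay
        self.ttl = ttl
        self.pending = {}   # triplet -> time of first attempt
        self.known = set()  # triplets that have retried successfully

    def check(self, sender, recipient, client_ip, now):
        """Return 'accept' or 'defer' (SMTP 451) for one delivery attempt."""
        key = (sender.lower(), recipient.lower(), client_ip)
        if key in self.known:
            return "accept"
        first = self.pending.get(key)
        if first is None or now - first > self.ttl:
            self.pending[key] = now      # new (or expired) triplet: defer it
            return "defer"
        if now - first >= self.delay:
            self.known.add(key)          # retried after the delay: let it in
            del self.pending[key]
            return "accept"
        return "defer"                   # retried too soon

def simulate():
    """Constructed scenario: a real MTA retries after 45 minutes and passes;
    a bot that only retries seconds later, or never, stays deferred."""
    g = Greylist()
    mta = ("list@example.com", "me@example.org", "192.0.2.10")
    bot = ("noreply@example.net", "me@example.org", "198.51.100.7")
    return [
        g.check(*mta, now=0),           # first contact: defer
        g.check(*mta, now=45 * 60),     # retry after 45 min: accept
        g.check(*mta, now=46 * 60),     # now known: accept immediately
        g.check(*bot, now=0),           # first contact: defer
        g.check(*bot, now=5),           # retried 5 s later: still defer
    ]
```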

Yea, I think I'm going to have to turn graylisting on, because this is just asinine. Example of a CP spam that should CLEARLY have made some hits in SA, but was delivered to my inbox: http://www.spamcop.net/sc?id=z3121429075zb...7000b163e4066ez

If nothing else, it's listed in SORBS... isn't that one of the blocklists?

The IP 61.225.22.8 is from Korea; unless you expect email from Korea, you should have that country blocked.

In this case that IP is a mail server and would resend, thus getting past greylisting.

Most ISPs block port 25, stopping spam unless sent from a mail server.

Spammers now rely on "Trojans" to take control of one's computer and the email addresses on it.

Often one gets attachments from people/email addresses they know, but they turn out to be viruses/trojans from computers that have now been made zombies out to infect YOU.

Important to have effective protection to stop this such as


The IP 61.225.22.8 is from Korea; unless you expect email from Korea, you should have that country blocked.

In this case that IP is a mail server and would resend, thus getting past greylisting.

Like I said, I have all the BLs checked and active, yet an obscene amount of spam is delivered to my inbox. Hell, I even brought the SA level down to 2 and I'm STILL getting the leakage. I honestly think there is an issue with the SA server(s), because certain words are hitting like they used to.


Shouldn't this one have been snagged? It has words that I normally see hitting: http://www.spamcop.net/sc?id=z3115129192z1...b7ddb94687143fz

And this one... spam level 0?! It says 'drugs', 'medications' and 'pharmacy' in the body. Certainly something must be awry: http://www.spamcop.net/sc?id=z3115134554zb...a9ad7a1d359e9ez

Puzzling that you don't hit SA's trigger level with some of these. I'm going to have to start looking at some of my own. Presumably everyone at SC who opts for SA filtering is using the same test set (provided by SC), so it shouldn't be a matter of differences in individual users' tests. So, if I got this message it ought to get the same SA score as it did for you.

-- rick


Like I said, I have all the BLs checked and active, yet an obscene amount of spam is delivered to my inbox. Hell, I even brought the SA level down to 2 and I'm STILL getting the leakage. I honestly think there is an issue with the SA server(s), because certain words are hitting like they used to.

Just pay to check your whitelist.

A whitelist will override SpamAssassin, greylisting and blacklists.

I did not see in your example where it was whitelisted, and it should not have ended up in your inbox?


Puzzling that you don't hit SA's trigger level with some of these. I'm going to have to start looking at some of my own. Presumably everyone at SC who opts for SA filtering is using the same test set (provided by SC), so it shouldn't be a matter of differences in individual users' tests. So, if I got this message it ought to get the same SA score as it did for you.

I think the "SPF_HELO_PASS" is probably lowering the score to allow the pass.


I think the "SPF_HELO_PASS" is probably lowering the score to allow the pass.

Hmmm... I pulled the SPF records for the HELO of what appeared to be the originator of the zero-score spam (asianet.co.th); this message very conspicuously fails to pass an SPF check as far as I can tell. On the other hand, maybe the check is done on the HELO of btech's own domain, but I failed to get a clear SPF pass here either (though I may not know enough about reading SPF records to be sure).

So, I wonder which HELO got tested and passed the SPF check?

-- rick


Not sure if anyone has asked you this before, but you're not using a "catchall" address (aka "default address") for your domain, are you? That makes all possible incoming addresses valid and is pretty much an invitation to mass quantities of spam.

DT


Greetings,

Here's a user rant for you, with a plea for remediation on the Spamcop side, or tips on the user side. :-)

For the past few weeks both of my Spamcop accounts have been receiving a huge number of spams (10-15 a day in each one) making it through Spamcop's filters, my filters, and into my Inbox instead of Held Mail, leaving me to gloriously delete them individually. In the years I've had these accounts, I've never spent so much time cleaning my inboxes on a regular basis; second, the SpamAssassin levels as reported in the headers are 1-2 stars or below, which is right about the threshold of my non-spam mail as well. Whitelisting everyone I know is not a workable solution, for obvious reasons.

The fact that the X-Spam-Level is often zero stars, or 1 or 2, coupled with the spams being all the same pretty much (acai berry, online pharmacies and implants, watches, and a few phishing schemes thrown in) makes me wonder what's happening algorithmically on the SpamAssassin side of the flow.

Before I get flamed here are my account settings:

* All DNS blacklists enabled except 'Spamhaus PBL'

* x-spam-level 5

* I'm not in my whitelist

* no forwarding to or from the Spamcop accounts

So, what can I do to tighten the screws without missing legit mails (note that checking the Held Mail folder is not possible, it has too many daily entries)?

Thanks in advance,

Matt


0 x-spam-level

http://www.spamcop.net/sc?id=z3151436249ze...66d653d82b04a9z

1 x-spam-level

http://www.spamcop.net/sc?id=z3151441705za...7a77c11615733dz

2 x-spam-level

http://www.spamcop.net/sc?id=z3151445100z1...db96a346236a2bz

You've read the recent topic at http://forum.spamcop.net/forums/index.php?showtopic=10500 ? Is greylisting an option for you? Can we have a tracking URL for one of those slipping through?

And just to respond to the second question -- greylisting is, to me, a bandaid solution to a fundamental problem, which is the need to adjust the algorithms which seemed previously to properly raise the X-Spam-Level rating. Why the same string values ('acai berry', 'luxury watches', etc. etc. etc.) get sent over and over and over daily to me over the course of a few weeks, never raising the X-Spam-Level above 1 or 2 (if even that), is probably something that should be confirmed as impossible to overcome programmatically, clever spammers or not.

The greylist solution is clunky because the real-time nature of e-mail is an appeal of the technology and in today's world unfortunately a necessity, making half-hour to hour delays for new senders a very iffy proposition for most people. Consider responses to job postings, or -- a more concrete example: every single time my bank's cookie expires, they make me do an e-mail confirmation which sends me an ID code before I am able to log in.

Matt


[...]

The fact that the X-spam-Level is often zero stars, or 1 or 2, coupled with the spams being all the same pretty much (acai berry, online pharmacies and implants, watches, and a few phishing schemes thrown in) makes me wonder what's happening algorithmically on the spam assassin side of the flow.

[...]

So, what can I do to tighten the screws without missing legit mails (note that checking the Held Mail folder is not possible, it has too many daily entries)?

Except for "replica", I think SA doesn't use real words much, since the Viagra etc. lot just went over to misspelling. To investigate this properly would need a look at what SA tests were effective both now and in the past - I found the URL tests were the usual trigger - and what might be made more effective.

You don't say how many spams a month you get (index numbers in VER or Held make this quite easy to record).

I have SA=2.0: 3622 spams (121/d), 46 leakers (=1.3%) for June with all blocklists including PBL, in spite of the false positives caused by the SC implementation.

There is a trick to let you just look at the borderline SA values, so going from SA=5.0 to SA=2.0 is no risk, nor requires more than a few to be eyeballed.

Thus, using SC Webmail Search on the Held folder (and saving it as a virtual folder):

Search 'Entire message' for any of "hits=0.", "hits=1.", "hits=2.", "hits=3.", "hits=4.", plus for good measure any that don't contain "hits=" at all. This should show you all the low SA and blocklist items, which (for me) is only 1-5 a day.

HTH

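The borderline-review trick in the post above, and the earlier question of which tests (SPF_HELO_PASS among them) are behind a low score, both come down to reading what SpamAssassin put in the headers. The following is an added example, not SpamCop's or SpamAssassin's code: it parses X-Spam-Status into hits, required threshold and test names, applies a user-chosen SA level, flags the messages the "hits=0." to "hits=4." search would surface, and lists which verdicts flip when the level is lowered from 5.0 to 2.0. The four sample headers are constructed, not the tracked spams linked in this thread.

```python
import re
from email import message_from_string

# Added example (not SpamCop's or SpamAssassin's code). SpamAssassin writes an
# X-Spam-Status header with hits= (score= in newer versions), the required
# threshold and the tests that fired, plus X-Spam-Level with one '*' per point.
# These four messages are constructed samples, not the tracked spams above.
SAMPLES = [
    "X-Spam-Status: Yes, hits=7.4 required=5.0 tests=URIBL_BLACK,HTML_MESSAGE\n"
    "X-Spam-Level: *******\nSubject: cheap pharmacy\n\nbody\n",
    "X-Spam-Status: No, hits=1.7 required=5.0 tests=SPF_HELO_PASS,HTML_MESSAGE\n"
    "X-Spam-Level: *\nSubject: replica watches\n\nbody\n",
    "X-Spam-Status: No, hits=3.2 required=5.0 tests=RDNS_NONE\n"
    "X-Spam-Level: ***\nSubject: acai berry\n\nbody\n",
    "Subject: blocklisted host, no SA header\n\nbody\n",
]

STATUS_RE = re.compile(
    r"(?:hits|score)=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)(?:\s+tests=(\S+))?")

def parse_status(value):
    """Return (hits, required, [tests]) from an X-Spam-Status value, else None."""
    m = STATUS_RE.search(value or "")
    if not m:
        return None
    tests = m.group(3).split(",") if m.group(3) else []
    return float(m.group(1)), float(m.group(2)), tests

def triage(raw, threshold):
    """Held/inbox verdict at a user-chosen SA threshold, and whether the post's
    search for hits=0. .. hits=4. (or no hits= at all) would surface it."""
    msg = message_from_string(raw)
    parsed = parse_status(msg.get("X-Spam-Status"))
    hits = parsed[0] if parsed else None
    return {
        "subject": msg["Subject"],
        "hits": hits,
        "tests": parsed[2] if parsed else [],
        "held": hits is not None and hits >= threshold,
        "borderline": hits is None or 0.0 <= hits < 5.0,
    }

def changed_verdicts(raws, old=5.0, new=2.0):
    """Subjects whose verdict flips when lowering the SA level from old to new:
    exactly the messages worth eyeballing after such a change."""
    return [(triage(r, old)["subject"], triage(r, old)["hits"])
            for r in raws if triage(r, old)["held"] != triage(r, new)["held"]]
```

Run against a real mailbox, the "tests" list is what tells you whether a low score is a missed content rule or a negative-scoring test pulling it down.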
