rsh_rsh Posted March 5, 2012

X-Apparently-To: rsh_rsh[at]rogers.com via 98.139.219.233; Mon, 05 Mar 2012 12:20:59 -0800
X-YahooFilteredBulk: 192.100.64.12
Received-SPF: fail (domain of email.princess.com does not designate 192.100.64.12 as permitted sender)
X-YMailISG: nnGW6BYWLDv0ByBtgc34hTrdsBT3UP22fcQnMeRx_.G1H40L n4C0s6wrnE5P9s5qt.UF3WDvZcnRkAwZRPpfzxoXsXArWklM1SVIJ0cQnMSo OU3gr5bi.hX9irUA7Xp.7U4cZxpcNTHeWGAhIIAkZSJPrSvJDtNMXXTHfIQ. .8ZUWq.51R6Z7IXJYYZMquaEl34XuryPkxGnyfRm6oakK1wHKIxygUOrwVY3 ilL85hS_IejfyiTudqBMLI7KNNhEFLDEm71l8a444sFEfHsDgm66evcEIBQg bPgfsQYwtcLBKgsVs7tJrmmPyiJJRwcON1K9YzdW3yahpH92H0z4VL3U1KDo JBBBMg--
X-Originating-IP: [192.100.64.12]
Authentication-Results: mta1004.rog.mail.bf1.yahoo.com from=email.princess.com; domainkeys=fail (bad sig); from=email.princess.com; dkim=permerror (bad sig)
Received: from 127.0.0.1 (EHLO mail.monmouth.edu) (192.100.64.12) by mta1004.rog.mail.bf1.yahoo.com with SMTP; Mon, 05 Mar 2012 12:20:59 -0800
Received: from smtp.monmouth.edu (smtp.monmouth.edu [204.152.149.12]) by mail.monmouth.edu (8.14.4/8.14.4) with ESMTP id q25KKwbw010174 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU>; Mon, 5 Mar 2012 15:20:58 -0500
Received: from mta1.email.princess.com (mta1.email.princess.com [64.40.98.25]) by smtp.monmouth.edu (8.14.4/8.14.4) with ESMTP id q25KKqlM005662 for <ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU>; Mon, 5 Mar 2012 15:20:52 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=x; d=email.princess.com; h=Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:Content-Type; i=princesscruises[at]email.princess.com; bh=zggJ13LOTSokBbjITHfXAj3dwf8=; b=QsN38yWZjEElX0VKqRXb+zisHfy7lLoUTbv2WIVEP1mvHWIAEmA1quZlIxpIQwoOuw0aupm5vCIN QZxxXe0TAo8uOwg30Jvp+PgSRuoAzZSo2VxYgXirfxUUPncj/YOHxGM6+OJXo2N7RdgrJfgn8FCw Wyhdwc6AqkMvXJJ5JC4=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=x; d=email.princess.com; b=TGjereTj2Cy2g1EYZR0z0OEJMSiQ5D5JUt6fRcTCW/xtvY5DC+PyUXFo7qce/YmtaDYC+Aeecnhh u3FMnZA4RodgZ0zzFufROJbyaxm+g0/ooZZRNPrsLLNwKDqHd2XxmO/oEanrbURKojeLGBYZM7Jp EKIN2zr2xsEU10rpFqQ=;
Received: from DM-MTA7 (127.0.0.1) by mta1.email.princess.com (PowerMTA v3.5r15) id hakg281c9lc8 for <ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU>; Mon, 5 Mar 2012 12:20:51 -0800 (envelope-from <princesscruises[at]email.princess.com>)
Message-ID: <ebyvlnmzwkzcsna2howat4xpmrq0l1[at]dm.msg>
Date: Mon, 05 Mar 2012 20:20:51 GMT
From: "Princess Cruises" <princesscruises[at]email.princess.com>
Reply-To: princesscruises[at]email.princess.com
To: "Robert Heuman" <ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU>
Subject: *****spam***** 2.044 Our lowest Alaska cruisetour fares of the season*
X-Mailer: EBYVLN MZWKZCS NA2HOWA T4XPMRQ0L1
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_1330978858-16387-79"
X-spam-Level: XX
X-spam-Score: 2.044, Required: 3
Content-Transfer-Encoding: binary
X-Scanned-By: MIMEDefang 2.71 on 192.100.64.12
X-Scanned-By: MIMEDefang 2.71 on 204.152.149.12
X-Text-Classification: adverts
X-POPFile-Link: http://127.0.0.1:8080/jump_to_message?view=555
X-Agent-Received: from 2 rsh_rsh (127.0.0.1); Mon, 05 Mar 2012 15:52:32 -0500
X-Agent-Junk-Probability: 0
X-Agent-Folder-Sender: 00010582
X-Agent-Folder-Reason: Sender
X-Agent-Folder: 00010582

[deleted]

Privacy Statement

You are subscribed with the address: ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU. Click here if you would like to unsubscribe. To ensure delivery to your inbox, please add princesscruises[at]email.princess.com to your email address book. If you wish to make changes to your email or postal address, name, destination preference or other information, please go to My Princess or you may contact us at captainscircle[at]princesscruises.com.

PE2AK041A/PEH2AK541A

spam detection software, running on the system "smtp.monmouth.edu", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

Content preview: You have just received email from Princess Cruises. Please use the link below to view this email online. http://content.princess.com/princess/?jlBkO3aWtvOJTv-0FDzsh1QT5g0cmcQPj You are subscribed with the address: ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU. Use the following URL if you would like to unsubscribe. [...]

Content analysis details: (2.0 points, 3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [64.40.98.25 listed in list.dnswl.org]
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.6 HS_INDEX_PARAM         URI: Link contains a common tracker pattern.
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 3.4 AWL                    AWL: From: address is in the auto white-list

[gratuitous content deleted and live external link broken]

petzl Posted March 5, 2012

> X-Apparently-To: rsh_rsh[at]rogers.com via 98.139.219.233; Mon, 05 Mar 2012 12:20:59 -0800
> X-YahooFilteredBulk: 192.100.64.12
> Received-SPF: fail (domain of email.princess.com does not designate 192.100.64.12 as permitted sender)
> X-YMailISG: nnGW6BYWLDv0ByBtgc34hTrdsBT3UP22fcQnMeRx_.G1H40L n4C0s6wrnE5P9s5qt.UF3WDvZcnRkAwZRPpfzxoXsXArWklM1SVIJ0cQnMSo OU3gr5bi.hX9irUA7Xp.7U4cZxpcNTHeWGAhIIAkZSJPrSvJDtNMXXTHfIQ. .8ZUWq.51R6Z7IXJYYZMquaEl34XuryPkxGnyfRm6oakK1wHKIxygUOrwVY3 ilL85hS_IejfyiTudqBMLI7KNNhEFLDEm71l8a444sFEfHsDgm66evcEIBQg bPgfsQYwtcLBKgsVs7tJrmmPyiJJRwcON1K9YzdW3yahpH92H0z4VL3U1KDo JBBBMg--
> X-Originating-IP: [192.100.64.12]
> Authentication-Results: mta1004.rog.mail.bf1.yahoo.com from=email.princess.com; domainkeys=fail (bad sig); from=email.princess.com; dkim=permerror (bad sig)
> Received: from 127.0.0.1 (EHLO mail.monmouth.edu) (192.100.64.12) by mta1004.rog.mail.bf1.yahoo.com with SMTP; Mon, 05 Mar 2012 12:20:59 -0800
> Received: from smtp.monmouth.edu (smtp.monmouth.edu [204.152.149.12]) by mail.monmouth.edu (8.14.4/8.14.4) with ESMTP id q25KKwbw010174 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU>; Mon, 5 Mar 2012 15:20:58 -0500
> Received: from mta1.email.princess.com (mta1.email.princess.com [64.40.98.25]) by smtp.monmouth.edu (8.14.4/8.14.4) with ESMTP id q25KKqlM005662

No IP mentioned here is blocked by SpamCop's Blocking List (SCBL) nor has been? This thread is for email that has been blocked by the SCBL. 64.40.98.25 has been reported as spam twice in 90 days and not enough to be listed as spam.

Sounds like you need a decent email provider. Gmail at present is free and accurate at sorting "spam from ham".

Farelf Posted March 6, 2012

> ...This thread is for email that has been blocked by the SCBL.

...Moved from SpamCop Blocklist Help forum.

Presume you have tried Princess Cruises' suggestion of adding their address to your e-mail address book? If that doesn't work, an alternative suggestion - check with monmouth.edu (mail system FAQs or mail admin) about WHITELISTING.

InvisiBill Posted March 28, 2012

> spam detection software, running on the system "smtp.monmouth.edu", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.
>
> Content preview: You have just received email from Princess Cruises. Please use the link below to view this email online. http://content.princess.com/princess/?jlBkO3aWtvOJTv-0FDzsh1QT5g0cmcQPj You are subscribed with the address: ROBERT.HEUMAN[at]ALUMNI.MONMOUTH.EDU. Use the following URL if you would like to unsubscribe. [...]
>
> Content analysis details: (2.0 points, 3.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
>                             [64.40.98.25 listed in list.dnswl.org]
> -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay domain
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.6 HS_INDEX_PARAM         URI: Link contains a common tracker pattern.
> -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
>                             [score: 0.0000]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
>  3.4 AWL                    AWL: From: address is in the auto white-list
>
> [gratuitous content deleted and live external link broken]

Not sure if I missed something due to the trimming, but this appears to have nothing at all to do with SpamCop.

SpamAssassin, running on monmouth.edu's mail server, has decided that the email is spam. As you can see from the test info, there are a few spam characteristics in the message, however most don't affect the score at all (0.0), and the one that does only increases it a tiny bit (0.6). The Bayesian filter thinks the body looks good and lowers the score by 1.9 points. However, the AutoWhitelist increases the score 3.4 points. AWL looks at the history of the sender (based on the email address and first half of the IP) and adds/subtracts points based on previous spams/hams. In this case, AWL is adding a lot of points, meaning it has historically seen a lot of spam from them, so it's assuming this one is spam too. That could be due to legitimately receiving lots of spam from them in the past, misconfiguration of SpamAssassin, or people incorrectly reporting unwanted marketing emails as spam (as opposed to opting out or changing their subscription preferences).

One curious thing is that it says the email scored 2.0 points (the math in those tests works out to 2.1, but it could be an issue of rounding the extra decimal places), and that 3.0 is required for SA to consider an email spam. It's basically saying that it doesn't have enough points to be considered spam, but that it's spam.

It looks like you're forwarding from your monmouth.edu address to a Yahoo address also (a very common thing for alumni to do). This adds some complication, as the final mail server (Yahoo) doesn't know that the email was addressed to and forwarded by a different mail server (Monmouth). You can see that monmouth.edu received the email from princess.com and SPF passed, but Yahoo gets the email and says that SPF fails because the IP it received the mail from (monmouth.edu) doesn't match the sending email address (princess.com). However, SpamAssassin is running on Monmouth's server, so the Yahoo stuff doesn't come into play on this specific message - just FYI for future issues.

Note that SpamAssassin can be configured to use SpamCop's database of spammer info to help determine if an email is spam or not. In this specific case, the email contains nothing SpamCop-related though.

I'd check with the mail admins at Monmouth. First, it classified the email as spam even though it only had 2.0 points when it says it's looking for 3.0. Second, email from princess.com is getting a huge spam weighting from the AWL. Unless they've gotten a ton of spam from them (unlikely), this is probably due to a (previous?) misconfiguration or other users reporting it as spam instead of unsubscribing. See if they can change/reset the AWL value for that sender.

Finally, I personally dislike it when people try to catch more spam by lowering the cutoff point from the default 5.0. With a little bit of Bayesian training and a couple custom rule tweaks, I find SpamAssassin to be very good at classifying emails. As a curious geek, I actually increased my personal threshold so that I see a few borderline spams for feeding back into the learning system. I get maybe 1 spam per week that legitimately makes it past SA. Most of my spams score 10+, and most of my hams are well into the negatives. In my eyes, lowering the threshold down to 3.0 is a bandaid for a poorly configured SA system. When done right, the vast majority of spam should be well above 5.0, allowing more wiggle room for legitimate emails (usually marketing stuff) that tend to look spammy.
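
The score arithmetic discussed in the post above can be checked mechanically. The following Python sketch is an added example, not part of the thread and not SpamAssassin code: it parses the quoted report, re-adds the rule scores with a rounding allowance, and flags the two oddities raised (a spam tag below the required score, and AWL carrying the whole positive score). The function name `analyse`, the tolerance, and the use of SpamAssassin's default `auto_whitelist_factor` of 0.5 to back out the sender's historical mean are assumptions; the Monmouth server's actual setting is not shown in the thread.

```python
import re

# SpamAssassin report from the thread, re-laid out (scores are rounded to 0.1).
REPORT = """\
Content analysis details:   (2.0 points, 3.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay domain
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.6 HS_INDEX_PARAM         URI: Link contains a common tracker pattern.
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 3.4 AWL                    AWL: From: address is in the auto white-list
"""

RULE = re.compile(r"^[ \t]*(-?\d+\.\d+)[ \t]+([A-Z][A-Z0-9_]+)[ \t]", re.M)
TOTAL = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")

def analyse(report, tagged_as_spam, awl_factor=0.5):
    """Re-add the per-rule scores and flag inconsistencies in the verdict."""
    rules = {name: float(pts) for pts, name in RULE.findall(report)}
    reported, required = map(float, TOTAL.search(report).groups())
    rule_sum = round(sum(rules.values()), 1)
    awl = rules.get("AWL", 0.0)
    without_awl = round(rule_sum - awl, 1)
    # Each printed score may be off by 0.05, so allow that much per term.
    tolerance = 0.05 * (len(rules) + 1)
    findings = []
    if abs(rule_sum - reported) > tolerance:
        findings.append("rule scores do not add up to the reported total")
    if tagged_as_spam and reported < required:
        findings.append("tagged as spam below the required score")
    if awl > 0 and without_awl <= 0 < rule_sum:
        findings.append("AWL is the only reason the score is positive")
    # Assumption: AWL adds (sender_mean - score) * factor, default factor 0.5.
    implied_mean = round(without_awl + awl / awl_factor, 1)
    return {"rule_sum": rule_sum, "reported": reported, "required": required,
            "without_awl": without_awl, "implied_awl_mean": implied_mean,
            "findings": findings}

if __name__ == "__main__":
    # The Subject line in the thread carries the *****spam***** tag.
    for key, value in analyse(REPORT, tagged_as_spam=True).items():
        print(f"{key}: {value}")
```

Under the stated assumption, a +3.4 adjustment on a message that would otherwise score about -1.3 implies a stored sender average near 5.5, which is the figure a mail admin would look for when inspecting or resetting the AWL entry.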
Archived
This topic is now archived and is closed to further replies.