Jump to content

Recommended Posts

First, it would be nice if the parser could parse around my spamassassin headers.

The red headers and all below are missed by the parser:

Received: from 88.12.142.203 by mail.domain.tld (envelope-from <yuzefa_k[at]mail.ru>, uid 201) with qmail-scanner-1.25st

(clamdscan: 0.88.2/1478. spamassassin: 3.1.0. perlscan: 1.25st.

Clear:RC:0(88.12.142.203):SA:1(29.0/5.0):.

Processed in 1.001175 secs); 24 May 2006 21:49:58 -0000

X-spam-Status: Yes, hits=29.0 required=5.0

X-spam-Level: +++++++++++++++++++++++++++++

X-spam-Report: SA TESTS

2.2 INVALID_DATE Invalid Date: header (not RFC 2822)

0.7 SARE_FREE_WEBM_RuMail Sender used free email account - may be

spammer

0.1 FORGED_RCVD_HELO Received: contains a forged HELO

2.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date

2.3 DISGUISE_PORN_MUNDANE BODY: Attempts to disguise mundane words used

in porn

0.8 HTML_00_10 BODY: Message is 0% to 10% HTML

1.8 HTML_OBFUSCATE_10_20 BODY: Message is 10% to 20% HTML obfuscation

0.0 HTML_MESSAGE BODY: HTML included in message

3.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%

[score: 0.5000]

2.1 HTML_NONELEMENT_70_80 BODY: 70% to 80% of HTML elements are

non-standard

0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

1.0 J_BACKHAIR_22 RAW: 2 alpha-tag-2 alpha

1.0 J_BACKHAIR_12 RAW: 1 alpha-tag-2 alpha

1.0 J_BACKHAIR_21 RAW: 2 alpha-tag-1 alpha

0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level

above 50%

[cf: 100]

0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)

0.8 DIGEST_MULTIPLE Message hits more than one network digest check

1.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag

Received: from 203.red-88-12-142.dynamicip.rima-tde.net (HELO iku2aes.ennak.verizon.net) (88.12.142.203)

by 10.11.211.4 with SMTP; 24 May 2006 17:49:54 -0400

Second, is it possible to munge my servername? it contains my domain name, which has plenty of information:

Received: (qmail 8455 invoked by alias); 24 May 2006 17:49:58 -0400

Delivered-To: x

Received: (qmail 8451 invoked by uid 210); 24 May 2006 17:49:58 -0400

Received: from 88.12.142.203 by mail.domain.tld (envelope-from <yuzefa_k[at]mail.ru>, uid 201) with qmail-scanner-1.25st

Received: from 203.red-88-12-142.dynamicip.rima-tde.net (HELO iku2aes.ennak.verizon.net) (88.12.142.203)

by 10.11.211.4 with SMTP; 24 May 2006 17:49:54 -0400

It's at the "mail.domain.tld" location.. currently sent out with every report. My server's internal IP is also in there, but that does not matter as much. (It would if it was bound to a public IP though).

Link to comment
Share on other sites

Posted as a "question" .. so moving this back to the Reporting Help Forum section.

The real question (especially as the "full" header set wasn't offered (please see Tracking URL in the Glossary or Dictionary here, links found in the SpamCop FAQ link at the top of the page) is "why" your SpamAssassin header bits are being inserted like this to begin with. And with the whitespace issues of this Forum application, it's hard to tell exactly what you did or did not change in the process of pasting in your sample ... (even more specifically, I have no real idea how to try to "test" your sample, as I have no idea what it 'really' looks like)

Please see the SpamCop FAQ entry "What is Mole Reporting?" (and there are other links available for more data on this approach)

Believe me, I have my own issues with mail.ru .....

OK, I tried to "play" with your sample .... I don't see an issue with your SpamAssassin headers .... it actually looks like there are other problems .. but then again, I'm not playing with the full set of (your) headers ...

My results can be seen at http://www.spamcop.net/sc?id=z953365221z94...788073a79ea974z

also noting that the first IP address seen is already identified as; 88.12.142.203 is an open proxy

Link to comment
Share on other sites

Here is a message (I tried to get the same one as before)... I am incorrect, it is seeking past the spamassassin output, however, it's not identifying anything past my server. I did the mailhost training for my server, so the parser should know it (my server is the top 3 receives, this is the fourth):

http://www.spamcop.net/sc?id=z953334592z50...5b194fd70d0ccbz

0: Received: from 203.red-88-12-142.dynamicip.rima-tde.net (HELO iku2aes.ennak.verizon.net) (88.12.142.203) by 10.10.221.4 with SMTP; 24 May 2006 17:49:54 -0400

No unique hostname found for source: 88.12.142.203

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

I am not looking to be a mole; simply to munge the message enough that it becomes unidentifyable to my email addresses, and servers.. my server name is visible there, so is one of my custom spamassassin rules. Should I strip this information myself?

Link to comment
Share on other sites

Here is a message (I tried to get the same one as before)... I am incorrect, it is seeking past the spamassassin output, however, it's not identifying anything past my server. I did the mailhost training for my server, so the parser should know it (my server is the top 3 receives, this is the fourth):

My results using a non-mailhosted account for parsing; http://www.spamcop.net/sc?id=z953794751z08...e27ecf35770d69z ...

OK, so now moving this fom the Reporting Help Forum to the MailHost Configurations Help Forum section.

You have not completed the MailHost Cofiguration of your Reporting account.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...