Jump to content

SpamAssassin v3.1.0 on one spam, and v.3.1.1 on another?


Recommended Posts

  • Replies 119
  • Created
  • Last Reply

Top Posters In This Topic

blade4 is also not running SA.

I see no evidence of that. All my messages coming through blade4 have SA headers. Filter7, OTOH, allowed multiple spams through to my inbox overnight.

Update: I just found one that came through filter8 without SA tests. The time that filter8 handled it was: 20 Jan 2007 10:35:41 -0000 (just after 5:30 am in Georgia, where the server lives). I don't have any others like that yet, but the problem is getting worse before it gets better. No word from JT yet.

DT

Edited by DavidT
Link to comment
Share on other sites

Filter7 still isn't filtering. Grumble.

Yep, I'm seeing a ton of leakthrough from 7 and 8 this morning. All told, I'm getting a bit concerned about this; I've had a paid account with SC almost as long as it has been offered, and I'm having trouble thinking of a time where something this bad has dragged on.
Link to comment
Share on other sites

this just in, per

http://mail.spamcop.net/news.php

Jan 21, 2007

* [17:38 EST] Over the weekend, two of our filtering servers stopped doing SpamAssassin scanning on the email going through them. This unfortunately let a lot more spam through than usual. The problem is fixed now and we are investigating how to monitor and alarm on this condition so it won't happen again. We apologize for the inconvenience.

P.S.

I just got mail thru filter7 with SA headers... oh happy day.

Edited by silentlarry
Link to comment
Share on other sites

Good news, that reoccuring problem was beginning to be a real pain. On a related note, I still notice that many of the filter servers still have different versions of SA on them; some w/ 3.1.1, some w/ 3.1.4...

This was explained earlier that while the engines were different, the rulesets were the same.

Incidents like this also tell me that IP blocklists are fairly useless nowadays given the army of spambots out there.

I have not had a single spam get past the blocklists the entire weekend. I am convinced it all depends on the types of lists you get yourself (usually by no fault of your own) onto.

Link to comment
Share on other sites

I just received a message that slipped through the filters and was routed through filter8:

Return-Path: <saulcle[at]galaxycorp.net>
Delivered-To: x
Received: (qmail 25197 invoked from network); 26 Jan 2007 18:14:05 -0000
X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8
X-spam-Level: 
X-spam-Status: hits=0.0 tests=none version=3.1.4
Received: from unknown (192.168.1.101)
  by filter8.cesmail.net with QMQP; 26 Jan 2007 18:14:05 -0000
Received: from x (66.152.166.10)
  by mailgate.cesmail.net with SMTP; 26 Jan 2007 18:14:05 -0000
Received: (qmail 79852 invoked by uid 399); 26 Jan 2007 18:13:45 -0000
Delivered-To: x
Received: (qmail 73970 invoked by uid 399); 26 Jan 2007 18:13:44 -0000
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses);
  Fri, 26 Jan 2007 10:13:45 -0800
Received: from 82.red-83-61-60.dynamicip.rima-tde.net (HELO galaxycorp.net) (83.61.60.82)
  by mail3.mygisol.com with SMTP; 26 Jan 2007 18:13:44 -0000
Received-SPF: none (x: domain at galaxycorp.net does not designate permitted sender hosts)
	identity=mailfrom; client-ip=83.61.60.82;
	envelope-from=<saulcle[at]galaxycorp.net>;
Message-ID: <01c74175$b836d9d0$523c3d53[at]desktop>
Reply-To: "Modestine Melone" <saulcle[at]galaxycorp.net>
From: "Modestine Melone" <saulcle[at]galaxycorp.net>
To: "Orpah Gabler" <x>
Subject: Re: ED6015
Date: Fri, 26 Jan 2007 19:13:46 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-SpamCop-Checked: 192.168.1.101 66.152.166.10 83.61.60.82 83.61.60.82 

Good day,

Viazzgra  $1, 80
Ciazzlis  $3, 00
Levizztra $3, 35

http://www.printeryml.*com ( Important ! Remove

*EDIT* if this should have gone in the 'email' forum, I apologize, I don't know if the filters are tied to the email or the reporting service.

Edited by btech
Link to comment
Share on other sites

*EDIT* if this should have gone in the 'email' forum, I apologize, I don't know if the filters are tied to the email or the reporting service.

Wondering just where / how this confusion could have started / not been cleared up in all the various descriptions of the services offered ...?????

At any rate, moved this post from the Reporting Help section and merged this "new" post into the existing Topic that covers/includes the same siruation. PM sent to advise of the move/merge action.

Link to comment
Share on other sites

I just received a message that slipped through the filters and was routed through filter8:

Not sure what you're trying to tell us....the SA process is now working on all the servers, and yes, some spam is slipping through, but not because it's not being seen by SA, AFAIK. The example you submitted shows SA processing/scoring.

DT

Link to comment
Share on other sites

The example you submitted shows SA processing/scoring.

And to be anal about it, here are the lines that show that:

X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8

X-spam-Level:

X-spam-Status: hits=0.0 tests=none version=3.1.4

It is just that this spam did not trigger any of the tests being checked.

Link to comment
Share on other sites

It is just that this spam did not trigger any of the tests being checked.

I have noticed that lately myself too. I will get a spam in my inbox that has passed through SA but registered a score of 0, whereas other similar emails have a much higher score. I can find some examples if necessary.

Link to comment
Share on other sites

I have noticed that lately myself too. I will get a spam in my inbox that has passed through SA but registered a score of 0, whereas other similar emails have a much higher score. I can find some examples if necessary.

Please do. I have not seen any but I don't get much spam to compare. If it is always the same system with a zero SA score, perhaps the system is not working correctly.

Link to comment
Share on other sites

If it is always the same system with a zero SA score, perhaps the system is not working correctly.

That is what I suspect. All but two of the emails that passed SA were the new pharmacy spams that use the "replace the * with a ." method in the body.

I haven't been actively watching for this, just to make sure SA has been running, but when I see "tests=none" I get a little suspect. I have been trying to monitor emails that come into my inbox that pass not only the SA filters, but all my blacklists. I have another suspicious that SC is not always running the IPs it checks against some of the blacklists I have selected, as I don't recall ever having seen it check it against SpamHaus or some of the others, but I will post on that in another thread if I find that to be occurring.

I checked through all my emails from the past week (which took a considerable amount of time) and found these. I checked up until last Sunday (the 21st) when SA had been disabled on some servers. I will continue to monitor and save any emails I get that SA bypasses. On a side note, it would be nice to be able to search through your old spam reports.

No hit SA reports on filter7:

http://www.spamcop.net/sc?id=z1206846240z4...5722d00ca90865z (this one appears to have a postcard virus attached as a base64 file)

http://www.spamcop.net/sc?id=z1206668759z3...60ec4fa045f33az

http://www.spamcop.net/sc?id=z1202201762z3...d0baf5a2421c0ez

No hit SA reports on filter8:

http://www.spamcop.net/sc?id=z1202200815z5...670591f0952d07z

http://www.spamcop.net/sc?id=z1200810921z6...3e46cb01d730c4z

No hit SA reports on blade1:

http://www.spamcop.net/sc?id=z1206831002z3...b0446485999965z

http://www.spamcop.net/sc?id=z1204312000zc...7ae5a82cba98caz

Link to comment
Share on other sites

That is what I suspect. All but two of the emails that passed SA were the new pharmacy spams that use the "replace the * with a ." method in the body.

I concur with this assessment. The highest score these types of spam have achieved with me has been 0.2. Interestingly the text follows easy to figure obfuscation of the text so that the various drugs on offer are easy to decipher visually.

I've assumed that SpamAssassin isn't offering a test to catch these Emails.

Andrew

Link to comment
Share on other sites

I got that same email about a dozen times. I didn't notice any of my mails weren't being passed through SA though. But, I was particularly annoyed that SC stated:

Finding links in message body

Parsing text part

error: couldn't parse head

Message body parser requires full, accurate copy of message

More information on this error..

no links found

On the last one I reported, it did parse it all the way through, though. On the rest, I manually reported the URL.

Link to comment
Share on other sites

I got one on filter7 with SA headers from 11:07 pacific, and another at 11:39, so I assume it's been beat into submission.

Perhaps they did rig an alarm to monitor it as the news item suggested they might, seeing as it was apparently down for a matter of a few hours instead of several days.

Edited by silentlarry
Link to comment
Share on other sites

  • 2 weeks later...

Beats me. It's happening *again*.

X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5

X-spam-Level: **************

...and naturally, in my inbox.

Need to see headers it may be a whitelist problem :blush:

parse the spam and paste a copy of the URL SpamCop puts at top like/similar this one

http://www.spamcop.net/sc?id=z1218614373z8...724f436f7f3762z

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share


×
×
  • Create New...