StevenUnderwood Posted January 20, 2007

Let's all send a message to support at cesmail.net and see who gets his attention first....the shotgun approach. :-) I always use support[at]spamcop.net and have just sent off a message pointing him here.

DavidT Posted January 20, 2007

> blade4 is also not running SA.

I see no evidence of that. All my messages coming through blade4 have SA headers. Filter7, OTOH, allowed multiple spams through to my inbox overnight.

Update: I just found one that came through filter8 without SA tests. The time that filter8 handled it was: 20 Jan 2007 10:35:41 -0000 (just after 5:30 am in Georgia, where the server lives). I don't have any others like that yet, but the problem is getting worse before it gets better. No word from JT yet.

DT

Firefly Posted January 20, 2007

Well, I saw one from blade4 earlier today without filtering, but more recently I got one that was filtered by blade4. filter7 and filter8 are not filtering.

djtodd Posted January 21, 2007

Filter7 still isn't filtering. Grumble.

ViRGE Posted January 21, 2007

> Filter7 still isn't filtering. Grumble.

Yep, I'm seeing a ton of leakthrough from 7 and 8 this morning. All told, I'm getting a bit concerned about this; I've had a paid account with SC almost as long as it has been offered, and I'm having trouble thinking of a time where something this bad has dragged on.

silentlarry Posted January 21, 2007

this just in, per http://mail.spamcop.net/news.php

> Jan 21, 2007
> * [17:38 EST] Over the weekend, two of our filtering servers stopped doing SpamAssassin scanning on the email going through them. This unfortunately let a lot more spam through than usual. The problem is fixed now and we are investigating how to monitor and alarm on this condition so it won't happen again. We apologize for the inconvenience.

P.S. I just got mail thru filter7 with SA headers... oh happy day.

jongrose (Author) Posted January 22, 2007

> this just in, per http://mail.spamcop.net/news.php
> P.S. I just got mail thru filter7 with SA headers... oh happy day.

Good news, that reoccurring problem was beginning to be a real pain. On a related note, I still notice that many of the filter servers still have different versions of SA on them; some w/ 3.1.1, some w/ 3.1.4...

Firefly Posted January 22, 2007

Incidents like this also tell me that IP blocklists are fairly useless nowadays given the army of spambots out there.

StevenUnderwood Posted January 22, 2007

> Good news, that reoccurring problem was beginning to be a real pain. On a related note, I still notice that many of the filter servers still have different versions of SA on them; some w/ 3.1.1, some w/ 3.1.4...

This was explained earlier that while the engines were different, the rulesets were the same.

> Incidents like this also tell me that IP blocklists are fairly useless nowadays given the army of spambots out there.

I have not had a single spam get past the blocklists the entire weekend. I am convinced it all depends on the types of lists you get yourself (usually by no fault of your own) onto.

btech Posted January 26, 2007

I just received a message that slipped through the filters and was routed through filter8:

    Return-Path: <saulcle[at]galaxycorp.net>
    Delivered-To: x
    Received: (qmail 25197 invoked from network); 26 Jan 2007 18:14:05 -0000
    X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8
    X-spam-Level:
    X-spam-Status: hits=0.0 tests=none version=3.1.4
    Received: from unknown (192.168.1.101) by filter8.cesmail.net with QMQP; 26 Jan 2007 18:14:05 -0000
    Received: from x (66.152.166.10) by mailgate.cesmail.net with SMTP; 26 Jan 2007 18:14:05 -0000
    Received: (qmail 79852 invoked by uid 399); 26 Jan 2007 18:13:45 -0000
    Delivered-To: x
    Received: (qmail 73970 invoked by uid 399); 26 Jan 2007 18:13:44 -0000
    X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses); Fri, 26 Jan 2007 10:13:45 -0800
    Received: from 82.red-83-61-60.dynamicip.rima-tde.net (HELO galaxycorp.net) (83.61.60.82) by mail3.mygisol.com with SMTP; 26 Jan 2007 18:13:44 -0000
    Received-SPF: none (x: domain at galaxycorp.net does not designate permitted sender hosts) identity=mailfrom; client-ip=83.61.60.82; envelope-from=<saulcle[at]galaxycorp.net>;
    Message-ID: <01c74175$b836d9d0$523c3d53[at]desktop>
    Reply-To: "Modestine Melone" <saulcle[at]galaxycorp.net>
    From: "Modestine Melone" <saulcle[at]galaxycorp.net>
    To: "Orpah Gabler" <x>
    Subject: Re: ED6015
    Date: Fri, 26 Jan 2007 19:13:46 +0100
    MIME-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1106
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    X-SpamCop-Checked: 192.168.1.101 66.152.166.10 83.61.60.82 83.61.60.82

    Good day, Viazzgra $1, 80 Ciazzlis $3, 00 Levizztra $3, 35 http://www.printeryml.*com ( Important ! Remove

*EDIT* if this should have gone in the 'email' forum, I apologize, I don't know if the filters are tied to the email or the reporting service.

Wazoo Posted January 26, 2007

> *EDIT* if this should have gone in the 'email' forum, I apologize, I don't know if the filters are tied to the email or the reporting service.

Wondering just where / how this confusion could have started / not been cleared up in all the various descriptions of the services offered ...????? At any rate, moved this post from the Reporting Help section and merged this "new" post into the existing Topic that covers/includes the same situation. PM sent to advise of the move/merge action.

DavidT Posted January 26, 2007

> I just received a message that slipped through the filters and was routed through filter8:

Not sure what you're trying to tell us....the SA process is now working on all the servers, and yes, some spam is slipping through, but not because it's not being seen by SA, AFAIK. The example you submitted shows SA processing/scoring.

DT

StevenUnderwood Posted January 26, 2007

> The example you submitted shows SA processing/scoring.

And to be anal about it, here are the lines that show that:

    X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8
    X-spam-Level:
    X-spam-Status: hits=0.0 tests=none version=3.1.4

It is just that this spam did not trigger any of the tests being checked.

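The distinction drawn in the posts above (SA headers present with `tests=none` versus no SA headers at all), together with the per-server monitoring mentioned in the January 21 news item, as an added example that is not part of the thread and is not SpamCop's own tooling. It assumes the filter host can be read from the `by <host> with QMQP` hop as in the quoted message; the function names, thresholds and sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

FILTER_HOP = re.compile(r"\bby\s+(\S+)\s+with\s+QMQP", re.I)  # hop that names the filter host
STATUS = re.compile(r"hits=(-?[\d.]+)\s+tests=(\S+)")          # status layout quoted in the thread

def classify(raw):
    """Return (filter_host, state); state is 'unscanned', 'no-hits', 'scored' or 'unparsed'."""
    msg = message_from_string(raw)
    host = "unknown"
    for hop in msg.get_all("Received", []):
        m = FILTER_HOP.search(hop)
        if m:
            host = m.group(1).split(".")[0]
            break
    status = msg.get("X-Spam-Status")  # header lookup is case-insensitive
    if msg.get("X-Spam-Checker-Version") is None or status is None:
        return host, "unscanned"       # SpamAssassin never touched this message
    m = STATUS.search(status)
    if m is None:
        return host, "unparsed"
    return host, "no-hits" if m.group(2) == "none" else "scored"

def hosts_to_alarm(messages, threshold=0.5, min_messages=2):
    """Hosts where at least `threshold` of the delivered mail carries no SA headers."""
    total, missing = Counter(), Counter()
    for raw in messages:
        host, state = classify(raw)
        total[host] += 1
        missing[host] += state == "unscanned"
    return sorted(h for h, n in total.items()
                  if n >= min_messages and missing[h] / n >= threshold)

def sample(host, sa_headers=""):
    # Constructed message that follows the header layout quoted in the thread.
    return (f"{sa_headers}Received: from unknown (192.168.1.101) by {host}.cesmail.net"
            " with QMQP; 26 Jan 2007 18:14:05 -0000\nSubject: constructed sample\n\nbody\n")

SA = "X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8\nX-spam-Level:\n"
SAMPLES = [
    sample("filter8", SA + "X-spam-Status: hits=0.0 tests=none version=3.1.4\n"),
    sample("filter7"),
    sample("filter7"),
    # Rule names below are constructed sample values.
    sample("filter8", SA + "X-spam-Status: hits=6.1 tests=BAYES_99,HTML_MESSAGE version=3.1.4\n"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print("alarm:", hosts_to_alarm(SAMPLES))
```

A message classified as `no-hits` was scanned and simply matched no rule, which is a ruleset question; only `unscanned` messages point at a filter host that has stopped calling SpamAssassin.
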
jongrose (Author) Posted January 28, 2007

> It is just that this spam did not trigger any of the tests being checked.

I have noticed that lately myself too. I will get a spam in my inbox that has passed through SA but registered a score of 0, whereas other similar emails have a much higher score. I can find some examples if necessary.

StevenUnderwood Posted January 28, 2007

> I have noticed that lately myself too. I will get a spam in my inbox that has passed through SA but registered a score of 0, whereas other similar emails have a much higher score. I can find some examples if necessary.

Please do. I have not seen any but I don't get much spam to compare. If it is always the same system with a zero SA score, perhaps the system is not working correctly.

jongrose (Author) Posted January 28, 2007

> If it is always the same system with a zero SA score, perhaps the system is not working correctly.

That is what I suspect. All but two of the emails that passed SA were the new pharmacy spams that use the "replace the * with a ." method in the body. I haven't been actively watching for this, just to make sure SA has been running, but when I see "tests=none" I get a little suspect. I have been trying to monitor emails that come into my inbox that pass not only the SA filters, but all my blacklists. I have another suspicion that SC is not always running the IPs it checks against some of the blacklists I have selected, as I don't recall ever having seen it check it against SpamHaus or some of the others, but I will post on that in another thread if I find that to be occurring.

I checked through all my emails from the past week (which took a considerable amount of time) and found these. I checked up until last Sunday (the 21st) when SA had been disabled on some servers. I will continue to monitor and save any emails I get that SA bypasses. On a side note, it would be nice to be able to search through your old spam reports.

No hit SA reports on filter7:
http://www.spamcop.net/sc?id=z1206846240z4...5722d00ca90865z (this one appears to have a postcard virus attached as a base64 file)
http://www.spamcop.net/sc?id=z1206668759z3...60ec4fa045f33az
http://www.spamcop.net/sc?id=z1202201762z3...d0baf5a2421c0ez

No hit SA reports on filter8:
http://www.spamcop.net/sc?id=z1202200815z5...670591f0952d07z
http://www.spamcop.net/sc?id=z1200810921z6...3e46cb01d730c4z

No hit SA reports on blade1:
http://www.spamcop.net/sc?id=z1206831002z3...b0446485999965z
http://www.spamcop.net/sc?id=z1204312000zc...7ae5a82cba98caz

agsteele Posted January 28, 2007

> That is what I suspect. All but two of the emails that passed SA were the new pharmacy spams that use the "replace the * with a ." method in the body.

I concur with this assessment. The highest score these types of spam have achieved with me has been 0.2. Interestingly the text follows easy to figure obfuscation of the text so that the various drugs on offer are easy to decipher visually. I've assumed that SpamAssassin isn't offering a test to catch these Emails.

Andrew

petzl Posted January 30, 2007

http://www.spamcop.net/sc?id=z1208885080z5...0067781e0cfdcfz

SpamAssassin not checking AGAIN

jongrose (Author) Posted January 30, 2007

> http://www.spamcop.net/sc?id=z1208885080z5...0067781e0cfdcfz
> SpamAssassin not checking AGAIN

I got that same email about a dozen times. I didn't notice any of my mails weren't being passed through SA though. But, I was particularly annoyed that SC stated:

    Finding links in message body
    Parsing text part
    error: couldn't parse head
    Message body parser requires full, accurate copy of message
    More information on this error..
    no links found

On the last one I reported, it did parse it all the way through, though. On the rest, I manually reported the URL.

silentlarry Posted January 30, 2007

> SpamAssassin not checking AGAIN

Yep. Someone needs to b!+[at]h-slap filter7 but good.

petzl Posted January 30, 2007

> Yep. Someone needs to b!+[at]h-slap filter7 but good.

http://www.spamcop.net/sc?id=z1209364534z2...02978adc05c23az

And again (but only one, so someone may have done as you suggest?)

silentlarry Posted January 30, 2007

I got one on filter7 with SA headers from 11:07 pacific, and another at 11:39, so I assume it's been beat into submission. Perhaps they did rig an alarm to monitor it as the news item suggested they might, seeing as it was apparently down for a matter of a few hours instead of several days.

jongrose (Author) Posted January 31, 2007

I'm curious as to why this keeps occurring?

djtodd Posted February 9, 2007

> I'm curious as to why this keeps occurring?

Beats me. It's happening *again*.

    X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5
    X-spam-Level: **************

...and naturally, in my inbox.

petzl Posted February 9, 2007

> Beats me. It's happening *again*.
>
>     X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5
>     X-spam-Level: **************
>
> ...and naturally, in my inbox.

Need to see headers; it may be a whitelist problem. Parse the spam and paste a copy of the URL SpamCop puts at top, like/similar to this one:

http://www.spamcop.net/sc?id=z1218614373z8...724f436f7f3762z

Archived
This topic is now archived and is closed to further replies.