agsteele Posted April 19, 2007 Share Posted April 19, 2007 I think I've pretty much proved the point about dwindling use of this venue...back "in the day," when something like this would go wrong, you'd typically see multiple SC Email users bop in here, each starting their own thread. :-) When, on the exceedingly few ccurrences, I get spam breaking through the filters I rarely bother to analyse why. I simply report manually and move on. So I wouldn't know if Filter 7 isn't filtering or not. In addition to SpamAssassin I use various RBLs so perhaps they effectively catch any that might be working through Filter 7. Or maybe, as Steven Underwood suggests, Filter 7 is set aside for you and Firefly Andrew Link to comment Share on other sites More sharing options...
DavidT Posted April 19, 2007 Share Posted April 19, 2007 I think filter7 is your personal mail server because I have not received any email from that server in at least several days. Uh....no. :-) Steven, from your previous posts, it would seem that your incoming mail profile is a lot different than mine. Perhaps you don't have as many different addresses that have been "exposed" to harvesting in the past. DT I was correct...this in from JT: Sorry, this server is a real problem. It's running again. Thanks for catching and reporting this. I'm sticking by my theory, that the email customers aren't bothering to come here much. Although, if we have a total outage (all servers down or unreachable), I imagine that they'll be back. DT Link to comment Share on other sites More sharing options...
StevenUnderwood Posted April 19, 2007 Share Posted April 19, 2007 Uh....no. :-) Steven, from your previous posts, it would seem that your incoming mail profile is a lot different than mine. Perhaps you don't have as many different addresses that have been "exposed" to harvesting in the past. About 2 years ago now, I dumped my most spammed addresses and have been careful with my exiting ones (using spamcop as my main address). Link to comment Share on other sites More sharing options...
jongrose Posted May 1, 2007 Author Share Posted May 1, 2007 blade5 is not running SA. Reported it to the deputies. http://www.spamcop.net/sc?id=z1292097790zb...0dd2f69daf06a4z Link to comment Share on other sites More sharing options...
Wazoo Posted May 1, 2007 Share Posted May 1, 2007 blade5 is not running SA. Reported it to the deputies. Deputies have nothing to do with the SpamCop.net e-mail system .... All they can do is forward your notification to the only person that can do anything about it ... JT ... Link to comment Share on other sites More sharing options...
DavidT Posted May 2, 2007 Share Posted May 2, 2007 The SA on blade5 is fine now. I don't have any messages in my mailbox that went through blade5 around the same time as the one you cited, but the headers of messages a few hours before that, and the ones from today all have the proper SA lines, so if there was a problem, it was very brief. DT Link to comment Share on other sites More sharing options...
DavidT Posted May 2, 2007 Share Posted May 2, 2007 I just checked the headers on a spam that made it to my inbox that passed through the "filter8" server and there were no SpamAssassin lines.....here are some edited headers for anyone's amusement: Return-Path: <service8[at]planet.nl> Delivered-To: x[at]spamcop.net Received: (qmail 5674 invoked from network); 2 May 2007 14:43:02 -0000 Received: from unknown (192.168.1.101) by filter8.cesmail.net with QMQP; 2 May 2007 14:43:02 -0000 Received: from xxxxx by mailgate.cesmail.net with SMTP; 2 May 2007 14:43:01 -0000 Received: by xxxxx (Postfix) id 864BE2470796; Wed, 2 May 2007 07:43:01 -0700 (PDT) Received: from psmtp04.wxs.nl (psmtp04.wxs.nl [195.121.247.13]) by xxxxxxx (spam Firewall) with ESMTP id DC7ADD01DFA9 for <x>; Wed, 2 May 2007 07:43:00 -0700 (PDT) Received: from po07.wxs.nl ([10.94.53.251]) by psmtp04.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.15 (built Nov 14 2006)) with ESMTP id <0JHF00A8P4TMEO[at]psmtp04.wxs.nl> for x; Wed, 02 May 2007 16:41:46 +0200 (MEST) Received: from planet.nl ([127.0.0.1]) by po07.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.07 (built Jun 24 2005)) with ESMTP id <0JHF00JQH4TKCZ[at]po07.wxs.nl> for x; Wed, 02 May 2007 16:41:46 +0200 (MEST) Received: from [10.94.71.40] (Forwarded-For: 172.22.73.93, [196.201.151.3]) by po07.wxs.nl (mshttpd); Wed, 02 May 2007 07:41:44 -0700 Date: Wed, 02 May 2007 07:41:44 -0700 From: service8[at]planet.nl Subject: =?iso-8859-1?Q?CONGRATULATIONS=3A_YOU_WON-=A3500=2C000=2E00?= (can't do a Tracking URL on this one, because it would reveal too much information about my servers, etc.) Not sure why the source IP isn't on multple BLs...there are active items in the SC reporting history, and plenty of mentions in the email abuse "sightings" NG. I'll send off a note to JT...it would probably help if others did likewise. The SA process stopped running sometime between 1 May 2007 17:29:01 -0000 and 2 May 2007 01:44:48 -0000 (why the heck won't JT set a proper GMT offset on his boxes? Isn't that a "best practice" for server administration?). DT Link to comment Share on other sites More sharing options...
StevenUnderwood Posted May 2, 2007 Share Posted May 2, 2007 I just checked the headers on a spam that made it to my inbox that passed through the "filter8" server and there were no SpamAssassin lines.....here are some edited headers for anyone's amusement: I'll send off a note to JT...it would probably help if others did likewise. The SA process stopped running sometime between 1 May 2007 17:29:01 -0000 and 2 May 2007 01:44:48 -0000 (why the heck won't JT set a proper GMT offset on his boxes? Isn't that a "best practice" for server administration?). I had one as well and sent the email off to JT. This was an email I had whitelisted anyway, so had no reason to look at it further. Link to comment Share on other sites More sharing options...
DavidT Posted May 2, 2007 Share Posted May 2, 2007 ...and now I think he's fixed the problem....here are some lines from the most recent item in my Held folder: Received: (qmail 17874 invoked from network); 2 May 2007 17:14:53 -0000 X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8 X-spam-Level: ************* X-spam-Status: hits=13.8 tests=INVALID_MSGID,NO_REAL_NAME, SUBJECT_ENCODED_TWICE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_OB_SURBL, URIBL_SBL version=3.1.4 Received: from unknown (192.168.1.101) by filter8.cesmail.net with QMQP; 2 May 2007 17:14:53 -0000 DT Link to comment Share on other sites More sharing options...
DavidT Posted May 13, 2007 Share Posted May 13, 2007 tacking this onto the end of this loooonnnnng topic, because it's releated.... About a week ago, it seems that JT upgraded the SpamAssassin on "filter7" and "filter8" but not on any of the "blade" servers. Here's some evidence: X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter7 X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter8 X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade1 X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade2.cesmail.net X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade3.cesmail.net X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade4 (I've got lots more, but they follow the pattern) I also happened to receive virtually identical emails sent to me, some of which travelled through "filter" servers and some through "blade" -- look at the differing scoring: X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade4 X-spam-Level: ** X-spam-Status: hits=2.1 tests=HTML_FONT_BIG,HTML_MESSAGE,J_CHICKENPOX_21, J_CHICKENPOX_22,J_CHICKENPOX_51 version=3.1.8 X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter7 X-spam-Level: X-spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.2.0 So the difference in versions in not insignificant. I guess I'll send off a message to JT....I'll let you know if he responds and what he says. He did respond about the servers all thinking that they are in England (the vast majority of servers around the world are configured with an "offset" from GMT, but his aren't....they all show "-0000" as if they were located in Greenwich): It's a global service, with users all over the world. As long as the times are correct in an absolute sense, I don't see why they need to be stamped with the time zone the servers are actually in. That really is the time in GMT and the majority of our users do not live in the eastern time zone. Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong. DT Link to comment Share on other sites More sharing options...
Farelf Posted May 13, 2007 Share Posted May 13, 2007 ... Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong.Sorry, not "informed", not a server admin but I do know it makes life a heck of a lot simpler, operating across international time zones, to use a single reference zone and that zone, by tradition, is "zulu" (military parlance), GMT/UTC. Both my providers use it in their time stamps (attblobal.net and iinet.net.au) in (some) server to server transactions - but they (or my mail client?) always display local time in the "From -" (top) line. The use of GMT time stamps pre-dates the internet by a very long margin by the way. An inheritance from the time of the telegraph I would imagine. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted May 13, 2007 Share Posted May 13, 2007 Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong. I always prefer to set the servers I administer to UTC when I can. It helps, among other things, aleviate problems at DST changeover, for instance. Link to comment Share on other sites More sharing options...
agsteele Posted May 13, 2007 Share Posted May 13, 2007 He did respond about the servers all thinking that they are in England (the vast majority of servers around the world are configured with an "offset" from GMT, but his aren't....they all show "-0000" as if they were located in Greenwich): Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong. I'd say it doesn't matter provided the time setting is consistent across all the servers involved and that it is clear which time zone is being referred to. On mine I use GMT and specifically declare it as the +0000 zone. Andrew Link to comment Share on other sites More sharing options...
Wazoo Posted May 13, 2007 Share Posted May 13, 2007 About a week ago, it seems that JT upgraded the SpamAssassin on "filter7" and "filter8" but not on any of the "blade" servers. Here's some evidence: X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter7 X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade1 So the difference in versions in not insignificant. actually, that statement right there carries more weight than you give it credit for .... bluntly put, installing spamAssassin is not imply a matter of downloading, copying over a single file to the server. it a pretty good sized collection of files, some of which need tailoring. The catch is, this isn't all that's needed. Some of the upgrades in this package also require updates/upgrades to other various software packages, libraries, etc. on that same server. The downside is that by updating/upgrading some of these other items .... other tools/applications are then broken. There are items on the Forum server that I'd like to upgrade, but I can't ... stuck in the above situation. Actually a bit worse, as I'd be trying to do this remotely, knowing that if I screwed up, made a wrong decision, then it'd be my fault for needing to holler loudly for JT to make a trip to the datacenter to fix my screwup .... and let's be honest, this Forum isn't a money-maker for him <g> I guess I'll send off a message to JT....I'll let you know if he responds and what he says. He did respond about the servers all thinking that they are in England (the vast majority of servers around the world are configured with an "offset" from GMT, but his aren't....they all show "-0000" as if they were located in Greenwich): Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong. Funnily enough, time/date stamping just caught my interest on the Reporting side of the house ... all that data was showing as -0500 which doesn't equate to the location of any (known by me) IronPort hardware .... Technically, as long as it is tagged correctly, all other time/date handling should calculate out correctly ... Link to comment Share on other sites More sharing options...
DavidT Posted May 14, 2007 Share Posted May 14, 2007 Here's the response from JT about the different SA versions currently in use on the various servers: I upgraded the filters initially and let them run for a while as a test of the new version. I actually found that we were running into an error which is pretty well documented by the SpamAssassin guys. I'm waiting for them to fix this error before I upgrade the blades. They're talking like this should be soon. I suggested that might be worthy of posting to the System News page. DT Link to comment Share on other sites More sharing options...
DavidT Posted July 8, 2007 Share Posted July 8, 2007 Here's the latest status, according to headers of mail I've received recently: SpamAssassin 3.1.8 (2007-02-13) blade1 blade2 blade3 blade5 blade6 SpamAssassin 3.2.0 (2007-05-01) blade4 filter7 filter8 So the only change is that blade4 received the same version upgrade that's been running on the "filters" for a while. DT Link to comment Share on other sites More sharing options...
DavidT Posted August 27, 2007 Share Posted August 27, 2007 Update: Sometime in the middle of August, it seems that *all* of the blades and filters (the SC email servers) have had a SpamAssassin upgrade as shown in email headers: X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on * Was this announced somewhere and I just missed it? DT Link to comment Share on other sites More sharing options...
DavidT Posted August 27, 2007 Share Posted August 27, 2007 Not sure if related or not...probably not, but here's an announcement that's currently displaying on the webmail login page: Aug 27, 2007 [16:50 EDT] During a system upgrade this afternoon, we made a change which let a lot of spam slip through the filters. We are aware of the issue and have fixed things so they should be back to normal. We apologize about the inconvenience. DT Link to comment Share on other sites More sharing options...
btech Posted August 29, 2007 Share Posted August 29, 2007 Which leads me to wonder how this message with 14 hits made it into my inbox: Return-Path: <x[at]selekta.com> Delivered-To: cesmail-net-x[at]cesmail.net Received: (qmail 5580 invoked from network); 29 Aug 2007 22:05:40 -0000 X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter8 X-spam-Level: ************** X-spam-Status: hits=14.0 tests=DC_GIF_UNO_LARGO,EXTRA_MPART_TYPE, FROM_LOCAL_NOVOWEL,HTML_MESSAGE,MIME_QP_LONG_LINE,MY_CID_AND_STYLE, PART_CID_STOCK,PART_CID_STOCK_LESS,SARE_GIF_ATTACH,T_TVD_FW_GRAPHIC_ID1, UNPARSEABLE_RELAY version=3.2.3 Received: from unknown (192.168.1.108) by filter8.cesmail.net with QMQP; 29 Aug 2007 22:05:40 -0000 Received: from selekta.com (72.22.11.66) by mx71.cesmail.net with SMTP; 29 Aug 2007 22:05:40 -0000 Received: from host-163.121.241.72.tedata.net ([163.121.241.72]) by selekta.com with hMailServer; Wed, 29 Aug 2007 18:05:34 -0400 Received: from mail.global.frontbridge.com (port=10523 helo=xqijjnlqhbat) by host-163.121.241.72.tedata.net with smtp id 25287-Bew6M07TY-0Q44Qh8 for x[at]selekta.com; Thu, 30 Aug 2007 01:03:22 +0200 Message-ID: <000f01c7ea88$67aaff20$036de48c[at]xqijjnlqhbat> From: "Terry" <trkdthnxg[at]thinktwiceinc.com> To: x[at]selekta.com Subject: Will want to have paid for one, yet he be obliged: to clamber back in three Date: Thu, 30 Aug 2007 01:03:22 +0200 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0011_01C7EAA1.8CF5C620" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2869 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962 X-SpamCop-Checked: X-SpamCop-Disposition: Blocked SpamAssassin=14 X-SpamCop-Whitelisted: x[at]selekta.com The whitelisted address shouldn't affect the blocking, because I get TONS of spam with the whitelisted address in the 'To' field that get put in the HELD folder. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted August 30, 2007 Share Posted August 30, 2007 Which leads me to wonder how this message with 14 hits made it into my inbox: The whitelisted address shouldn't affect the blocking, because I get TONS of spam with the whitelisted address in the 'To' field that get put in the HELD folder. The To: field is irrelevant for the whitelist. Primarily the From: and Return-Path: (the one causing the problem here: <x[at]selekta.com>) are checked. THe whitelist is why this is in your Inbox. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.