kenh Posted November 9, 2006 Share Posted November 9, 2006 I keep getting spam, usually for investment scams, with something like "Subject: [spam:******* 7.0 SpamScore] Investment Strategy" in the subject line. Within the header is something like "X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore". If the score is this high and the probability is 99.99%, why isn't this stuff being blocked? I have my options set to block anything of 5 or higher. :angry: Ken Link to comment Share on other sites More sharing options...
Telarin Posted November 9, 2006 Share Posted November 9, 2006 Show us all the X-headers from the message, there is usually one that gives the reason why it was or was not blocked. Link to comment Share on other sites More sharing options...
Wazoo Posted November 9, 2006 Share Posted November 9, 2006 As Telarin states, there should be a header line .. usually, it's noted that the e-mail was whitelisted in a case like this. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted November 10, 2006 Share Posted November 10, 2006 I keep getting spam, usually for investment scams, with something like "Subject: [spam:******* 7.0 SpamScore] Investment Strategy" in the subject line. Within the header is something like "X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore". If the score is this high and the probability is 99.99%, why isn't this stuff being blocked? I have my options set to block anything of 5 or higher. And to add another data point, those headers (subjet change or x-xanit...) are not added by spamcop and not looked at by spamcop. We need the headers asked for to see what spamcop is scoring the message. I understand managers of SpamAssassin systems can set the scores for each test to whatever they feel is best. Link to comment Share on other sites More sharing options...
agsteele Posted November 10, 2006 Share Posted November 10, 2006 X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore I may be wrong but I don't believe that the 'X-CanIt-Tag-Reason' tag is related to SpamCop Email. You need to check the 'X-SpamCop-Disposition' value which will tell you what the SpamAssassin score is for the particular message. I have mine set at a trigger value of 2 and this works well with very few false positives. That said I'm considering moving to a value of 3 to see if this makes any difference. Andrew Link to comment Share on other sites More sharing options...
kenh Posted November 10, 2006 Author Share Posted November 10, 2006 Here is the complete header on one of these pieces of spam. I have x'd out my e-mail address. X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade1 X-spam-Level: * X-spam-Status: hits=2.0 tests=SARE_CSNUMTAG,SARE_RMML_Stock4, UNPARSEABLE_RELAY version=3.1.1 Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; 9 Nov 2006 19:32:10 -0000 Received: from mail.directus.net (HELO directus.net) (68.142.68.26) by mailgate.cesmail.net with SMTP; 9 Nov 2006 19:32:10 -0000 Received: from SMTP32-FWD by xxxx.xxx (SMTP32) id A823E01B30000EF7C; Thu, 9 Nov 2006 14:32:14 -0500 Received: from canit.directus.net [68.142.68.43] by directus.net with ESMTP (SMTPD-8.20) id A23E07C8; Thu, 09 Nov 2006 14:32:14 -0500 Received: from -1214940928 (88-104-5-9.dynamic.dsl.as9105.com [88.104.5.9]) by canit.directus.net (8.13.4/8.13.4) with SMTP id kA9JqXxs005244 for <xxxx[at]xxxx.xxx>; Thu, 9 Nov 2006 14:52:39 -0500 Received: from ghanareview.com (-1214534096 [-1214539128]) by gerrytanner.com (Qmailv1) with ESMTP id DFDEE3011A for <xxxx[at]xxxx.xxx>; Thu, 09 Nov 2006 14:30:03 -0600 Date: Thu, 09 Nov 2006 14:30:03 -0600 From: "Bloomer S. Gucci" <extstp[at]ghanareview.com> X-Mailer: The Bat! (v2.00.2) Personal X-Priority: 3 Message-ID: <5809710179.20061109143003[at]ghanareview.com> To: Pwrr <xxxx[at]xxxx.xxx> Subject: [spam:******* 7.0 SpamScore] Investment Strategy MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 mion X-Bayes-Prob: 0.9999 (Score 5) X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore X-CanItPRO-Stream: 12_Moderate X-Canit-Stats-ID: 8221572 - 8e91405497db X-Scanned-By: CanIt (www . roaringpenguin . com) on 68.142.68.43 X-SpamCop-Checked: 192.168.1.101 68.142.68.26 68.142.68.43 88.104.5.9 Ken Link to comment Share on other sites More sharing options...
agsteele Posted November 10, 2006 Share Posted November 10, 2006 Subject: [spam:******* 7.0 SpamScore] X-CanIt-Tag-Reason: score = 7.0; probability = 0.9999; hold_reason = SpamScore X-CanItPRO-Stream: 12_Moderate X-Canit-Stats-ID: 8221572 - 8e91405497db X-Scanned-By: CanIt (www . roaringpenguin . com) on 68.142.68.43 X-SpamCop-Checked: 192.168.1.101 68.142.68.26 68.142.68.43 88.104.5.9 I'm not sure where the [spam:******* 7.0 SpamScore] is being inserted but not by the SpamCop Email system - looks like roaringpenguin.com I don't see, in the headers, a SpamAssassin score so that will be why the message isn't picked up by the SpamCop system. You seem to have spam checking going on in SpamCop Email and roaringpenguin.com In this case roaringpenguin has identified the spam item and the SpamCop SpamAssassin filters have not. Andrew Link to comment Share on other sites More sharing options...
StevenUnderwood Posted November 10, 2006 Share Posted November 10, 2006 I don't see, in the headers, a SpamAssassin score so that will be why the message isn't picked up by the SpamCop system. Andrew: The SpamAssassin headers are at the top of the headers now fron spamcop: X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade1 X-spam-Level: * X-spam-Status: hits=2.0 tests=SARE_CSNUMTAG,SARE_RMML_Stock4,UNPARSEABLE_RELAY version=3.1.1 This message only scored 2.0 on SpamCop's system. Link to comment Share on other sites More sharing options...
agsteele Posted November 10, 2006 Share Posted November 10, 2006 Andrew: The SpamAssassin headers are at the top of the headers now fron spamcop: This message only scored 2.0 on SpamCop's system. Things keep moving around :-) But a score of 2 was below the OP's threshold so definitely the reason it hasn't been caught. Andrew Link to comment Share on other sites More sharing options...
kenh Posted November 10, 2006 Author Share Posted November 10, 2006 I'm not sure where the [spam:******* 7.0 SpamScore] is being inserted but not by the SpamCop Email system - looks like roaringpenguin.com I don't see, in the headers, a SpamAssassin score so that will be why the message isn't picked up by the SpamCop system. You seem to have spam checking going on in SpamCop Email and roaringpenguin.com In this case roaringpenguin has identified the spam item and the SpamCop SpamAssassin filters have not. Andrew I have no idea where the Roaring Penguin info is coming from. Perhaps it is my ISP but I don't know for sure. I have Spamcop set to a SpamAssassin score of 5 so it should be picking up this garbage too??????? Ken Link to comment Share on other sites More sharing options...
turetzsr Posted November 10, 2006 Share Posted November 10, 2006 Andrew: The SpamAssassin headers are at the top of the headers now fron spamcop: <snip> This message only scored 2.0 on SpamCop's system. <snip> [A] score of 2 was below the OP's threshold so definitely the reason it hasn't been caught. Andrew ...Thus I shall assume this resolves the OP's inquiry and so mark the thread. Link to comment Share on other sites More sharing options...
kenh Posted November 10, 2006 Author Share Posted November 10, 2006 [A] score of 2 was below the OP's threshold so definitely the reason it hasn't been caught. Andrew...Thus I shall assume this resolves the OP's inquiry and so mark the thread. I would think that if Roaring Penguin rates something as a 7 and a 99.99 percent probability that is is spam, SpamAssassin should also give it a high score. How are the criteria for SpamAssassin established? I would think that if Roaring Penguin rates something as a 7 and a 99.99 percent probability that is is spam, SpamAssassin should also give it a high score. How are the criteria for SpamAssassin established? I just went to the Roaring Penguin website and it says their software is based upon SpamAssassin. How then can the ratings be so different???? Now I am really confused. Ken Link to comment Share on other sites More sharing options...
Telarin Posted November 10, 2006 Share Posted November 10, 2006 It is up to the admin that configures SpamAssassin as to what score it associates with particular criteria. Roaring Penguin may have their own BL that they are pulling data from, or they may simply score particular attributes higher. If you have SpamAssassin set to 5, then it will filter messages scored 5 and ABOVE. You would need to set it to 2 to catch that particular message, which may cause you problems with false positives. You might want to just lower it gradually to see what works best for you. Link to comment Share on other sites More sharing options...
agsteele Posted November 11, 2006 Share Posted November 11, 2006 I have no idea where the Roaring Penguin info is coming from. Perhaps it is my ISP but I don't know for sure. I have Spamcop set to a SpamAssassin score of 5 so it should be picking up this garbage too??????? No, because the SC SpamAssasin check gave a score of 2 - below the threshold you set within SC Email. I just went to the Roaring Penguin website and it says their software is based upon SpamAssassin. How then can the ratings be so different???? Now I am really confused. The thing is, each company can set up their own scoring systems within SpamAssassin so RoaringPenguin could be applying entirely different checks to SC Email - hence a different score. As you know, some spam does filter through most checking services - the aim is to reduce this to a minimal, easily managed level. Selecting a good split of BLs plus a SpamAssassin score of 3 typically catches 98% of spam - at least for me. Andrew Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.