Spam passes through w/o activating any rules.

nabuhonodozor
Junior Member
Posts: 48
Joined: 29 Oct 2007, 07:01

Post by nabuhonodozor »

Hi,
I am not sure it's the right forum, but lately I am getting a high volume of spam which passes through MailScanner like wind through a desert.

Almost all mails are treated correctly. MS, SA, clam work like a charm, but there's a small number of mails (compared to the whole mail count) which seem to bypass all checking.

All of them don't have a sender, are short and don't trigger any SA rule. Even if I raise the SA rule for HTML mails to 0.4, those which are formatted in HTML don't trigger any action.

Do you have any idea what to do?

Best,
Piotr


Below is one of those messages, and after it I put the exim_mail log:
==================================
From - Thu May 29 07:26:07 2008
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path: <>
Envelope-to: JOE@MYEMAIL.COM
Delivery-date: Thu, 29 May 2008 06:51:15 +0200
Received: from 84.120.161.199.dyn.user.ono.com ([84.120.161.199])
by MY.SERVER.COM with smtp (Exim 4.68)
id 1K1a6b-0006ny-Cr
for JOE@MYEMAIL.COM; Thu, 29 May 2008 06:51:13 +0200
Received: from [84.120.161.199] (port= helo=84.120.161.199.dyn.user.ono.com)
by email.com with esmtp
id --
for JOE@MYEMAIL.COM; Thu, 29 May 2008 06:51:01 +0100
Message-ID: <483E3635.7070509@MYEMAIL.COM>
Date: Thu, 29 May 2008 06:51:01 +0100
From: "Erwin" <>
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: "Pat" <JOE@MYEMAIL.COM>
Subject: {Spam?} Really win casino
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spero-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-ID: 1K1a6b-0006ny-Cr
X-Spero-MailScanner: No Virus Found.
X-Spero-MailScanner-SpamCheck: spam(no watermark or sender address)
X-Spero-MailScanner-From:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Win, win, win with us - really casino <A HREF="http://mexx-style.cn/">http://mexx-style.cn/</A>
</body>
</html>
====================================

main_exim log:

2008-05-29 06:51:12 H=84.120.161.199.dyn.user.ono.com [84.120.161.199] Warning: Sender rate 0.0 / 1h
2008-05-29 06:51:13 1K1a6b-0006ny-Cr <= <> H=84.120.161.199.dyn.user.ono.com [84.120.161.199] P=smtp S=895 id=483E3635.7070509@MYEMAIL.COM T="Really win casino"
2008-05-29 06:51:15 cwd=/var/spool/MailScanner/incoming/3913 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1K1a6b-0006ny-Cr
2008-05-29 06:51:15 1K1a6b-0006ny-Cr => JOE <JOE@MYEMAIL.COM> R=virtual_user T=virtual_userdelivery
2008-05-29 06:51:15 1K1a6b-0006ny-Cr Completed
Sarah
Moderator
Posts: 934
Joined: 09 Dec 2006, 22:49

Post by Sarah »

The clue is in the SpamCheck report in the headers:

X-Spero-MailScanner-SpamCheck: spam(no watermark or sender address)

MailScanner's watermarking rule has been triggered because there was no sender. Go into the MailScanner Configuration and search for Watermarking. There is a whole section with multiple settings and you can disable it entirely or tweak it to your liking. I presume that MailScanner doesn't bother checking the mail further if it has matched the watermark test, and just applies whatever action is configured for the watermark test.

Regards,
Sarah
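
To see how many messages on a server fall into the case described above, the SpamCheck header and the Exim main log can be checked together. This is an added example, not part of the original posts or of MailScanner; the function names are hypothetical and the sample data is constructed from the header and log lines quoted in the thread.

```python
import re
from email import message_from_string

# Constructed samples: trimmed from the headers and log quoted in the thread,
# plus one made-up message with a normal sender for contrast.
SAMPLE_MSG = """\
Return-path: <>
Envelope-to: JOE@MYEMAIL.COM
Subject: {Spam?} Really win casino
X-MailScanner-ID: 1K1a6b-0006ny-Cr
X-Spero-MailScanner-SpamCheck: spam(no watermark or sender address)

body
"""
SAMPLE_LOG = """\
2008-05-29 06:51:13 1K1a6b-0006ny-Cr <= <> H=84.120.161.199.dyn.user.ono.com [84.120.161.199] P=smtp S=895
2008-05-29 06:51:15 cwd=/var/spool/MailScanner/incoming/3913 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1K1a6b-0006ny-Cr
2008-05-29 06:51:15 1K1a6b-0006ny-Cr => JOE <JOE@MYEMAIL.COM> R=virtual_user T=virtual_userdelivery
2008-05-29 06:52:00 1K1a7c-0006pA-Dq <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
2008-05-29 06:52:02 1K1a7c-0006pA-Dq => JOE <JOE@MYEMAIL.COM> R=virtual_user T=virtual_userdelivery
"""

# The header name carries the site's org name ("Spero" in the thread), so match any.
SPAMCHECK = re.compile(r"^X-(?:.+-)?MailScanner-SpamCheck$", re.I)
ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LOG = re.compile(rf"^\S+ \S+ (?P<id>{ID}) (?P<dir><=|=>) (?P<rest>.*)$")

def watermark_verdict(raw):
    """Return (queue id, True if the spam verdict came from the watermark test)."""
    msg = message_from_string(raw)
    for name, value in msg.items():
        if SPAMCHECK.match(name):
            return msg.get("X-MailScanner-ID"), "no watermark or sender address" in value
    return msg.get("X-MailScanner-ID"), False

def null_sender_deliveries(log):
    """Queue ids that arrived with an empty envelope sender (<>) and were delivered."""
    null_in, delivered = set(), []
    for line in log.splitlines():
        m = LOG.match(line)
        if not m:
            continue  # e.g. the "cwd=... args:" line has no queue id in third position
        if m["dir"] == "<=" and m["rest"].startswith("<> "):
            null_in.add(m["id"])
        elif m["dir"] == "=>" and m["id"] in null_in and m["id"] not in delivered:
            delivered.append(m["id"])
    return delivered

if __name__ == "__main__":
    print(watermark_verdict(SAMPLE_MSG), null_sender_deliveries(SAMPLE_LOG))
```

Running the same two checks before and after changing the Watermarking settings shows whether null-sender mail is still being tagged and delivered.
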
nabuhonodozor
Junior Member
Posts: 48
Joined: 29 Oct 2007, 07:01

Post by nabuhonodozor »

Thanks Sarah,
That was the cause!
I tweaked the watermark settings and now all those mails are gone.

Thanks!
Piotr