
Spam increase is crazy

Posted: 21 Nov 2011, 17:53
by alsmith
I am getting lots more spam on the server and keep updating my rules to include new domains. Seems every day there are more and more emails getting through to my Outlook (and customers on the server). Outlook is picking up lots and putting them in the Junk mail, but more and more stay in the inbox and not even Outlook picks them up.
Here is a sample header message. What do you think could be done? I notice the MailScanner-SpamScore: s or "sss" on all these type emails. (BTW I hid my personal email on this example.)

Return-path: <time@tel3canada.net>
Envelope-to:XX@XXXXXXX.com
Delivery-date: Mon, 21 Nov 2011 11:42:54 -0600
Received: from smtp.tel3canada.net ([94.154.124.191])
by golf.heretohost.com with esmtp (Exim 4.69)
(envelope-from <time@tel3canada.net>)
id 1RSXtH-0004Sf-0x
for XX@XXXX.com; Mon, 21 Nov 2011 11:42:47 -0600
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=tel3canada.net;
h=Message-ID:From:Date:Mime-Version:Subject:To:Content-Type:Content-Transfer-Encoding; i=time@tel3canada.net;
bh=o1Xq15DIsa7wdcNsOCd0Z3IhitA=;
b=FU7vBM1F0sdESAXTFDTNUHUq9K8BaAmCG34XuT4RW051Z1vIDoOHT9+d+68V0r3aBNKOJdpDw6w1
noQJjWP/qL8BO+FIvcaA1PP5EEJa7QYwgk3hDzxahuswgzbBXTCe/+mwMjoMI93TUIHAIqCx/psz
3sP5VNRWs1tlgSPrLtk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=tel3canada.net;
b=TbY06BZ9XnzyC3YonzJHL1A4sPnFpyS9N+Cm/Osi2HzqQAYMSu8Zo4nIBsm9X+9s1H/VAMY0C4YN
0QJEPMsZuOe6Wxvj01gx/OjP3OT+TVJT1aNVTyVQx4hAWLSBqPuLFMIecRn/UfA5BXXvAboU5bur
RyAK3Xgxt42qKW43C1w=;
Message-ID: <5630116823869342803@smtp.tel3canada.net>
From: "US TimeAttendance Software" <time@tel3canada.net>
Date: Mon, 21 Nov 2011 11:12:40 -0500
Mime-Version: 1.0
Subject: Make employee management easier than ever!
To: <XX@XXXXXX.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-HereToHost-MailScanner-Information: Please contact the ISP for more information
X-HereToHost-MailScanner-ID: 1RSXtH-0004Sf-0x
X-HereToHost-MailScanner: Found to be clean
X-HereToHost-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=1.7, required 4, LOTS_OF_MONEY 0.00, SPF_PASS -0.00,
URIBL_DBL_SPAM 1.70)
X-HereToHost-MailScanner-SpamScore: s
X-HereToHost-MailScanner-From: time@tel3canada.net
X-Spam-Status: No

Re: Spam increase is crazy

Posted: 21 Nov 2011, 23:25
by sawbuck
You might try adding additional RBLs. Barracuda.org can pick up a good portion of it but be cautious with SORBS as that list is very quick to block free providers. Although we've had good success with multiple RBLs, the IP provided in that message only shows on 3 of the more obscure lists so that probably wouldn't help much in this particular case.

There is some information that suggests using the SA Learn function (available in MailWatch) can improve over time the scoring in the Bayes database.

Out of frustration I've also used CIDR blocking in CSF to prevent some of the more egregious connections but that can have some unintended consequences, i.e. blocking legit customers.

Easy solutions are hard to come by.

Re: Spam increase is crazy

Posted: 21 Nov 2011, 23:31
by alsmith
Yes, thanks for the info. Exactly, there are no easy solutions.

Re: Spam increase is crazy

Posted: 22 Nov 2011, 15:28
by Sarah
Assuming that you have already been through the suggestions in this FAQ, there's not much more advice we can offer aside from writing your own spam rules, using additional RBLs and training your Bayes database as sawbuck mentions.

http://www.configserver.com/techfaq/index.php?faqid=51

Regards,
Sarah
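
Added example, not part of any post in this thread: a Python sketch that parses the MailScanner SpamCheck header from the sample message in the first post and tallies which SpamAssassin rules actually scored on mail that stayed under the threshold, which is what you need to know before writing custom rules or adjusting scores. The function names and the suffix match on the header name are assumptions of this example.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample: the scoring headers from the first post in this thread.
SAMPLE = """\
From: "US TimeAttendance Software" <time@tel3canada.net>
Subject: Make employee management easier than ever!
X-HereToHost-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
\tscore=1.7, required 4, LOTS_OF_MONEY 0.00, SPF_PASS -0.00,
\tURIBL_DBL_SPAM 1.70)
X-HereToHost-MailScanner-SpamScore: s

body
"""

NUM = r"(-?\d+(?:\.\d+)?)"
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) " + NUM)  # e.g. "URIBL_DBL_SPAM 1.70"

def parse_spamcheck(raw_message):
    """Return score, threshold and per-rule scores from a SpamCheck header."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        # The "X-HereToHost" prefix is site-specific, so match the suffix only.
        if name.lower().endswith("-mailscanner-spamcheck"):
            text = " ".join(value.split())  # unfold continuation lines
            break
    else:
        return None  # message was not scanned, or header was stripped
    score = re.search(r"score=" + NUM, text)
    required = re.search(r"required " + NUM, text)
    if not (score and required):
        return None  # header present but carries no numeric score
    score, required = float(score.group(1)), float(required.group(1))
    rules = {n: float(v) for n, v in RULE_RE.findall(text)}
    return {"score": score, "required": required,
            "shortfall": round(required - score, 2), "rules": rules}

def contributing_rules(raw_messages):
    """Count rules with a non-zero score on messages that stayed under the threshold."""
    hits = Counter()
    for raw in raw_messages:
        parsed = parse_spamcheck(raw)
        if parsed and parsed["score"] < parsed["required"]:
            hits.update(n for n, v in parsed["rules"].items() if v != 0)
    return hits

if __name__ == "__main__":
    print(parse_spamcheck(SAMPLE))
    print(contributing_rules([SAMPLE]).most_common())
```

Run over a folder of missed spam, the tally shows which rules fire consistently but score too low to reach the threshold; on the sample above only URIBL_DBL_SPAM contributes, leaving the message 2.3 points short of the required 4.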