A month ago I upgraded ASSP 2.2.1(12137)  (and also moved to a new partition).  
Since then, my volume of spam getting through ASSP has increased considerably.  
Attached below is an example - clearly forged sender.  Why isn't ASSP trapping 
this?

I attached the analysis of the header below.  Strangely the probability is 
showing as 0.50000 for a bunch of messages I tested...

I'm not sure how to fix this.  Help...

Thanks!

-----------------

•ISP/Secondary Header:'Received: from [95.56.197.53] ([95.56.197.53]) by smtp2.netdorm.com'
•Switched to ISP/Secondary IP: '95.56.197.53'

using enhanced Originated IP detection
•detected IP's on the mail routing way: 199.101.162.39 (no PTR)
•detected source IP: 199.101.162.39

sender and reply addresses:
MAIL FROM: angelabrund...@manzoniconsulting.it
Sender: messages-nore...@bounce.linkedin.com
From: passw...@linkedin.com


recipient addresses:
RCPT TO: myacco...@mydomain.com
To: myacco...@mydomain.com


Feature Matching:

• SPF-check returned OK for 95.56.197.53 -> angelabrund...@manzoniconsulting.it, [95.56.197.53]
• URIBL check<http://mail.ocg.ca:55555/#ValidateURIBL>: 'OK'
• Not a Valid Format of HELO<http://mail.ocg.ca:55555/#DoValidFormatHelo>: '[95.56.197.53]'
• Invalid Format of HELO<http://mail.ocg.ca:55555/#invalidFormatHeloRe>: 'highest match: "95.56.197" with valence: 5 - PB value = 5'
 • matching invalidFormatHeloRe(file:files/invalidhelo.txt[line 4]): '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
• IP in Helo check<http://mail.ocg.ca:55555/#DoIPinHelo>: 'OK'
• 199.101.162.39 is in RBLCache: inserted as ok at 2012-08-15 11:40:51
• 95.56.197.53 is in RBLCache: inserted as not ok at 2012-08-15 11:40:51 , listed by l2.apews.org{127.0.0.2} zen.spamhaus.org{127.0.0.11}
• domain manzoniconsulting.it has valid MXA record: mx1.interac.it 212.183.164.48
• 95.56.197.0 has a Griplist value of 0.8

________________________________

Bayesian Analysis:

Bad Words       Bad Prob        Good Words      Good Prob

________________________________

Bayesian Spam Probability:

combined probability:   0.50000000 - got 0 - used 60 most significant results



----------------


Received: from smtp2.netdorm.com (172.31.254.35) by mail.mydomain.com
 (172.31.254.35) with Microsoft SMTP Server id 8.1.436.0; Wed, 15 Aug 2012
 11:40:50 -0400
Received: from smtp2.netdorm.com ([67.214.161.138] helo=smtp2.netdorm.com) by
 spamfilter.mydomain.com with SMTP (2.2.1); 15 Aug 2012 11:40:49 -0400
Received: from [95.56.197.53] ([95.56.197.53]) by smtp2.netdorm.com
 (8.13.8/8.13.8) with ESMTP id q7FFf9fd022957 for <myacco...@mydomain.com>;
 Wed, 15 Aug 2012 11:41:11 -0400
Received: from mailb-ea.linkedin.com ([199.101.162.39]) by mx1.interac.it;
  Wed, 15 Aug 2012 04:40:41 +0600
Sender: <messages-nore...@bounce.linkedin.com>
Date: Wed, 15 Aug 2012 04:40:41 +0600
From: LinkedIn Password <passw...@linkedin.com>
To: myaccount <myacco...@mydomain.com>
Message-ID: <430288651.0623442.3275882383774.javamail....@ela2-app1439.prod>
Subject: Re: Fwd: Better Business Bureau Complaint
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_Part_4847258_8686314084.0929890424051"
X-LinkedIn-Template: password_reset
X-LinkedIn-Class: ACCT-ADMIN
X-LinkedIn-fbl: s-N5P69E8AHU3GMGEJT75CSRO431MBXDC8K3EG6S-K40V2PDRHOKH9R7
X-OriginalArrivalTime: Wed, 15 Aug 2012 04:40:41 +0600
 FILETIME=[7D3A5495:E1B208E1]
X-Assp-Version: 2.2.1(12137) on spamfilter.mydomain.com
X-Assp-Received-SPF: none ip=67.214.161.138
 mailfrom=angelabrund...@manzoniconsulting.it
 helo=smtp2.netdorm.com
X-Assp-Message-Score: 10 (SPF none)
X-Assp-IP-Score: 10 (SPF none)
X-Assp-Message-Score: 17 (DNSBL: neutral, 95.56.197.53 listed in
 l2.apews.org zen.spamhaus.org)
X-Assp-IP-Score: 17 (DNSBL: neutral, 95.56.197.53 listed in l2.apews.org
 zen.spamhaus.org)
X-Assp-DNSBL: neutral, 95.56.197.53 listed in (l2.apews.org<-127.0.0.2;
 zen.spamhaus.org<-127.0.0.11; )
X-Assp-ID: spamfilter.mydomain.com m1-45249-76011
X-Assp-Detected-RIP: 199.101.162.39, 95.56.197.53
X-Assp-Source-IP: 199.101.162.39
X-Assp-Envelope-From: angelabrund...@manzoniconsulting.it
X-Assp-Intended-For: myacco...@mydomain.com
Return-Path: angelabrund...@manzoniconsulting.it
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
