My ASSP uses test mode, causing the subject to be prefixed with [SPAM], which I catch downstream (in case that matters). The problem I'm having is that mail with a faked from address (different from MAIL FROM) is getting through unmarked.
Below is an analysis of such a message. As you can see, ASSP is identifying from != mail from. I have DONOSPOOFING4FROM checked, and DONOSPOOFING set to score. Yet the message below was not tagged as SPAM, and scores 0.
Can someone explain why? (I have linkedin.com in a whitelist, but that should not count for spoofed from!?)

Thanks
Michelle

----------------
sender and reply addresses:
MAIL FROM: bryannaale...@sepag.ch
Sender: messages-nore...@bounce.linkedin.com
From: passw...@linkedin.com

recipient addresses:
RCPT TO: myn...@mydomain.ca
To: myn...@mydomain.ca

Feature Matching:
• Whitelist: 'messages-nore...@bounce.linkedin.com'
• 197.0.48.176 is in SPFCache: status=softfail with helo=[197.0.48.176]
• SPF-check returned OK for 197.0.48.176 -> bryannaale...@sepag.ch, [197.0.48.176]
• SPF: softfail (cache) ip=197.0.48.176 mailfrom=bryannaale...@sepag.ch helo=[197.0.48.176]
• DMARC-check returned OK
• URIBL check: 'OK'
• Not a Valid Format of HELO: '[197.0.48.176]'
• Invalid Format of HELO: 'highest match: "197.0.48" with valence: 5 - PB value = 5'
• matching invalidFormatHeloRe(file:files/invalidhelo.txt[line 4]): '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
• IP in Helo check: 'OK'
• 199.101.160.51 is in RBLCache: inserted as ok at 2013-03-08 18:07:58
• 64.182.103.22 is in RBLCache: inserted as ok at 2013-03-01 06:04:34
• RBLCheck returned OK for 197.0.48.176: DNSBL: neutral, 197.0.48.176 listed in l2.apews.org psbl.surriel.com
• domain sepag.ch has valid MXA record: all01.mx.genotec.ch 82.195.224.56
• 197.0.48.176 is in RWLCache: status=not listed
• 197.0.48.0 has a Griplist value of 0.8

Bayesian Analysis:
- word stemming engine is used

Bad Words / Bad Prob / Good Words / Good Prob (entries in the order shown):
[addr] sender 0.0000
sender [addr] 0.0000
sender [addr] 0.0002
[addr] sender 0.0501
rcpt [addr] 0.9275
ssub now 0.8742
ssub connecting 0.1345
connecting ssub 0.1546
ssub your 0.8228
your ssub 0.8225
[addr] sender 0.7839
now ssub 0.7759
of your 0.7701
of ssub 0.7677
ssub of 0.7676
now part 0.2405
network ssub 0.2610
ssub network 0.2835
part ssub 0.7057
ssub is 0.6992
is ssub 0.6990
ssub part 0.6983
helo smtprandnumberdnsexit.com 0.6426
smtprandnumberdnsexit.com rcpt 0.6293
keep ssub 0.6012

Bayesian Spam Probability:
combined probability: 0.00000000 - got 25 - used 60 most significant results
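The mismatch visible in the analysis above, as an added example (not ASSP code and not part of the original post): it compares the envelope MAIL FROM domain with the From: and Sender: header domains and honours a whitelist match only when that header identity is aligned with the envelope. The function names, the two-label organizational-domain shortcut, the whitelist policy and the placeholder local parts are assumptions; only the domains come from the post.

```python
from email import message_from_string
from email.utils import parseaddr


def org_domain(address):
    """Lower-cased last two labels of the address's domain.
    Simplification (assumption): real alignment checks use the Public Suffix List."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])


def check_alignment(mail_from, raw_headers, whitelist_domains):
    """Compare the envelope MAIL FROM with the From: and Sender: headers."""
    msg = message_from_string(raw_headers)
    env = org_domain(mail_from)  # empty string for a null sender (<>)
    result = {"envelope": env, "mismatched": [],
              "whitelist_hit": None, "whitelist_trusted": False}
    for name in ("From", "Sender"):
        value = msg.get(name)
        if not value:
            continue
        dom = org_domain(value)
        if env and dom != env:
            result["mismatched"].append((name, dom))
        if dom in whitelist_domains and result["whitelist_hit"] is None:
            result["whitelist_hit"] = (name, dom)
            # Hypothetical policy: a whitelisted header identity only counts
            # when it is aligned with the envelope sender.
            result["whitelist_trusted"] = bool(env) and dom == env
    return result


# Constructed sample: domains are those in the post, local parts are placeholders.
SAMPLE_HEADERS = (
    "Sender: placeholder@bounce.linkedin.com\n"
    "From: placeholder@linkedin.com\n"
    "To: placeholder@mydomain.ca\n"
    "Subject: constructed sample\n\n"
)


def demo():
    return check_alignment("placeholder@sepag.ch", SAMPLE_HEADERS, {"linkedin.com"})


if __name__ == "__main__":
    print(demo())
```
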