Re: [IMail Forum] errant spam checking???"

FIRST Internet Mail Administrators Sat, 30 Aug 2003 16:59:49 +0000

What you see below is concatenated.  I see a lot of instances where the X-header as 
displayed in the email shows only the particular phrase/url/etc that was matched.


The best you can go on is that it is getting tagged based upon a phrase that begins 
with the word 'credit'.

I've never turned on debugging to get that detailed information, and so in the logs I 
don't know if it also suffers from the same concatenation, but I do know that in the 
X-header that is inserted it will not always show the full phrase that actually 
triggered.  It may be the same for the logs as well.

Mike Tindor

---------- Original Message ----------------------------------
From: "RMilner" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 29 Aug 2003 19:28:46 -0400

$1 to anyone who can figure this one out....

from the spam log....


08:29 18:08 SMTPD(005001FC) [00001772] <domain.com> VALIDATION: (HELO)
domain.com performing DNS lookup for HELO domain 2byead.com
08:29 18:08 SMTPD(005001FC) [00001772] <domain.com> VALIDATION: (HELO)
domain.com received reply from DNS server for HELO domain 2byead.com
08:29 18:08 SMTPD(005001FC) [00001772] <domain.com> VALIDATION: (MAIL FROM)
domain.com validating MAIL FROM address
[EMAIL PROTECTED]
08:29 18:08 SMTPD(005001FC) [00001772] <domain.com> VALIDATION: (MAIL FROM)
domain.com SUCCEEDED for user [EMAIL PROTECTED]
08:29 18:08 SMTPD(005001FC) [00001772] <domain.com> VALIDATION: (REVDNS)
domain.com performing reverse dns lookup on address (157.151.52.252)
08:29 18:08 SMTPD(005001FC) [00001772] <domain.com> VALIDATION: (REVDNS)
domain.com reverse DNS validation SUCCEEDED for address (157.151.52.252)
08:29 18:08 SMTP(0434000B) Got White List and Content Filter for domain.com
08:29 18:08 SMTP(0434000B) searching for phrases
08:29 18:08 SMTP(0434000B) matched phrase [credit]


from the header........


Received: from 2byead.com [157.151.52.252] by domain.com
  (SMTPD32-8.02) id AEF05001FC; Fri, 29 Aug 2003 18:08:48 -0400
Content-Type: multipart/alternative;
boundary="----------=_1062186063-31128-0"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Return-Path: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Received: from img.2byead.com by 2byead.com id
<[EMAIL PROTECTED]> for [EMAIL PROTECTED]; Fri, 29 Aug 2003
22:04:59 GMT
From: "Shanna" <[EMAIL PROTECTED]>
Subject: I am single again, we need to meet!
Date: Fri, 29 Aug 2003 22:04:59 GMT
Message-Id: <[EMAIL PROTECTED]>
Errors-To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
List-Unsubscribe: <http://www.2byead.com/unsub.php?id=GHBAADDCB5IHI600>,
<mailto:[EMAIL PROTECTED]>
X-IMAIL-SPAM-PHRASE: credit
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-IMail-Rule: H~X-IMAIL-SPAM:[EMAIL PROTECTED] Data- X-IMAIL-SPAM-PHRASE:
credit
X-UIDL: 362000269


Now, I do not even have the word "credit" by itself as a spam phrase, but
thats not even the real mystery (even though it could be) .....


Here is the entire body/source of the email:


<html>
<body>
<img src=
"http://img.2byead.com:8080/images/01/878.671003321.62219.06.1062194699.gif";
>
</body>
</html>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>

<title>Untitled Document</title>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

</head>



<body>

<A HREF=
"http://www.2byead.com/link.php?GHBAADDCB6GCCBJ6HBHFF00"; ><img src =
"http://images.eretrogamer.com/americansingles/600x400_32k_meetSingles.jpg";
width="600" height="400" border="0"></a>

</body>

</html>


<!-- footer -->
<p>
<center>
<font face="arial" size="-2">
<img src="http://www.2byead.com:8080/images/foot/f1a.gif"; align="top">
TheInsidersEdge.
<br>
<img src="http://www.2byead.com:8080/images/foot/f2a.gif"; align="top">
[EMAIL PROTECTED]
<br>
<a href="http://www.2byead.com/s_uns.php?id=GHBAADDCB1IHI200";><img src="
http://www.2byead.com:8080/images/foot/f3a.gif"; border="0" align="top"></A>
<img src="http://www.2byead.com:8080/images/foot/f3b.gif"; align="top">
<a href="
mailto:[EMAIL PROTECTED]
">
[EMAIL PROTECTED]</a>
<br>
<img src="http://www.2byead.com:8080/images/foot/f4a.gif"; align="top">
<p>
<img src="http://www.2byead.com:8080/images/foot/f5a.gif"; align="top">
2byead.com.
<p>
Friday 08/29/03 15:08:51-62219
</font>
</center>
<!-- /footer -->




Does anyone see ANYTHING that even looks like the word "credit" in the
source????? So what triggered the phrase "credit" which by itself isn't even
in my spam phrase list?

If you can figure out part 1, here are the phrases beginning with the word
"credit" in my spam list. Can anyone see from this list which phrase would
trigger on the word "credit" by itself (if the word was actually in the
source).



credit rebuilding service
creditors bid on your existing mortgage
credit card required
credit card dedbt
credit card debt
creditors calling
credit profile in 24 hours
creditors harassing
credit online
credit repair
credit card approval
credit yourself online







To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

 




________________________________________________________________
Sent via the WebMail system at 1st.net


 
                   

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

Re: [IMail Forum] errant spam checking???"

Reply via email to