On 12/20/2016 05:11 AM, Glen Page wrote:
> Here is the header info from a message that I got from our Dean. It got
> flagged as Spam somewhere along the way.
...
> {Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS
> CANCELLED FOR TONIGHT
> To: cl...@lists.thet.net students2...@lists.thet.net
> X-Thetnet-Mailscanner-Information: Please contact the ISP for more information
> Sender: admin-boun...@lists.thet.net
> List-Archive: <http://lists.thet.net/mailman/private/admin/>
> Authentication-Results: mx.google.com; dkim=neutral (body hash did not
> verify) header.i=@thet-net.20150623.gappssmtp.com; spf=fail (google.com:
> domain of admin-boun...@lists.thet.net does not designate 104.219.98.14 as
> permitted sender) smtp.mailfrom=admin-boun...@lists.thet.net
> X-Received: by 10.55.20.95 with SMTP id e92mr9675564qkh.54.1481993433047;
> Sat, 17 Dec 2016 08:50:33 -0800 (PST)
> X-Received: by 10.13.204.67 with SMTP id o64mr6487069ywd.47.1481993249239;
> Sat, 17 Dec 2016 08:47:29 -0800 (PST)
> Return-Path: <admin-boun...@lists.thet.net>
> List-Help: <mailto:admin-requ...@lists.thet.net?subject=help>
> X-Original-To: ad...@lists.thet.net
> X-Original-To: employ...@lists.thet.net
> X-Original-To: cl...@lists.thet.net
> X-Thetnet-Mailscanner-Spamscore: sssssss, sssssss, sssss, sssss
> X-Gm-Message-State:
> AKaTC03CGHzT3zezdGpZ3HNvRPiPVZelD2bKmhcA8Wn9WsDZT93E/DWWFFAFrbExpkGdZ0xWfYUPvqPLwJXAyg==
> List-Id: Interactive mailing list for TA Administrators <admin.lists.thet.net>
> X-Mailman-Version: 2.1.12
> X-Greylist: whitelisted by SQLgrey-1.7.6
> X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net;
> s=20161025;
> h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
> bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=;
> b=XDw9OtI9GY0saYUhV9g6nVzCeS2/FHyuJUbb3YrEZtrQAg+GOI9B1chbVDYuIDm9Ip
> EpVs8ERwixZfcbO+hRhz21h6dmm1kRorFGHjVKUjt9fOONcqX0C3i0FPy+VHgxf4nPnT
> 5wzEquSIGU7I5YoUNFK7AR6pqPCRXqEaS4t9Aa0Q9njL2Y2XEh+dw1z1e3XreibJMMr6
> kYmbFTM6YcxBprB6XJCHzVI4R51a9L2CmxJCHn8X+ULXsligpbAIr8vnMxT8QjAxejM6
> A1kiQZG57hSs4B/8R8TQeX3jj2QpF1XULvdkLgxDlskybV2LdQP2tTpDf9aI0TnXO+bg ralw==
> X-Thetnet-Mailscanner-Spamcheck: spam, SORBS-SPAM, SpamAssassin (cached,
> score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70,
> HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
> SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (cached,
> score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70,
> HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
> SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached,
> score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70,
> HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
> SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809,
> required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00,
> RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)
> X-Thetnet-Mailscanner: Found to be clean, Found to be clean, Found to be
> clean, Found to be clean
> List-Post: <mailto:ad...@lists.thet.net>
> Errors-To: admin-boun...@lists.thet.net
> Message-Id:
> <cacaqbrtud-haaof54gcwrqqffha6q3gmqvbnecrmnzvngfi...@mail.gmail.com>
> X-Spam-Status: Yes, Yes, Yes, Yes
> X-Thetnet-Mailscanner-From: admin-boun...@lists.thet.net
> Mime-Version: 1.0
> Precedence: list
> Received: by 10.80.136.105 with SMTP id c38csp743701edc; Sat, 17 Dec 2016
> 08:50:33 -0800 (PST)
> Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com with
> ESMTPS id n185si342354qke.282.2016.12.17.08.50.32 (version=TLS1
> cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016 08:50:32 -0800 (PST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by
> dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17 Dec 2016
> 11:49:56 -0500 (EST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by
> dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17 Dec 2016
> 11:49:04 -0500 (EST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by
> dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17 Dec 2016
> 11:48:05 -0500 (EST)
> Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com
> [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7
> for <cl...@lists.thet.net>; Sat, 17 Dec 2016 11:47:29 -0500 (EST)
> Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for
> <cl...@lists.thet.net>; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
> Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST)
> Content-Type: multipart/mixed; boundary="===============0140925220=="
> X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7
> Delivered-To: glen.p...@thet.net.test-google-a.com
> Delivered-To: ad...@lists.thet.net
> Delivered-To: employ...@lists.thet.net
> Delivered-To: cl...@lists.thet.net
> X-Beenthere: cl...@lists.thet.net
> X-Beenthere: employ...@lists.thet.net
> X-Beenthere: ad...@lists.thet.net
> Received-Spf: fail (google.com: domain of admin-boun...@lists.thet.net does
> not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14;
> List-Unsubscribe: <http://lists.thet.net/mailman/options/admin>
> List-Unsubscribe: <mailto:admin-requ...@lists.thet.net?subject=unsubscribe>
> List-Subscribe: <http://lists.thet.net/mailman/listinfo/admin>,
> <mailto:admin-requ...@lists.thet.net?subject=subscribe>
> Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=thet-net.20150623.gappssmtp.com; s=20150623;
> h=mime-version:from:date:message-id:subject:to;
> bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=;
> b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk
> JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q
> SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8
> U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328
> XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==
This message was scanned by MailScanner on thet.net 4 times, once before
the Claws list, once between that and the Employees list, once between
that and the TA Admin list and once on the way out.
It appears from the
X-Thetnet-Mailscanner-Spamscore: sssssss, sssssss, sssss, sssss
header that after the first two times, the score decreased.
The header
X-Thetnet-Mailscanner-Spamcheck: spam, SORBS-SPAM, SpamAssassin (cached,
score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70,
HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (cached,
score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70,
HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not
cached, score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL
2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809,
required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00,
RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)
Reflects the SpamAssassin hits from each pass. The first report is
spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5,
BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00,
RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51,
SUSPICIOUS_RECIPS 2.51)
and the last is
spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90,
DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00,
SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)
The score dropped because after the initial passes, tags/prefixes got
added that caused SUBJ_ALL_CAPS to miss (it should have missed on the
second scan, but a cached result was used).
The big hits besides SUBJ_ALL_CAPS are DNS_FROM_AHBL_RHSBL,
SORTED_RECIPS and SUSPICIOUS_RECIPS
DNS_FROM_AHBL_RHSBL looks like a blacklist of some sort, but it is not
in my up to date spamassassin. The others are standard rules in
20_head_tests.cf described as
describe SORTED_RECIPS Recipient list is sorted by address
describe SUSPICIOUS_RECIPS Similar addresses in recipient list
Were it not for the DNS_FROM_AHBL_RHSBL hit, the score would have been <
5 all 4 times.
--
Mark Sapiro <m...@msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe:
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
