Re: A Spam Message That Got Through!

2006-02-19 Thread mouss
Evan Platt a écrit :
 At 10:48 PM 2/17/2006, you wrote:
 
 Today I got a spam message which seems, at least for a newbie like me,
 succeeded in passing SA for some reason!

 I'm calling SA through amavisd-new and have my Rules Du Jour updated
 (manual updates so far)

 I would like to block such messages therefore, I'm seeking your kind
 assistance in determining how it passed the tests and what am I
 supposed to do in order to prevent these messages?
 
 
 If you'd like to *BLOCK* such messages, use the postfix header_checks to
 block any mail that is both from AND to you. (I can't help you with the
 syntax there, but I'm sure someone else can.)
 
 

He can't. Postfix header_checks look at headers one at a time. He can
use procmail/maildrop/etc. instead; whether this is safe is another issue.



Re: A Spam Message That Got Through!

2006-02-19 Thread mouss
Yousef Raffah a écrit :
 Received: from emailmarketingmasters.com (i538754C0.versanet.de
 [83.135.84.192]) by kansai.savoladns.com (Postfix) with SMTP id
 7B42810073 for [EMAIL PROTECTED]; Fri, 17 Feb 2006 18:43:21 +0300 (AST)

you could
- use njabl's dynablock to block the client (83.135.84.192). (Don't use
sorbs).
- reject helo when it's emailmarketingmasters.com
- greylist clients that match /\d{5}/ (don't block as this is unsafe).
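As an added illustration of the three checks mouss lists (this is not code from the thread, from Postfix or from njabl), the Python below parses the Postfix-style Received header quoted above and reports which checks apply. The HELO/rDNS base-domain comparison is an extra heuristic signal beyond what mouss suggests, and the recipient address and DNSBL zone name are placeholders.

```python
import re

# Constructed sample: the Postfix Received header quoted in this thread, with the
# redacted recipient replaced by a placeholder address.
SAMPLE_RECEIVED = (
    "Received: from emailmarketingmasters.com (i538754C0.versanet.de "
    "[83.135.84.192]) by kansai.savoladns.com (Postfix) with SMTP id "
    "7B42810073 for <user@example.invalid>; Fri, 17 Feb 2006 18:43:21 +0300 (AST)"
)

# Postfix writes: from <HELO name> (<reverse DNS or 'unknown'> [<client IP>]) by <host>
POSTFIX_RCVD = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(header):
    """Return helo, rdns, ip and receiving host parsed from a Postfix Received header."""
    m = POSTFIX_RCVD.search(header)
    if not m:
        return None
    info = m.groupdict()
    if info["rdns"].lower() == "unknown":   # Postfix's marker for "no reverse DNS"
        info["rdns"] = ""
    return info


def base_domain(name):
    """Crude registered-domain guess: the last two labels (no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def helo_matches_rdns(helo, rdns):
    """True when the HELO name and the reverse DNS name share a base domain."""
    return bool(rdns) and base_domain(helo) == base_domain(rdns)


def looks_dynamic(rdns):
    """mouss's /\\d{5}/ heuristic: five consecutive digits suggest a generic pool name."""
    return re.search(r"\d{5}", rdns) is not None


def dnsbl_query_name(ip, zone):
    """Reversed-octet DNSBL query name, e.g. 83.135.84.192 -> 192.84.135.83.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def assess(header, rejected_helos=("emailmarketingmasters.com",)):
    """Apply the thread's checks; returns (parsed info, list of findings)."""
    info = parse_received(header)
    if info is None:
        return None, ["unparsed_received"]
    findings = []
    if info["helo"].lower() in rejected_helos:
        findings.append("reject_helo")            # check_helo_access-style reject
    if not helo_matches_rdns(info["helo"], info["rdns"]):
        findings.append("helo_rdns_mismatch")     # signal only; legit mail does this too
    if looks_dynamic(info["rdns"]):
        findings.append("greylist_dynamic_rdns")  # greylist, do not block outright
    return info, findings


if __name__ == "__main__":
    parsed, flags = assess(SAMPLE_RECEIVED)
    print(parsed["ip"], flags)
    # The client IP would be looked up under a DNSBL zone like this (zone is a placeholder):
    print(dnsbl_query_name(parsed["ip"], "dnsbl.example"))
```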




Re: A Spam Message That Got Through!

2006-02-18 Thread hamann . w


Hi Yousef,

I am suggesting something that has been discussed controversially in the past:
don't let the mail even reach SA.
I would assume that mail reaching my mailserver and saying it is from my domain
would be mail submitted by one of my users, so I have changed the MTA to require
authentication. At the time I did that, the only valid mail with forged sender
was some kind of ebay notification, but they seem to have changed that.

Your headers don't show anything about SA testing;
there was a discussion about SA not scanning messages occasionally.
Also I would expect that emailmarketingmasters.com should show up in various
RBLs - check whether you have network tests enabled.

Wolfgang Hamann

 
 
 Today I got a spam message which seems, at least for a newbie like me,
 succeeded in passing SA for some reason!
 
 I'm calling SA through amavisd-new and have my Rules Du Jour updated
 (manual updates so far)
 
 I would like to block such messages therefore, I'm seeking your kind
 assistance in determining how it passed the tests and what am I
 supposed to do in order to prevent these messages?
 
 Here are the headers of the message
 
 Return-Path: [EMAIL PROTECTED]
 Received: from 10.10.10.50 by mailsrv with ESMTP id 44344701140190415;
 Fri, 17 Feb 2006 18:33:35 +0300
 Received: from kansai.savoladns.com ([10.10.10.10]) by imssr with
 trend_isnt_name_B; Fri, 17 Feb 2006 18:43:31 +0300
 Received: from kansai.savoladns.com ([127.0.0.1]) by localhost
 (kansai.savoladns.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
 id 19503-12 for [EMAIL PROTECTED]; Fri, 17 Feb 2006 18:43:23 +0300
 (AST)
 Received: from emailmarketingmasters.com (i538754C0.versanet.de
 [83.135.84.192]) by kansai.savoladns.com (Postfix) with SMTP id
 7B42810073 for [EMAIL PROTECTED]; Fri, 17 Feb 2006 18:43:21 +0300 (AST)
 Received: from 208.153.96.3 (SquirrelMail authenticated user
 [EMAIL PROTECTED]); by emailmarketingmasters.com with HTTP id
 J85Gz008484008; Fri, 17 Feb 2006 15:42:56 +
 Message-Id: [EMAIL PROTECTED]
 Date: Fri, 17 Feb 2006 15:42:56 +  (18:42 AST)
 Subject: In the Heart of Your Business!
 From: Alishia Hurst [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 User-Agent: SquirrelMail/1.4.3a
 X-Mailer: SquirrelMail/1.4.3a
 MIME-Version: 1.0
 Content-Type: text/html
 X-Priority: 3
 X-Virus-Scanned: amavisd-new at savola.com
 
 Notice that the sender used my address as their E-mail address (forged
 mail)
 
 Running:
 SA SpamAssassin Client version 3.1.0
 amavisd-new-2.3.3 (20050822)
 Postfix 2.2.5
 
 Sincerely,
 Yousef Raffah
 Senior Systems Administrator
 SSIS - The Savola Group
 
 --



Re: A Spam Message That Got Through!

2006-02-18 Thread Yousef Raffah
On Sat, 2006-02-18 at 08:05 +, [EMAIL PROTECTED] wrote:
 
 Hi Yousef,
 
Hello Wolfgang
 I am suggesting something that has been discussed controversially in the past:
 don't let the mail even reach SA.
 I would assume that mail reaching my mailserver and saying it is from my domain
 would be mail submitted by one of my users, so I have changed the MTA to require
 authentication. At the time I did that, the only valid mail with forged sender
 was some kind of ebay notification, but they seem to have changed that.
 
I have my postfix check SPF records, as far as I remember; check my
postconf -n at the bottom of the message.

 Your headers dont show anything about SA testing;
 there was a discussion about SA not scanning messages occasionally
That's why I'm worried about it not showing anything related to SA in
the headers!!

 Also I would expect that emailmarketingmasters.com should show up in various
 RBLs - check whether you have network tests enabled
 
Here is my postconf -n, which shows I have several network tests enabled
(RBLs, if I'm not mistaken):

postconf -n
biff = no
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_destination_concurrency_limit = 30
delay_warning_time = 1h
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = .maildir/
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination =
mydomain = savoladns.com
myhostname = kansai.savoladns.com
mynetworks = 127.0.0.0/8, 222.22.1.191/32, 222.22.1.157/32,
172.31.12.10/32, 222.22.1.105/32
myorigin = savola.com
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software, protocol
proxy_interfaces = 212.12.174.6
queue_directory = /var/spool/postfix
queue_minfree = 12000
readme_directory = /usr/share/doc/postfix-2.2.5/readme
relay_domains = $transport_maps
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient
reject_non_fqdn_sender reject_unknown_sender_domain
reject_unknown_recipient_domain permit_mynetworks
reject_unauth_destination check_recipient_access
hash:/etc/postfix/roleaccount_exception reject_multi_recipient_bounce
check_helo_access pcre:/etc/postfix/helo_checks reject_non_fqdn_hostname
reject_invalid_hostname check_policy_service unix:private/policy-spf
check_sender_access hash:/etc/postfix/sender_access reject_rbl_client
relays.ordb.org reject_rbl_client cbl.abuseat.org reject_rbl_client
sbl-xbl.spamhaus.org check_sender_access
hash:/etc/postfix/rhsbl_sender_exceptions reject_rhsbl_sender
dsn.rfc-ignorant.org permit
smtpd_restriction_classes = greylist
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
proxy:ldap:/etc/postfix/ldap-aliases.cf




RE: A Spam Message That Got Through!

2006-02-18 Thread Gary V


Today I got a spam message which seems, at least for a newbie like me,
succeeded in passing SA for some reason!

I'm calling SA through amavisd-new and have my Rules Du Jour updated
(manual updates so far)

I would like to block such messages therefore, I'm seeking your kind
assistance in determining how it passed the tests and what am I
supposed to do in order to prevent these messages?

Yousef Raffah


If you have only received one spam so far, you have either done a very good 
job of setting up your system or your spam threshold is set too low. Do you 
really think it is possible to stop every single piece of spam (without a 
lot of false positives)? Don't you think spammers know about blacklists and 
SpamAssassin? They work very hard at composing messages that will not get 
blocked by SpamAssassin. If you are one of the first to receive a spam 
mailer from them, their mail may not yet be in any network based blacklists. 
You should use sa-learn to feed this message to Bayes. If you get the same 
message a number of times, you should consider learning how to create custom 
rules (which involves some basic understanding of regex). Without the entire 
message I don't think anyone can determine if there is some problem with 
your system, or if this particular spam simply scored low because the 
spammer is good at what they do. BTW, it is helpful to see what rules hit. 
Since you don't have the X-Spam-Status report, it will be difficult to 
diagnose. There is no way to know on our end if the sender was whitelisted 
or auto-whitelisted. In amavisd-new you should lower $sa_tag_level_deflt so 
both spam and ham get the X-Spam-Status header.


$sa_tag_level_deflt  = undef; # add spam info headers if at, or above that level;
                              # undef is interpreted as lower than any spam level

and make sure .royah.com is included in your @local_domains_maps because the 
headers will only get written if the domain is considered local.


Gary V





RE: A Spam Message That Got Through!

2006-02-18 Thread Yousef Raffah
On Sat, 2006-02-18 at 08:45 -0700, Gary V wrote:
 Without the entire message I don't think anyone can determine if there is
 some problem with your system, or if this particular spam simply scored low
 because the spammer is good at what they do. BTW, it is helpful to see what
 rules hit.
This is the body of the message:
Corporate image can say a lot of things about your company. Contemporary
rhythm of life is too dynamic.
Sometimes it takes only several seconds for your company to be
remembered or to be lost amonq competitors.
Get your logo, business stationery or website done right now!

Fast turnaround: you will see severaI loqo variants in three business
days.
Satisfaction quaranteed: we provide unIimited amount of changes; you can
be sure: it wiIl meet your needs
and fit your business.
FlexibIe discounts: loqo improvement, additionaI formats, bulk orders,
special packages.
Creative design for competitive price: have a look at it right now! 

__ 
not interested...


 Since you don't have the X-Spam-Status report, it will be difficult to
 diagnose. There is no way to know on our end if the sender was whitelisted
 or auto-whitelisted. In amavisd-new you should lower $sa_tag_level_deflt so
 both spam and ham get the X-Spam-Status header.
 
 $sa_tag_level_deflt  = undef; # add spam info headers if at, or above that level;
                               # undef is interpreted as lower than any spam level
 
 and make sure .royah.com is included in your @local_domains_maps because the
 headers will only get written if the domain is considered local.
 
Should I have .royah.com in my @local_domains_maps even if the postfix
+amavisd-new+SA machine is just a gateway and does not have local
accounts?

Many thanks for your reply

Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group



RE: A Spam Message That Got Through!

2006-02-18 Thread Gary V

On Sat, 2006-02-18 at 08:45 -0700, Gary V wrote:
 Without the entire message I don't think anyone can determine if there is
 some problem with your system, or if this particular spam simply scored low
 because the spammer is good at what they do. BTW, it is helpful to see what
 rules hit.
This is the body of the message:
Corporate image can say a lot of things about your company. Contemporary
rhythm of life is too dynamic.
Sometimes it takes only several seconds for your company to be
remembered or to be lost amonq competitors.
Get your logo, business stationery or website done right now!

Fast turnaround: you will see severaI loqo variants in three business
days.
Satisfaction quaranteed: we provide unIimited amount of changes; you can
be sure: it wiIl meet your needs
and fit your business.
FlexibIe discounts: loqo improvement, additionaI formats, bulk orders,
special packages.
Creative design for competitive price: have a look at it right now!

__
not interested...



I can certainly see why this is not considered spam. There is not much here 
at all that would make this different from a ham message. I created a 
message with these contents and sent it to myself from my yahoo account and 
it was considered ham. Nothing in the body triggered a rule. This is one of 
those types of messages that I would feed to Bayes, then delete and forget 
about. If I got the same message a number of times I would possibly 
create a custom rule based on the Subject. Most likely a custom rule for 
this would only be good for about a week, then I would probably never see 
another message with the same subject again, so after a week the rule would 
be a complete waste. I think you simply need to accept the fact that there 
is stuff like this that will make it through.




 Since you don't have the X-Spam-Status report, it will be difficult to
 diagnose. There is no way to know on our end if the sender was whitelisted
 or auto-whitelisted. In amavisd-new you should lower $sa_tag_level_deflt so
 both spam and ham get the X-Spam-Status header.

 $sa_tag_level_deflt  = undef; # add spam info headers if at, or above that level;
                               # undef is interpreted as lower than any spam level

 and make sure .royah.com is included in your @local_domains_maps because the
 headers will only get written if the domain is considered local.

Should I have .royah.com in my @local_domains_maps even if the postfix
+amavisd-new+SA machine is just a gateway and does not have local
accounts?


Yes, and any other domains for which this gateway relays mail. This is 
necessary if you want to see X-Spam type headers.




Many thanks for your reply

Sincerely,
Yousef Raffah


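As an added example (not code from the thread or from SpamAssassin), the check below runs over the sample body quoted above and shows what a custom rule could key on: the capital I standing in for l and the q standing in for g in words like "severaI" and "loqo". The word list is a constructed stand-in for a real dictionary.

```python
import re

# Constructed sample: the body of the spam quoted in this thread (punctuation kept).
SAMPLE_BODY = """Corporate image can say a lot of things about your company. Contemporary
rhythm of life is too dynamic.
Sometimes it takes only several seconds for your company to be
remembered or to be lost amonq competitors.
Get your logo, business stationery or website done right now!

Fast turnaround: you will see severaI loqo variants in three business
days.
Satisfaction quaranteed: we provide unIimited amount of changes; you can
be sure: it wiIl meet your needs
and fit your business.
FlexibIe discounts: loqo improvement, additionaI formats, bulk orders,
special packages.
Creative design for competitive price: have a look at it right now!"""

# Constructed stand-in for a real word list; a deployment would load a dictionary.
WORDS = {
    "among", "several", "logo", "guaranteed", "unlimited", "will", "flexible",
    "additional", "image", "business", "quick", "quality", "competitors",
}

# Glyph swaps seen in the sample: capital I for lowercase l, q for g.
SWAPS = str.maketrans({"I": "l", "q": "g"})

# Lexical signal that needs no dictionary: a capital I inside or at the end of a
# word (a leading I, as in "I" or "In", is normal English). The same regex could
# be the pattern of a SpamAssassin body rule.
INTERIOR_CAPITAL_I = re.compile(r"\b[A-Za-z][a-z]*I[a-z]*\b")


def interior_capital_i(text):
    """Words with a misplaced capital I, e.g. 'severaI'."""
    return INTERIOR_CAPITAL_I.findall(text)


def obfuscated_words(text, words=WORDS):
    """Tokens that are not words but become words once the glyph swaps are undone."""
    hits = []
    for token in re.findall(r"[A-Za-z]+", text):
        # A capital I at position 0 is legitimate; only an interior I or any q is suspect.
        if "q" not in token and "I" not in token[1:]:
            continue
        normalized = token.translate(SWAPS).lower()
        if normalized in words and token.lower() not in words:
            hits.append((token, normalized))
    return hits


def obfuscation_score(text, words=WORDS):
    """Number of de-obfuscated hits; a custom rule would compare this to a threshold."""
    return len(obfuscated_words(text, words))


if __name__ == "__main__":
    for original, plain in obfuscated_words(SAMPLE_BODY):
        print(f"{original:12s} -> {plain}")
    print("score:", obfuscation_score(SAMPLE_BODY))
```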




RE: A Spam Message That Got Through!

2006-02-18 Thread List Mail User
...

A knowledge of history and a good BAYES + digest tests (DCC, Razor,
and Pyzor) will kill these.  This is the recent reincarnation of the old
set of trylogos domains - examples: trylogos.com-MUNG, try-logos.com-MUNG,
trylogos-inc.biz-MUNG, try-logos-ltd.biz-MUNG, try-logos-inc.biz-MUNG,
try-x-logos.biz-MUNG, trylogos-studio.com-MUNG, trylogos-team.com-MUNG,
trylogos-llc.com-MUNG, ad nauseam.

Interesting connection to some Eastern European porn domains for those
who check them out.  One of the new ones is logomarka.net-MUNG.  Almost all
are registered at Parava (both old and new).  These are actually very unusual
phishing spam (from Leo/Yambo/Pavka or a related party) - If you respond, they
will request *lots* of data from you.

As far as I know, net tests are the way to catch these.  So if you
aren't running the URIBLs and digests, you won't ever get them (though MTA
RBLs to kill off zombie delivery will work).

BTW.  The recent one locally scores 31.6 points hitting the following rules:
DATE_IN_PAST_24_48, DCC_CHECK, DIGEST_MULTIPLE, INVALID_DATE,
MSGID_FROM_MTA_ID, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, RCVD_IN_XBL,
SPF_HELO_FAIL, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_RHS_ABUSE,
URIBL_RHS_DSN, URIBL_RHS_NOCOMPLAINTS, URIBL_RHS_NOSTDMAIL,
URIBL_RHS_POST, URIBL_RHS_URIBL_BLACK, URIBL_RHS_WHOIS, URIBL_SC_SURBL,
URIBL_WS_SURBL, URIBL_XS_SURBL.
Though when it arrived, the SURBLs and URIBL didn't all have it listed yet;
The digests already did (they react faster - it is their nature).


Paul Shupak
[EMAIL PROTECTED]

Some similar text from year old spam and one from a week and a half ago:


 Sample #1 (from a comcast zombie - 1 Jun 2005) 

Our art team creates a custom logo for you, based on your needs.  Years of 
experience have taught us how to create a logo that makes a statement that
is unique to you.

In a professiona l manner we learn about your image and how you would like the 
world to perceive you and your company.  With this information we then
create a logo that is not only unique but reflects the purpose of you and your 
company.

For value and a logo that reflects your image, take a few minutes and visit Try 
Logos!

http://www4.trylogos-inc.biz-MUNG/

Sincerely,
Logo Design Team






http://www4.trylogos-inc.biz/uns.php


 Sample #2 (from a comcast zombie - 12 Jul 2005) - Note the Try Logos! ---
- Note the use of a warez domain (most of the trylogos domains were suspended) -
-- Also check the whois and see a Kuvayev porn domain used for DNS ---

Our art team creates a custom logo for you, based on your needs.  Years of 
experience have taught us how to create a logo that makes a statement that
is unique to you.

In a pr ofessional manner we learn 

RE: A Spam Message That Got Through!

2006-02-18 Thread Gary V


A knowledge of history and a good BAYES + digest tests (DCC, Razor,
and Pyzor) will kill these.

As far as I know, net tests are the way to catch these.  So if you
aren't running the URIBLs and digests, you won't ever get them (though MTA
RBLs to kill off zombie delivery will work).

Paul Shupak
[EMAIL PROTECTED]


This illustrates the importance of seeing the X-Spam headers and providing a 
complete picture. I'm sure that the problem mail as shown (incomplete, I must 
assume) should have hit at least one network based test (unless you are 
one of the unfortunate first people to receive this spam). If it did not hit 
at least one, then we might assume there may indeed be ways to improve the 
situation. Make sure network based tests are performed; set:


$sa_local_tests_only = 0;

in your amavisd.conf. And if DCC and Razor are installed, make sure they are 
enabled in v310.pre.


Gary V





RE: A Spam Message That Got Through!

2006-02-18 Thread Gary V


A knowledge of history and a good BAYES + digest tests (DCC, Razor,
and Pyzor) will kill these.

As far as I know, net tests are the way to catch these.  So if you
aren't running the URIBLs and digests, you won't ever get them (though MTA
RBLs to kill off zombie delivery will work).

Paul Shupak
[EMAIL PROTECTED]


This illustrates the importance of seeing the X-Spam headers and providing a 
complete picture. I will make an assumption the sample was missing important 
information (like a URI). It's quite possible the problem mail should have 
hit at least one network based test (unless you are one of the 
unfortunate first people to receive this spam). If it did not hit at least 
one, then there may indeed be ways to improve the situation. Make sure 
network based tests are not disabled; set:


$sa_local_tests_only = 0;

in your amavisd.conf. And if DCC and Razor are installed, make sure they are 
enabled in v310.pre.


Gary V





RE: A Spam Message That Got Through!

2006-02-18 Thread Yousef Raffah
On Sat, 2006-02-18 at 09:53 -0700, Gary V wrote:
Sure I will accept that and thank you very much for your kind
explanations :)
Great, now I have it set as:
@local_domains_maps = ( [ ".$mydomain", '.royah.com' ] );

Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group



RE: A Spam Message That Got Through!

2006-02-18 Thread Yousef Raffah
On Sat, 2006-02-18 at 17:13 -0700, Gary V wrote:
I have $sa_local_tests_only = 0; but how can I ensure the other part? I mean the v310.pre? I'm sorry but I couldn't get it
Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group



RE: A Spam Message That Got Through!

2006-02-18 Thread Yousef Raffah
On Sun, 2006-02-19 at 08:30 +0300, Yousef Raffah wrote:
oops, I got it now :) it is under /etc/mail/spamassassin/


Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group



Re: A Spam Message That Got Through!

2006-02-17 Thread Evan Platt

At 10:48 PM 2/17/2006, you wrote:

Today I got a spam message which seems, at least for a newbie like me,
succeeded in passing SA for some reason!

I'm calling SA through amavisd-new and have my Rules Du Jour updated
(manual updates so far)

I would like to block such messages therefore, I'm seeking your kind
assistance in determining how it passed the tests and what am I
supposed to do in order to prevent these messages?


If you'd like to *BLOCK* such messages, use the postfix header_checks 
to block any mail that is both from AND to you. (I can't help you 
with the syntax there, but I'm sure someone else can.)




Here are the headers of the message


Headers wouldn't tell you (or me) what the message would score on 
another system - the full body of the message would.