1) Because real mail servers HELO with their machine name and domain. 2) The report is there...default configuration for SA doesn't make the report an attachment...it puts the report into the body, and moves the original body of the message into a MIME attachment (someone correct me if I'm wrong...I don't use the default setup, preferring to put the report into the headers).
On Fri, 6 Aug 2004, lists wrote: > > From: spam [mailto:[EMAIL PROTECTED] > Sent: Friday, August 06, 2004 12:00 AM > To: [EMAIL PROTECTED] > Subject: Why is ATT.net comimg up as spam due to numeric helo? And why is > there no report attachment? > > > Return-path: <[EMAIL PROTECTED]> > Envelope-to: [EMAIL PROTECTED] > Delivery-date: Wed, 04 Aug 2004 21:54:26 -0500 > Received: from [10.1.7.252] (helo=antispam.efastfunding.com) > by nat.efastfunding.com with esmtp (Exim 4.31) > id 1BsYOf-0003jH-W2 > for [EMAIL PROTECTED]; Wed, 04 Aug 2004 21:54:26 -0500 > Received: from mtiwmhc12.worldnet.att.net ([204.127.131.116]) > by antispam.efastfunding.com with esmtp (Exim 4.34) > id 1BsYMP-0000DQ-Kg > for [EMAIL PROTECTED]; Wed, 04 Aug 2004 21:52:16 -0500 > Received: from 204.127.135.40 ([204.127.135.40]) > by worldnet.att.net (mtiwmhc12) with SMTP > id <2004080502505411200a96oie>; Thu, 5 Aug 2004 02:50:54 +0000 > Received: from [68.83.219.35] by 204.127.135.40; > Thu, 05 Aug 2004 02:50:53 +0000 > From: [EMAIL PROTECTED] > To: "Robert *********" <[EMAIL PROTECTED]> > Date: Thu, 05 Aug 2004 02:50:53 +0000 > Message-Id: > <080520040250.2244.4111A08D0007D241000008C421602807480A0A99D2040A0E080C0703@ > att.net> > X-Mailer: AT&T Message Center Version 1 (Jul 19 2004) > X-Authenticated-Sender: bWljaGFlbC53ZWVAYXR0Lm5ldA== > MIME-Version: 1.0 > X-SA-Exim-Connect-IP: 204.127.131.116 > X-SA-Exim-Mail-From: [EMAIL PROTECTED] > Subject: ****SPAM****[5.5] Re: Robert @ Efast > X-Spam-Flag: YES > X-Spam-Checker-Version: SpamAssassin 3.0.0-pre2 (2004-07-09) on > antispam.efastunding.com > X-Spam-Level: ***** > X-Spam-Status: Yes, score=5.5 required=5.0 tests=AWL,BAYES_00,HTML_80_90, > HTML_BADTAG_00_10,HTML_MESSAGE,HTML_NONELEMENT_00_10, > MIME_BOUND_NEXTPART,MIME_HTML_MOSTLY,MIME_MISSING_BOUNDARY, > NO_REAL_NAME,RCVD_BY_IP,RCVD_DOUBLE_IP_LOOSE,RCVD_NUMERIC_HELO > autolearn=no version=3.0.0-pre2 > Content-Type: multipart/mixed; boundary="----------=_4111A0E0.5F6E5122" > X-SA-Exim-Version: 4.0 (built Fri, 11 Jun 2004 12:29:51 -0500) > X-SA-Exim-Scanned: Yes (on antispam.efastfunding.com) > > This is a multi-part message in MIME format. > > ------------=_4111A0E0.5F6E5122 > Content-Type: text/plain > Content-Disposition: inline > Content-Transfer-Encoding: 8bit > > Spam detection software, running on the system "antispam.efastunding.com", > has identified this incoming email as possible spam. The original message > has been attached to this so you can view it (if it isn't spam) or label > similar future email. If you have any questions, see > [EMAIL PROTECTED] for details. > > Content analysis details: (5.5 points, 5.0 required) > > pts rule name description > ---- ---------------------- > -------------------------------------------------- > 0.2 NO_REAL_NAME From: does not include a real name > 0.7 RCVD_BY_IP Received by mail server with no name > 3.4 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO > 0.0 HTML_80_90 BODY: Message is 80% to 90% HTML > 0.0 HTML_BADTAG_00_10 BODY: HTML message is 0% to 10% bad tags > -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% > [score: 0.0000] > 1.2 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME > 0.0 HTML_MESSAGE BODY: HTML included in message > 0.0 HTML_NONELEMENT_00_10 BODY: 0% to 10% of HTML elements are > non-standard 2.0 MIME_MISSING_BOUNDARY RAW: MIME section missing boundary > 0.7 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary > 0.0 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses > -0.1 AWL AWL: From: address is in the auto white-list > > The original message was not completely plain text, and may be unsafe to > open with some email clients; in particular, it may contain a virus, or > confirm that your address can receive spam. If you wish to view it, it may > be safer to save it to a file and open it with an editor. > > > > -- Mike Burger http://www.bubbanfriends.org Visit the Dog Pound II BBS telnet://dogpound2.citadel.org or http://dogpound2.citadel.org To be notified of updates to the web site, visit http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a message to: [EMAIL PROTECTED] with a message of: subscribe
