Spam being flagged with negative points by SpamAssassin

modem

Hello all,

I have a quick question here regarding something I've noticed with email recently. On the admin side of my hosting account, I have SpamAssassin set up to catch any spam email that rates 2.9 or higher, which seems to be effective for me. I am running Exim 4.76 and SA 3.3.1 and just updated DA to 1.401.

However, I am consistently getting email that is clearly spam based on my visual scan of the content, and it comes through with -0.5 or that type of point rating. I've even been getting fake Facebook emails with -99.0 values even though, when looking at the headers, it's from a Russian or Chinese email server.

My question to everyone here is, how can I go about fine-tuning SA/Exim to flag these emails correctly? Do I need to update rules? What do I need to do? Just for everyone's information, I double-checked my whitelist to make sure the below email was not in there, and it was not in my whitelist.

Here is a sample email header from a common type of spam:

My email address and server addresses have been blacked out for security:


Return-path: <return-6-342-bawalker=********.***@lm.scnlm.com>
Envelope-to: bawalker@********.***
Delivery-date: Mon, 09 Jan 2012 12:47:32 -0600
Received: from mail by stargatesg1.********-*******.*** with spam-scanned (Exim 4.76)
    (envelope-from <return-6-342-bawalker=********.***@lm.scnlm.com>)
    id 1RkKFh-0008TW-SB
    for bawalker@********.***; Mon, 09 Jan 2012 12:47:32 -0600
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
    stargatesg1.********-*******.***
X-Spam-Level:
X-Spam-Status: No, score=-0.7 required=2.9 tests=BAYES_00,HTML_MESSAGE,
    MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_DNSWL_NONE,SHORT_TERM_PRICE,
    T_FILL_THIS_FORM_SHORT autolearn=no version=3.3.1
Received: from sitemail2.everyone.net ([216.200.145.36] helo=imta-38.everyone.net)
    by stargatesg1.********-*******.*** with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.76)
    (envelope-from <return-6-342-bawalker=********.***@lm.scnlm.com>)
    id 1RkKFh-0008TT-HB
    for bawalker@********.***; Mon, 09 Jan 2012 12:47:25 -0600
Received: from pps.filterd (omta002 [127.0.0.1])
    by imta-38.everyone.net (8.14.4/8.14.4) with SMTP id q09IigXE001696
    for <bawalker@********.***>; Mon, 9 Jan 2012 10:47:24 -0800
X-Eon-Delivered-To: <bawalker@********.***>
X-Eon-Dm: dm0222
Received: from smtp1-4.lm.levelogic.com (64.157.40.132 [64.157.40.132])
    by dm0222.mta.everyone.net (EON-INBOUND) with SMTP id dm0222.4ed9d014.769e575
    for <bawalker@********.***>; Mon, 9 Jan 2012 10:47:13 -0800
Received: (qmail 6071 invoked by uid 48); 9 Jan 2012 18:47:10 -0000
Date: 9 Jan 2012 18:47:10 -0000
Message-ID: <[email protected]>
To: bawalker@********.***
Subject: It's Time for an Index Trade - Market's Ready to Move
From: "SmallCap Network" <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
X-Mailer-LID: 6
X-Mailer-SID: 342
X-Mailer-Sent-By: 1
X-Mailer-Info: ZwDmYTqlLF5apzS6paSvrxOypau5ozcholj2
Content-Type: multipart/alternative; charset="UTF-8"; boundary="b1_ab5733d4ff319af90b52af07431fae5b"
Sender: <return-6-342-bawalker=********.***@lm.scnlm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.5.7110,1.0.211,0.0.0000
    definitions=2012-01-09_06:2012-01-09,2012-01-09,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=99
    phishscore=0 bulkscore=100 adultscore=0 classifier=spam adjust=0
    reason=mlx scancount=1 engine=6.0.2-1012030000 definitions=main-1201090172
 