Spamassassin skipping certain messages

Strator

While tweaking spamassassin, I've noticed that there is a certain type of spam that spamassassin doesn't touch in the first place (all via AOL). Headers are below - does anyone have a clue why these get past spamassassin? It's not like they're whitelisted or anything?

Code:
From - Wed Feb 09 18:32:32 2011
X-Account-Key: account8
X-UIDL: 000008ae4d345414
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 09 Feb 2011 07:45:29 -0800
Received: from [190.253.168.17]
	by server1.myserver.com with esmtp (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1PnCES-0006jp-BM
	for [email protected]; Wed, 09 Feb 2011 07:45:29 -0800
Received: from smtprly-me01.mx.aol.com (smtprly-me01.mx.aol.com [64.12.207.142]) by cia-md08.mx.aol.com (v129.8) with ESMTP id MAILCIAMA032-253e801d72d72db; Wed, 9 Feb 2011 10:45:21 -0500
Received: from web-mmc-m03 (web-mmc-m03.sim.aol.com [64.12.224.136]) by smtprly-me01.mx.aol.com (v129.8) with ESMTP id MAILSMTPRLYMC025-253e801d72d72db; Wed, 9 Feb 2011 10:45:21 -0500
To: [email protected]
Subject: Canadian Pharmacy
Date: Wed, 9 Feb 2011 10:45:21 -0500
X-MB-Message-Source: WebUI
X-AOL-IP: [190.253.168.17]
X-MB-Message-Type: User
MIME-Version: 1.0
From: [email protected]
Content-Type: multipart/alternative; 
 boundary="--------MB_8CD85E29572957D_2957_2111_web-mmc-m03.sysops.aol.com"
X-Mailer: AOL Webmail 33124-STANDARD 
Received: from [190.253.168.17] by web-mmc-m03.sysops.aol.com (64.12.224.136) with HTTP (WebMailUI); Wed, 9 Feb 2011 10:45:21 -0500
Message-Id: <[email protected]>
X-Spam-Flag:NO
X-AOL-SENDER: [email protected]
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus



From - Mon Feb 07 13:22:34 2011
X-Account-Key: account8
X-UIDL: 0000083f4d345414
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 07 Feb 2011 03:51:53 -0800
Received: from [41.204.65.84]
	by server1.myserver.com with esmtp (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1PmPd5-00042u-HJ
	for [email protected]; Mon, 07 Feb 2011 03:51:53 -0800
Received: from smtprly-da01.mx.aol.com (smtprly-da01.mx.aol.com [205.188.84.130]) by cia-ma07.mx.aol.com (v129.8) with ESMTP id MAILCIAMA067-afe170a38bc0af; Mon, 7 Feb 2011 12:50:16 +0100
Received: from web-mmc-m01 (web-mmc-m01.sim.aol.com [64.12.224.133]) by smtprly-da01.mx.aol.com (v129.8) with ESMTP id MAILSMTPRLYDD013-afe170a38bc0af; Mon, 7 Feb 2011 12:50:16 +0100
To: [email protected]
Subject: Windows 7 Ultimate 32 bit - -$79.95-
Date: Mon, 7 Feb 2011 12:50:16 +0100
X-MB-Message-Source: WebUI
X-AOL-IP: [41.204.65.84]
X-MB-Message-Type: User
MIME-Version: 1.0
From: [email protected]
Content-Type: multipart/alternative; 
 boundary="--------MB_8CD8188FB02501F4_52C_5250_web-mmc-m01.sysops.aol.com"
X-Mailer: AOL Webmail 33124-STANDARD
Received: from [41.204.65.84] by web-mmc-m01.sysops.aol.com (64.12.224.133) with HTTP (WebMailUI); Mon, 7 Feb 2011 12:50:16 +0100
Message-Id: <[email protected]>
X-Spam-Flag:NO
X-AOL-SENDER: [email protected]
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus



From - Thu Feb 10 19:43:28 2011
X-Account-Key: account8
X-UIDL: 000008e14d345414
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys: cp_bbq                                                                          
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 10 Feb 2011 10:38:46 -0800
Received: from 189.214.46.89.cable.dyn.cableonline.com.mx ([189.214.46.89])
	by server1.myserver.com with esmtp (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1PnbPh-0004SP-Ao
	for [email protected]; Thu, 10 Feb 2011 10:38:46 -0800
Received: from smtprly-mb02.mx.aol.com (smtprly-mb02.mx.aol.com [64.12.143.156]) by cia-ma02.mx.aol.com (v129.8) with ESMTP id MAILCIADA046-720c89706e3897; Thu, 10 Feb 2011 12:38:45 -0600
Received: from web-mmc-m06 (web-mmc-m06.sim.aol.com [64.12.224.136]) by smtprly-mb02.mx.aol.com (v129.8) with ESMTP id MAILSMTPRLYDE011-720c89706e3897; Thu, 10 Feb 2011 12:38:45 -0600
To: [email protected]
Subject: Give your girl better peaks
Date: Thu, 10 Feb 2011 12:38:45 -0600
X-MB-Message-Source: WebUI
X-AOL-IP: 189.214.46.89.cable.dyn.cableonline.com.mx
X-MB-Message-Type: User
MIME-Version: 1.0
From: [email protected]
Content-Type: multipart/alternative; 
 boundary="--------MB_8CD816E925FF8401_E90_901D3_web-mmc-m06.sysops.aol.com"
X-Mailer: AOL Webmail 33124-STANDARD
Received: from 189.214.46.89.cable.dyn.cableonline.com.mx by web-mmc-m06.sysops.aol.com (64.12.224.136) with HTTP (WebMailUI); Thu, 10 Feb 2011 12:38:45 -0600
Message-Id: <[email protected]>
X-Spam-Flag:NO
X-AOL-SENDER: [email protected]
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
 
Perhaps this line in all of your examples:
X-Spam-Flag:NO
I'm looking into making a change to SpamBlocker to resolve this, but there are still some issues to resolve.

Jeff
 
Funny that you would mention X-Spam-Flag, because here's what came in today:

Code:
From - Tue Feb 15 15:19:12 2011
X-Account-Key: account8
X-UIDL: 000009c64d345414
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 15 Feb 2011 06:16:54 -0800
Received: from omr-d33.mx.aol.com ([205.188.249.131])
	by server1.myserver.com with esmtp (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1PpLi2-0004yP-7i
	for [email protected]; Tue, 15 Feb 2011 06:16:54 -0800
Received: from oms-db01.r1000.mx.aol.com (oms-db01.r1000.mx.aol.com [205.188.58.1])
	by omr-d33.mx.aol.com (8.14.1/8.14.1) with ESMTP id p1F99ufc014651;
	Tue, 15 Feb 2011 04:09:56 -0500
Message-Id: <[email protected]>
Received: from mtaout-da03.r1000.mx.aol.com (mtaout-da03.r1000.mx.aol.com [172.29.51.131])
	by oms-db01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id B12481C000085;
	Tue, 15 Feb 2011 04:09:54 -0500 (EST)
Received: from WIN-Q9I620H8H9I (unknown [178.33.149.185])
	by mtaout-da03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPA id 0D4BAE0006CF;
	Tue, 15 Feb 2011 04:09:04 -0500 (EST)
Reply-To: <[email protected]>
From: "FBI OFFICE"<[email protected]>
Subject: WE NEED A SOLID PROOF FROM YOU?
Date: Tue, 15 Feb 2011 01:09:55 -0800
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
x-aol-global-disposition: S
X-SPAM-FLAG:YES
X-AOL-SCOLL-SCORE: 0:5:82283424:93952408  
X-AOL-SCOLL-URL_COUNT: 0  
X-AOL-REROUTE: YES 
x-aol-sid: 3039ac1d33834d5a42b054c8
X-AOL-IP: 178.33.149.185
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

And I don't have any AOL addresses whitelisted - at least not that I know of.

Btw. I have Spamassassin configured to add a header report, so if Spamassassin actually took a look at this one, there would be lines like X-Spam-Version or X-Spam-Status.

(Or are you saying that the - bogus? - X-SPAM-FLAG makes Spamassassin think the mail has already been checked, regardless whether it says "yes" or "no"? :confused: )
 
Have the same exact problem and others with SpamAssassin since I've made a ./build all d

:(
 
(Or are you saying that the - bogus? - X-SPAM-FLAG makes Spamassassin think the mail has already been checked, regardless whether it says "yes" or "no"? :confused: )
It's based on the existence of the flag, not the value:
Code:
#EDIT#50:
spamcheck_director:
  driver = accept
  condition = "${if and { \
   {!def:authenticated_id} \
   {!def:h_X-Spam-Flag:} \
   {!eq {$received_protocol}{spam-scanned}} \
   {!eq {$received_protocol}{local}} \
   {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
   {<{$message_size}{100k}} \
   } {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify

And taking it out looks like it'll create an endless loop, so I'm not taking it out. You're free to experiment.

(The above code is from my latest SpamBlocker Powered exim.conf file, Version 4, but previous versions use similar code.)

Jeff
 
Sounds a bit like what spam protection would look like if it was written by Monty Python. :D

Coordinator: Crucifixion?
Mr. Cheeky: Er, no, freedom actually.
Coordinator: What?
Mr. Cheeky: Yeah, they said I hadn't done anything and I could go and live on an island somewhere.
Coordinator: Oh I say, that's very nice. Well, off you go then.
 
I am seeing the same problem. All of the spam that makes it into my inbox comes from the aol.com domain and contains the X-SPAM-FLAG. Any ideas how to resolve?
 
*cough*

Is there any update on this? I find it rather ridiculous that any spammer can make it into my inbox by simply setting a flag in their email claiming that it is not actually spam. ;)

X-Spam-Flag: NO
X-Spam-Score: 3.36
X-Spam-Level: ***
X-Spam-Status: No, score=3.36 tagged_above=2 required=5 tests=[ALL_TRUSTED=-1,
BAYES_50=0.8, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=2.398,
FREEMAIL_REPLYTO_END_DIGIT=1.151, T_HK_NAME_FM_MR_MRS=0.01]
autolearn=unavailable
Received: from mail.systexdmis.cn ([127.0.0.1])
by localhost (mail.systexdmis.cn [127.0.0.1]) (amavisd-new, port 10024)
Thu, 11 Jul 2013 16:19:16 +0800 (CST)
Received: from LAPTOP-PC (unknown [41.82.92.233])
by mail.systexdmis.cn (Postfix - by systexdmis.cn) with ESMTPA id 3A9CB1F442F
Date: Thu, 11 Jul 2013 08:35:08 GMT
Mime-version: 1.0
Subject: Re: From Miss Suzan.
From: Miss Suzan. <[email protected]>
Message-Id: <[email protected]>
Reply-To: [email protected]
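
An added example, not code from this thread or from SpamBlocker: a mailbox audit that models the `!def:h_X-Spam-Flag:` test in the router quoted above and separates messages the local SpamAssassin actually scanned from messages that were skipped because they arrived already carrying an X-Spam-Flag header. It assumes the local scanner writes its default `X-Spam-Checker-Version: ... on <hostname>` report header and that the receiving host is `server1.myserver.com` as in the posted Received: lines; the sample messages are constructed.

```python
import email
import re

LOCAL_HOST = "server1.myserver.com"  # assumption: receiving host named in the thread

def router_would_scan(raw, protocol="esmtp", authenticated=False):
    """Header/protocol parts of the spamcheck_director condition quoted above."""
    msg = email.message_from_string(raw)
    return (not authenticated
            and msg.get("X-Spam-Flag") is None  # existence test only, value ignored
            and protocol not in ("spam-scanned", "local"))

def locally_scanned(msg, local_host=LOCAL_HOST):
    """True if an X-Spam-Checker-Version header names our own host."""
    pat = re.compile(r"\bon\s+" + re.escape(local_host) + r"\b", re.I)
    return any(pat.search(v) for v in msg.get_all("X-Spam-Checker-Version", []))

def audit(raw, local_host=LOCAL_HOST):
    """Classify one stored message by who produced its X-Spam-* headers."""
    msg = email.message_from_string(raw)
    if locally_scanned(msg, local_host):
        return "scanned-locally"
    if msg.get("X-Spam-Flag") is not None:
        return "skipped-foreign-flag"   # flag came from upstream, no local report
    return "unscanned-other"            # size limit, no user_prefs, auth, ...

def _mk(*headers):
    return "\n".join(headers) + "\n\nbody\n"

# Constructed samples: addresses are placeholders, not values from the thread.
SAMPLES = {
    "flag_no": _mk("From: a@example.org", "Subject: test 1", "X-Spam-Flag:NO"),
    "flag_yes": _mk("From: b@example.org", "Subject: test 2", "X-SPAM-FLAG:YES"),
    "foreign_report": _mk("From: c@example.org", "X-Spam-Flag: NO",
                          "X-Spam-Status: No, score=3.36 required=5"),
    "clean_path": _mk("From: d@example.org", "Subject: test 4",
                      "X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on "
                      + LOCAL_HOST,
                      "X-Spam-Status: No, score=0.1 required=5.0"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "router scans:", router_would_scan(raw), "audit:", audit(raw))
```

A skipped message keeps whatever X-Spam-* headers it arrived with, so the hostname match is an audit heuristic for existing mailboxes rather than proof of a local scan.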
 