Still having spam issues

keat63

I'm assuming that our server has been updated, as the amount of spam hitting the spam box has dropped from about 180 per day down to around 30 per day.

However, during the little bug period, I did notice that "Spam Filters" wasn't quite working as it should. I assumed part of the bug.

Well it transpires that they still don't appear to be working correctly.
I have a filter for the word "viagra".
Any email containing this word should be instantly dropped.
But they are still being delivered into the spam folder.

Any thoughts? Maybe my host tweaked something to alleviate the bug, and now it needs tweaking back?
 
Content preview: Viagra 30 pills 100mg -20% USD 81.90
Viagra,Plavix,Cialis,Lipitor,Synthroid,Levitra,Propecia
==================================================================== Best
prices in the market Payment: VISA Discounts for returning customers FDA
approved productas 350000+ satisfied -customers Click here Good luck [...]


Content analysis details: (14.2 points, 4.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 MISSING_DATE Missing Date: header
0.0 SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis'
2.3 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
1.4 FB_CIALIS_LEO3 BODY: Uses a mis-spelled version of cialis.
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5617]
1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?46.225.251.193>]
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[46.225.251.193 listed in zen.spamhaus.org]
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
[46.225.251.193 listed in dnsbl.sorbs.net]
2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: takistore.com.tr]
0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
0.3 DRUGS_ERECTILE Refers to an erectile drug
0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
 
Maybe try to add the word with a capital letter "V"; I don't know if it makes a difference. It might. The email only has it with a capital "V".
 
It's already in the list along with about 20 other variants, and since yesterday with a comma on the end, just in case.
But still getting through the spam filters.
 
I'm confused.

I created a test email from another domain with the word "skeeter" in the message.
This was delivered OK.

I then added the word "skeeter" to the spam filter rule, and switched it to deliver to spam rather than drop. The message was delivered to spam as expected.

I then reconfigured to drop the email and sent it again. This time it wasn't delivered, so it must have been dropped.

So can anyone explain how the viagra ones are getting through? The rule is
Block all e-mail containing the word: Viagra
 
The only logical explanation that I can come up with is either they found some way of bypassing the filter (unlikely)

Or the way Spam Assassin and The Filter rule are working together.

Could Spam Assassin be looking at the mail, determining that it's spam and subsequently delivering it to the spam folder, therefore bypassing the filter rule altogether?

Something to do with post 38 in this thread?
http://forum.directadmin.com/showthread.php?t=46371&page=2
 
You probably need to see and examine the RAW message format of the email (i.e. the original code), as some letters in the word might be encoded (quoted-printable, for example), but you still see them as a single word when viewing in your email program. And the filters do an exact match without considering the Content-Transfer-Encoding of the message.
 
I downloaded the message as a .msg attachment and opened it with Windows Notepad; the word Viagra is clearly visible in there. So I'm stumped.
 
What are your SpamAssassin settings? And what does /etc/virtual/domain.com/filter look like?

Note to replace domain.com with your real domain name.
 
I'm not sure I have access to the etc folder.

I've included screenshots showing my SpamAssassin settings and a brief view of the filter rules, of which the word "viagra" is in the list multiple times.

Got another 6 or so today.
SpamAssassin is obviously picking them up as general spam, but I'm at a loss as to why the spam filter isn't dropping them.
 

Attachments: sa.jpg, filter.jpg

Regarding SA settings, I mostly wanted to see how the spam emails are delivered: as an attachment, or not.
Regarding, I'd like to see the raw file instead of the list from DA.


I'm not sure I have access to the etc folder.

If you don't... then you should refer your question to the hosting company from which you buy hosting.
 
It also has this UTF code in the header
=?utf-8?q?=F0=9F=92=B0?=

Maybe this is how it's bypassing the filter ?
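
An added example, not part of any post in this thread: a way to check both the earlier suggestion that a filter matching the raw message misses a word hidden by Content-Transfer-Encoding, and whether the encoded-word header quoted just above hides anything. The sample message is constructed and the function names are hypothetical; it uses only Python's standard `email` package.

```python
import email
from email import policy

KEYWORD = "viagra"

# Constructed sample (not a message from the thread). The Subject reuses the
# encoded-word quoted above; the body is quoted-printable with one letter of
# the keyword written as =69, so the raw bytes never contain the plain word.
RAW = (
    b"From: sender@example.com\r\n"
    b"To: user@example.com\r\n"
    b"Subject: =?utf-8?q?=F0=9F=92=B0?= offer\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<p>V=69agra 30 pills</p>\r\n"
)

def raw_match(raw: bytes, word: str = KEYWORD) -> bool:
    """Exact match on the undecoded message, as a raw-text filter would see it."""
    return word.lower().encode() in raw.lower()

def decoded_subject(raw: bytes) -> str:
    """Subject with RFC 2047 encoded-words decoded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return str(msg["Subject"] or "")

def decoded_text(raw: bytes) -> str:
    """Decoded Subject plus every text part after transfer decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks = [decoded_subject(raw)]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())
        except LookupError:  # unknown charset: fall back to lossy UTF-8
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)

def decoded_match(raw: bytes, word: str = KEYWORD) -> bool:
    """Match after decoding, which is what the reader's mail client shows."""
    return word.lower() in decoded_text(raw).lower()

if __name__ == "__main__":
    print("subject:", decoded_subject(RAW))
    print("raw match:", raw_match(RAW), "| decoded match:", decoded_match(RAW))
```

If `raw_match` is already true for a saved copy of the delivered message, encoding is not what lets it past the keyword rule, and the filter's rule order is the next thing to inspect.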
 
The email is being quarantined as an attachment, pic attached.
 

Attachments: v-word.jpg

# created by DirectAdmin, version 1.33.1

Is this a typo in the filter, or is our server running something different?
I thought DA was on 1.43 ?
 
According to rules in filter.txt, if the email is marked as SPAM by SpamAssassin, then other filter rules are ignored.
 
Which is exactly what I suspected might be happening.
Any ideas how I suggest my host fixes this?

I assume a simple code change?
 