Hello,
First, I figured out why I was getting duplicates of every spam message
forwarded to my spam address. It was because the email address I entered
for ccSpamInDomain is actually an alias for the same email used for
sendAllSpam. That was simpler than I thought it would be.
However, we have a user who's getting tons of spam. It is marked as spam
with the {ASSP-SPAM} [MessageLimit][tagging] prefixes and the headers
even show a high tagging score, well above what should have it flagged.
I found one message in the logs for example. This is what the log says:
Sep-12-14 07:35:22 m-21721-03024 [Worker_2] 100.43.187.172
<nore...@esurgas.us> to: u...@domain.com Message-Score: added -10
(spfpValencePB) for SPF pass, total score for this message is now -10
Sep-12-14 07:35:22 m-21721-03024 [Worker_2] 100.43.187.172
<nore...@esurgas.us> to: u...@domain.com Message-Score: added -10 for
Home Country Bonus US (DORIS_MARTINSSON), total score for this message
is now -20
Sep-12-14 07:35:22 m-21721-03024 [Worker_2] [BombHeaderRe]
100.43.187.172 <nore...@esurgas.us> to: u...@domain.com [scoring]
(BombHeaderRe '2 Sep 2014 04:03:20 -0700')
Sep-12-14 07:35:22 m-21721-03024 [Worker_2] 100.43.187.172
<nore...@esurgas.us> to: u...@domain.com Message-Score: added 50 for
BombHeaderRe '2 Sep 2014 04:03:20 -0700', total score for this message
is now 30
Sep-12-14 07:35:28 m-21721-03024 [Worker_2] 100.43.187.172
<nore...@esurgas.us> to: u...@domain.com FileScan: scanned 50448 bytes
in message
Sep-12-14 07:35:28 m-21721-03024 [Worker_2] 100.43.187.172
<nore...@esurgas.us> to: u...@domain.com Bayesian Check [scoring] -
Prob: 1.00000 => spam
Sep-12-14 07:35:28 m-21721-03024 [Worker_2] 100.43.187.172
<nore...@esurgas.us> to: u...@domain.com Message-Score: added 49 for
Bayesian Probability: 1.00000, total score for this message is now 79
Sep-12-14 07:35:28 m-21721-03024 [Worker_2]
[MessageLimit][tagging][testmode] 100.43.187.172 <nore...@esurgas.us>
to: u...@domain.com [spam found] and possibly passing because testmode,
otherwise blocked (MessageScore 79, limit 50) [Pure Garcinia Cambogia
Extract] -> spam/Pure_Garcinia_Cambogia_Extract--1496652.eml
Sep-12-14 07:35:28 m-21721-03024 [Worker_2] 100.43.187.172
<nore...@esurgas.us> to: u...@domain.com spam found and passing () [Pure
Garcinia Cambogia Extract] ->
spam/Pure_Garcinia_Cambogia_Extract--1496652.eml
This is what feature matching says with the analyze option:
• SPF-check returned OK for 100.43.187.172 ->
garciniacambo...@esurgas.us, esurgas.us
• SPF: pass (cache) ip=100.43.187.172
mailfrom=garciniacambo...@esurgas.us helo=esurgas.us
• BombHeader RE: 'highest match: "2 Sep 2014 04:03:20 -0700" with
valence: 25 - PB value = 50'
• matching bombHeaderRe(): '0'
• URIBL check: 'OK'
• Valid Format of HELO: 'esurgas.us'
• IP in Helo check: 'OK'
• RBLCheck returned OK for 100.43.187.172:
• 100.43.187.172 SenderBase: status=not classified, data=US,
DORIS_MARTINSSON, , , , 26
Thank you all.
------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
