Wow! The message I've sent some minutes ago to this list has failed CMDSPACE on my server:

01/07/2004 15:56:40 Q1e1703c7006c33ca SPAMHEADERS:10 nNOLEGITCONTENT:-10 CMDSPACE:100 SPAMCHK:-255 ISDATE-EN:-10 . Total weight = -165.
01/07/2004 15:56:40 Q1e1703c7006c33ca R1 Message OK
01/07/2004 15:56:40 Q1e1703c7006c33ca Subject: RE: [Declude.JunkMail] New CMDSPACE test in latest interim release
01/07/2004 15:56:40 Q1e1703c7006c33ca From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 217.199.8.245 ID:
01/07/2004 15:56:40 Q1e1703c7006c33ca SPAMHEADERS=WARN CMDSPACE=IGNORE SPAMCHK=WARN ISDATE-EN=WARN

Without the whitelisting for declude list messages my message has reached our threshold of 100 points. (I've set CMDSPACE to 100 to catch some legit message with a CMDSPACE FP)

I use MS Outlook 2003.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
> Sent: Wednesday, January 07, 2004 3:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
>
> FP to report. So far I've managed to only hold one that
> didn't get deleted, but this one was legit, but didn't get
> held. It's from a company that sends out notifications by
> E-mail, and the headers look like they at least modified the
> mailer's source code if not written it themselves.
>
> Received: from D-11654.newsemergency.com [216.205.75.2] by xxxxxxxxx
>     (SMTPD32-7.15) id A532B730256; Wed, 07 Jan 2004 09:18:26 -0500
> Message-ID: <[EMAIL PROTECTED]> <newmsg.cgi?mbx=Main&[EMAIL PROTECTED]
>     twork.net>
> X-EM-Version: 5, 0, 0, 21
> X-EM-Registration: #01F0551810F20d001200
> From: "THE EMERGENCY EMAIL NETWORK" <[EMAIL PROTECTED]> <newmsg.cgi?mbx=Main&[EMAIL PROTECTED]>
> To: <xxxxxxxx> <newmsg.cgi?mbx=Main&[EMAIL PROTECTED]>
> Subject: Your Sign up Info
> Date: Wed, 7 Jan 2004 09:20:18 -0500
> MIME-Version: 1.0
> Content-type: text/plain; charset=US-ASCII
> X-MailPure: ==================================================================
> X-MailPure: IPNOTINMX: Failed, IP is not listed in MX or A records (weight 0).
> X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected (weight 0).
> X-MailPure: HELOBOGUS: Failed, bogus connecting server name (weight 4).
> X-MailPure: CMDSPACE: Failed, improperly formatted SMTP commands (weight 4).
> X-MailPure: ==================================================================
> X-MailPure: Spam Score: 8
> X-MailPure: Scan Time: 09:18:32 on 01/07/2004
> X-MailPure: Spool File: D15320b7302563c93.SMD
> X-MailPure: Server Name: D-11654.newsemergency.com
> X-MailPure: SMTP Sender: [EMAIL PROTECTED]
> X-MailPure: Received From: mail781.emergencyemailnetwork.net [216.205.75.2]
> X-MailPure: ==================================================================
> X-MailPure: Spam and virus blocking services provided by MailPure.com
> X-MailPure: ==================================================================
> X-Declude-Date: 01/07/2004 14:20:18 [1]
> X-RCPT-TO: <xxxxxx> <newmsg.cgi?mbx=Main&[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 373475498
>
>
> R. Scott Perry wrote:
>
> >
> >> It took about 1 minute to figure out that this will be a very
> >> valuable test as I'm seeing similar hit rates. What matters most
> >> though is the type of thing that will FP, and what other tests will
> >> generally fail along with it. I'm guessing that an FP with CMDSPACE
> >> will probably also tend to FP with BADHEADERS, and I might need to
> >> balance that out.
> >
> >
> > Actually, that's one reason why this test should be so useful. An
> > E-mail should only fail both CMDSPACE and BADHEADERS if [1] the MUA
> > and MTA are the same, and *seriously* broken (as is the case with
> > spamware), or [2] the MUA and MTA are separate, but both broken. #1
> > is the case with some web mailers, but time should tell whether or not
> > E-mail is likely to fail both tests.
> >
> >> Could you describe that one FP that you found so that I know what to
> >> look out for? Was this an instance where some small-time newsletter
> >> sender was using the same bad software that the spammers use, or was
> >> it something else like some Web script? If it's really rare and tied
> >> to an X-Mailer, maybe we could counterbalance it with a filter???
> >
> >
> > It was sent with Lotus Notes, but connecting to the IP of their
> > mailserver shows "220 SMTP Proxy Server Ready", so they are likely
> > running a special proxy server. Interestingly, the only Google hits
> > for "SMTP Proxy Server Ready" appear to be on servers run by spammers.
> > :)
> >
> >> Regardless, it appears that the FP rate of this thing will far out
> >> perform any other technical tests as well as the hit rate. That's HUGE!
> >
> >
> > It does appear to be huge. Let's hope it really is, and that it
> > lasts. :)
> >
> > -Scott
> >
> > ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be
> found at http://www.mail-archive.com.
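
Added example, not part of the original message and not Declude code: a Python script for auditing a weight-summary log line like the one quoted at the top of this message. It recomputes the total from the per-test weights, checks it against the logged "Total weight", and shows the score with each single test left out, compared with the 100-point threshold mentioned in the message. The function names and the regex reading of the log format are assumptions based only on the one line shown here.

```python
import re

# Weight-summary line copied from the log excerpt in the message above.
SAMPLE = (
    "01/07/2004 15:56:40 Q1e1703c7006c33ca SPAMHEADERS:10 nNOLEGITCONTENT:-10 "
    "CMDSPACE:100 SPAMCHK:-255 ISDATE-EN:-10 . Total weight = -165."
)
THRESHOLD = 100  # threshold quoted in the message

# Assumed token shape, inferred from the single line on the page: NAME:signed-int.
# Requiring a leading letter keeps the 15:56:40 timestamp from matching.
TEST_RE = re.compile(r"(?<!\S)([A-Za-z][\w-]*):(-?\d+)(?!\S)")
TOTAL_RE = re.compile(r"Total weight = (-?\d+)")


def parse_weights(line):
    """Return ({test_name: weight}, logged_total or None) for one log line."""
    weights = {name: int(w) for name, w in TEST_RE.findall(line)}
    m = TOTAL_RE.search(line)
    return weights, (int(m.group(1)) if m else None)


def what_if(weights, threshold):
    """For each test: (score with that test left out, whether it reaches threshold)."""
    total = sum(weights.values())
    return {t: (total - w, total - w >= threshold) for t, w in weights.items()}


def audit(line, threshold=THRESHOLD):
    """Verify the logged total against the sum of its parts, then run what_if."""
    weights, logged = parse_weights(line)
    if logged is None:
        raise ValueError("no 'Total weight' field in line")
    if sum(weights.values()) != logged:
        raise ValueError("per-test weights do not add up to the logged total")
    return logged, what_if(weights, threshold)


if __name__ == "__main__":
    total, table = audit(SAMPLE)
    print(f"logged total {total}, threshold {THRESHOLD}")
    for test, (score, hit) in sorted(table.items(), key=lambda kv: -kv[1][0]):
        flag = "AT/OVER" if hit else "under"
        print(f"  without {test:<16} score {score:>5}  {flag}")
```

Running it over a day's log shows which single weight decides the outcome for each message, which is the quickest way to see whether a test set to 100 is being held in check only by one negative-weight test.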
