On Fri, 2009-01-09 at 08:25 +0100, Harald Binkle wrote:
> Hi,
> Here is the header of one of those spam mails coming through:
>
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) * on
> hermes.intranet.jam-software.com * at Wed, 07 Jan 2009 14:56:26 +0100
> X-Spam-Status: No, hits=2.0, required= 5.0, autolearn=no, shortcircuit=no
> X-Spam-Report: * 0.3 JAM_DO_STH_HERE BODY: Body contains
> Click/Order/Press... Here
> * 0.2 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to
> image area
> * 1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of
> words
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
> * [score: 0.9875]
> * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> * 0.9 SARE_UN7 RAW: SARE_UN7
> * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> * [41.209.78.136 listed in zen.spamhaus.org]
> * -6.3 AWL AWL: From: address is in the auto white-list
> Received: from hacos (41.209.78.136) by Hermes.intranet.jam-software.com
> (192.168.123.96) with Microsoft SMTP Server id 8.1.291.1; Wed, 7 Jan 2009
> 14:55:37 +0100
Assuming that's the IP used for AWL, your AWL database seems to be dirty
or broken. Unless you actually are physically located in Sudan...
> X-Originating-IP: [20.447.77.419]
This is just plain wrong. :)
> So as you can see the AWL is the only applied rule which made this spam come
> through.
> And of course our own addresses are not on the whitelist.
I guess I'd carefully check the AWL database. Or maybe just start over
fresh. Any chance of wrong (possibly auto) learned messages?
guenther
--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
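
The triage step discussed in this thread, as an added example that is not part of the original message: it parses the rule lines of an X-Spam-Report, computes the score without AWL, and estimates the stored mean that the AWL adjustment implies. The sample is constructed from the header quoted above (unfolded); the function names are hypothetical, and factor=0.5 assumes SpamAssassin's default auto_whitelist_factor is in use.

```python
import re

# Constructed sample: rule lines of the X-Spam-Report quoted above, unfolded.
SAMPLE_REPORT = """\
* 0.3 JAM_DO_STH_HERE BODY: Body contains Click/Order/Press... Here
* 0.2 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image area
* 1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
* [score: 0.9875]
* 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.9 SARE_UN7 RAW: SARE_UN7
* 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
* [41.209.78.136 listed in zen.spamhaus.org]
* -6.3 AWL AWL: From: address is in the auto white-list
"""

# "* <score> <RULE_NAME> ..."; detail lines such as "* [score: ...]" do not match.
RULE_LINE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")

def parse_report(report):
    """Return [(rule, score)] for every scored rule line in the report."""
    hits = []
    for line in report.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            hits.append((m.group(2), float(m.group(1))))
    return hits

def awl_impact(report, required=5.0, factor=0.5):
    """Score without AWL, whether AWL flipped the verdict, and the implied mean.

    AWL adds (mean - score) * factor, so mean = score + awl / factor.
    factor=0.5 is an assumption (SpamAssassin's default auto_whitelist_factor).
    Report scores are rounded to one decimal, so results are approximate.
    """
    hits = parse_report(report)
    awl = sum(s for r, s in hits if r == "AWL")
    base = round(sum(s for r, s in hits if r != "AWL"), 1)
    final = round(base + awl, 1)
    return {
        "base": base,                                  # score before AWL
        "final": final,                                # score after AWL
        "flipped_by_awl": base >= required > final,    # AWL alone changed the verdict
        "implied_mean": round(base + awl / factor, 1), # stored AWL mean for this sender
    }
```

A strongly negative implied mean for a sender arriving from a PBL-listed relay is the kind of entry that supports checking or resetting the AWL database.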