Again, you're looking in the wrong place. spamdyke doesn't examine the 
message headers, so it doesn't matter what they contain. Instead, find 
some of spamdyke's lines in your maillog file, then look for the 
"origin_ip" and "origin_rdns" entries.

For example:
Sep 2 11:28:27 iconoclast spamdyke[5815]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 75.120.51.45 origin_rdns: 75-120-51-45.dyn.centurytel.net auth: (unknown)

Sep 2 12:18:57 iconoclast spamdyke[4233]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 77.7.107.37 origin_rdns: nrbg-4d076b25.pool.mediaways.net auth: (unknown)

Those two connections were filtered because the originating IP address 
was found in the rDNS name, along with a keyword (in the second example, 
the IP is encoded in hexadecimal).

Here's the part that seems to confuse most people: finding a keyword by 
itself isn't enough. spamdyke must ALSO find the IP address. The five 
headers you gave below don't show any rDNS names that include IP 
addresses, so there are no possible keywords that would have blocked 
those messages. You could try graylisting or blacklists.

Are you training SpamAssassin's learning filter to distinguish spam from 
ham? On my server, I have catch-all addresses configured on inactive 
domains to funnel all incoming mail to a single box. I then use those 
messages as input for SpamAssassin. I'm always amazed at how much mail 
is received at random addresses in domains that have been registered but 
never used.

-- Sam Clippinger

Christoph Kuhle (Expat Email Ltd) wrote:
>
> In a recent thread, Sam very kindly shared his keywords with us. As a 
> matter of interest, I went to some recent emails to see if I could 
> find any of those keywords in there. I don’t **think** any of the 
> words are there. I have put 5 examples of recent Spam that got through 
> and wondered if there is anything in the headers which seasoned users 
> might be able to identify, leading to something that I need to add to 
> some of my additional files.
>
> From another bit of advice, I suspect that Example 5 (which came 
> through our secondary mail servers) could have happened because the 
> Spammer specifically chose to send it via our lower priority MX 
> record. We have not yet put an even lower order MX record which points 
> back to our own server (in case they simply looked for the lowest 
> priority record).
>
> If there is anything glaring, could you possibly let me know?
>
> Kind regards, and many thanks in advance.
>
> Christoph
>
> *_EXAMPLE 1_*
>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>
> plesk2.ourserver.co.uk
>
> X-Spam-Level: ***
>
> X-Spam-Status: No, score=3.5 required=4.0 tests=BAYES_99 autolearn=no
>
> version=3.2.5
>
> Received: (qmail 29751 invoked from network); 30 Aug 2009 05:46:34 +0100
>
> Received: from greenip.ntnu.edu.tw (HELO mg2.ntnu.edu.tw) (140.122.65.195)
>
> by plesk2.ourserver.co.uk with SMTP; 30 Aug 2009 05:46:33 +0100
>
> Received-SPF: pass (plesk2.ourserver.co.uk: local policy designates 
> 140.122.65.195 as permitted sender)
>
> Received: from mg2.ntnu.edu.tw (localhost [127.0.0.1])
>
> by mg2.ntnu.edu.tw (Postfix) with ESMTP id C22A7414E36;
>
> Sun, 30 Aug 2009 10:43:27 +0800 (CST)
>
> Received: from (localhost [127.0.0.1])
>
> by mg2.ntnu.edu.tw (NOPAM 20080507(G2)) with ESMTP id 5AB6AC10
>
> Sun Aug 30 10:41:45 2009
>
> (envelope-from MAIL FROM:<[email protected]>)
>
> Received: from ntnu.edu.tw (ms2.ntnu.edu.tw [140.122.65.158])
>
> by mg2.ntnu.edu.tw (Postfix) with ESMTP id 371C9416021;
>
> Sun, 30 Aug 2009 10:26:10 +0800 (CST)
>
> From: "Patrick K.W Chan" <[email protected]>
>
> Reply-To: [email protected]
>
> Subject: Business Suggestion
>
> Date: Sun, 30 Aug 2009 10:26:10 +0800
>
> Message-Id: <[email protected]>
>
> X-Mailer: Open WebMail 2.51 20050228
>
> X-OriginatingIP: 78.138.3.235 ([email protected])
>
> MIME-Version: 1.0
>
> Content-Type: text/plain;
>
> charset=big5
>
> To: undisclosed-recipients:;
>
> X-NOPAM-Status: type=0; (GSD async, s=100)
>
> X-NOPAM-DIAG:
>
> *_EXAMPLE 2_*
>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>
> plesk2.ourserver.co.uk
>
> X-Spam-Level: ***
>
> X-Spam-Status: No, score=3.9 required=4.0 
> tests=BAYES_50,DATE_IN_PAST_96_XX,
>
> HTML_MESSAGE,MIME_HTML_ONLY,MSGID_FROM_MTA_HEADER autolearn=no 
> version=3.2.5
>
> Received: (qmail 8305 invoked from network); 31 Aug 2009 15:09:50 +0100
>
> Received: from bestresults1.net (76.73.21.162)
>
> by plesk2.ourserver.co.uk with SMTP; 31 Aug 2009 15:09:49 +0100
>
> Received-SPF: pass (plesk2.ourserver.co.uk: local policy designates 
> 76.73.21.162 as permitted sender)
>
> Message-Id: <[email protected]>
>
> From: [email protected]
>
> To: [email protected]
>
> Content-Type: text/html;
>
> charset=us-ascii
>
> Content-Transfer-Encoding: 7bit
>
> Date: Sun, 31 Aug 2008 10:08:32 -0600
>
> Subject: Free Website Analysis Report! Get ranked high in the search 
> engines.
>
> Received: from bestresults1.net [76.73.21.162] by 1vu.bestresults1.net 
> with SMTP; Sun, 31 Aug 2008 10:08:32 -0600
>
> *_EXAMPLE 3_*
>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>
> plesk2.ourserver.co.uk
>
> X-Spam-Level: ***
>
> X-Spam-Status: No, score=3.9 required=4.0 tests=BAYES_00,HTML_MESSAGE,
>
> MISSING_HEADERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
>
> SUBJ_ALL_CAPS,US_DOLLARS_3 autolearn=no version=3.2.5
>
> Received: (qmail 28640 invoked from network); 27 Aug 2009 13:54:06 +0100
>
> Received: from agsmtp02.state.ky.us (HELO agsmtp02.eas.ds.ky.gov) 
> (162.114.80.56)
>
> by plesk2.ourserver.co.uk with SMTP; 27 Aug 2009 13:54:06 +0100
>
> Received-SPF: pass (plesk2.ourserver.co.uk: SPF record at ky.gov 
> designates 162.114.80.56 as permitted sender)
>
> Received: from AGMBX06.eas.ds.ky.gov ([162.114.80.49]) by 
> agsmtp02.eas.ds.ky.gov with Microsoft SMTPSVC(6.0.3790.3959);
>
> Thu, 27 Aug 2009 08:53:53 -0400
>
> X-MimeOLE: Produced By Microsoft Exchange V6.5
>
> Content-class: urn:content-classes:message
>
> MIME-Version: 1.0
>
> Content-Type: multipart/alternative;
>
> boundary="----_=_NextPart_001_01CA2715.6D36AD3D"
>
> Subject: APPLY FOR A LOAN HERE
>
> Date: Thu, 27 Aug 2009 08:53:51 -0400
>
> Message-ID: 
> <[email protected]>
>
> X-MS-Has-Attach:
>
> X-MS-TNEF-Correlator:
>
> Thread-Topic: APPLY FOR A LOAN HERE
>
> Thread-Index: AconFWt262/x4xfJT6mvmLrIC66u9w==
>
> From: "Poe, Chris (KYTC-D05)" <[email protected]>
>
> Bcc:
>
> Return-Path: [email protected]
>
> X-OriginalArrivalTime: 27 Aug 2009 12:53:53.0894 (UTC) 
> FILETIME=[6EB9B060:01CA2715]
>
> *_EXAMPLE 4_*
>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>
> plesk2.ourserver.co.uk
>
> X-Spam-Level: *
>
> X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,HTML_MESSAGE,
>
> RCVD_IN_NJABL_PROXY autolearn=no version=3.2.5
>
> Received: (qmail 23483 invoked from network); 26 Aug 2009 12:39:46 +0100
>
> Received: from b-fa2-1186.noc.ntt-west.nsk.ne.jp (61.198.80.186)
>
> by plesk2.ourserver.co.uk with SMTP; 26 Aug 2009 12:39:45 +0100
>
> Received-SPF: neutral (plesk2.ourserver.co.uk: 61.198.80.186 is 
> neither permitted nor denied by SPF record at orgshrink.com)
>
> Received: from 61.198.80.186 by orgshrink.com.s5b1.psmtp.com; Wed, 26 
> Aug 2009 20:39:24 +0900
>
> Message-ID: <000d01ca2641$dc2d81a0$6400a...@pluralisti>
>
> From: "Winifred Bartley" <[email protected]>
>
> To: <[email protected]>
>
> Subject: We can help you have your health back.
>
> Date: Wed, 26 Aug 2009 20:39:24 +0900
>
> MIME-Version: 1.0
>
> Content-Type: multipart/alternative;
>
> boundary="----=_NextPart_000_0007_01CA2641.DC2D81A0"
>
> X-Priority: 3
>
> X-MSMail-Priority: Normal
>
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>
> *_EXAMPLE 5_*
>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>
> plesk2.ourserver.co.uk
>
> X-Spam-Level: ***
>
> X-Spam-Status: No, score=3.5 required=4.0 tests=BAYES_60,DIET_1,
>
> FB_EXTRA_INCHES,HTML_MESSAGE autolearn=no version=3.2.5
>
> Received: (qmail 32552 invoked from network); 25 Aug 2009 17:24:10 +0100
>
> Received: from lon-mail-relay-2.gradwell.net (193.111.201.135)
>
> by plesk2.ourserver.co.uk with SMTP; 25 Aug 2009 17:24:10 +0100
>
> Received-SPF: neutral (plesk2.ourserver.co.uk: 193.111.201.135 is 
> neither permitted nor denied by SPF record at quad-bikes.com)
>
> Received: from [190.144.97.84] (helo=CYFLKOXZ)
>
> by lon-mail-relay-2.gradwell.net with esmtp (Exim 4.52 (FreeBSD))
>
> id 1MfyoR-000F1d-FH; Tue, 25 Aug 2009 17:23:59 +0100
>
> Received: from 190.144.97.84 by mx1.123-reg.co.uk; Tue, 25 Aug 2009 
> 11:23:57 -0500
>
> Message-ID: <000d01ca25a0$7210d020$6400a...@estela563>
>
> From: "Anastasia King" <[email protected]>
>
> To: <[email protected]>
>
> Subject: Even the most beautiful women would want to be by your side.
>
> Date: Tue, 25 Aug 2009 11:23:57 -0500
>
> MIME-Version: 1.0
>
> Content-Type: multipart/alternative;
>
> boundary="----=_NextPart_000_0007_01CA25A0.7210D020"
>
> X-Priority: 3
>
> X-MSMail-Priority: Normal
>
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>   
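
Added example (not part of the original thread and not spamdyke's own code): a Python approximation of the check Sam describes, which pulls origin_ip and origin_rdns out of spamdyke log lines and requires both an embedded IP address and a keyword before reporting a match. The keyword list, the set of IP encodings tried and the placeholder addresses in the log lines are assumptions made for illustration.

```python
import re

# Assumption: illustrative keywords only; substitute your own keyword file.
KEYWORDS = ("dyn", "pool")
LOG_RE = re.compile(r"spamdyke\[\d+\]: (?P<result>\S+) .*?"
                    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+)")

def parse_log_line(line):
    """Return spamdyke's result code, origin_ip and origin_rdns, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def ip_in_rdns(ip, rdns):
    """True if the rDNS name embeds the IP in decimal or hexadecimal form."""
    name = rdns.lower()
    octets = [int(o) for o in ip.split(".")]
    for seq in (octets, octets[::-1]):                # forward and reversed
        if "".join(f"{o:02x}" for o in seq) in name:  # e.g. 4d076b25
            return True
        decimal = [str(o) for o in seq]
        padded = [f"{o:03d}" for o in seq]
        forms = [sep.join(d) for sep in ".-_" for d in (decimal, padded)]
        forms.append("".join(padded))                 # e.g. 075120051045
        for form in forms:
            # Digit boundaries stop 75-120-51-45 matching in 175-120-51-450.
            if re.search(r"(?<!\d)" + re.escape(form) + r"(?!\d)", name):
                return True
    return False

def explain(ip, rdns, keywords=KEYWORDS):
    """A keyword alone is not enough: the IP must be in the name as well."""
    ip_found = ip_in_rdns(ip, rdns)
    keyword_found = any(k in rdns.lower() for k in keywords)
    return {"ip_found": ip_found, "keyword_found": keyword_found,
            "would_block": ip_found and keyword_found}

# The two log lines from the message, rejoined; addresses are placeholders.
SAMPLE_LOG = [
    "Sep 2 11:28:27 iconoclast spamdyke[5815]: DENIED_IP_IN_RDNS from: a@example.com to: b@example.com "
    "origin_ip: 75.120.51.45 origin_rdns: 75-120-51-45.dyn.centurytel.net auth: (unknown)",
    "Sep 2 12:18:57 iconoclast spamdyke[4233]: DENIED_IP_IN_RDNS from: a@example.com to: b@example.com "
    "origin_ip: 77.7.107.37 origin_rdns: nrbg-4d076b25.pool.mediaways.net auth: (unknown)"]
# Connecting IP and name from the topmost Received: line of the five examples.
QUOTED_RELAYS = [("140.122.65.195", "greenip.ntnu.edu.tw"), ("76.73.21.162", "bestresults1.net"),
                 ("162.114.80.56", "agsmtp02.state.ky.us"), ("61.198.80.186", "b-fa2-1186.noc.ntt-west.nsk.ne.jp"),
                 ("193.111.201.135", "lon-mail-relay-2.gradwell.net")]

if __name__ == "__main__":
    logged = [(p["ip"], p["rdns"]) for p in map(parse_log_line, SAMPLE_LOG)]
    for ip, rdns in logged + QUOTED_RELAYS:
        print(ip, rdns, explain(ip, rdns))
```

Both logged connections report would_block as true, while none of the five quoted relays has its IP address in its name, so no keyword could have matched them.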