    #1 Master Untangler (joined Dec 2008, Dallas, TX, 337 posts)

    Obvious spam allowed

    I am running v9.2.1 with Spam Blocker. There have been no changes on the system for many months - except the standard automatic updates.

    Everything is working fine *except* I have seen obvious spam messages being allowed through to the mail server. The most recent one looked like this:

    Subject: Best online pharmacy providing all your RX med needs!

    Cialis will ensure that you never go soft in bed again

    http://www.surepickswin.com/wp-admin/css/r7y5.<extension removed>

    There was no effort made to obscure the subject or the content - it is the most blatant type of spam. This message scored a 2.5 on the Spam Filter. I have another implementation of SpamAssassin on my MDaemon mail server where it received an 8.8 score. There have been no custom rules added. The load on UT should be low and it has plenty of CPU horsepower.

    Seems like I started seeing one or two a day starting about a week ago. Any ideas why a message like this would be allowed through?

    #2 Untangle Ninja (joined Jan 2011, 1,325 posts)

    Do you have the add spam headers option checked? If so, check the X-Spam line from the message header. I'll bet it probably includes BAYES_00, which will indicate your Bayes database is hosed.

    #3 Master Untangler (joined Dec 2008, Dallas, TX, 337 posts)

    Yes, spam headers are turned on. I just checked about 5 recent messages and 1 had BAYES_00 but the other 4 did not. These were all non-spam messages.

    If I only see BAYES_00 1 out of 5 times what does that tell me?

    Also curious is that at least 2 or 3 of these messages are flagged with DATE_IN_FUTURE but they were all sent today.

    What next?

    #4 Master Untangler (joined Dec 2008, Dallas, TX, 337 posts)

    Here is today's version with a score of 1.3! This score is obviously not even close to the required 4.3 for spam.

    Any idea why this is going through the filter so handily?


    *********************************
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - EPI.epikitchen.com
    X-AntiAbuse: Original Domain - itc-inc.net
    X-AntiAbuse: Originator/Caller UID/GID - [504 501] / [47 12]
    X-AntiAbuse: Sender Address Domain - EPI.epikitchen.com
    X-spam-status: No, score=1.3 required=4.3 tests=ONLINE_PHARMACY,TVD_VISIT_PHARMA,DATE_IN_FUTURE_03_06,BAYES_80,CTASD_SPAM_UNKNOWN
    X-Spam-Flag: NO

    Subject: Begin a new life of sexual freedom with these medicines

    Safe reliable licensed online pharmacy drugstore. FDA approved.

    http://pa91.com/wangzhe1/css/1kk1e1.<extension removed>

    *********************************

    #5 dmorris, Untangle Junkie (joined Nov 2006, San Carlos, CA, 17,747 posts)

    Who is the Untangle using for DNS resolution?

    I find it very suspicious that none of the DNS based tests (most of them) ever fire in your case.
    Last edited by dmorris; 07-09-2012 at 09:00 AM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

    #6 Master Untangler (joined Dec 2008, Dallas, TX, 337 posts)

    I am on Time Warner cable and UT is using their DNS servers.

    209.18.47.61
    209.18.47.62

    #7 mrunkel, Untangle Ninja (joined Jul 2008, 3,040 posts)

    I'd try testing from here:

    http://www.crynwr.com/spam/
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.

    #8 mrunkel, Untangle Ninja (joined Jul 2008, 3,040 posts)

    Also, BAYES_XX indicates the probability of a match in your bayes database. XX is a percentage of a match.

    It doesn't indicate whether the match was in a positive or negative direction.

    DATE_IN_FUTURE_03_06 means that the Date of the message is set to 3 to 6 hours ahead of when the server received it. I.e., if the server saw the message at 1pm, and the message has a Date of 4pm, it would trigger that rule.
    m.


    #9 Untangle Ninja (joined Jan 2011, 1,325 posts)

    Quote (mrunkel):
        Also, BAYES_XX indicates the probability of a match in your bayes database. XX is a percentage of a match.

        It doesn't indicate whether the match was in a positive or negative direction.

    Are you sure on that? That is definitely NOT the way I understand the BAYES scores.

    BAYES_00 = not spam, adjust score negative (towards good)
    BAYES_50 = could be spam, small positive score adjustment
    BAYES_80 = very probable spam, bigger positive score adjustment
    BAYES_95 = almost certain spam, bigger positive score adjustment
    BAYES_99 = yep, it's spam, no doubt, big positive score adjustment

    there are a few other intermediate scores, but those are the main ones. I think the ones between 00 and 50 don't adjust the score either way (at least by the default SA rules... Untangle's ruleset may be different)

    (here's the default SA scoring: http://spamassassin.apache.org/tests_3_3_x.html)
    Last edited by johnsonx42; 07-09-2012 at 02:57 PM.
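    An added example (my own code, not from any poster here and not part of Untangle or SpamAssassin) that reads the pieces discussed in posts #8 and #9 straight off the thread's own X-Spam-Status headers: the score and how far under the 4.3 threshold it landed, which BAYES_XX bucket fired, and post #8's DATE_IN_FUTURE_03_06 check. The receipt timestamps are constructed, and the exact inclusive/exclusive edges of the 3 to 6 hour window are an assumption.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# X-Spam-Status values copied from posts #4 and #10 (folded header lines joined).
STATUS_POST4 = ("No, score=1.3 required=4.3 tests=ONLINE_PHARMACY,TVD_VISIT_PHARMA,"
                "DATE_IN_FUTURE_03_06,BAYES_80,CTASD_SPAM_UNKNOWN")
STATUS_POST10 = "No, score=3.8 required=4.3 tests=SUBJECT_FUZZY_MEDS,BAYES_60,CTASD_SPAM_UNKNOWN"

def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, score, threshold and the list of rules hit."""
    m = re.match(r"\s*(Yes|No),\s*score=(-?[\d.]+)\s+required=([\d.]+)\s+tests=(\S*)", value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status value: %r" % value)
    verdict, score, required, tests = m.groups()
    return {"spam": verdict == "Yes", "score": float(score),
            "required": float(required), "tests": tests.split(",") if tests else []}

def bayes_bucket(tests):
    """Return the XX of the BAYES_XX rule that fired, or None if Bayes did not fire.
    As post #9 describes it: 00 = ham, 50 = unsure, 80/95/99 = increasingly certain spam."""
    for t in tests:
        m = re.fullmatch(r"BAYES_(\d\d)", t)
        if m:
            return int(m.group(1))
    return None

def _aware(date_header):
    """Parse an RFC 2822 date; a header with no usable zone is assumed to be UTC."""
    dt = parsedate_to_datetime(date_header)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def hours_in_future(date_header, received_header):
    """How many hours the message's Date: is ahead of when the server received it."""
    return (_aware(date_header) - _aware(received_header)) / timedelta(hours=1)

def date_in_future_03_06(date_header, received_header):
    """Post #8's rule: Date: is 3 to 6 hours ahead of receipt (window edges are assumed)."""
    return 3 <= hours_in_future(date_header, received_header) < 6

def triage(status_value):
    """What a defender reads off the header: how far under the threshold the message landed,
    and whether the Bayes database vouched for it as ham (post #2's BAYES_00 'hosed DB' hint)."""
    s = parse_spam_status(status_value)
    b = bayes_bucket(s["tests"])
    return {"score": s["score"], "margin": round(s["required"] - s["score"], 1),
            "bayes": b, "bayes_says_ham": b is not None and b < 50}

if __name__ == "__main__":
    for name, value in (("post #4", STATUS_POST4), ("post #10", STATUS_POST10)):
        print(name, triage(value))
```

    A margin of 3.0 on post #4's message with BAYES_80 and ONLINE_PHARMACY already firing is what points at the missing network rules that dmorris asks about in post #5.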

    #10 Master Untangler (joined Dec 2008, Dallas, TX, 337 posts)

    Quote (mrunkel):
        I'd try testing from here:

        http://www.crynwr.com/spam/

    I *think* I understood what this test is supposed to be doing. So following the directions I did a telnet from the mail server to the ns1.crynwr.com server. The results show the same for each of the 8 tests.

    ***************************
    Testing your <test name here>. See http://www.crynwr.com/spam/ for more info.
    Could not connect to <mail server ip address>: Connection refused
    ***************************

    If I understand the test results then UT is blocking as expected.

    I have another one of these obvious spam messages that came in later today that is below. It is interesting to note that the X-AntiAbuse headers are filled out on most of the spam like this that is getting through. Is it possible that the X-AntiAbuse header has any bearing on allowing these messages through the filter?

    Subject: Your meds are our business. Order online today and get worldwide
    shipping.
    From: azuor@www.mellsa.com
    Reply-To: azuor@www.mellsa.com
    Message-Id: <E1SoI3y-0001th-GW@jupiter.indo-server.com>
    Date: Tue, 10 Jul 2012 00:47:58 +0700
    X-AntiAbuse: This header was added to track abuse, please include it with
    any abuse report
    X-AntiAbuse: Primary Hostname - jupiter.indo-server.com
    X-AntiAbuse: Original Domain - itc-inc.net
    X-AntiAbuse: Originator/Caller UID/GID - [1432 1426] / [47 12]
    X-AntiAbuse: Sender Address Domain - jupiter.indo-server.com
    X-spam-status: No, score=3.8 required=4.3
    tests=SUBJECT_FUZZY_MEDS,BAYES_60,CTASD_SPAM_UNKNOWN
    X-Spam-Flag: NO

    Online ordering for mens medications. Guaranteed shipping with insurance

    http://www.worldperfect.dk/css/5mpsg.php
