[exim] Spam slipping through exiscan?

Author: Steve Zinski
Date:  
To: exim-users
Subject: [exim] Spam slipping through exiscan?
Hello, I am using an acl in exiscan to reject spam at smtp time. Everything
works great most of the time, but occasionally a message or two gets through
even though the header clearly shows that the message was scored as spam.

The only thing that appears to be common with these messages that get
through is that the message is addressed to an email address that forwards
to another local address (i.e., domains@??? is a forwarder to
steve@???). And, the messages in question appear to be addressed to
multiple recipients. Anyway, I am stumped. My exim acl works fine 90% of the
time, but it's just a few messages that get through... And you will see that
I'm dropping messages with a score of 7+ and the message that got through
was scored 15.8.

I'd appreciate some help. Thanks very much.

Steve

---------------------------------------------------
Here is my exim acl:

#!!# ACL that is used after the DATA command
check_message:
  require verify = header_sender

  # Reject messages with a SpamAssassin score >7
  deny     message = Rejected: Flagged as spam (score = $spam_score).
           spam = nobody:true
           condition = ${if >{$spam_score_int}{70}{1}{0}}

  accept

---------------------------------------------------
Log snippet from exim_mainlog (domains obfuscated to protect privacy):

2006-07-25 06:52:09 1G5KWG-0007jX-2y <= Dirk.Stevens@??? H=(STUDIO-DA08EB7F.ao3hoee5.org) [58.69.5.99] P=esmtp S=4368 id=36566679493107.F224B4D819@8L9SQD2
2006-07-25 06:52:11 1G5KWG-0007jX-2y => steve <domains@???> R=virtual_sa_user T=virtual_sa_userdelivery
2006-07-25 06:52:11 1G5KWH-0007lv-G4 <= Dirk.Stevens@??? U=scz P=local-bsmtp S=5474 id=36566679493107.F224B4D819@8L9SQD2
2006-07-25 06:52:11 1G5KWH-0007lv-G4 => steve <steve@???> R=virtual_user T=virtual_userdelivery
2006-07-25 06:52:11 1G5KWH-0007lv-G4 Completed
2006-07-25 06:52:12 1G5KWG-0007jX-2y => matt@??? <matt@???> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [64.233.185.114]
2006-07-25 06:52:12 1G5KWG-0007jX-2y Completed

---------------------------------------------------
Message header:

Return-path: <Dirk.Stevens@???>
Envelope-to: steve@???
Delivery-date: Tue, 25 Jul 2006 06:52:11 -0400
Received: from scz by vps.mydomain.net with local-bsmtp (Exim 4.52)
        id 1G5KWH-0007lv-G4
        for steve@???; Tue, 25 Jul 2006 06:52:11 -0400
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on vps.mydomain.net
X-Spam-Level: ***************
X-Spam-Status: Yes, score=15.8 required=5.0 tests=BAYES_99,FORGED_RCVD_HELO,
        HTML_MESSAGE,MIME_HTML_ONLY,SUBJ_ILLEGAL_CHARS,URIBL_JP_SURBL,
        URIBL_SBL,URIBL_WS_SURBL autolearn=no version=3.1.3
X-Spam-Report:
        *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
        *  4.3 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
        *      [score: 1.0000]
        *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        *  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
        *      [URIs: audionjn.com]
        *  4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
        *      [URIs: audionjn.com]
        *  2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        *      [URIs: audionjn.com]
Received: from [58.69.5.99] (helo=STUDIO-DA08EB7F.ao3hoee5.org)
        by vps.mydomain.net with esmtp (Exim 4.52)
        id 1G5KWG-0007jX-2y; Tue, 25 Jul 2006 06:52:08 -0400
Message-ID: <36566679493107.F224B4D819@8L9SQD2>
From: "Dirk" <Dirk.Christiansen@???>
To: <matt@???>
Subject: New'n'hot Most quality products for anyone who wants to become a champion in bed
Date: Tue, 25 Jul 2006 18:51:12 +0800
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: q6CLqeQvMbe84ynkDLYXq1LtXcuZ9NCGNFcM
Content-Type: text/html;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit