Re: [exim] OT - Not all messages being checked for spam

Author: Michael Sullivan
Date:  
To: Graeme Fowler
CC: exim-users
Subject: Re: [exim] OT - Not all messages being checked for spam
On Fri, 2007-06-15 at 08:30 -0500, Michael Sullivan wrote:
> On Fri, 2007-06-15 at 10:41 +0100, Graeme Fowler wrote:
> > On Thu, 2007-06-14 at 21:04 -0500, Michael Sullivan wrote:
> > > I've got a problem. A lot of spammish emails are getting through, and
> > > looking at their headers reveals that some of them have X-Spam status of
> > > "Not checked" and others don't have X-Spam headers at all. How can I
> > > ensure that all mail is checked for spam? Here's my ACL:
> >
> > Where does the "X-Spam" status header you mention get generated? It
> > isn't in your ACL:
> >
> > > acl_check_data:
> > >
> > >   # Deny if the message contains a virus. Before enabling this check,
> > > you
> > >   # must install a virus scanner and set the av_scanner option above.
> > >   #
> > > #  deny    malware    = *
> > > #          message    = This message contains a virus ($malware_name).

> > >
> > > # Add headers to a message if it is judged to be spam. Before enabling
> > > this,
> > > # you must install SpamAssassin. You may also need to set the
> > > spamd_address
> > > # option above.
> > > #
> > >
> > > warn message = Subject: [*SPAM*] $h_Subject
> > > spam = nobody
> > >
> > > add_header = X-Spam_score: $spam_score\n\
> > > X-Spam_score_int: $spam_score_int\n\
> > > X-Spam_bar: $spam_bar\n\
> > > X-Spam_report: $spam_report
> > >
> > > # Accept the message.
> > >
> > > accept
> >
> > You're not rejecting message, since you only have a "warn" there. As far
> > as I can see, all messages will be passed to SpamAssassin with that ACL
> > (there's no condition to be satisfied) so all messages should be
> > checked.
>
> I don't want to reject them, at this point.
> >
> > I believe, however, that you should have multiple "add_header" lines
> > (one for each one) rather than trying to escape them in that way.
> >
> I've altered two lines in the ACL to say this:
>
> add_header = X-Spam_bar: $spam_bar\n\
> add_header = X-Spam_report: $spam_report
>
> I hope it works. The trouble is, some messages are being marked as
> spam, while the majority are not...
> > Have you restarted Exim since adding this config?
> >
> Several times
> > Graeme


For example, here are the headers from two different spammish emails - one was marked as spam, and the other wasn't:

Marked spam:
Return-path: <lejxrghvvxaao@???>
Envelope-to: michael@???
Delivery-date: Fri, 15 Jun 2007 12:47:29 -0500
Received: from [210.22.84.4] (helo=70.234.122.254) by
baby.espersunited.com with smtp (Exim 4.67) (envelope-from
<lejxrghvvxaao@???>) id 1HzFtQ-0005ke-6N for
michael@???; Fri, 15 Jun 2007 12:47:29 -0500
From: ?$B@nK?(B?$B5]??;R?(B <lejxrghvvxaao@???>
Reply-To: lejxrghvvxaao@???
To: michael@???
Date: Sat, 16 Jun 2007 03:48:05 -0800  (06:48 CDT)
X-Info: michael@???
MIME-Version: 1.0
Content-Type: text/plain
List-Id: 8
X-Spam_score: 9.1
X-Spam_score_int: 91
X-ACL-Warn: add_header = X-Spam_bar: +++++++++
X-ACL-Warn: add_header = X-Spam_report: Spam detection software, running
on the system "baby.espersunited.com", has identified this incoming
email as possible spam.  The original message has been attached to this
so you can view it (if it isn't spam) or label similar future email.  If
you have any questions, see the administrator of that system for
details. Content preview:  [...]
Content analysis details:   (9.1 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.3 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 3.2 RCVD_HELO_IP_MISMATCH  Received: HELO and IP do not match, but should
 2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
 1.3 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
Subject: [*SPAM*] ?$B$I$&$7$F$b?(B
X-Evolution-Source: imap://michael@baby.espersunited.com/


Not marked:
Return-path: <iynieola@???>
Envelope-to: michael@???
Delivery-date: Fri, 15 Jun 2007 12:53:17 -0500
Received: from [189.4.8.229] (helo=opentur.com) by baby.espersunited.com
with smtp (Exim 4.67) (envelope-from <iynieola@???>) id
1HzFyy-0005kn-VH for michael@???; Fri, 15 Jun 2007 12:53:17
-0500
Received: from mail.gimmicc.net ([Sat, 16 Jun 2007 03:34:51 +0900]) by
rly04.hottestmile.com with SMTP; Sat, 16 Jun 2007 03:34:51 +0900
Received: from unknown (153.115.144.108) by nntp.pinxodet.net with SMTP;
Sat, 16 Jun 2007 03:19:56 +0900
Message-ID: <8CF49004.1F485D95@???>
Date: Sat, 16 Jun 2007 03:04:01 +0900 (Fri, 13:04 CDT)
From: Hallie <iynieola@???>
User-Agent: Opera/7.02 (Windows NT 5.1; U)
X-Accept-Language: en-us
MIME-Version: 1.0
To: Ashlee <michael@???>
Subject: Addie wants you to check out this shop
Content-Type: multipart/related;
boundary="------------525188226024666613055258"
X-Evolution-Source: imap://michael@baby.espersunited.com/

So why was one checked and the other not?
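
An added configuration example, not part of the original message or the thread: Exim's `spam` condition only succeeds when the score reaches the SpamAssassin threshold, so a `warn` using `spam = nobody` adds its headers to mail judged spam and nothing to the rest, while appending `:true` to the user name makes the condition succeed for every scanned message. The sketch assumes the same `nobody` user and the 5.0 threshold shown in the report above (50 in `$spam_score_int` units), and gives each header its own `add_header` line so that no `\n\` continuation can fold a following `add_header =` into the header text, as in the `X-ACL-Warn:` lines of the marked message.

```exim
# Added example, not the poster's configuration.
acl_check_data:

  # ":true" makes the spam condition succeed whatever the score, so the
  # $spam_* variables are set and these headers are added to every message.
  # One add_header modifier per header, with no "\n\" continuation lines.
  warn    spam       = nobody:true
          add_header = X-Spam_score: $spam_score
          add_header = X-Spam_score_int: $spam_score_int
          add_header = X-Spam_bar: $spam_bar

  # Attach the full report only at or above the threshold.
  # Assumption: 50 corresponds to the "5.0 required" in the report above
  # ($spam_score_int is the score multiplied by ten).
  warn    condition  = ${if >={$spam_score_int}{50}}
          add_header = X-Spam_report: $spam_report

  # Accept the message; nothing is rejected on spam score here.
  accept
```

With this layout a delivered message that lacks `X-Spam_score` did not pass through the `warn` statement at all, which separates "scanned but below threshold" from "not scanned".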