On Fri, 2007-06-15 at 08:30 -0500, Michael Sullivan wrote:
> On Fri, 2007-06-15 at 10:41 +0100, Graeme Fowler wrote:
> > On Thu, 2007-06-14 at 21:04 -0500, Michael Sullivan wrote:
> > > I've got a problem. A lot of spammish emails are getting through, and
> > > looking at their headers reveals that some of them have X-Spam status of
> > > "Not checked" and others don't have X-Spam headers at all. How can I
> > > ensure that all mail is checked for spam? Here's my ACL:
> >
> > Where does the "X-Spam" status header you mention get generated? It
> > isn't in your ACL:
> >
> > > acl_check_data:
> > >
> > > # Deny if the message contains a virus. Before enabling this check, you
> > > # must install a virus scanner and set the av_scanner option above.
> > > #
> > > # deny malware = *
> > > # message = This message contains a virus ($malware_name).
> > >
> > > # Add headers to a message if it is judged to be spam. Before enabling this,
> > > # you must install SpamAssassin. You may also need to set the spamd_address
> > > # option above.
> > > #
> > >
> > > warn message = Subject: [*SPAM*] $h_Subject
> > > spam = nobody
> > >
> > > add_header = X-Spam_score: $spam_score\n\
> > > X-Spam_score_int: $spam_score_int\n\
> > > X-Spam_bar: $spam_bar\n\
> > > X-Spam_report: $spam_report
> > >
> > > # Accept the message.
> > >
> > > accept
> >
> > You're not rejecting messages, since you only have a "warn" there. As far
> > as I can see, all messages will be passed to SpamAssassin with that ACL
> > (there's no condition to be satisfied) so all messages should be
> > checked.
>
> I don't want to reject them, at this point.
> >
> > I believe, however, that you should have multiple "add_header" lines
> > (one for each one) rather than trying to escape them in that way.
> >
> I've altered two lines in the ACL to say this:
>
> add_header = X-Spam_bar: $spam_bar\n\
> add_header = X-Spam_report: $spam_report
>
> I hope it works. The trouble is, some messages are being marked as
> spam, while the majority are not...
> > Have you restarted Exim since adding this config?
> >
> Several times
> > Graeme

For example, here are the headers from two different spammish emails - one was marked as spam, and the other wasn't:

Marked spam:
Return-path: <lejxrghvvxaao@???>
Envelope-to: michael@???
Delivery-date: Fri, 15 Jun 2007 12:47:29 -0500
Received: from [210.22.84.4] (helo=70.234.122.254) by
baby.espersunited.com with smtp (Exim 4.67) (envelope-from
<lejxrghvvxaao@???>) id 1HzFtQ-0005ke-6N for
michael@???; Fri, 15 Jun 2007 12:47:29 -0500
From: ?$B@nK?(B?$B5]??;R?(B <lejxrghvvxaao@???>
Reply-To: lejxrghvvxaao@???
To: michael@???
Date: Sat, 16 Jun 2007 03:48:05 -0800 (06:48 CDT)
X-Info: michael@???
MIME-Version: 1.0
Content-Type: text/plain
List-Id: 8
X-Spam_score: 9.1
X-Spam_score_int: 91
X-ACL-Warn: add_header = X-Spam_bar: +++++++++
X-ACL-Warn: add_header = X-Spam_report: Spam detection software, running
on the system "baby.espersunited.com", has identified this incoming
email as possible spam. The original message has been attached to this
so you can view it (if it isn't spam) or label similar future email. If
you have any questions, see the administrator of that system for
details. Content
preview: [...]
Content analysis details: (9.1 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.3 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 3.2 RCVD_HELO_IP_MISMATCH  Received: HELO and IP do not match, but should
 2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
 1.3 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
Subject: [*SPAM*] ?$B$I$&$7$F$b?(B
X-Evolution-Source: imap://michael@baby.espersunited.com/

Not marked:
Return-path: <iynieola@???>
Envelope-to: michael@???
Delivery-date: Fri, 15 Jun 2007 12:53:17 -0500
Received: from [189.4.8.229] (helo=opentur.com) by baby.espersunited.com
with smtp (Exim 4.67) (envelope-from <iynieola@???>) id
1HzFyy-0005kn-VH for michael@???; Fri, 15 Jun 2007 12:53:17
-0500
Received: from mail.gimmicc.net ([Sat, 16 Jun 2007 03:34:51 +0900]) by
rly04.hottestmile.com with SMTP; Sat, 16 Jun 2007 03:34:51 +0900
Received: from unknown (153.115.144.108) by nntp.pinxodet.net with SMTP;
Sat, 16 Jun 2007 03:19:56 +0900
Message-ID: <8CF49004.1F485D95@???>
Date: Sat, 16 Jun 2007 03:04:01 +0900 (Fri, 13:04 CDT)
From: Hallie <iynieola@???>
User-Agent: Opera/7.02 (Windows NT 5.1; U)
X-Accept-Language: en-us
MIME-Version: 1.0
To: Ashlee <michael@???>
Subject: Addie wants you to check out this shop
Content-Type: multipart/related;
boundary="------------525188226024666613055258"
X-Evolution-Source: imap://michael@baby.espersunited.com/

So why was one checked and the other not?
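
Added example, not part of the original thread or of any poster's configuration: a version of the DATA ACL above that tags every scanned message, with the altered lines kept as a comment for comparison. It relies on documented Exim behaviour that `spam = nobody` succeeds only for messages SpamAssassin rates as spam, while `spam = nobody:true` always succeeds; that this is the reason the second message carried no X-Spam headers is an assumption, as is a working `spamd_address` setting.

```exim
# Constructed example for the DATA ACL discussed in this thread
# (Exim 4.67 with SpamAssassin's spamd). Assumption: spamd_address is set.

acl_check_data:

  # As altered in the thread, kept here only for comparison. The trailing
  # "\n\" continues the logical line, so the literal text "add_header = ..."
  # becomes part of the header value. It is not a valid header name, and
  # Exim emits it prefixed with "X-ACL-Warn:", as seen in the marked message.
  #
  #   add_header = X-Spam_bar: $spam_bar\n\
  #   add_header = X-Spam_report: $spam_report

  # Scan every message and always record the score. "spam = nobody" alone
  # is true only when SpamAssassin rates the message as spam; appending
  # ":true" makes the condition succeed whatever the score, so low-scoring
  # mail also gets X-Spam headers and can be told apart from unscanned mail.
  warn  spam       = nobody:true
        add_header = X-Spam_score: $spam_score
        add_header = X-Spam_score_int: $spam_score_int
        add_header = X-Spam_bar: $spam_bar

  # Add the full report only to messages SpamAssassin rated as spam.
  # The scan result is cached, so spamd is not called a second time.
  warn  spam       = nobody
        add_header = X-Spam_report: $spam_report

  # Accept the message (nothing is rejected at this stage).
  accept
```

With this layout a delivered message that has no `X-Spam_score` header did not pass through this ACL at all, which separates "scanned and scored low" from "never scanned".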