Discussion:
spam-
Ejaz
2013-11-08 07:51:30 UTC
Please help to stop spam messages. Below is the header of one example of
the spam messages; our users keep receiving a huge number of such messages.

My setup: MailScanner/Postfix/ClamAV/SpamAssassin/MailWatch.

Any help would be highly appreciated.

Received on: 08/11/13 10:08:17
Received by: mailgate5.cyberia.net.sa
Received from: 178.76.217.156

Received Via:
IP Address      Hostname                 Country                RBL  Spam  Virus  All
178.76.217.156  (Reverse Lookup Failed)  (GeoIP Lookup Failed)  [ ]  [ ]   [ ]    [ ]

ID: 5E90EAE6CC1.A5345

Message Headers:
Received: from clonx (unknown [178.76.217.156])
    by mailgate5.cyberia.net.sa (Postfix) with SMTP id 5E90EAE6CC1
    for <mejaz at cyberia.net.sa>; Fri, 8 Nov 2013 10:08:10 +0300 (AST)
Received: (qmail 5455 by uid 393); Fri, 8 Nov 2013 07:11:18 -0300
From: "Enlargement pils Free trial sample"
    <guernseyparticiple at wikimedia.org>
To: <mejaz at cyberia.net.sa>
Subject: Uncensored models pics
Date: Fri, 8 Nov 2013 06:47:39 -0300
Message-ID: <005b01cedc73$8debbe70$a9c33b50$@org>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_005A_01CEDC73.8DEBBE70"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcjkztUsBXgoB+tXKZk5ZYQYXbRHBg==
Content-Language: en-us

From: guernseyparticiple at wikimedia.org
To: mejaz at cyberia.net.sa
Subject: Uncensored models pics
Size: 6.4Kb

Anti-Virus/Dangerous Content Protection
Virus: N
Blocked File: N
Other Infection: N

SpamAssassin
Spam: N Action(s): deliver, header, "X-Spam-Status:, No"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: N
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score: 5.07

Spam Report:
Score  Matching Rule          Description
0.80   BAYES_50
0.00   FSL_HELO_NON_FQDN_1
0.00   HTML_MESSAGE
1.45   RCVD_IN_BRBL_LASTEXT
0.79   RDNS_NONE
0.78   SPF_NEUTRAL
1.25   URIBL_JP_SURBL

Regards,
Mohammed Ejaz
CYBERIA® SAUDI ARABIA
P.O.Box 301079, Riyadh 11372, Saudi Arabia
Tel: +966 11 464 7114 Ext. 140
Fax: +966 11 465 4735

Richard Mealing
2013-11-08 13:46:39 UTC
Hi Ejaz,

What do you have set for "Required SpamAssassin Score" in your MailScanner.conf file?


Thanks,
Rich

Ejaz
2013-11-08 15:39:46 UTC
In my MailScanner.conf the default score was set to 6; now I have reduced it
to 5. But my fear is that some false positives can happen.

--
This message has been scanned for viruses and
dangerous content by <http://www.mailscanner.info/> MailScanner, and is
believed to be clean.



Mark Sapiro
2013-11-08 16:18:20 UTC
Post by Ejaz
In my MailScanner.conf the default score was set to 6; now I have
reduced it to 5. But my fear is that some false positives can happen.

Spam detection is not an exact science. There will always be false
positives, false negatives or both.

Make sure your SpamAssassin rules are up to date and maybe try adding
some additional rules.

See <http://www.mailscanner.info/gettingthebest.html>
--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Terry Hulen Jr
2013-11-08 16:34:13 UTC
The first thing I would do is use your MTA to use the most common BL
sites. If you follow this link you will notice that the first IP that you
sent is listed on many BL databases:

http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a178.76.217.156&run=toolpage

I would at least use Barracuda's BL database to block these at the MTA.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
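
Added example (not written by any poster in this thread): how the blacklist check suggested above works at the DNS level, so a sample of client IPs taken from the mail log can be tested against a list before it is enforced at the MTA. b.barracudacentral.org is the Barracuda list's DNS zone; dnsbl.example, the FAKE_DNS table and fake_resolve are constructed so the code runs offline.

```python
import ipaddress
import socket

LISTED = ipaddress.IPv4Network("127.0.0.0/8")
# Some lists (Spamhaus, for one) answer 127.255.255.x to refuse a query; not a listing.
REFUSED = ipaddress.IPv4Network("127.255.255.0/24")

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """True if zone lists ip. A name that does not resolve means 'not listed'."""
    name = dnsbl_name(ip, zone)
    try:
        answer = ipaddress.IPv4Address(resolve(name))
    except (socket.gaierror, ValueError):
        return False
    return answer in LISTED and answer not in REFUSED

def coverage(ips, zones, resolve=socket.gethostbyname):
    """Per zone, how many of the given client IPs it lists."""
    return {z: sum(dnsbl_listed(ip, z, resolve) for ip in ips) for z in zones}

# Constructed stand-in for DNS so the example runs offline; not real lookup results.
FAKE_DNS = {
    "156.217.76.178.b.barracudacentral.org": "127.0.0.2",
    "10.2.0.192.dnsbl.example": "127.255.255.254",  # refusal code, not a listing
}

def fake_resolve(name):
    """Return the constructed answer, or fail the way an NXDOMAIN lookup does."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN") from None

if __name__ == "__main__":
    sample_ips = ["178.76.217.156", "192.0.2.10"]  # second address is a documentation IP
    zones = ["b.barracudacentral.org", "dnsbl.example"]
    for ip in sample_ips:
        print(ip, "->", dnsbl_name(ip, zones[0]))
    print(coverage(sample_ips, zones, fake_resolve))
```

Leaving out the resolve argument makes the functions use the system resolver, which is how they would be run against a real list.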
Tracy Greggs
2013-11-08 23:13:41 UTC
I 2nd that! Very few false positives with Barracuda in my experience.

You can also look at what IS being scored in SA on these spams and perhaps
increase the score for some of the items. My personal opinion is that the
default SA score is too low for quite a few of the rules.

Razor, Pyzor and DCC? They are a must IMO. It truly is a balancing act and
you are NEVER going to stop all spam from getting through, but you can catch
the vast majority of it with some diligence.

I am personally a proponent of using geoip blocking with xtables addon for
iptables and blocking all of the major offending countries that I never have
legit email from. I do understand for the global corporate scenario that is
largely not possible to do.

Tracy Greggs
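
Added example (not written by any poster in this thread): the rule hits from the MailWatch report in the first message, totalled and compared against a required score of 6 and of 5, with a what-if for raising individual rule scores as suggested above and a threshold sweep that counts false positives and false negatives. OVERRIDES and HISTORY are constructed values, and tagging at score >= required is an assumption.

```python
import re

# Rule hits copied from the spam report in the first post.
REPORT = """\
0.80 BAYES_50
0.00 FSL_HELO_NON_FQDN_1
0.00 HTML_MESSAGE
1.45 RCVD_IN_BRBL_LASTEXT
0.79 RDNS_NONE
0.78 SPF_NEUTRAL
1.25 URIBL_JP_SURBL
"""

# Constructed values, for illustration only: raised rule scores and a small
# hand-labelled history of (score, really_spam) pairs.
OVERRIDES = {"RDNS_NONE": 1.50, "URIBL_JP_SURBL": 2.00}
HISTORY = [(5.07, True), (7.9, True), (4.6, True), (5.8, True),
           (5.4, False), (1.2, False), (0.3, False), (2.1, False)]

def parse_report(text):
    """Return {rule: score} from 'score RULE_NAME' lines; other lines are skipped."""
    hits = {}
    for line in text.splitlines():
        m = re.match(r"\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b", line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def total(hits, overrides=None):
    """Sum the hit scores, replacing any rule's score that appears in overrides."""
    overrides = overrides or {}
    return round(sum(overrides.get(rule, s) for rule, s in hits.items()), 2)

def is_spam(score, required):
    """Assumption: a message is tagged as spam when score >= required."""
    return score >= required

def sweep(history, thresholds):
    """Return {threshold: (false_positives, false_negatives)} over the history."""
    return {t: (sum(1 for s, spam in history if not spam and is_spam(s, t)),
                sum(1 for s, spam in history if spam and not is_spam(s, t)))
            for t in thresholds}

if __name__ == "__main__":
    hits = parse_report(REPORT)
    print("as scored:", total(hits), "spam at 6:", is_spam(total(hits), 6),
          "spam at 5:", is_spam(total(hits), 5))
    print("with overrides:", total(hits, OVERRIDES))
    print("threshold -> (FP, FN):", sweep(HISTORY, [5, 5.5, 6]))
```

Feeding sweep the scores of mail that users have already classified by hand gives a measured basis for choosing between 5 and 6.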



Alex Neuman van der Hans
2013-11-09 00:16:28 UTC
In my experience a well tuned MailScanner has far more accuracy and performance than a Barracuda machine.
--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital
Tracy Greggs
2013-11-09 03:00:40 UTC
I was referring to the Barracuda RBL at the MTA or scored with SA.

Tracy Greggs
