Plusnet
Sunday 22nd November 2009

Postini Email Security Trial

« Reply #208 on 10/12/2007, 12:15 »
I think from the pstn headers that Postini thought it was spam - I'm still getting to grips with interpreting them.

If you want a helping hand interpreting the headers of a specific e-mail go to http://www.postini.com/support/header_analyzer.php

Phil
Phil Webb
Plusnet Network Services Director
Free broadband - so where's the catch?
  • jelv
« Reply #209 on 10/12/2007, 12:41 »
Thanks Phil - I've added that link to the specific topic I started about interpreting the headers.

A query:

I've just received an email from the PUG forums which came through Postini to criticalpath01, then pih-sunmxcore18.plus.net. It has the X-PN-VirusFiltered: by PlusNet MXCore (v2.00) header but no DSPAM headers - why?
jelv

Plusnet chatroom: /server usertools.plus.net   /join #usertools
Plusnet Unlimited is not without limits
« Reply #210 on 10/12/2007, 12:55 »
Have been on the postini trial for a few days and it seems to be working well.  However, over the weekend, one of my named mailboxes received 222 spam emails of the 'mail delivery failure' type.  The other mailboxes were OK.  How did postini miss these?
« Reply #211 on 10/12/2007, 13:03 »
Quote from: jelv
I've just received an email from the PUG forums which came through Postini to criticalpath01, then pih-sunmxcore18.plus.net. It has the X-PN-VirusFiltered: by PlusNet MXCore (v2.00) header but no DSPAM headers - why?

Can you post or PM me the headers and I'll find out, without them I'd just be guessing.


Phil
Phil Webb
Plusnet Network Services Director
Free broadband - so where's the catch?
  • jelv
« Reply #212 on 10/12/2007, 13:33 »
PM sent.

Incidentally it might amuse you to see who made the post that resulted in the email being sent - I reckon it was all his fault!
jelv

  • jelv
« Reply #213 on 10/12/2007, 14:03 »
I've just received another email from the PUG forums which bypassed DSPAM - this one went through a different mx.core. Is there something in place to do this?
jelv

« Reply #214 on 10/12/2007, 15:25 »
Quote from: jelv
I've just received another email from the PUG forums which bypassed DSPAM - this one went through a different mx.core. Is there something in place to do this?

Got the headers and found out why there are no DSPAM headers.

We have that e-mail address and one other from PUG whitelisted in DSPAM so that they could never be incorrectly classified. When we whitelist an address in DSPAM it doesn't get processed in any way and therefore does not have the headers.

Phil
Phil Webb
Plusnet Network Services Director
Free broadband - so where's the catch?
  • Strat
« Reply #215 on 10/12/2007, 16:23 »
Hi
Could someone tell me what 'X-Daemon-Classification: INNOCENT' is at the top of the header. It's one of the few items on a header I haven't sussed yet.

BTW The email came in via Postini and MX.last, bypassing the CP box.
Plusnet Customer and Forum Moderator  Which gateway am I on and How is it Performing (Scroll down to your Gateway Graph)
Acronyms are a PITA
  • jelv
« Reply #216 on 10/12/2007, 17:02 »

We have that e-mail address and one other from PUG whitelisted in DSPAM so that they could never be incorrectly classified. When we whitelist an address in DSPAM it doesn't get processed in any way and therefore does not have the headers.


This may be a bit of an obvious question but here goes: Why are the PUG addresses whitelisted when these forums are not?
jelv

« Reply #217 on 10/12/2007, 18:45 »
I guess Dspam is yet to mark these forum notifications as [-SPAM-], at least not on a wide-scale basis ;)
Bob Pullen
Plusnet Comms Team
Service Status :: RSS :: Email

twitter / plusnet
« Reply #218 on 11/12/2007, 07:32 »
Quote from: jelv
I'm seeing the lowest spam volumes I've seen for many, many weeks - in fact I would go as far as to say that the volume of spams getting through is probably back to before Spam Day (I suspect the last time I saw spam volumes so low the Plusnet mail system was totally dead so I was getting none!).

Unfortunately I am not seeing the same results as you.  Yesterday 6 emails were delivered which by looking at the subject alone are obvious spam.  Fortunately my anti spam software picked these up and correctly identified them.

So far, to me, postini appears to be no better than any of the other anti spam measures.
« Reply #219 on 11/12/2007, 07:50 »
Some users HAVE reported forum reply notifications being marked as spam - including Jelv.

Could this be raised as a low priority internal issue?

Certainly. If anybody has an example then I'd be happy to look at getting it added to Postini's list of trusted IPs.
Bob Pullen
Plusnet Comms Team
Service Status :: RSS :: Email

twitter / plusnet
  • jelv
« Reply #220 on 11/12/2007, 20:16 »
I think when I've seen it, it was just the headers from the spam, do you want to try making a post with a set of spam headers and I'll see what happens?
jelv

  • Strat
« Reply #221 on 11/12/2007, 21:37 »
Legendary PJ
Plusnet Customer and Forum Moderator  Which gateway am I on and How is it Performing (Scroll down to your Gateway Graph)
Acronyms are a PITA
« Reply #222 on 12/12/2007, 11:18 »
I went live as trialist at about 17:00 on 4-Dec (First message 17:22; previous message 6:24pm, date & time of Bob's notification Tuesday 4th December 2007).  Below is my report of the first full week's observations.

Postini Routing and Effect
Routing via Postini over the first seven full days since first message routed via postini:
·   Most of the 24 HAM messages since 17:22 on Tuesday 4th December 2007 have been routed via Postini
·   Over the same period, only some 56% of SPAM messages (34 out of 61 total) have been routed via Postini
·   % per day not routed via postini not substantially changed (except that first 2 days had a higher % via postini!)
·   67% were routed via criticalpath (41 out of 61), and 95% of these were tagged X-MAA: Suspected Spam (BUT this classification did not result in getting header tagged [SPAM] - should it have?)
·   Of the 21 not routed via criticalpath, only 6 had been routed via postini.  Of the 15 remaining, most had come from .com domains, some with respectable sounding names like albatros@btinternet.com or haibo@nokia.com
·   The number of Spam messages in my inbox has reduced from an average of 13 per day in the week before postini, back to 9 per day.  The average between 1-Nov and 3-Dec however was 8.  I’m far from sure if postini is really helping!
To summarise, I suspect that the only significant positive effect postini is doing at present for me is reducing the volume of messages labelled [-SPAM-].  What I really want is to reduce the number of Spams that get in my inbox on my PC.

“X-MAA: Suspected Spam”
Of all 346 SPAM received from 1-Nov-2007 (1st day criticalpath appeared) to 11-Dec, 205 (59%) have been routed via criticalpath.  Of these 205, 186 (91%) were tagged “X-MAA: Suspected Spam”.  I am aware of no HAM messages tagged “X-MAA: Suspected Spam”, not even the one false positive tagged [SPAM] by DSPAM.
If critical path really performs this well, it would currently seem to be the best route for reducing SPAM in our inboxes – could PlusNet arrange to have this all tagged as [-SPAM-]?
Since Sun-9-Dec at 15:56 I have switched my Norton AntiSpam on again, set to minimum level (to avoid any false positives) but added a manual check for “X-MAA: Suspected Spam” resulting in any messages tagged in the header by criticalpath to be tagged in the Subject line with “[Norton AntiSpam] “, which causes OE6 to file them in a special folder.  I then treat this folder in about the same way as my Spam folder on SquirrelMail, dealing with it at a much lower priority – and hopefully never finding any HAM messages in it!

[-SPAM-] marked files
I downloaded all these for period 27-Nov to 11-Dec-2007.  Analysis of subset to my email address suggests a similar breakdown re routing and “X-MAA: Suspected Spam” to those above.

Next Moves
I must learn more about criticalpath.  I will start by finding the usergroup.
Any advice?
I will of course continue monitoring postini, and hope the % of mail coming via postini increases and the effectiveness improves.


See http://www.cvpages.plus.c...ad/PlusNet/Postini-01.pdf for 5 page report giving above as first page, and then 3 pages of copies of header extracts as evidence, then 1 page of an embedded Excel spreadsheet giving numbers.  Change .pdf for .doc to get Word2000 format version.
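
The kind of tally made by hand in the report above (share of messages per route, messages that bypassed the filter, and how many carried the X-MAA tag) can be scripted over saved messages. This is an added example, not part of the original post: `criticalpath` and `X-MAA: Suspected Spam` come from the thread, while the relay name `postini-relay.example`, `unknown.example` and the sample messages are constructed placeholders.

```python
from collections import Counter
from email import message_from_string

# Substrings looked for in Received headers. "criticalpath" comes from the
# thread; "postini-relay.example" is a placeholder for the filter's relay name.
ROUTE_MARKERS = {"postini": "postini-relay.example", "criticalpath": "criticalpath"}

def classify(raw):
    """Return (set of routes seen in Received headers, X-MAA spam flag)."""
    msg = message_from_string(raw)
    hops = " ".join(msg.get_all("Received", [])).lower()
    routes = {name for name, marker in ROUTE_MARKERS.items() if marker in hops}
    tagged = "suspected spam" in (msg.get("X-MAA") or "").lower()
    return routes, tagged

def summarise(raw_messages):
    """Count messages per route, bypasses of the filter, and X-MAA tags."""
    stats = Counter()
    for raw in raw_messages:
        routes, tagged = classify(raw)
        stats["total"] += 1
        for r in routes:
            stats["via_" + r] += 1
        if "postini" not in routes:
            stats["bypassed_postini"] += 1  # e.g. delivered via an old MX record
        if tagged:
            stats["x_maa_tagged"] += 1
    return stats

def percent(part, whole):
    """Whole-number percentage, as quoted in the report (34 of 61 -> 56)."""
    return round(100 * part / whole) if whole else 0

# Constructed sample messages (headers only), not real mail.
SAMPLES = [
    "Received: from criticalpath01 by pih-sunmxcore18.plus.net\n"
    "Received: from postini-relay.example by criticalpath01\n"
    "X-MAA: Suspected Spam\nSubject: a\n\nbody\n",
    "Received: from criticalpath01 by pih-sunmxcore18.plus.net\n"
    "X-MAA: Suspected Spam\nSubject: b\n\nbody\n",
    "Received: from unknown.example by pih-sunmxcore18.plus.net\n"
    "Subject: c\n\nbody\n",
    "Received: from postini-relay.example by pih-sunmxcore18.plus.net\n"
    "Subject: d\n\nbody\n",
]

if __name__ == "__main__":
    s = summarise(SAMPLES)
    print(dict(s), "via postini:", percent(s["via_postini"], s["total"]), "%")
```

Only the Received lines added by the receiving provider's own servers can be relied on for this; hops lower in the header are supplied by the sender and can be forged.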
  • jelv
« Reply #223 on 12/12/2007, 11:55 »
You will not have gone live on Postini at a particular point in time - PN updated the DNS MX entries on the authoritative servers but these updates will have taken some time to filter around the internet. Your stats will be corrupted by the inclusion of the first couple of days - evidence the number of emails not coming through Postini.

As Bob has pointed out, some spammers are using very old MX records - I've been on Postini for over a week and I'm still seeing some emails coming in not via Postini. Somewhere I think Bob talked about blocking any direct contact to mx.last (not via Postini) which would kill those, but I guess that is some weeks away.

I've seen many reports that spam volumes are rising - the fact that you've seen a small drop is significant.

Critical path has been decommissioned so you will not see any X-MAA headers now.

There has been talk this morning that there will be a header added to signify that Postini thought an email was spam (at the moment this doesn't result in [-SPAM-] being added to the subject - that is a little while away). Have you been analysing the Postini added headers to see which it thinks are spam? - I've been doing some and so far it has been 100% accurate.
jelv
