
Unmarked SPAM - very obvious

fishter
Grafter
Posts: 78
Registered: ‎26-06-2007

Unmarked SPAM - very obvious

I got the following in an email header which was marked as "innocent"
My own SpamAssassin rated it as a score of 27, where under 5 is not spam.
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on myth.fishter.org.uk
X-Spam-Level: ***************************
X-Spam-Status: Yes, score=27.2 required=5.0 tests=BAYES_99,FH_HELO_EQ_D_D_D_D,
HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,NORMAL_HTTP_TO_IP,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,
STOX_REPLY_TYPE,TVD_FINGER_02,URIBL_BLACK,URIBL_JP_SURBL autolearn=spam
version=3.2.3
X-Spam-Report:
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.0000]
*  0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
*  2.1 TVD_FINGER_02 TVD_FINGER_02
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  4.3 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)
*  4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
*      2)
*  0.0 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see <http://www.spamcop.net/bl.shtml?74.135.102.144>]
*  0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
*      [74.135.102.144 listed in dnsbl.sorbs.net]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*      [74.135.102.144 listed in zen.spamhaus.org]
*  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*  0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
*  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
*      above 50%
*      [cf:  60]
*  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*      [cf:  60]
*  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*      [URIs: 91.104.40.177]
*  1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
*      [URIs: 91.104.40.177]
Received: from myth.fishter.org.uk (myth.fishter.org.uk [127.0.0.1])
by myth.fishter.org.uk (8.13.8/8.13.8) with ESMTP id l7VJn9ml010244
for <xx@xx>; Fri, 31 Aug 2007 20:49:13 +0100
X-Daemon-Classification: INNOCENT
Envelope-to: xx@xx
Delivery-date: Fri, 31 Aug 2007 18:35:58 +0000
Received: from mail.plus.net [212.159.10.1]
by myth.fishter.org.uk with POP3 (fetchmail-6.3.6)
for <xx@xx> (single-drop); Fri, 31 Aug 2007 20:49:13 +0100 (BST)
Received: from 74-135-102-144.dhcp.insightbb.com ([74.135.102.144])
  by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1IRBLZ-0005RP-ER
  for xx@xx; Fri, 31 Aug 2007 18:35:57 +0000
Received: from lsbjg.on ([212.90.64.224]) by 74-135-102-144.dhcp.insightbb.com with Microsoft SMTPSVC(6.0.3790.0); Fri, 31 Aug 2007 13:45:10 -0500
Message-ID: <002f01c7ebff$0edc3990$e0405ad4@lsbjg.on>
From: <yy@yy>
To: <xx@xx>
Subject: dude this is not even on MTV yet
Date: Fri, 31 Aug 2007 13:45:10 -0500
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="windows-1252";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
x-open-relay: 74.135.102.144 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri Aug 31 19:35:58 2007
X-DSPAM-Confidence: 0.5697
X-DSPAM-Improbability: 1 in 133 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
Delivery-date*31+Aug, 0.00759,
Date*Fri+31, 0.00863,
To*fishter.org.uk>, 0.99000,
Received*fishter.org.uk, 0.99000,
Received*45+10, 0.01000,
Received*10+0500, 0.01000,
Envelope-to*fishter.org.uk, 0.99000,
my+server, 0.01000,
Date*31+Aug, 0.01169,
Received*0500, 0.01761,
Received*31+Aug, 0.02679,
Received*31+Aug, 0.02679,
Received*45, 0.03809,
server+This, 0.03832,
Received*13+45, 0.04430,
Received*31, 0.07800,
Received*31, 0.07800,
Click+on, 0.08310,
server, 0.08790,
x-open-relay*is, 0.91095,
x-open-relay*a, 0.91095,
x-open-relay*black+list, 0.91095,
x-open-relay*list, 0.91095,
x-open-relay*bl.spamcop.net, 0.91095,
x-open-relay*at, 0.91095,
x-open-relay*at+bl.spamcop.net, 0.91095,
x-open-relay*black, 0.91095
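A check one could run locally on mail like this, as an added example (not code from the thread or from Plusnet): it parses the SpamAssassin X-Spam-Status header and the DSPAM X-DSPAM-* headers of a message and flags the situation shown above, where the upstream filter returned Innocent while the local filter scored far over its threshold, largely on network-reputation rules. The header sample is a constructed, trimmed copy of the post's headers with the folded continuation lines re-indented.

```python
import email
import re

# Constructed sample: trimmed copy of the headers quoted above, with the folded
# X-Spam-Status continuation lines indented as RFC 5322 folding requires.
SAMPLE_HEADERS = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=27.2 required=5.0 tests=BAYES_99,FH_HELO_EQ_D_D_D_D,\n"
    "\tHELO_DYNAMIC_HCC,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,URIBL_BLACK autolearn=spam\n"
    "\tversion=3.2.3\n"
    "X-DSPAM-Result: Innocent\n"
    "X-DSPAM-Confidence: 0.5697\n"
    "Subject: dude this is not even on MTV yet\n\n"
)

STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No), score=(?P<score>-?\d+(?:\.\d+)?) required=(?P<required>\d+(?:\.\d+)?)"
    r"(?: tests=(?P<tests>.*?))?(?: autolearn=\S+)?(?: version=\S+)?$"
)
# Rule families whose evidence is network reputation rather than message text.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "HELO_DYNAMIC_", "RAZOR2_")


def parse_spamassassin(msg):
    """Return SpamAssassin verdict, score, threshold and fired rules from X-Spam-Status."""
    raw = msg.get("X-Spam-Status")
    if raw is None:
        return None
    m = STATUS_RE.match(" ".join(raw.split()))  # unfold and squeeze whitespace
    if m is None:
        return None
    tests = [t for t in re.split(r"[,\s]+", m.group("tests") or "") if t]
    return {"spam": m.group("flag") == "Yes", "score": float(m.group("score")),
            "required": float(m.group("required")), "tests": tests}


def parse_dspam(msg):
    """Return the DSPAM verdict and its confidence from the X-DSPAM-* headers."""
    result = msg.get("X-DSPAM-Result")
    if result is None:
        return None
    return {"spam": result.strip().lower() == "spam",
            "confidence": float(msg.get("X-DSPAM-Confidence", "0"))}


def filter_disagreement(raw_message):
    """Flag a message the upstream filter passed as innocent but the local filter scored as spam."""
    msg = email.message_from_string(raw_message)
    sa, ds = parse_spamassassin(msg), parse_dspam(msg)
    if sa is None or ds is None:
        return None
    return {"disagree": sa["spam"] != ds["spam"],
            "sa_margin": round(sa["score"] - sa["required"], 1),
            "network_rules": [t for t in sa["tests"] if t.startswith(NETWORK_PREFIXES)],
            "dspam_confidence": ds["confidence"]}
```

Running `filter_disagreement(SAMPLE_HEADERS)` on the sample reports the disagreement, a margin of 22.2 points over threshold, and the four network-reputation rules that fired.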
linux
Grafter
Posts: 146
Registered: ‎23-08-2007

Re: Unmarked SPAM - very obvious

Spam filters are not 100% reliable. Nor will they ever be. Nor can they ever be. Deal with it.
fishter
Grafter
Posts: 78
Registered: ‎26-06-2007

Re: Unmarked SPAM - very obvious

I'm not complaining, I'm hoping that someone more knowledgeable than me can look at the information and determine whether or not the particular mail server that handled it was working properly.
To my mind, any spam detection solution that notes that the mail came from an open relay and is still only 1 in 133 chance of being spam is broken.
I've already forwarded the mail to the training address and it's been "learnt" by my own spam solution.  I'm just trying to do as much as possible to stop the ever-rising tide of rubbish that we seem to collect in our inboxes, whether it's our own careless fault or the result of malicious attacks like the one PlusNet suffered.
carrot63
Grafter
Posts: 599
Registered: ‎12-07-2007

Re: Unmarked SPAM - very obvious

Quote from: linux
Spam filters are not 100% reliable. Nor will they ever be. Nor can they ever be.

No, but they certainly can do considerably better than the PN spam system, which barely scrapes 60% accuracy. The OP's query seems quite fair to me.
Quote from: linux
Deal with it.

Bit harsh perhaps? We do all deal with it on a daily basis, usually more than once a day. Which tends to reinforce the opinion that spam filtering of PN mail is very much less accurate than the average, particularly in regard to false positives.
dave
Plusnet Help Team
Plusnet Help Team
Posts: 12,261
Thanks: 327
Fixes: 4
Registered: ‎04-04-2007

Re: Unmarked SPAM - very obvious

Hi,
The open relay tag isn't actually used as part of the determination; it's in the mail header as a piece of legacy information from when it was used. Dspam will pick up on it and use it as one or more of the factors.
It's always difficult running spam filtering on a userbase where there's this many users; we have in excess of a million mailboxes. Spam filtering will often work better on a local level because it will base the spam detection on, and learn from, just the mail that you get, whereas the filtering we do is based on learning from mail sent in by a limited selection of customers, so there are no guarantees that it will learn that the spam you are getting is spam (or not spam, as the case may be) as quickly. A local filter you can stick three spams in and it will pick up straight away that any more are spam, but three out of the thousands that are sent to the spam address may not be learnt.
I sometimes think that the best way of filtering spam is for everyone to run a local spam filter, maybe something that reminds me of how the TV ratings are calculated. A sub-section of customers all run local spam filtering using SpamAssassin or similar and train their local clients with the spam/not spam, and their results are collated hourly/daily to use on the customer base as a whole. I've no idea if that could work, but what do you think? You're determining the spam of a million customers based on the spam of, say, 500; you can still have the spam/not spam addresses for everyone to use.
Dave Tomlinson
Enterprise Architect - Network & OSS
Plusnet Technology
Strat
Community Veteran
Posts: 31,320
Thanks: 1,609
Fixes: 565
Registered: ‎14-04-2007

Re: Unmarked SPAM - very obvious

In our company I run a network of some 20 users.
I enabled f9 spam filtering a few weeks ago and my 'customers' are really noticing the difference.
I could have taken all the glory for easing their lives but I confessed.
It makes more work for me checking for false positives cleaning the spam box two or three times a day but that's life.
I did have reservations about it when first announced but now I find it well worth while.
Dick
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine
fishter
Grafter
Posts: 78
Registered: ‎26-06-2007

Re: Unmarked SPAM - very obvious

@Dave
I think it sounds like a good idea.  However, I think it's already been implemented in Razor.  It's a collaborative database of spam.
dave
Plusnet Help Team
Plusnet Help Team
Posts: 12,261
Thanks: 327
Fixes: 4
Registered: ‎04-04-2007

Re: Unmarked SPAM - very obvious

Interesting, that's worth a look at.
Dave Tomlinson
Enterprise Architect - Network & OSS
Plusnet Technology
zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: ‎08-06-2007

Re: Unmarked SPAM - very obvious

As is DCC.  I mentioned it before.
Plusnet could even run their own DCC server to allow flooding of checksums to other servers and help the worldwide spam problem - I'm sure you guys process enough messages to qualify Smiley
Maybe two suggestions for PugIT?
B.
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Unmarked SPAM - very obvious

Quote from: Barry
Maybe two suggestions for PugIT?

Thanks for this suggestion.  I've noted the two filtering suggestions in the PUG forums (here) with a view to adding this as a PUGIT issue.
David
MrToast
Grafter
Posts: 550
Registered: ‎31-07-2007

Re: Unmarked SPAM - very obvious

But if these checksum schemes started to have effect, the spammers would just use the ever-increasing botnet processing power to generate more diverse content.... wouldn't they?
Better to work on reputations for legitimate email sources?
zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: ‎08-06-2007

Re: Unmarked SPAM - very obvious

Quote from: MrToast
But if these checksum schemes started to have effect, the spammers would just use the ever-increasing botnet processing power to generate more diverse content.... wouldn't they?

Spammers are already working on generating more diverse content.  I would suggest this would be "one more string to the fiddle" in the anti-spam solution.
Quote from: MrToast
Better to work on reputations for legitimate email sources?

Again - the "one more string" theory Smiley
B.
pdavidson
Grafter
Posts: 147
Registered: ‎08-06-2007

Re: Unmarked SPAM - very obvious

Quote from: fishter
@Dave
I think it sounds like a good idea.  However, I think it's already been implemented in Razor.  It's a collaborative database of spam.

I'm glad Razor has already come up. I use a webmail client that has fantastic spam filtering - had a look at some of the headers yesterday and noticed that the filtering was from Razor. I hadn't got around to mentioning it to anyone yet.
/slaps own wrist
It's definitely one to look at.