
Missed spam

Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Missed spam

Any idea why this was not identified as spam?
Return-path: <advertising.worldwide@not-a-valid-domain.com>
Envelope-to: abc@xyz.plus.com
Delivery-date: Sun, 14 Dec 2008 14:15:39 +0000
Received: from [212.159.7.102] (helo=mx.pcl-ipin03.plus.net)
  by fhw-sunmxcore21.plus.net with esmtp (PlusNet MXCore v2.00) id 1LBrkx-0000j2-0N
  for abc@xyz.plus.com; Sun, 14 Dec 2008 14:15:39 +0000
Authentication-Results: mx.pcl-ipin03.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=63.242.151.210;
  receiver=mx.pcl-ipin03.plus.net;
  envelope-from="advertising.worldwide@not-a-valid-domain.com";
  x-sender="advertising.worldwide@not-a-valid-domain.com";
  x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=63.242.151.210;
  receiver=mx.pcl-ipin03.plus.net;
  envelope-from="advertising.worldwide@not-a-valid-domain.com";
  x-sender="advertising.worldwide@not-a-valid-domain.com";
  x-conformance=sidf_compatible
Received-SPF: Pass identity=helo; client-ip=63.242.151.210;
  receiver=mx.pcl-ipin03.plus.net;
  envelope-from="advertising.worldwide@not-a-valid-domain.com";
  x-sender="postmaster@per-usa.org";
  x-conformance=sidf_compatible
X-Group: Quarantine
X-SBRS: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjBzALOjREnV9iuEgWdsb2JhbACBSxuFIopoKYE6AQEWIk44A4UQsz6Cfg
X-IronPort-AV: E=McAfee;i="5300,2777,5463"; a="5692174"
X-IronPort-AV: E=Sophos;i="4.36,218,1228089600";
  d="scan'208";a="5692174"
Received: from phl-30-d-210.phl.dsl.cerfnet.com (HELO per-usa.org) ([63.242.151.210])
  by mx.pcl-ipin03.plus.net with ESMTP; 14 Dec 2008 14:15:38 +0000
Received: from User ([91.103.88.254]) by per-usa.org with Microsoft SMTPSVC(6.0.3790.1830);
Sun, 14 Dec 2008 09:22:08 -0500
Reply-To: <advertising.worldwide@not-a-valid-domain.com>
From: "Advertising Worldwide"<advertising.worldwide@not-a-valid-domain.com>
Date: Sun, 14 Dec 2008 15:14:11 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <PRIMARYQcqnWwAeRaNg000002ff@per-usa.org>
X-OriginalArrivalTime: 14 Dec 2008 14:22:08.0828 (UTC) FILETIME=[59007FC0:01C95DF7]
To:
X-pn-pstn: Spam 0
Subject: Boost your profits! Get your name known!
Do you want your name to be known ?
Here is your chance. Advertising Worldwide can offer you customers from everywhere around the world via E-Mail.

We also offer newsletter services, inbox mailling and many others.
Feel free to contact us anytime at advertising.worldwide@gmail.com

Thank you for your time !
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
12 REPLIES
paulby
Grafter
Posts: 1,619
Registered: 26-07-2007

Re: Missed spam

This too:
Quote

Return-path: <xxxxxxxxxxx@hotmail.com>
Envelope-to: xxxxxxxx@xxxxx.plus.com
Delivery-date: Sun, 14 Dec 2008 19:16:48 +0000
Received: from [212.159.7.98] (helo=mx.pcl-ipin02.plus.net)
     by fhw-sunmxcore07.plus.net with esmtp (PlusNet MXCore v2.00) id 1LBwSO-00065j-GM
     for xxxx@xxxxxxx.plus.com; Sun, 14 Dec 2008 19:16:48 +0000
Authentication-Results: mx.pcl-ipin02.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=65.55.116.106;
     receiver=mx.pcl-ipin02.plus.net;
     envelope-from="xxxxxxxxxxx@hotmail.com";
     x-sender="xxxxxxxxxxxxx@hotmail.com";
     x-conformance=sidf_compatible
Received-SPF: Pass identity=mailfrom; client-ip=65.55.116.106;
     receiver=mx.pcl-ipin02.plus.net;
     envelope-from="xxxxxxxxxxxxx@hotmail.com";
     x-sender="xxxxxxxxxxxxx@hotmail.com";
     x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=65.55.116.106;
     receiver=mx.pcl-ipin02.plus.net;
     envelope-from="xxxxxxxxxxxxx@hotmail.com";
     x-sender="postmaster@blu0-omc3-s31.blu0.hotmail.com";
     x-conformance=sidf_compatible
X-SBRS: 4.5
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvhiAFTqRElBN3RqkWdsb2JhbACCQyw/gy2DeIVAg0ABAQEBCQsKBxEDFRStLoEtCIFBiGeBbgiBCA
X-IronPort-AV: E=McAfee;i="5300,2777,5463"; a="10672759"
X-IronPort-AV: E=Sophos;i="4.36,219,1228089600";
     d="scan'208,217";a="10672759"
Received: from blu0-omc3-s31.blu0.hotmail.com ([65.55.116.106])
     by mx.pcl-ipin02.plus.net with ESMTP; 14 Dec 2008 19:16:48 +0000
Received: from BLU106-W50 ([65.55.116.73]) by blu0-omc3-s31.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
     Sun, 14 Dec 2008 11:16:47 -0800
Message-ID: <BLU106-W505CC951DA8B58651CDB21E1F70@phx.gbl>
Content-Type: multipart/alternative;
     boundary="_14afb30a-c5d4-4a87-bb7a-0f50700de1a8_"
X-Originating-IP: [190.29.139.221]
From:  <xxxxxxxxxxxxx@hotmail.com>
To: <xxxxxxx.xxxxxxx@plus.com>; <xxxxxxxx.xxxxxxx@msn.com>
Date: Sun, 14 Dec 2008 11:16:47 -0800
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Dec 2008 19:16:47.0753 (UTC) FILETIME=[82765F90:01C95E20]
X-pn-pstn: Spam 0
Subject: Viagra&Cilalis = 68$, VXPL = Big Pennis !
Viagra&Cilalis = 68$, VXPL = Big Pennis !
_________________________________________________________________
Send e-mail faster without improving your typing skills.
http://windowslive.com/Explore/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_speed_122008

and this
Quote
Return-path: <xxxxxxxxxxxxx@hotmail.com>
Envelope-to: xxxx@xxxxx.plus.com
Delivery-date: Sat, 13 Dec 2008 20:50:25 +0000
Received: from [212.159.7.102] (helo=mx.pcl-ipin03.plus.net)
     by fhw-sunmxcore21.plus.net with esmtp (PlusNet MXCore v2.00) id 1LBbRR-0000pT-3o
     for xxxx@xxxxxxx.plus.com; Sat, 13 Dec 2008 20:50:25 +0000
Authentication-Results: mx.pcl-ipin03.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=65.55.116.111;
     receiver=mx.pcl-ipin03.plus.net;
     envelope-from="xxxxxxxxxxxxx@hotmail.com";
     x-sender="xxxxxxxxxxxxx@hotmail.com";
     x-conformance=sidf_compatible
Received-SPF: Pass identity=mailfrom; client-ip=65.55.116.111;
     receiver=mx.pcl-ipin03.plus.net;
     envelope-from="xxxxxxxxxxxxx@hotmail.com";
     x-sender="xxxxxxxxxxxxx@hotmail.com";
     x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=65.55.116.111;
     receiver=mx.pcl-ipin03.plus.net;
     envelope-from="xxxxxxxxxxxxx@hotmail.com";
     x-sender="postmaster@blu0-omc3-s36.blu0.hotmail.com";
     x-conformance=sidf_compatible
X-SBRS: 4.8
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvZwAMyuQ0lBN3RvlGdsb2JhbACCQyw/gyyDeAGIfgEBAQEJCwgJEQMprX6BLQiBV4EsiA+BbQiBCA
X-IronPort-AV: E=McAfee;i="5300,2777,5463"; a="5023039"
X-IronPort-AV: E=Sophos;i="4.36,217,1228089600";
     d="scan'208,217";a="5023039"
Received: from blu0-omc3-s36.blu0.hotmail.com ([65.55.116.111])
     by mx.pcl-ipin03.plus.net with ESMTP; 13 Dec 2008 20:50:24 +0000
Received: from BLU106-W34 ([65.55.116.73]) by blu0-omc3-s36.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
     Sat, 13 Dec 2008 12:50:23 -0800
Message-ID: <BLU106-W34018F856531841D19A6C4D7F60@phx.gbl>
Content-Type: multipart/alternative;
     boundary="_534c1639-70ce-4a1e-a6fc-e9fbb2fa92b2_"
X-Originating-IP: [201.52.103.237]
From: <xxxxxxxxxxxxx@hotmail.com>
To: <xxxxxxxx@msn.com>, <xxxxx@xxxxxxxx.plus.com>, <xxxxxxxx@valliant.net>,
     <xxxxxx@aol.com>, <xxxxx@xxxxxx.plus.com>
Date: Sat, 13 Dec 2008 12:50:23 -0800
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 13 Dec 2008 20:50:23.0895 (UTC) FILETIME=[6B87E270:01C95D64]
X-pn-pstn: Spam 0
Subject: Pharmacy Online Cialis Discount 4pillss free
Pharmacy Online Cialis Discount 4pillss free
_________________________________________________________________
Send e-mail anywhere. No map, no compass.
http://windowslive.com/Explore/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_anywhere_122008

The single line message in each was a clickable link.
ramidoodle
Grafter
Posts: 265
Registered: 28-09-2008

Re: Missed spam

Hi Jelv,
You've received an email that has originated from 91.103.88.254. This IP address has a bad reputation due to spamming (Reputation Lookup).
The email body doesn't indicate that it is a blatant spam, so semantic tagging is very likely to fail here and pass the email as genuine.
Having checked your account, you have edge protection (reputation filter) off. It might be the right decision to have Edge protection off now as the white and the black list vagueness is currently being investigated by both PlusNet and IronPort.
For Paul, it appears to be different! The email should have been tagged as spam due to the contents unless the sender email has been successfully white-listed. Having checked the SPF headers it seems that this email has been sent from a genuine Hotmail email account, this might be the reason behind passing the message as genuine! Not 100% sure.
Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Re: Missed spam

Thanks for the explanation Rami.
This suggests to me that there is a serious design flaw in your system. If the blatant spam blocking (edge protection) is off, surely the fact that the sender is on one of the bad reputation lists should be included in the scoring which would probably mean it should be treated as spam and in my case quarantined. Looking at the headers it has
X-SBRS: None

Does that mean it wasn't scored at all?
jelv (a.k.a Spoon Whittler)
paulby
Grafter
Posts: 1,619
Registered: 26-07-2007

Re: Missed spam

With mine, none of the addresses are whitelisted on the account concerned.
There are several of this type a day, all from different Hotmail or Yahoo! addresses and all delivered as legitimate mail.
ramidoodle
Grafter
Posts: 265
Registered: 28-09-2008

Re: Missed spam

Thanks for bringing this to my attention. Gonna flag it tomorrow.
According to IronPort Best Practice, if X-SBRS = none this indicates a spammer, so the least we should do is to throttle the email! I don't really know if this has been configured or not. The question is, was it set to none because you have Edge protection off? In other words, does IronPort set the SBRS but ignore it if the edge protection is off?
Same for you Paul, if the sender is not Trusted/Whitelisted then the content dictionary should judge if this is spam or not even if it has been sent from a valid source. Again, not sure if the content dictionary for profanity.txt and sexual_content.txt is switched on.
The only thing I'm sure of is that Bob will answer my questions tomorrow. He always does!
Superuser
Posts: 8,876
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Missed spam

Jelv's message includes the X-Group: Quarantine header ahead of the X-SBRS: None one.
X-Group: Quarantine
X-SBRS: None
I haven't noticed one of those before. Is IronPort trying to say something that current processing ignores?
David
ramidoodle
Grafter
Posts: 265
Registered: 28-09-2008

Re: Missed spam

Hmm, I might need to enable the IronPort quarantine option and check if the header will include the X-Group for an email with SBRS of none, otherwise it definitely means that IronPort is trying to say it has been throttled but further configuration is required, based on the below:
Quote
In some cases, the fact that a sender does not yet have a SenderBase Reputation Score is evidence that this sender may be a spammer. It is recommended that you can add SBRS "none" directly to a sender group that gets the "Throttled" policy, for example to your SUSPECT sender group.

Quote
Note: A score of "none" does not equate to a score of "0." A score of 0.0 means that SenderBase has collected equal amounts of positive and negative information about this sender, and has assigned it a neutral reputation.

Quote
Sender Group - Suspectlist; SBRS -7 to -2; Senders with poor reputation will be heavily throttled to reduce the amount of spam they can send
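
The rule in the IronPort guidance quoted above, as an added example that is not part of the original thread or of IronPort's or PlusNet's configuration: it parses the X-SBRS and Received-SPF headers and keeps a score of "None" distinct from 0.0. The group labels and function names are assumptions, and the sample headers are abbreviated from messages posted in this thread.

```python
import re
from email import message_from_string

# Range quoted in the thread: "Sender Group - Suspectlist; SBRS -7 to -2".
SUSPECT_MIN, SUSPECT_MAX = -7.0, -2.0

def parse_sbrs(value):
    """Return None for a missing or "None" score, else a float (None is not 0.0)."""
    if value is None or value.strip().lower() == "none":
        return None
    return float(value)

def spf_results(msg):
    """Map each Received-SPF identity (pra, mailfrom, helo) to its result."""
    results = {}
    for raw in msg.get_all("Received-SPF", []):
        m = re.match(r"\s*(\w+)\s+identity=(\w+)", raw)
        if m:
            results[m.group(2).lower()] = m.group(1).lower()
    return results

def triage(raw_headers):
    """Classify one message; group labels are hypothetical, not IronPort names."""
    msg = message_from_string(raw_headers)
    sbrs = parse_sbrs(msg.get("X-SBRS"))
    if sbrs is None or SUSPECT_MIN <= sbrs <= SUSPECT_MAX:
        group = "suspect-throttle"   # quoted advice: "none" joins the throttled group
    else:
        group = "not-stated"         # the thread quotes no policy for other scores
    spf = spf_results(msg)
    # A Pass on the helo identity alone says nothing about the envelope sender.
    helo_only = spf.get("helo") == "pass" and spf.get("mailfrom") != "pass"
    return {"sbrs": sbrs, "group": group, "spf": spf, "helo_only_pass": helo_only}

# Abbreviated from the first message in the thread (X-SBRS: None).
NO_SCORE = """\
Received-SPF: None identity=mailfrom; client-ip=63.242.151.210;
  receiver=mx.pcl-ipin03.plus.net
Received-SPF: Pass identity=helo; client-ip=63.242.151.210;
  receiver=mx.pcl-ipin03.plus.net
X-SBRS: None
X-pn-pstn: Spam 0
"""

# Abbreviated from the later message in the thread (X-SBRS: -1.7).
NEAR_SUSPECT = """\
Received-SPF: None identity=mailfrom; client-ip=124.124.222.93;
  receiver=mx.ptn-ipin01.plus.net
X-SBRS: -1.7
X-pn-pstn: Spam 0
"""

if __name__ == "__main__":
    for name, sample in (("no score", NO_SCORE), ("-1.7", NEAR_SUSPECT)):
        print(name, triage(sample))
```

By the quoted -7 to -2 range alone, the -1.7 message falls outside the Suspectlist group.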

Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Re: Missed spam

From another perfectly clean normal work related email:
X-Group: Quarantine
X-SBRS: 2.9
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AmcEAEghQklQBl2dgWdsb2JhbACCLBYtjy2BNQEBFiK7GQGCfA
X-IronPort-AV: E=McAfee;i="5300,2777,5461"; a="3683236"
X-IronPort-AV: E=Sophos;i="4.36,211,1228089600";

and from the forum notification of your post:
X-Group: Quarantine
X-SBRS: 4.8
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlgBACcvRUnUnw4UlGdsb2JhbACTUwEBAQEJCwgJEQO5QIJ+
X-IronPort-AV: E=McAfee;i="5300,2777,5464"; a="6075189"
X-IronPort-AV: E=Sophos;i="4.36,220,1228089600";
  d="scan'208";a="6075189"

I suspect that it just means I have quarantine turned on for that domain.
jelv (a.k.a Spoon Whittler)
Superuser
Posts: 8,876
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Missed spam

Thanks jelv, that does seem to be the explanation, so nothing subtle.
David
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Missed spam

Surely the presence of this header shows that, having been given a 'warning' score by the Reputation Sensor, the message has been further investigated and scored?
Quote
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjBzALOjREnV9iuEgWdsb2JhbACBSxuFIopoKYE6AQEWIk44A4UQsz6Cfg

I'm guessing that all these messages passed the spam filter because of the problem with aggressiveness being set at 0 (problem 54433)?
Chris
Community Veteran
Posts: 26,341
Thanks: 598
Fixes: 8
Registered: 10-04-2007

Re: Missed spam

How was this one missed? (X-SBRS: -1.7)
Return-path: <educationindia@educationindia.net.in>
Envelope-to: abc@xyz.plus.com
Delivery-date: Mon, 22 Dec 2008 05:19:54 +0000
Received: from [212.159.7.33] (helo=mx.ptn-ipin01.plus.net)
  by fhw-sunmxcore05.plus.net with esmtp (PlusNet MXCore v2.00) id 1LEdCr-0003OX-NX
  for abc@xyz.plus.com; Mon, 22 Dec 2008 05:19:53 +0000
Authentication-Results: mx.ptn-ipin01.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=124.124.222.93;
  receiver=mx.ptn-ipin01.plus.net;
  envelope-from="educationindia@educationindia.net.in";
  x-sender="educationindia@educationindia.net.in";
  x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=124.124.222.93;
  receiver=mx.ptn-ipin01.plus.net;
  envelope-from="educationindia@educationindia.net.in";
  x-sender="educationindia@educationindia.net.in";
  x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=124.124.222.93;
  receiver=mx.ptn-ipin01.plus.net;
  envelope-from="educationindia@educationindia.net.in";
  x-sender="postmaster@educationindia.net.in";
  x-conformance=sidf_compatible
X-Group: Quarantine
X-SBRS: -1.7
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkslAIuyTkl8fN5dU2dsb2JhbACCVxghjyYNgRsBFggNCBBWpyBYjweFBYE+
X-IronPort-AV: E=McAfee;i="5300,2777,5471"; a="11909344"
X-IronPort-AV: E=Sophos;i="4.36,261,1228089600";
  d="scan'208,217";a="11909344"
Received: from unknown (HELO educationindia.net.in) ([124.124.222.93])
  by mx.ptn-ipin01.plus.net with ESMTP; 22 Dec 2008 05:19:24 +0000
Received: from MailServer02 ([172.16.52.11]) by educationindia.net.in ( NoticeWare Corporate Email Server 5.2.3.5 ) ; Sun, 21 Dec 2008 00:53:26 +0530
x-origin-ip: 172.16.52.11
From: "EIILM UNIVERSITY" <educationindia@educationindia.net.in>
To: abc@xyz.plus.com
Sender: "EIILM UNIVERSITY" <educationindia@educationindia.net.in>
Mime-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0229C11B_0.084B926A"
Date: Sun, 21 Dec 2008 00:53:26 +0530
Message-ID: <20081220192326203.7EE028F35DC2454F@MailServer02>
Reply-To: "EIILM UNIVERSITY" <info@eiilmuniversity.ac.in>
X-Priority: 3 (Normal)
Importance: Normal
X-pn-pstn: Spam 0
Subject:
jelv (a.k.a Spoon Whittler)
Community Veteran
Posts: 38,209
Thanks: 906
Fixes: 54
Registered: 15-06-2007

Re: Missed spam

Here is an obvious one missed:
Quote
Return-path: <apache@grgrjapan.com>
Envelope-to: me@username.plus.com
Delivery-date: Mon, 22 Dec 2008 05:49:34 +0000
Received: from [212.159.7.97] (helo=mx.pcl-ipin01.plus.net)
  by fhw-sunmxcore06.plus.net with esmtp (PlusNet MXCore v2.00) id 1LEdfZ-0007mT-Ur
  for me@username.plus.com; Mon, 22 Dec 2008 05:49:33 +0000
Authentication-Results: mx.pcl-ipin01.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=218.228.66.78;
  receiver=mx.pcl-ipin01.plus.net;
  envelope-from="apache@grgrjapan.com";
  x-sender="service@mail-abbeynational.com";
  x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=218.228.66.78;
  receiver=mx.pcl-ipin01.plus.net;
  envelope-from="apache@grgrjapan.com";
  x-sender="apache@grgrjapan.com";
  x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=218.228.66.78;
  receiver=mx.pcl-ipin01.plus.net;
  envelope-from="apache@grgrjapan.com";
  x-sender="postmaster@mail.grgrjapan.com";
  x-conformance=sidf_compatible
X-SBRS: 1.6
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Aj7LAN+4Tkna5EJOdGdsb2JhbAAOgTKBARUJBQodE4Q1hAkDgVeFAxWBGQEMgTaQKpQTAoEOA4FfWCOOZIUFgT4
X-IronPort-AV: E=McAfee;i="5300,2777,5471"; a="11269447"
X-IronPort-AV: E=Sophos;i="4.36,261,1228089600";
  d="scan'208,217";a="11269447"
Received: from unknown (HELO mail.grgrjapan.com) ([218.228.66.78])
  by mx.pcl-ipin01.plus.net with ESMTP; 22 Dec 2008 05:49:32 +0000
Received: by mail.grgrjapan.com (Postfix, from userid 48)
id C04DB118DB3; Mon, 22 Dec 2008 14:49:31 +0900 (JST)
To: me@username.plus.com
From: Abbey National plc <service@mail-abbeynational.com>
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
Content-Transfer-encoding: 8bit
Reply-To: Abbey National plc <service@mail-abbeynational.com>
Message-ID: <11c4206bf9b132e2a9a82d714dc300b6@>
X-Priority: 1
X-MSmail-Priority: High
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Date: Mon, 22 Dec 2008 14:49:31 +0900 (JST)
X-pn-pstn: Spam 0
Subject: Secure Your Savings With Abbey