Spam bypassing filters?

[nzkiwi]

I get a lot of Spam which seems to be bypassing DSPAM . What's the reason for this?

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 9362 invoked by uid 399); 5 May 2007 10:24:02 -0000
X-Virus-Scan: Scanned by ClamAV 0.90.1 (no viruses);
Sat, 05 May 2007 06:24:05 -0400
Received: from pd9582814.dip.t-dialin.net (HELO pD9582C76.dip.t-dialin.net) (217.88.40.20)
by mail4.m****here.biz with SMTP; 5 May 2007 10:24:02 -0000
Received-SPF: none (mail4.m****here.biz: domain at over.net does not designate permitted sender hosts)
identity=mailfrom; client-ip=217.88.40.20;
envelope-from=<[email protected]>;
Return-Path: <[email protected]>
Received: from 84.52.138.34 (HELO mail2.over.net)
by domain.com with (8.03.3/8.18.7) ESMTP id qf97v905upuwu7
for [email protected]; Sat, 5 May 2007 10:24:10 -0060
Received: from w9.xciv.org ([180.199.97.91])
by 6kuoq.xciv.org (7.02.8.20002002/6.64.3) with ESMTP id a9XK2h38404497
for [email protected]; Sat, 5 May 2007 10:24:10 -0060
From: "RAJ Lindstedt" <[email protected]>
To: <[email protected]>
Subject: RAJ - 100% results.
Date: Sat, 5 May 2007 10:24:10 -0060
Message-ID: <01c78eff$855567c0$6c822ecf@mormonismssuppose>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C78F10.48DE37C0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
Thread-Index: Aca6Q'0M62B<@=7G.X)1+7.E0680VM==

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C78F10.48DE37C0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

It's not surprise that more than 600,000 medic choice the prescription drug Viagra for their patients with SpammerLOL dysfunction(ED).Fact is, when taken correctly, Viagra works for most men. Studies show that it works for up to 4 out of 5 men (versus 1 out of 4 on sugar pill).

Viagra improves ohZerectionSpamions for most men no matter how long they have had ED, what caused it, how often they have it, or how old they are. We provide you 100% results after using our products.

See our site!



------=_NextPart_000_0006_01C78F10.48DE37C0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html xmlns=3D"urn:schemas-microsoft-comfficeffice" xmlns:w=3D"urn:sc=
hemas-microsoft-comffice:word" xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Diso-8859-1">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
</head>
<body>
<BODY>
<P> It's not surprise that more than 600,000 medic choice the prescription =
drug Viagra for their patients with SpammerLOL dysfunction(ED).</P>
<BR>
<P>Fact is, when taken correctly, Viagra works for most men. Studies show t=
hat it works for up to 4 out of 5 men (versus 1 out of 4 on sugar pill).</P=


<BR>
<P>Viagra improves ohZerectionSpamions for most men no matter how long they have had =
ED, what caused it, how often they have it, or how old they are. We provide=
you 100% results after using our products.</P><BR>

<A HREF=3D"http://verbroot.hk">See our site!</a>
</BODY>

</body>
</html>

------=_NextPart_000_0006_01C78F10.48DE37C0--

 

[nzkiwi]

Is any one able to explain to me (in simple terms) why so much of the Spam I receive does not appear to have been processed by either DSPAM or Spam Assassin? I have Spam filtering enabled. Spam check level is set to Very agressive, Mark as Spam, and MaxScore level set to Undefined. Yet most emails have no "X-Spam-" headers or "X-DSPAM-" headers. For example:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 28783 invoked by uid 399); 10 May 2007 10:42:47 -0000
X-Virus-Scan: Scanned by ClamAV 0.90.1 (no viruses);
Thu, 10 May 2007 06:42:49 -0400
Received: from unknown (HELO -1213585872) (222.131.49.146)
by mail4.m****here.biz with SMTP; 10 May 2007 10:42:47 -0000
Received-SPF: none (mail4.m****here.biz: domain at graniitti.net does not designate permitted sender hosts)
identity=mailfrom; client-ip=222.131.49.146;
envelope-from=<[email protected]>;
Received: from graniitti.net (-1213957072 [-1213681552])
by girdersandgears.com (Qmailv1) with ESMTP id AC593975A4
for <[email protected]>; Thu, 10 May 2007 10:42:50 +0000
Date: Thu, 10 May 2007 10:42:50 +0000
From: Barbara Albert <[email protected]>
X-Mailer: The Bat! (v2.00.0) Personal
X-Priority: 3
Message-ID: <[email protected]>
To: Info <[email protected]>
Subject: FDA approved on-line pharmacies
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------3520551C70BDFA6"
X-Virus-Scanned: Norton

Occassionally, I'll get one with DSPAM headers like this:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 15820 invoked by uid 399); 9 May 2007 19:34:53 -0000
X-Virus-Scan: Scanned by ClamAV 0.90.1 (no viruses);
Wed, 09 May 2007 15:34:53 -0400
Received: from dspam1.m****here.biz (204.14.110.250)
by mail4.m****here.biz with SMTP; 9 May 2007 19:34:53 -0000
Received-SPF: none (mail4.m****here.biz: domain at roperasw.com does not designate permitted sender hosts)
identity=mailfrom; client-ip=204.14.110.250;
envelope-from=<[email protected]>;
Received: from localhost (dspam1.local [127.0.0.1])
by dspam1.m****here.biz (Postfix) with SMTP id 6B5367A712B
for <[email protected]>; Wed, 9 May 2007 15:34:54 -0400 (EDT)
Received: from mail.tsz.nl (unknown [84.76.220.78])
by dspam1.m****here.biz (Postfix) with ESMTP id 33B5E7A4F5A
for <[email protected]>; Wed, 9 May 2007 15:29:27 -0400 (EDT)
Received: from 12.109.161.7 (HELO mail.roperasw.com)
by domain.com with (8.00.9/8.63.3) ESMTP id el13mcjwtjqxgfo
for [email protected]; Wed, 9 May 2007 19:29:33 -0060
Received: from huq.finmarket.ru ([98.155.194.112])
by ycz6tn.finmarket.ru (6.99.8.20011003/6.05.0) with ESMTP id j4S67f3el799666
for [email protected]; Wed, 9 May 2007 19:29:33 -0060
From: "Liwanda Kieso" <[email protected]>
To: <[email protected]>
Subject: Re:
Date: Wed, 9 May 2007 19:29:33 -0060
Message-ID: <01c79270$5f0d0630$6c822ecf@ibisafghanistan>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C79281.2295D630"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Thread-Index: Aca6Q5:.43P66DM+J8YB.2PA5W0O==
X-DSPAM-Result: Spam
X-DSPAM-Processed: Wed May 9 15:34:54 2007
X-DSPAM-Confidence: 0.6929
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: 4642225a256211401556874
X-DSPAM-User: [email protected]
X-DSPAM-Factors: 15,
size="3"+face="Times, 0.99000,
Roman"><font, 0.99000,
Date*33+0060, 0.99000,
your+sex, 0.99000,
color="#0000ff", 0.99000,
New+Roman"><font, 0.99000,
all+men, 0.99000,
ohZerectionSpamion+This, 0.99000,
SpammerLOL, 0.99000,
SpammerLOL+dysfunction, 0.99000,
Received*Wed+9, 0.01257,
Date*May, 0.97461,
Date*Wed+9, 0.03641,
ohZerectionSpamion, 0.93290,
Url*hk, 0.90630

but they are in the minority.

Consequently email is not being tagged with "*****SPAM*****". I notice all legitimate email does have DSPAM headers, whereas most Spam does not. How come ?(

 

[Stephen]

do you have secondary mx records set on your domain? That may be the cause, as spammers hve been going to 2nd priority MX record for some time now.

 

[nzkiwi]

Wow, Stephen, that was a quik response

I wasn't sure how to access the MX information, but I've managed to figure it out. This is what is shown when I look at the DNS configuration:

Built in MX records
sub1.domain.com 86400 IN MX 10 gw-mail.domain.com
sub2.domain.com 86400 IN MX 10 gw-mail6.domain.com

Custom MX records
domain.com IN MX 10 dspam.domain.com
domain.com IN MX 20 mail4.domain.com

Does that look right?

 

[Stephen]

No, the custom mx record setting is making it be able to bypass dspam.

 

[nzkiwi]

OK, I activated 'Restore default MX records' and then deleted the custom MX records. The outcome is:

Built in MX records
domain.com 86400 IN MX 10 gw-mail4.domain.com
sub1.domain.com 86400 IN MX 10 gw-mail.domain.com
sub1.domain.com 86400 IN MX 10 gw-mail.domain.com
sub2.domain.com 86400 IN MX 10 gw-mail6.domain.com
sub2.domain.com 86400 IN MX 10 gw-mail6.domain.com

Built in CNAME records
mail.sub1.domain.com 86400 IN CNAME mail.domain.com
mail.sub2.domain.com 86400 IN CNAME mail6.domain.com

I notice there are duplicate entries for the sub domains. Is that correct?

 

[Stephen]

yes, that is fine

 

[nzkiwi]

Thanks Stephen. In fact, thanks to every one a JH. Compared to other providers I have experienced, the support here is wonderful. And for the most part, staff seem to care about the customers.

 

[Stephen]

So no mail seems to be bypassing now?

 

[nzkiwi]

Almost none. I have seen only one message bypassing DSPAM since restoring the default MX records. That's out of a total of 20 Spam messages and 20 genuine messages.

The header of the one message that by-passed DSPAM is:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 7559 invoked by uid 399); 13 May 2007 00:47:45 -0000
X-Virus-Scan: Scanned by ClamAV 0.90.1 (no viruses);
Sat, 12 May 2007 20:47:46 -0400
Received: from ip24-141-173-82.adsl2.versatel.nl (HELO web1079.com) (82.173.141.24)
by mail4.m****here.biz with SMTP; 13 May 2007 00:47:45 -0000
Received-SPF: none (mail4.m****here.biz: domain at web.de does not designate permitted sender hosts)
identity=mailfrom; client-ip=82.173.141.24;
envelope-from=<[email protected]>;
From: Seth Korn <[email protected]>
To: [email protected]
Reply-To: [email protected]
Subject: DEAREST ONE
Date: Sun, 13 May 2007 02:47:36 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="3ab50ff7-ea3f-45ea-9c32-dac66bec7b38"

 

[Stephen]

looks to me like that one was using(abusing) a cached DNS entry to get its information. Hopefully ALL such caches will be expired soon.

 

[nzkiwi]

Looks to me like you were right
I've not seen any more slip by DSPAM :dance: