[Mailman-Users] Mailman-Users Digest, Vol 154, Issue 30

Mark Sapiro mark at msapiro.net
Tue Dec 20 12:54:15 EST 2016


On 12/20/2016 05:11 AM, Glen Page wrote:
> Here is the header info from a message that I got from our Dean. It got flagged as Spam somewhere along the way.
...
> {Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS CANCELLED FOR	TONIGHT
> To: claws at lists.thet.net students2017 at lists.thet.net 
> X-Thetnet-Mailscanner-Information: Please contact the ISP for more information
> Sender: admin-bounces at lists.thet.net
> List-Archive: <http://lists.thet.net/mailman/private/admin/>
> Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@thet-net.20150623.gappssmtp.com; spf=fail (google.com: domain of admin-bounces at lists.thet.net does not designate 104.219.98.14 as permitted sender) smtp.mailfrom=admin-bounces at lists.thet.net
> X-Received: by 10.55.20.95 with SMTP id e92mr9675564qkh.54.1481993433047; Sat, 17 Dec 2016 08:50:33 -0800 (PST)
> X-Received: by 10.13.204.67 with SMTP id o64mr6487069ywd.47.1481993249239; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
> Return-Path: <admin-bounces at lists.thet.net>
> List-Help: <mailto:admin-request at lists.thet.net?subject=help>
> X-Original-To: admin at lists.thet.net
> X-Original-To: employees at lists.thet.net
> X-Original-To: claws at lists.thet.net
> X-Thetnet-Mailscanner-Spamscore: sssssss, sssssss, sssss, sssss
> X-Gm-Message-State: AKaTC03CGHzT3zezdGpZ3HNvRPiPVZelD2bKmhcA8Wn9WsDZT93E/DWWFFAFrbExpkGdZ0xWfYUPvqPLwJXAyg==
> List-Id: Interactive mailing list for TA Administrators <admin.lists.thet.net>
> X-Mailman-Version: 2.1.12
> X-Greylist: whitelisted by SQLgrey-1.7.6
> X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=; b=XDw9OtI9GY0saYUhV9g6nVzCeS2/FHyuJUbb3YrEZtrQAg+GOI9B1chbVDYuIDm9Ip EpVs8ERwixZfcbO+hRhz21h6dmm1kRorFGHjVKUjt9fOONcqX0C3i0FPy+VHgxf4nPnT 5wzEquSIGU7I5YoUNFK7AR6pqPCRXqEaS4t9Aa0Q9njL2Y2XEh+dw1z1e3XreibJMMr6 kYmbFTM6YcxBprB6XJCHzVI4R51a9L2CmxJCHn8X+ULXsligpbAIr8vnMxT8QjAxejM6 A1kiQZG57hSs4B/8R8TQeX3jj2QpF1XULvdkLgxDlskybV2LdQP2tTpDf9aI0TnXO+bg ralw==
> X-Thetnet-Mailscanner-Spamcheck: spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (cached, score=7.315,  required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809,  required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)
> X-Thetnet-Mailscanner: Found to be clean, Found to be clean, Found to be clean, Found to be clean
> List-Post: <mailto:admin at lists.thet.net>
> Errors-To: admin-bounces at lists.thet.net
> Message-Id: <CACaqBRtUd-HAaOF54gcWrQQffha6q3gMQVbnEcrMnZvNGFikjg at mail.gmail.com>
> X-Spam-Status: Yes, Yes, Yes, Yes
> X-Thetnet-Mailscanner-From: admin-bounces at lists.thet.net
> Mime-Version: 1.0
> Precedence: list
> Received: by 10.80.136.105 with SMTP id c38csp743701edc; Sat, 17 Dec 2016 08:50:33 -0800 (PST)
> Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com with ESMTPS id n185si342354qke.282.2016.12.17.08.50.32 (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016 08:50:32 -0800 (PST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17 Dec 2016 11:49:56 -0500 (EST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17 Dec 2016 11:49:04 -0500 (EST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17 Dec 2016 11:48:05 -0500 (EST)
> Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7 for <claws at lists.thet.net>; Sat, 17 Dec 2016 11:47:29 -0500 (EST)
> Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for <claws at lists.thet.net>; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
> Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST)
> Content-Type: multipart/mixed; boundary="===============0140925220=="
> X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7
> Delivered-To: glen.page at thet.net.test-google-a.com
> Delivered-To: admin at lists.thet.net
> Delivered-To: employees at lists.thet.net
> Delivered-To: claws at lists.thet.net
> X-Beenthere: claws at lists.thet.net
> X-Beenthere: employees at lists.thet.net
> X-Beenthere: admin at lists.thet.net
> Received-Spf: fail (google.com: domain of admin-bounces at lists.thet.net does not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14;
> List-Unsubscribe: <http://lists.thet.net/mailman/options/admin>
> List-Unsubscribe: <mailto:admin-request at lists.thet.net?subject=unsubscribe>
> List-Subscribe: <http://lists.thet.net/mailman/listinfo/admin>, <mailto:admin-request at lists.thet.net?subject=subscribe>
> Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thet-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=; b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8 U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328 XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==


This message was scanned by MailScanner on thet.net 4 times, once before
the Claws list, once between that and the Employees list, once between
that and the TA Admin list and once on the way out.

It appears from the

X-Thetnet-Mailscanner-Spamscore: sssssss, sssssss, sssss, sssss

header that after the first two times, the score decreased.

The header

X-Thetnet-Mailscanner-Spamcheck: spam, SORBS-SPAM, SpamAssassin (cached,
score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70,
HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (cached,
score=7.315,  required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70,
HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not
cached, score=5.809,  required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL
2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50,
SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809,
required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00,
RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)

reflects the SpamAssassin hits from each pass. The first report is

spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5,
BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00,
RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51,
SUSPICIOUS_RECIPS 2.51)

and the last is

spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90,
DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00,
SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)

The score dropped because after the initial passes, tags/prefixes got
added that caused SUBJ_ALL_CAPS to miss (it should have missed on the
second scan, but a cached result was used).

The big hits besides SUBJ_ALL_CAPS are DNS_FROM_AHBL_RHSBL,
SORTED_RECIPS and SUSPICIOUS_RECIPS.

DNS_FROM_AHBL_RHSBL looks like a blacklist of some sort, but it is not
in my up-to-date SpamAssassin. The others are standard rules in
20_head_tests.cf described as

describe SORTED_RECIPS		Recipient list is sorted by address
describe SUSPICIOUS_RECIPS	Similar addresses in recipient list

Were it not for the DNS_FROM_AHBL_RHSBL hit, the score would have been <
5 all 4 times.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
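
An added example (not part of the message above and not MailScanner or SpamAssassin code): a small Python parser for the X-Thetnet-Mailscanner-Spamcheck value quoted in this message. It splits the value into the four scanner passes, shows which rule stopped hitting between the first and last pass, and recomputes each score with DNS_FROM_AHBL_RHSBL removed. The function names and regular expressions are assumptions made for this illustration.

```python
import re

# Header value taken from the message on this page (whitespace normalized).
SPAMCHECK = (
    "spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, "
    "DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
    "SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), "
    "spam, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, "
    "DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
    "SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), "
    "spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, "
    "DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
    "SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51), "
    "spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, "
    "DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
    "SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)"
)

# One "SpamAssassin (...)" group per pass; rule hits are "NAME points" pairs.
REPORT = re.compile(
    r"SpamAssassin \((not cached|cached), score=([\d.]+),\s*required ([\d.]+),\s*([^)]*)\)")
RULE = re.compile(r"([A-Z][A-Z0-9_]*) (-?\d+\.\d+)")

def parse_passes(value):
    """Return one dict per scanner pass: cached flag, score, threshold, rule hits."""
    passes = []
    for cached, score, required, rules in REPORT.findall(value):
        hits = {name: float(pts) for name, pts in RULE.findall(rules)}
        passes.append({"cached": cached == "cached", "score": float(score),
                       "required": float(required), "hits": hits})
    return passes

def dropped_rules(first, last):
    """Rules that hit in `first` but no longer hit in `last`, with their points."""
    return {r: p for r, p in first["hits"].items() if r not in last["hits"]}

def score_without(scan, rule):
    """Reported score of one pass minus a single rule's contribution."""
    return round(scan["score"] - scan["hits"].get(rule, 0.0), 3)

if __name__ == "__main__":
    passes = parse_passes(SPAMCHECK)
    print("dropped between first and last pass:", dropped_rules(passes[0], passes[-1]))
    for n, scan in enumerate(passes, 1):
        alt = score_without(scan, "DNS_FROM_AHBL_RHSBL")
        print(f"pass {n}: score={scan['score']} cached={scan['cached']} "
              f"without AHBL={alt} (required {scan['required']})")
```

The reported scores are used as printed in the header; the per-rule points are rounded to two decimals there, so they do not sum exactly to the three-decimal totals.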

