ace Posted February 13, 2004

Hello,

I received an email today from one of my email accounts associated with our domain. (Hosted by TCH) It was marked by the spam protection that is turned on in the Cpanel. The user sent the mail to me via sqmail interface.

Any idea why the spam software would tag email from our own domain...using sqmail?

Any help would be appreciated.

~Ace

MikeJ Posted February 13, 2004 (edited)

Spamassassin (the spam protection enabled from cpanel) uses a scoring system to judge if an item is spam or not based on numerous rules, including known spam hosts, content, and format. It could be as simple as the wording of the email triggered Spamassassin to think it's spam (like if you use ALL CAPS, or say things like FREE CASH, you'll get some high scores).

The email you received, if it scored enough to be flagged as spam, should have a full analysis of why it scored high enough to be flagged included with the message. Take a look at that and you'll see what rules it triggered.

Edit: Actually, I just realized you may be asking why Spamassassin looked at it at all. If that's the case, it's because the email still goes through your mailserver to be processed, so SpamAssassin will still look at it, even if it's sent from your own accounts.

Edited February 13, 2004 by Big Gorilla

ace Posted February 13, 2004

Thanks for the help. Here is what showed up in the spam message. Is any of it unusual? Remember this is from our own domain email on TCH.

Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 NO_REAL_NAME           From: does not include a real name
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [66.42.39.248 listed in dnsbl.sorbs.net]
 2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [66.42.39.248 listed in dnsbl.sorbs.net]
 0.8 PRIORITY_NO_NAME       Message has priority setting, but no X-Mailer
 1.8 INVALID_MSGID          Message-Id is not valid, according to RFC 2822

Regards
Ace.

ThumpAZ Posted February 13, 2004

> Content analysis details:   (5.6 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.3 NO_REAL_NAME           From: does not include a real name
>  0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
>                             [66.42.39.248 listed in dnsbl.sorbs.net]
>  2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
>                             [66.42.39.248 listed in dnsbl.sorbs.net]
>  0.8 PRIORITY_NO_NAME       Message has priority setting, but no X-Mailer
>  1.8 INVALID_MSGID          Message-Id is not valid, according to RFC 2822
>
> Regards
> Ace.

Nothing about it is unusual. I checked sorbs and it is only listed because of the type of IP address, which has become more and more prevalent in block lists over the last few years.

The one thing that the techs around here could look into is the message ID part... why would our servers not be forming proper message IDs?

-GG

MikeJ Posted February 13, 2004

> 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address
> [66.42.39.248 listed in dnsbl.sorbs.net]

Ok... looking at your two biggest scores.....

First, 2.5 for a dynamic address pool (66.42.39.248 is a netzero ip address). Because of the way SquirrelMail works, it records the address of the person connecting to the mail client, and SpamAssassin (SA) is picking that up. SA scores dynamic addresses higher because a lot of people spam from home computers (which primarily use dynamic ip addresses).

Looking at typical SquirrelMail headers, you would see something like this as one of the received lines:

>Received: from 1.2.3.4 ([1.2.3.4])
        (SquirrelMail authenticated user bubba)
        by **** with HTTP;
        Fri, 13 Feb 2004 02:04:34 -0500 (EST)

Where 1.2.3.4 is the IP address of the computer (or router) of where you are connecting to webmail from.

Horde uses a similar method of creating its headers, so of the 3 webmail choices, it looks like Neomail is the only one that doesn't record the address of the connecting system as part of the received lines in the headers (and therefore Neomail has less chance of potentially being labeled spam).

> 1.8 INVALID_MSGID Message-Id is not valid, according to RFC 2822

The program that creates the email generates the message ID, so in this case SquirrelMail must have written a message ID that SA didn't like, although without seeing it, not sure why. The email I sent from Squirrelmail to myself didn't complain about the message ID.

If you have too many problems with your emails being dropped as spam, you may need to try using Neomail, or if it's only within your own accounts, configure spamassassin through your cpanel to require more hits (like maybe 6 instead of 5).

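Added example (not part of the original thread or of SpamAssassin itself): a short Python parser for the report ace posted, used to check the two mitigations discussed above, a required score of 6 and a webmail client that leaves the connecting IP out of the Received lines. The function names are assumptions made for this example; the report text is copied from the thread with its column spacing reconstructed.

```python
import re

# Report text copied from the thread; column spacing is reconstructed.
REPORT = """\
Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 NO_REAL_NAME           From: does not include a real name
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [66.42.39.248 listed in dnsbl.sorbs.net]
 2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [66.42.39.248 listed in dnsbl.sorbs.net]
 0.8 PRIORITY_NO_NAME       Message has priority setting, but no X-Mailer
 1.8 INVALID_MSGID          Message-Id is not valid, according to RFC 2822
"""

SUMMARY = re.compile(r"\(\s*(-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")
RULE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

def parse_report(text):
    """Return (total, required, rules); each rule is [points, name, description]."""
    m = SUMMARY.search(text)
    if not m:
        raise ValueError("no '(N points, M required)' summary line found")
    total, required = float(m.group(1)), float(m.group(2))
    rules = []
    for line in text.splitlines():
        r = RULE.match(line)
        if r:
            rules.append([float(r.group(1)), r.group(2), r.group(3).strip()])
        elif rules and line.startswith(" " * 10) and line.strip():
            rules[-1][2] += " " + line.strip()  # wrapped description line
    return total, required, rules

def is_spam(total, required):
    return total >= required  # tagged once the total reaches the threshold

def score_without(total, rules, *names):
    """Header total minus the named rules (as if they had not fired)."""
    return round(total - sum(p for p, n, _ in rules if n in names), 1)

def single_rule_fixes(total, required, rules):
    """Rules whose absence alone would leave the message under the threshold."""
    return [n for _, n, _ in rules if not is_spam(score_without(total, rules, n), required)]

if __name__ == "__main__":
    total, required, rules = parse_report(REPORT)
    print("tagged at 5.0:", is_spam(total, required), "| at 6.0:", is_spam(total, 6.0))
    print("rules that decide the verdict on their own:", single_rule_fixes(total, required, rules))
```

The per-rule points as posted add up to 5.5 while the summary line reports 5.6, so the code works from the summary total rather than re-summing the table.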
charle97 Posted February 13, 2004

you could also whitelist your domain name in the spamassassin config. doing so, will give you a certain amount of padding before a message will hit the spam threshold. the default is 20 or something like that, so any whitelisted domain will receive -20 points and any spam rule hits will be counted against the -20.