help! SPAM attack
I recently moved a new customer from another hosting service to FQ. I recreated their 3 email addresses so they can get email as before. Two of those email addresses were immediately bombarded with SPAM - 10-50 per day. I've been with FQ for some time now, with multiple accounts, multiple email addresses, took no particular precautions, and had no problems with SPAM on any of them - before now.
I assume that since these email addresses have been in play for several years, receiving email from all over the world, that their email addresses have been scooped up and circulated on spammer email lists. Curiously, the two most used addresses are getting hit repeatedly, while the third, which has been used very infrequently and only for incoming mail, remains SPAM free.
Having no prior experience with this, I enabled SA globally with the default score of 5.1 and selected tag-only so I could monitor the effect. Now most, but not all, of the SPAM arrives tagged, but wading through them and deleting manually is a pain. I was afraid to let SA simply delete them for fear of losing valid messages via false positives.
Any suggestions on how to resolve this? It presents a bad PR precedent, since the former hosting service seems to have filtered this stuff effectively.
Help... Jack
kitchin
03-06-2008, 08:59 PM
10-50 is nothing, by the way.
Use a filter or rule in your email program to move the incoming spam-scored messages into their own folder. Then when you look at that folder, sort it by subject! (Click on "subject".) Easy.
In Outlook they are called rules, and after you do one or two it is not so bizarre as the first time. It walks you through a couple of steps.
Outlook... isn't that from the Evil Empire? Having worked and lived in Silicon Valley for more years than the Redmond Rogues have been in business, plus having been involved in a number of lawsuits involving theft of intellectual property, I'm the most MS-phobic person you're likely to ever meet.
I'm a devoted Thunderbird fan and have used their filter protocols before, so diverting the tagged messages is not a problem. My post was because I was so surprised that this stuff appeared this time, when I've just not had this problem with other FQ email accounts. Thunderbird will help, but this customer makes frequent use of webmail while traveling -- what's to keep this from flooding his QuestMail access?
Would it make sense to use SA to divert it to another email account on the server and check it manually for false positives? Also, the Thunderbird spam filtering is adaptive and will probably start to nab the stuff that is getting by SA currently (about 1 in 10 is not being detected), but that doesn't keep it from showing up on QuestMail. I haven't looked at the SA score on the SPAM that gets through -- maybe I need to tweak it a bit. Any suggestions?
Jack
kitchin
03-07-2008, 12:29 AM
Whether you redirect mail to a new mailbox on the server or to a new folder in Thunderbird, it's just a matter of convenience. I use dialup sometimes, so I don't want all the junk coming into the same box as the good stuff. Even on high speed, constantly downloading junk is a hassle.
I don't use Outlook or OE, but sometimes I have to learn it for my clients! :)
hobbes
03-07-2008, 07:57 AM
My approach is to have spam go into a separate folder that is then checked (every few days). I do make use of the SA white list as well for VIPs.
As with others, I have found the amount of spam not being caught by SA to have risen considerably the last few weeks (or perhaps the amount of spam has just grown). Whatever the cause, my regular Inbox is a lot fuller than it used to be. So much so, that I will probably implement rulesets in my desktop mail app to flag email from known addresses as a secondary filter mechanism for faster processing.
Thanks Hobbes -- I have mixed emotions about this happening to others as well... at least I'm not alone in the Wildernet.
Just checked the latest dose of spam and looked closer at the full headers. Of the ones that SA detected, they had scores from ~7 to 14, one was 19. Of the two that SA missed, one had a score of 4.7, below the default threshold - in spite of some rather ripe language in the text (guess what they were selling). I'm not too savvy when it comes to deciphering email headers, but it appears to have originated at:
from host68-77-dynamic.35-79-r.retail.telecomitalia.it (host68-77-dynamic.35-79-r.retail.telecomitalia.it [79.35.77.68]) by mx08.futurequest.net ([10.2
The other one that SA missed is a bit more disturbing... the SA report line is:
X-Spam-Status: No, score=0.0 required=5.1 tests=none autolearn=disabled version=3.1.9-gr0
That looks to me like SA is turned off completely! This message was sent to the primary address for this account, and a Bcc sent to the second address that is getting hit regularly -- they have both of the addresses in one SPAM message! This is the only message in this inbox that appears to have SA turned off. I have SA turned on globally for the account, and my understanding is that will apply it to all addresses for this account. Have the spammers found a way to hack SA and turn it off for their garbage? What am I missing?
Jack
rwrusharch
03-07-2008, 02:54 PM
In the last few days I've noticed a significant increase in the amount of spam getting past SpamAssassin. Over a period of many months I've gradually lowered the score in .1 increments, and as of today I'm at 2.8. I've had to whitelist some addresses/domains I want to get through, while more of the spam gets through. And still, several hundred spam a day are caught by SpamAssassin.
Richard
My system shows SA's killrate falling from above 91% a couple of weeks ago to as low as 71% now. Hopefully this weekend's scheduled SA upgrade will help.
sheila
03-08-2008, 03:58 PM
The other one that SA missed is a bit more disturbing... the SA report line is:
X-Spam-Status: No, score=0.0 required=5.1 tests=none autolearn=disabled version=3.1.9-gr0
That looks to me like SA is turned off completely!
Not at all. If it were turned off (disabled), then there would be no X-Spam-Status header at all, nor any of the other headers that are inserted at the time SA scans the email.
I'm supposing that it is the score of 0.0 that makes you say that it looks like SA is turned off? It's entirely possible for an email to score zero points.
This message was sent to the primary address for this account, and a Bcc sent to the second address that is getting hit regularly -- they have both of the addresses in one SPAM message! This is the only message in this inbox that appears to have SA turned off. I have SA turned on globally for the account, and my understanding is that will apply it to all addresses for this account.
It is very common for spammers to send to multiple email addresses on the same domain. We often get spam coming into the Service Desk at the exact same time that I'm getting a personal copy of the exact same spam on my own FutureQuest.net email address. I think Bob and Deb and everyone else is also getting their own copies at the exact same time.
Yes, if SA is enabled globally, it will apply to all email addresses on the domain.
Have the spammers found a way to hack SA and turn it off for their garbage? What am I missing?
I'm afraid that I don't understand this comment/question/concern? The spammers can't turn off the SA on our servers. Sometimes they may set up SA on their own test servers and run their messages through SA and see how it scores and try tweaking their emails to get lower scores. I don't think many spammers do this, but some probably do.
Thanks Sheila,
My concern is with messages going into this email address that are some which are most certainly spam (and indeed most of these get flagged as such by the default Thunderbird spam filter), and yet in the full header, the line:
X-Spam-Status: No, score=0.0 required=5.1 tests=none autolearn=disabled version=3.1.9-gr0
Which implies to me that SA did not test this message at all. Legitimate messages all display something like:
X-Spam-Status: No, score=1.9 required=5.1 tests=HTML_MESSAGE, HTML_TAG_EXIST_TBODY,NO_REAL_NAME,RCVD_NUMERIC_HELO autolearn=disabled version=3.1.9-gr0
Which appears to show not only that SA was run, but which tests were applied. Just what is the meaning of the "X-Spam-Status" line in the header?
Also, what is "autolearn" and why is it disabled? Is this another filter mechanism I need to enable separately? Is there documentation anywhere that explains the SA reports? (Without giving away too much information about how it works!)
Jack
hobbes
03-08-2008, 07:29 PM
As it's on a community server, autolearn is disabled. The 0.0 implies just that: none of the "spam" tests applied to the message, so it was deemed to have no "hint" of spam.
Those with a serious spam issue should consider an outside service. I used to hear good things about Postini, but am not sure since they're bought up by G*.
sheila
03-08-2008, 07:34 PM
Just to elaborate a bit on what hobbes wrote...
All spam tests are run on every email that SA scans. The line you are quoting only shows the names of the tests for which the email triggered a "positive" result and therefore earned points for the listed tests. If no tests are listed in that header, then there were no tests for which the email tested positive.
The auto-learn feature is off for all email on FutureQuest's servers (not just community servers only). In order to use auto-learn, there must be a mechanism for sending feedback results to SA on the emails that have been scanned, as to whether they were spam or ham.
Thanks for that information Hobbes & Sheila -- it's curious that the spam that SA lets through is invariably (so far) caught by the Thunderbird filter. Thunderbird documentation states that it may take 100+ spam messages to train it so we should be there shortly. By diverting both SA flagged and Thunderbird filtered messages, I think we'll get 99% of them!
Thanks again... Jack
cutupguy
03-11-2008, 07:11 PM
I am getting SPAM with the SA score as a negative number. I understand a white list entry will do this, but how did a spammer do it? Seems to have started in the last few days, but I don't know for sure.
Any ideas? What to do? Example below:
X-Spam-Checker-Version: SpamAssassin 3.2.4-gr0 (2008-01-01) by QuestScan
on Tue, 11 Mar 2008 18:51:53 -0400
X-Spam-Level:
X-Spam-Status: No, score=-87.0 required=5.9 tests=DRUGS_ERECTILE,
sheila
03-11-2008, 07:20 PM
I am getting SPAM with the SA score as a negative number. I understand a white list entry will do this, but how did a spammer do it? Seems to have started in the last few days, but I don't know for sure.
Any ideas? What to do? Example below:
X-Spam-Checker-Version: SpamAssassin 3.2.4-gr0 (2008-01-01) by QuestScan
on Tue, 11 Mar 2008 18:51:53 -0400
X-Spam-Level:
X-Spam-Status: No, score=-87.0 required=5.9 tests=DRUGS_ERECTILE,
Please provide the complete X-Spam-Status: header. (What you have pasted above for that header is cut-off.)
For the record, I'm still dealing with spam that makes it through SA, but on examining lots of message headers, the curious thing is that every one of them has an SA score of 0. I haven't found a single other message in the legitimate email that doesn't score at least 1.9 or something like that. Sort of bolsters Sheila's theory that they are sanitizing their messages to get through SA - and doing a superb job of it at that. I've seriously thought of implementing a filter that isolates messages with a perfect score!
Accessing the email from Thunderbird, its spam filters have caught several of the SA score=0 messages, especially the sex oriented ones, but the bogus business offers just sound too much like real mail until you read them.
Jack
cutupguy
03-11-2008, 08:08 PM
Return-Path: <billie@epomail.com>
Delivered-To: xxxxxxxxx
X-Spam-Checker-Version: SpamAssassin 3.2.4-gr0 (2008-01-01) by QuestScan
on Tue, 11 Mar 2008 18:51:53 -0400
X-Spam-Level:
X-Spam-Status: No, score=-87.0 required=5.9 tests=DRUGS_ERECTILE,
FB_WORD1_END_DOLLAR,HTML_MESSAGE,HTML_OBFUSCATE_10_20,MIME_HTML_ONLY,
RCVD_IN_PBL,RCVD_IN_SORBS_DUL,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_SBL,
USER_IN_ALL_SPAM_TO autolearn=disabled version=3.2.4-gr0
Received: (fqmail 22837 invoked from network); 11 Mar 2008 22:51:53 -0000
Received: from mx04.futurequest.net (mx04.futurequest.net [69.5.6.175])
by pt05.futurequest.net ([69.5.6.191])
with FQDP via TCP; 11 Mar 2008 22:51:53 -0000
Received: (qmail 15337 invoked from network); 11 Mar 2008 22:51:53 -0000
Received: from mx04.futurequest.net (mx04.futurequest.net [10.2.1.175])
by mx04.futurequest.net ([69.5.6.175]); 11 Mar 2008 22:51:50 -0000
Received: from adsl196-178-130-206-196.adsl196-5.iam.net.ma (adsl196-178-130-206-196.adsl196-5.iam.net.ma [196.206.130.178])
by mx04.futurequest.net ([10.2.1.175])
with SMTP via TCP; 11 Mar 2008 22:51:50 -0000
Received: (from billie@epomail.com) by billie@epomail.com.ac.za
(4.11.6/2.11.0) id g826Fa336459 for billie@epomail.com; Wed, 12 Mar 2008 04:49:43 +0600
Message-Id: <aegis.vacuole@870390193bibb.com>
From: "Ruben Stapleton" <billie@epomail.com>
Date: Tue, 11 Mar 2008 16:47:43 -0600
To: x@xxxxx.com
Subject: incredible price$ for be$t drug$!
User-Agent: Mutt/1.2.5.1i
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-EsetId: AA99A92B5224EC3DF0D4
sheila
03-11-2008, 09:57 PM
cutupguy: The address that the email is addressed TO is an address that is whitelisted in the "Whitelist TO" list on this mailbox. That's why it got a negative score.
P.S. I would suggest removing your email address from the post above so that the spambots do not crawl our forum and harvest your email address and send you even MORE spam. Ugg!
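The two header patterns this thread had to decode by hand (the score=0.0 tests=none case and the negative score caused by a Whitelist TO entry) can be triaged automatically. The following is an added example, not code from the thread or from FutureQuest: it unfolds the header block, parses X-Spam-Status, names the case, and estimates what the score would have been without the whitelist hit. The sample header is constructed after the one quoted above, and the -100 whitelist rule score is an assumption based on stock SpamAssassin 3.x defaults.

```python
import re

# Constructed sample, modelled on the folded X-Spam-Status header quoted in
# this thread (the mailbox had a "Whitelist TO" entry, hence the -87.0).
SAMPLE_HEADERS = """\
X-Spam-Level:
X-Spam-Status: No, score=-87.0 required=5.9 tests=DRUGS_ERECTILE,
    FB_WORD1_END_DOLLAR,HTML_MESSAGE,HTML_OBFUSCATE_10_20,MIME_HTML_ONLY,
    RCVD_IN_PBL,RCVD_IN_SORBS_DUL,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_SBL,
    USER_IN_ALL_SPAM_TO autolearn=disabled version=3.2.4-gr0
Subject: constructed sample
"""

# SpamAssassin rule names that fire on a recipient's own whitelist entries.
WHITELIST_RULES = {"USER_IN_WHITELIST", "USER_IN_WHITELIST_TO", "USER_IN_ALL_SPAM_TO"}
WHITELIST_SCORE = -100.0  # stock SA 3.x score for those rules (assumption)


def unfold_headers(raw):
    """Join RFC 822 continuation lines; return {name: [values in order]}."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:  # folded continuation line
            headers[last][-1] += " " + line.strip()
        elif ":" in line:
            last, _, value = line.partition(":")
            headers.setdefault(last, []).append(value.strip())
    return headers


def parse_spam_status(value):
    """Split 'No, score=-87.0 required=5.9 tests=A,B autolearn=... version=...'."""
    m = re.match(r"(Yes|No),\s*(.*)", value, re.S)
    # The tests list may contain spaces after unfolding, so each value runs
    # up to the next ' key=' token or the end of the string.
    pairs = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", m.group(2), re.S))
    tests = [t.strip() for t in pairs.get("tests", "").split(",")]
    return {"verdict": m.group(1), "score": float(pairs["score"]),
            "required": float(pairs["required"]),
            "tests": [t for t in tests if t and t.lower() != "none"],
            "autolearn": pairs.get("autolearn"), "version": pairs.get("version")}


def classify(status):
    """Name the case the thread's posters had to work out by hand."""
    tests = set(status["tests"])
    if status["verdict"] == "Yes":
        return "spam"
    if status["score"] < 0 and tests & WHITELIST_RULES:
        return "whitelisted"  # a whitelist rule dragged the score below zero
    if not tests:
        return "clean-zero"  # scanned, but no rule fired at all
    return "ham"


def content_score(status):
    """Score the message would have had without its whitelist rule hits."""
    hits = len(set(status["tests"]) & WHITELIST_RULES)
    return round(status["score"] - WHITELIST_SCORE * hits, 1)
```

On the sample, content_score() comes to 13.0, well above the 5.9 threshold, which is how a message full of drug and blocklist hits still arrived untagged.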
cutupguy
03-11-2008, 11:32 PM
THANK YOU Sheila! I did as you suggested.
Al
McDuff
03-12-2008, 02:41 PM
As mentioned earlier, I use Pegasus Mail (Pop3). They now have an integrated filter system called SPAMHALTER. Works a treat.
SA kills off a lot of spam, but still a lot comes through. When downloading all emails to PMail, everything gets checked by Spamhalter as well. Leaves me with very little spam in my main "new mail" folder. All spam goes to the specially designed Spamhalter folder; I rarely have false positives. Mind, I need to quite regularly empty that folder; it gets full very quickly.
Spamhalter is also self-learning. If spam passes both SA and Spamhalter, you can tell spamhalter to sniff it again because you want it classified as spam. You need about 100 spam and 100 no-spam emails (a good cross-cut of the normal emails you receive) to start the learning process properly.
Problem is, now it is integrated into PMail as an internal filter option (same way as SA in FQ).
Sheila, you once used PMail as well, think it is possible to get spamhalter as a stand-alone and then install it as a global custom filter in a domain or maybe even offer it as an FQ option?
f2sys
03-13-2008, 01:09 PM
I'm getting more frustrated with the amount of spam I'm receiving too. I've lowered the threshold score for SpamAssassin but like others have mentioned the ones that get through generally have a score of zero. My email client (Apple's Mail) has a junk filter that's been successfully isolating most of the rest for years but lately more Spam is showing up in my Inbox unmolested.
I'd prefer a server solution because I'm often using an iPhone that doesn't really have junk mail filtering (yet). Sorting and deleting scores of mixed mail can be tedious.
sheila
03-15-2008, 01:39 AM
Sheila, you once used PMail as well, think it is possible to get spamhalter as a stand-alone and then install it as a global custom filter in a domain or maybe even offer it as an FQ option?
Yes, I did use Pmail quite a number of years ago. Nice program, and nice community. It was quite some time before Spamhalter was added to the featurelist.
I have no experience with that program, but I did a Google search, and I don't see any evidence of it being offered as a standalone program. The search results I found (only one page worth) for a Google search on
Spamhalter bayesian mail filter
almost all referred to its use with Pmail.
If we were going to offer a bayesian spam filter, there are other scripts that we would probably be more likely to use.
The real problem with a bayesian filter is that it requires some kind of feedback mechanism and a type of data storage for keeping track of the ham vs. spam characteristics of the emails received. For this to be really effective, it should be individualized per-mailbox, and not per-domain, or worse, server-wide or network-wide. This isn't a trivial thing to set up on the server, and in addition to implementing the entire feedback mechanism, there are the data-storage aspects as well. Our thoughts on this in the past, when we have discussed this internally, have been that this is better suited to your personal e-mail client rather than setting it up on the server.
Now, if someone here manages to set up a bayesian filter on their own (installs it as a custom filter) and wants to share with others how they accomplished it so that interested others could do the same, that would be great. But we do not have this under consideration as a feature that FutureQuest is likely to offer with our hosting packages.
BoatGuy
03-21-2008, 05:43 PM
As of the last two days, each of our addresses has been getting 50 to 100 spam emails a day. The most disturbing part is many of these are bot-generated emails from having our addresses scraped off our site, for example from myname@mysite.com to myname@mysite.com. If I block the sender or the domain, we block interoffice communications.
Any ideas? I have our SpamAssassin controls ratcheted down. Not sure what else I can do.
Most are for the usual, viagra, illegal software etc.
Melissa
03-21-2008, 05:57 PM
I have our SpamAssassin controls ratcheted down.
I'm not sure I'm looking at the right account, but if I am, SpamAssassin is not showing as Enabled.
In looking, it does have some settings configured (which are NOT recommended), but they're not working as it is set to Disabled.
As far as the settings that are not recommended, specifically this would be the setting of "Bounce" as this will result in bouncing the spam email to innocent parties not having anything to do with sending the spam in the first place (see this thread (http://www.aota.net/forums/showthread.php?t=23269) for more info). Please change that to either Tag Only (only if not forwarding email off of the FutureQuest Network and not using autoresponders), Delete, or Redirect tagged email to a POP box under your account.
(I see you've made some changes since I started this and SpamAssassin is now showing as enabled. Please do change the Bounce option, as indicated above.)
BoatGuy
03-21-2008, 06:07 PM
Thank you. A lot of this mess started as replies to our work group from crackberries were being bounced (BIS Server). I whitelisted the blackberry addresses, but it seems as though it undid my other settings.
I'll do your recommendations.
Melissa
03-21-2008, 06:11 PM
I'll do your recommendations.
Thanks much. :)