
Weird flagging of emails to Spam

Rops
Hi

I have been surfing around for a while to find out why a lot of mails are considered spam by my ISP, when these aren't.

Searching this forum didn't help :-(
I'd be very happy if someone could enlighten me a little.

How much do you think is a reasonable level to flag as spam?

Message 1.

From a decent mail header, there is the following entry, but there is no source available to find out what DOS_OE_TO_MX_IMAGE=3 means ????


X-Virus-Scanned: amavisd-new at estpak.ee
X-Spam-Flag: YES
X-Spam-Score: 5.831
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.831 tagged_above=1 required=4.91
        tests=[BAYES_00=-1, DOS_OE_TO_MX_IMAGE=3,
        DYN_RDNS_AND_INLINE_IMAGE=0.001, DYN_RDNS_SHORT_HELO_HTML=0.499,
        DYN_RDNS_SHORT_HELO_IMAGE=0.001, EXTRA_MPART_TYPE=1,
        HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1,
        SHORT_HELO_AND_INLINE_IMAGE=0.781, TVD_FW_GRAPHIC_NAME_MID=0.543]

Message 2.

The message just has 4 rows of plain text.

What does RCVD_IN_XBL=3.033 mean ????

X-Virus-Scanned: amavisd-new at estpak.ee
X-Spam-Flag: YES
X-Spam-Score: 6.002
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.002 tagged_above=1 required=4.91
        tests=[BAYES_00=-1, DOS_OE_TO_MX=2.75, DYN_RDNS_SHORT_HELO_HTML=0.499,
        HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033,
        RDNS_DYNAMIC=0.1]


Message 3

Plain text, while score is very low, it still is flagged as spam.
What does RCVD_IN_SORBS_DUL=2.046 mean ????

X-Virus-Scanned: amavisd-new at estpak.ee
X-Spam-Score: 1.047
X-Spam-Level: *
X-Spam-Status: No, score=1.047 tagged_above=1 required=4.91
        tests=[BAYES_00=-1, HTML_MESSAGE=0.001, RCVD_IN_SORBS_DUL=2.046]

Re: Weird flagging of emails to Spam

John Hardin
On Tue, 20 Jan 2009, Rops wrote:

> I have been surfing around for a while to find out why a lot of mails
> are considered spam by my ISP, when these aren't.
>
> How much do you think is reasonable level to flag as spam?

The default is 5, and all the base rules are scored with that threshold in
mind.

> BAYES_00=-1

...only -1 for BAYES_00? That's pretty weak. Don't they trust their bayes
training?

> What does RCVD_IN_XBL=3.033 mean ????

The sender's IP address was flagged as suspicious, for example associated
with a hijacked (spam zombie) computer.

> What does RCVD_IN_SORBS_DUL=2.046 mean ????

The sender's IP address was flagged as a dialup or other dynamic-IP user.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Look at the people at the top of both efforts. Linus Torvalds is a
   university graduate with a CS degree. Bill Gates is a university
   dropout who bragged about dumpster-diving and using other peoples'
   garbage code as the basis for his code. Maybe that has something to
   do with the difference in quality/security between Linux and
   Windows.                           -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
  Tomorrow: John Moses Browning's 154th Birthday
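
As an added illustration of the scoring discussed in the reply above (not code from the thread or from SpamAssassin): a parser for the `X-Spam-Status` value in the amavisd-new format of the original post, which sums the rule hits and re-scores them against another threshold or rule weight. The `-2.5` weight used for BAYES_00 is a hypothetical value chosen for illustration.

```python
import re

# Constructed sample: the X-Spam-Status value of "Message 1" in the thread,
# still folded over several lines as amavisd-new wrote it.
SAMPLE_STATUS = """Yes, score=5.831 tagged_above=1 required=4.91
        tests=[BAYES_00=-1, DOS_OE_TO_MX_IMAGE=3,
        DYN_RDNS_AND_INLINE_IMAGE=0.001, DYN_RDNS_SHORT_HELO_HTML=0.499,
        DYN_RDNS_SHORT_HELO_IMAGE=0.001, EXTRA_MPART_TYPE=1,
        HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1,
        SHORT_HELO_AND_INLINE_IMAGE=0.781, TVD_FW_GRAPHIC_NAME_MID=0.543]"""

NUM = r"-?\d+(?:\.\d+)?"
FIELD_RE = re.compile(r"\b(score|required)=(" + NUM + ")")
TESTS_RE = re.compile(r"tests=\[(.*?)\]")
RULE_RE = re.compile(r"([A-Za-z0-9_]+)=(" + NUM + ")")


def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, score, threshold and rules."""
    unfolded = " ".join(value.split())            # undo header folding
    head = unfolded.partition("tests=")[0]        # part before the rule list
    fields = {k: float(v) for k, v in FIELD_RE.findall(head)}
    tests = TESTS_RE.search(unfolded)
    if tests is None or set(fields) != {"score", "required"}:
        raise ValueError("not an amavisd-new style X-Spam-Status value")
    rules = {n: float(s) for n, s in RULE_RE.findall(tests.group(1))}
    return {
        "verdict": unfolded.lower().startswith("yes"),
        "score": fields["score"],
        "required": fields["required"],
        "rules": rules,
    }


def top_contributors(status, n=3):
    """Rules that hit, largest positive contribution first."""
    ranked = sorted(status["rules"].items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:n]


def what_if(status, overrides=None, required=None):
    """Re-score the same hits with other rule weights and/or threshold.

    Returns (total, is_spam); a message is spam when total >= threshold.
    """
    rules = dict(status["rules"])
    for name, weight in (overrides or {}).items():
        if name in rules:                         # only rules that actually hit
            rules[name] = weight
    total = round(sum(rules.values()), 3)
    limit = status["required"] if required is None else required
    return total, total >= limit


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_STATUS)
    print("reported:", status["score"], "required:", status["required"])
    print("top rules:", top_contributors(status))
    print("threshold 5.0:", what_if(status, required=5.0))
    # Hypothetical stronger ham weight for BAYES_00 (assumption of this example).
    print("BAYES_00=-2.5:", what_if(status, overrides={"BAYES_00": -2.5}))
```

The sum of the listed rule scores reproduces the reported 5.831, and most of it comes from the DOS_OE_TO_MX_IMAGE hit rather than from the message content.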

Re: Weird flagging of emails to Spam

Karsten Bräckelmann-2
In reply to this post by Rops
On Tue, 2009-01-20 at 15:27 -0800, Rops wrote:

> Message 1.
> From a decent mail header, there is the following entry, but there is no source
> available to find out what DOS_OE_TO_MX_IMAGE=3 means ????

The message has been generated by Outlook (or claims to be), has been
sent directly from the client (MUA), Outlook, to the receiving SMTP (MX)
and contains an image. The latter is just sugar coating -- your MUA
should not directly send to the receiving SMTP.

Assuming you *are* using Outlook to generate the messages, how did you
make it directly using the MX, instead of your ISP's SMTP? If both, the
From and To addresses happen to live on the same server, then it is
badly configured -- talk to your ISP.


> Message 2.
> The message just has 4 rows of plain text.
> What does RCVD_IN_XBL=3.033 mean ????

The sending / transporting machine (probably your computer) right before
the receiving SMTP is listed in XBL, a blacklist that contains IPs of
exploited, malware infected end-user PCs.

Even while the listing still might be due to another user having it
shortly before, rather than your machine -- the underlying issue is
likely just the same as above. End-user machines are not supposed to
directly talk to the MX.


> Message 3
> Plain text, while score is very low, it still is flagged as spam.
> What does RCVD_IN_SORBS_DUL=2.046 mean ????

SORBS Dial Up List, another blacklist. Translates to "end-user machines
are not supposed to directly"... Wait, I said that already. :)

> X-Virus-Scanned: amavisd-new at estpak.ee
> X-Spam-Status: No, score=1.047 tagged_above=1 required=4.91
> tests=[BAYES_00=-1, HTML_MESSAGE=0.001, RCVD_IN_SORBS_DUL=2.046]

SA did not flag this one as spam. The SMTP rejected it for another
reason.


All in all, your problem is that your mail client (is it really
Outlook?) is sending mail directly to the MX. Instead, you should be
using your ISP's SMTP.

(See the first comment for a possible different reason.)

  guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Weird flagging of emails to Spam

Karsten Bräckelmann-2
On Wed, 2009-01-21 at 00:55 +0100, Karsten Bräckelmann wrote:
> On Tue, 2009-01-20 at 15:27 -0800, Rops wrote:

> > available to find out what DOS_OE_TO_MX_IMAGE=3 means ????
>
> The message has been generated by Outlook (or claims to be), has been
> sent directly from the client (MUA), Outlook, to the receiving SMTP (MX)
> and contains an image. The latter is just sugar coating -- your MUA
> should not directly send to the receiving SMTP.
>
> Assuming you *are* using Outlook to generate the messages, how did you
> make it directly using the MX, instead of your ISP's SMTP? If both, the
> From and To addresses happen to live on the same server, then it is
> badly configured -- talk to your ISP.

Oh, btw -- since you appear to be a regular user, you should be talking
to your ISP who blocks your mail anyway. They are your first contact in
case of any issues with their service. They are running SA, and they are
responsible for blocking your mail.

I do not mean to say it is bad to ask and understand the issue. That's
always a good idea. :)  I'm just saying, that this list is intended for
those operating SA -- rather than regular users, who ideally should
never even notice SA, other than a dramatic decrease in spam they
receive. ;)



Re: Weird flagging of emails to Spam

Karsten Bräckelmann-2
In reply to this post by Karsten Bräckelmann-2
On Tue, 2009-01-20 at 16:08 -0800, John Hardin wrote:
> On Wed, 21 Jan 2009, Karsten Bräckelmann wrote:
>
> > All in all, your problem is that your mail client (is it really
> > Outlook?) is sending mail directly to the MX. Instead, you should be
> > using your ISP's SMTP.
>
> Were these indeed messages sent by the OP? I don't recall seeing that in
> his post (which I've deleted)...

That would be a really bad way of sending out backscatter, assuming
estpak.ee actually is his ISP (common amavis header in all samples)...

Indeed you're right -- Roberta(?) didn't mention having sent them.
Though she claimed all of the samples not to be spam.

Only the original poster can answer this.  (wave, hint ;)



Re: Weird flagging of emails to Spam

Rops
In reply to this post by John Hardin

Hi

and thanks for a multitude of replies.
Isn't there any web list explaining these abbreviations, with some simple samples?

What does it mean that Outlook shouldn't send directly to MX?
I guess that's how it always has worked here with Outlook, even though I don't know right now what MX is :-)
May it be the result of outgoing and incoming servers being the same?? (mail.neti.ee)

I keep all messages, including spam, and now when looking into messages, I'd say that mostly messages which really are not spam are flagged as spam, and very seldom any real spam. That seems rather weird to me.

I'd like to ask my ISP later, but first I need to know what's wrong, as otherwise I most likely wouldn't get any reply.


The blacklisting is often a problem, as sometimes my messages have been rejected in USA, just because one of my ISP's 500.000 clients has sent spam. Is it the ISP to blame and punish with blacklisting, if there may be some bots working?


Re: Weird flagging of emails to Spam

Rops
In reply to this post by Karsten Bräckelmann-2
All sample messages had been flagged as spam and sent with Outlook 2003.
espak.ee is one of the ISP's servers, while Outlook sends to and receives from the mail.neti.ee server.

Karsten Bräckelmann-2 wrote
On Tue, 2009-01-20 at 16:08 -0800, John Hardin wrote:
> On Wed, 21 Jan 2009, Karsten Bräckelmann wrote:
>
> > All in all, your problem is that your mail client (is it really
> > Outlook?) is sending mail directly to the MX. Instead, you should be
> > using your ISP's SMTP.
>
> Were these indeed messages sent by the OP? I don't recall seeing that in
> his post (which I've deleted)...

That would be a really bad way of sending out backscatter, assuming
estpak.ee actually is his ISP (common amavis header in all samples)...

Indeed you're right -- Roberta(?) didn't mention having sent them.
Though she claimed all of the samples not to be spam.

Only the original poster can answer this.  (wave, hint ;)



Re: Weird flagging of emails to Spam

John Hardin
In reply to this post by Rops
On Tue, 20 Jan 2009, Rops wrote:

> What does it mean that Outlook shouldn't send directly to MX?

It means that rather than having your Outlook mail client directly contact
the mail servers (MX hosts) at, say, Microsoft, you should instead send
your email via the mail servers at your ISP and have *them* relay the mail
to Microsoft for you.

Most legitimate desktop clients behave this way. Having some random
desktop sending email directly to somebody's mail server rather than
sending it via the desktop's ISP's mail server is how spam zombies behave
- they are trying to avoid any filtering, antiforgery or rate control
measures in place at the ISP's mail server - so such traffic is pretty
much rejected by everyone these days.

I won't go into someone running a mail server at home here.

> May it be the result of outgoing and incoming servers being the same??
> (mail.neti.ee)

No, it's generally the sign of a spambot. I don't know if any common
legitimate mail client these days can be configured to do domain MX
lookups for direct delivery in the first place.

> I keep all messages, including spam, and now when looking into messages,
> I'd say that mostly messages which really are not spam are flagged as
> spam, and very seldom any real spam. That seems rather weird to me.
>
> I'd like to ask my ISP later, but first I need to know what's wrong, as
> otherwise I most likely wouldn't get any reply.

Well, the two things I noted - they've lowered the threshold at which a
message is considered spam, and don't put a big value on bayes saying
"it's not spam" - may be a factor.

> The blacklisting is often a problem, as sometimes my messages have been
> rejected in USA, just because one of my ISP's 500.000 clients has sent
> spam. Is it the ISP to blame and punish with blacklisting, if there may be
> some bots working?

The ISP's mail servers shouldn't get blacklisted, just the IP addresses
that ISP assigns to their customers.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   When designing software, any time you think to yourself "a user
   would never be stupid enough to do *that*", you're wrong.
-----------------------------------------------------------------------
  Tomorrow: John Moses Browning's 154th Birthday

Re: Weird flagging of emails to Spam

Rops
In reply to this post by Rops
Hi

I add the almost full headers of these 3 messages, if it helps to explain.
All samples had Spam added to the subject and my OL was the recipient.

Return-Path: <........@xxxx.ee>
Received: from MXR-12.estpak.ee ([88.196.174.176])
         by mbox1-1 (Cyrus v2.3.13) with LMTPA;
         Tue, 20 Jan 2009 21:29:17 +0000
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
        by MXR-12.estpak.ee (Postfix) with ESMTP id 3836E4413
        for <.....@online.ee>; Tue, 20 Jan 2009 23:29:11 +0200 (EET)
X-Virus-Scanned: amavisd-new at estpak.ee
X-Spam-Flag: YES
X-Spam-Score: 5.831
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.831 tagged_above=1 required=4.91
        tests=[BAYES_00=-1, DOS_OE_TO_MX_IMAGE=3,
        DYN_RDNS_AND_INLINE_IMAGE=0.001, DYN_RDNS_SHORT_HELO_HTML=0.499,
        DYN_RDNS_SHORT_HELO_IMAGE=0.001, EXTRA_MPART_TYPE=1,
        HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1,
        SHORT_HELO_AND_INLINE_IMAGE=0.781, TVD_FW_GRAPHIC_NAME_MID=0.543]
Received: from MXR-12.estpak.ee ([127.0.0.1])
        by localhost (MXR-2.estpak.ee [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id pQ0yWqGnxFGZ for <......@online.ee>;
        Tue, 20 Jan 2009 23:29:06 +0200 (EET)
Received: from Relayhost2.neti.ee (relayhost2.neti.ee [88.196.174.142])
        by MXR-12.estpak.ee (Postfix) with ESMTP id E804D5D42
        for <......@online.ee>; Tue, 20 Jan 2009 23:29:06 +0200 (EET)
X-SMTP-Auth-NETI-Businesmail: no
Received: from ...mada30 (xx.175.190.90.dyn.estpak.ee [xx.190.175.78])
        by Relayhost2.neti.ee (Postfix) with SMTP id CE2621F9E65
        for <.....@online.ee>; Tue, 20 Jan 2009 23:29:07 +0200 (EET)
Message-ID: <115a01c97b46$1617de80$7901a8c0@mada30>
From: "........" <.......l@xxxxx.ee>
To: "RA" <......@online.ee>
Subject: ***SPAM*** =?iso-8859-1?Q?m=E4lupulgad?=
Date: Tue, 20 Jan 2009 23:28:50 +0200
Organization: Law Offices
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="----=_NextPart_000_1156_01C97B56.D9790240";
        type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.2962

--------------------------

Return-Path: <....@la.tln.edu.ee>
Received: from MXR-2.estpak.ee (relay2.neti.ee [88.196.174.133])
         by mbox2-1 (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA;
         Thu, 30 Oct 2008 19:08:14 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
        by MXR-2.estpak.ee (Postfix) with ESMTP id E55736146A2
        for <......@online.ee>; Thu, 30 Oct 2008 19:08:13 +0200 (EET)
X-Virus-Scanned: amavisd-new at estpak.ee
X-Spam-Flag: YES
X-Spam-Score: 6.002
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.002 tagged_above=1 required=4.91
        tests=[BAYES_00=-1, DOS_OE_TO_MX=2.75, DYN_RDNS_SHORT_HELO_HTML=0.499,
        HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033,
        RDNS_DYNAMIC=0.1]
Received: from MXR-2.estpak.ee ([127.0.0.1])
        by localhost (MXR-2.estpak.ee [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id mHS41u6Dm1OE for <.....@online.ee>;
        Thu, 30 Oct 2008 19:08:09 +0200 (EET)
X-SMTP-Auth-NETI-Businesmail: no
Received: from yourahean8fxsm (xxx-250-188-1-tln.edu.estpak.ee [195.250.188.1])
        by Relayhost3.neti.ee (Postfix) with SMTP id EED7FD4CC0
        for <.....@online.ee>; Thu, 30 Oct 2008 19:08:08 +0200 (EET)
Message-ID: <80B98CD35E274C6E99D374D9BDC6A809@yourahean8fxsm>
From: "Mari" <......@la.tln.edu.ee>
To: "RA" <.....@online.ee>
Subject: ***SPAM*** Lasteaed
Date: Thu, 30 Oct 2008 19:08:19 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_00B7_01C93AC2.DEDB4BF0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

------------------------

Return-Path: <andres@xxxx.eu>
Received: from MXR-3.estpak.ee (relay3.neti.ee [88.196.174.134])
         by mbox2-1 (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA;
         Tue, 23 Sep 2008 00:36:56 +0300
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
        by MXR-3.estpak.ee (Postfix) with ESMTP id 97E614A2192
        for <.....@online.ee>; Tue, 23 Sep 2008 00:36:54 +0300 (EEST)
X-Virus-Scanned: amavisd-new at estpak.ee
X-Spam-Score: 1.047
X-Spam-Level: *
X-Spam-Status: No, score=1.047 tagged_above=1 required=4.91
        tests=[BAYES_00=-1, HTML_MESSAGE=0.001, RCVD_IN_SORBS_DUL=2.046]
Received: from MXR-3.estpak.ee ([127.0.0.1])
        by localhost (MXR-3.estpak.ee [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id M6mUOo-prnMu for <.....@online.ee>;
        Tue, 23 Sep 2008 00:36:47 +0300 (EEST)
Received: from inte555 (xxx-35-171-67-dsl.trt.estpak.ee [213.35.171.67])
        by Relayhost1.neti.ee (Postfix) with SMTP id 53F0A1EAA5C
        for <.....@online.ee>; Tue, 23 Sep 2008 00:36:51 +0300 (EEST)
Message-ID: <00a901c91cfb$5154a2c0$0702a8c0@intel...>
From: "Andres" <andres@xxxxx.eu>
To: "RA" <.....@online.ee>
References: <20080922190750.5B575D3BB4@Relayhost3.neti.ee>
Subject: Re: ***SPAM***
Date: Tue, 23 Sep 2008 00:36:47 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_00A6_01C91D14.766AEC40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350



Re: Weird flagging of emails to Spam

Karsten Bräckelmann-2
In reply to this post by John Hardin
I pretty much get the impression we're not talking about the same thing. That
is, mail server admins versus a general user.


On Tue, 2009-01-20 at 17:00 -0800, John Hardin wrote:
> On Tue, 20 Jan 2009, Rops wrote:

> > May it be the result of outgoing and incoming servers being the same??
> > (mail.neti.ee)

Sounds like you mean *your* outgoing and incoming mail servers are the
same. User POV.

What I have pointed out in my previous post are the sending SMTP server
("outgoing" in your Outlook) and the receiving SMTP server aka MX. The
latter is not part of your Outlook config. It is wherever the mail will
end up waiting for the recipient to read it.


On a related note, as I asked in another way before -- where do you send
the email to? Not asking for the full recipient's address, but if the
recipient's domain is living at the same ISP. Any chance you are sending
either to your own domain, or a domain hosted by the very same ISP?


Also, when you say you are using your ISP's SMTP, and the ISP is
rejecting the messages -- are these the *same*?

There are two different kinds of ISP possible in this context. The
company that provides the Internet line for you. And a hoster where your
domain lives. Both would be valid "ISP's SMTP"...

I guess we need *much* more details about the mail being rejected as
spam. That means full headers, email addresses anonymized.


> > I'd like to ask my ISP later, but first I need to know what's wrong, as
> > otherwise I most likely wouldn't get any reply.

IMHO you should consider asking them now...

*They* are rejecting *your* email, right? Are you sure it is your
"outgoing mail server" that rejects them?


> > The blacklisting is often a problem, as sometimes my messages have been
> > rejected in USA, just because one of my ISP's 500.000 clients has sent
> > spam. Is it the ISP to blame and punish with blacklisting, if there may be
> > some bots working?
>
> The ISP's mail servers shouldn't get blacklisted, just the IP addresses
> that ISP assigns to their customers.

It seems that whatever the ISP is -- the triggering IPs are the dial-up
ones. Strange though, that there are 3 different samples of basically
the same issue, if so...



Re: Weird flagging of emails to Spam

hamann.w
In reply to this post by Rops
Hi Roberta,

I think the problem lies in just this snippet:

>> X-SMTP-Auth-NETI-Businesmail: no
>> Received: from ...mada30 (xx.175.190.90.dyn.estpak.ee [xx.190.175.78])
>> by Relayhost2.neti.ee (Postfix) with SMTP id CE2621F9E65
>> for <.....@online.ee>; Tue, 20 Jan 2009 23:29:07 +0200 (EET)

This reads like a dynamic client originates a message to some (presumably open)
relayhost. In reality I would assume that the sender acts as a civilised one and authenticates
with that "relayhost", which is its outgoing mail server.
Now, an authenticated mail should probably NOT say
x-smtp-auth: no
but the received line SHOULD SAY something like
... by ... with authenticated SMTP
... by ... with ESMTPA
There are a few formats that SA accepts as auth indicators.

So the problem lies with neti.ee - if they are acting as an official outgoing mail server, they
should change their config

Regards
Wolfgang Hamann
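
As an added illustration of the point made in the post above (not code from the thread or from SpamAssassin): a check that finds the hop where the client handed the message to the relay and reports whether that `Received` header records authentication. The keyword set comes from RFC 3848; the "authenticated" text match and all function names are assumptions of this example, not SpamAssassin's own Received parsing.

```python
import re

# "with" protocol keywords that mean the client authenticated (RFC 3848);
# plain SMTP / ESMTP / ESMTPS do not.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

# Constructed sample: the two relay hops of "Message 1", newest first,
# with the elisions ("...", "xx") exactly as posted in the thread.
SAMPLE_RECEIVED = [
    "from Relayhost2.neti.ee (relayhost2.neti.ee [88.196.174.142])\n"
    "\tby MXR-12.estpak.ee (Postfix) with ESMTP id E804D5D42\n"
    "\tfor <......@online.ee>; Tue, 20 Jan 2009 23:29:06 +0200 (EET)",
    "from ...mada30 (xx.175.190.90.dyn.estpak.ee [xx.190.175.78])\n"
    "\tby Relayhost2.neti.ee (Postfix) with SMTP id CE2621F9E65\n"
    "\tfor <.....@online.ee>; Tue, 20 Jan 2009 23:29:07 +0200 (EET)",
]

# Constructed variant: the same submission hop as it could look if the relay
# had recorded SMTP AUTH in the "with" clause.
SAMPLE_AUTHENTICATED = SAMPLE_RECEIVED[1].replace("with SMTP id", "with ESMTPA id")


def parse_hop(header):
    """Extract HELO name, receiving host, protocol and auth flag from one hop."""
    text = " ".join(header.split())               # undo header folding
    helo = re.match(r"from\s+(\S+)", text, re.I)
    by = re.search(r"\bby\s+(\S+)", text, re.I)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text, re.I)
    if by is None:
        raise ValueError("Received header without a 'by' clause")
    keyword = proto.group(1).upper() if proto else ""
    # Heuristic of this example: the protocol keyword, or free text such as
    # "(Authenticated sender: ...)" / "with authenticated SMTP".
    authenticated = keyword in AUTH_PROTOCOLS or "authenticated" in text.lower()
    return {
        "helo": helo.group(1) if helo else None,
        "by": by.group(1),
        "proto": keyword,
        "authenticated": authenticated,
    }


def submission_hop(received):
    """Oldest hop; headers are expected newest first, as in the message."""
    if not received:
        raise ValueError("no Received headers")
    return parse_hop(received[-1])


def unauthenticated_submission(received):
    """True when the first relay did not record any authentication."""
    return not submission_hop(received)["authenticated"]


if __name__ == "__main__":
    print(submission_hop(SAMPLE_RECEIVED))
    print("unauthenticated:", unauthenticated_submission(SAMPLE_RECEIVED))
    print("variant:", parse_hop(SAMPLE_AUTHENTICATED))
```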



Re: Weird flagging of emails to Spam

Kai Schaetzl
In reply to this post by Rops
Rops wrote on Tue, 20 Jan 2009 17:04:37 -0800 (PST):

> Subject: Re: ***SPAM***

This was *not* tagged as spam. This is a reply to your reply to a spam-
tagged message where you didn't remove the tag. Or a reply to your message
that got tagged on the *other* side (and without removal of the tag).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Weird flagging of emails to Spam

Matus UHLAR - fantomas
In reply to this post by hamann.w
> I think the problem lies in just this snippet:
>
> >> X-SMTP-Auth-NETI-Businesmail: no
> >> Received: from ...mada30 (xx.175.190.90.dyn.estpak.ee [xx.190.175.78])
> >> by Relayhost2.neti.ee (Postfix) with SMTP id CE2621F9E65
> >> for <.....@online.ee>; Tue, 20 Jan 2009 23:29:07 +0200 (EET)

On 21.01.09 05:01, [hidden email] wrote:

> This reads like a dynamic client originates a message to some (presumably open)
> relayhost. In reality I would assume that the sender acts as a civilised one and authenticates
> with that "relayhost", which is its outgoing mail server.
> Now, an authenticated mail should probably NOT say
> x-smtp-auth: no
> but the received line SHOULD SAY something like
> ... by ... with authenticated SMTP
> ... by ... with ESMTPA
> There are a few formats that SA accepts as auth indicators.
>
> So the problem lies with neti.ee - if they are acting as an official outgoing mail server, they
> should change their config

And that is also why those messages have *_TO_MX* scores. They were
apparently sent from a dynamic IP to the mail server without authentication,
or the authentication info is not mentioned in the headers.

If the ISP's MTA properly tags mail received using authentication, and
SA uses that info, mail will not match *_TO_MX* so it (probably) won't
be marked as spam.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler