Problems with AOL's TOS reports
6 answers - 8691 bytes

In order to keep our mail flowing to AOL members, I've signed up through
the AOL postmaster service to receive TOS reports. Basically, whenever
someone reports mail from our domains as spam, AOL forwards it to me.
(They delete the addressee from the headers, although not completely so
sometimes.)

Anyhow, when it arrives, SA classifies it as spam. What's the reason for
the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I
overrode them by whitelisting the sender (scomp (AT) aol (DOT) net)?
 pts  rule name              description
 2.2  SARE_SPEC_CLIENT_TOS2  known spammer address
 1.0  NO_REAL_NAME           From: does not include a real name
 2.2  SARE_SPEC_CLIENT_TOS   high tech impulse spam sign
-0.0  SPF_PASS               SPF: sender matches SPF record
-2.6  BAYES_00               BDY: Bayesian spam probability is 0 to 1%
                             [score: 0.0000]
 0.0  HTML_MESSAGE           BDY: HTML included in message
 0.2  DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.7  DNS_FROM_RFC_POST      RBL: Envelope sender in postmaster.rfc-ignorant.org
 1.6  FORGED_MSGID_AOL       Message-ID is forged, (aol.com)
-1.2  AWL                    AWL: From: address is in the auto white-list
The headers look like this:
Microsoft Mail Internet Headers Version 2.0
Received: from enoch.cciminstitute.com ([10.0.2.195]) by
eve.cciminstitute.com with Microsoft SMTPSVC(5.0.2195.6713);
Thu, 1 Dec 2005 18:29:18 -0600
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20])
by enoch.cciminstitute.com (8.13.1/8.13.1) with ESMTP id jB20TD75022197;
Thu, 1 Dec 2005 18:29:13 -0600
Received: from scmp-m23.mail.aol.com (scmp-m23.mail.aol.com
[172.21.28.106]) by omr-m08.mx.aol.com (v107.10) with ESMTP id
RELAYIN7-8438f95576; Thu, 01 Dec 2005 19:29:11 -0400
Received: from imo-d21.mx.aol.com (imo-d21.mail.aol.com
[172.18.157.195]) by scmp-m23.mail.aol.com (v98.19) with ESMTP id
RELAYIN2-3438f95441a; Thu, 01 Dec 2005 19:28:52 -0400
Received: from undisclosed (AT) undisclosed (DOT) com
by imo-d21.mx.aol.com (mail_out_v38_r6.3.) id f.2b7.128060a (58677)
for <scomp (AT) aol (DOT) net>; Thu, 1 Dec 2005 19:28:45 -0500 (EST)
From: <scomp (AT) aol (DOT) net>
Message-ID: <2b7.128060a.30c0ef3d (AT) aol (DOT) com>
Date: Thu, 1 Dec 2005 19:28:45 EST
Subject: *SPAM* Client TOS Notification
To: <undisclosed_recipients (AT) aol (DOT) com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=""
X-Mailer: 9.0 for scomp (AT) aol (DOT) net
X-AOL-COUNTRY-CODE: US
X-Spam-Flag: YES
X-AOL-IP: 172.21.28.106
X-Loop: scomp
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0
(enoch.cciminstitute.com [10.0.2.195]); Thu, 01 Dec 2005 18:29:13 -0600
(CST)
X-Virus-Scanned: ClamAV version 0.87.1, clamav-milter version 0.87 on
enoch.cciminstitute.com
X-Virus-Status: Clean
X-Spam-Status: Yes, score=5.2 required=4.0 tests=AWL,BAYES_00,
  DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_MSGID_AOL,HTML_MESSAGE,
  NO_REAL_NAME,SARE_SPEC_CLIENT_TOS,SARE_SPEC_CLIENT_TOS2,SPF_PASS
  autolearn=no version=3.1.0
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
enoch.cciminstitute.com
Return-Path: scomp (AT) aol (DOT) net
X-OriginalArrivalTime: 02 Dec 2005 00:29:18.0390 (UTC)
  FILETIME=[6E99C560:01C5F6D7]
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
X-Envelope-From: <scomp (AT) aol (DOT) net>
X-Envelope-To: <spamtrap (AT) cciminstitute (DOT) com>
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20]) by
enoch.cciminstitute.com;
X-Envelope-To: <webmaster (AT) cciminstitute (DOT) com>
Received: from scmp-m23.mail.aol.com (scmp-m23.mail.aol.com
[172.21.28.106]) by omr-m08.mx.aol.com (v107.10) with ESMTP id
RELAYIN7-8438f95576; Thu, 01 Dec 2005 19:29:11 -0400
Received: from imo-d21.mx.aol.com (imo-d21.mail.aol.com
[172.18.157.195]) by scmp-m23.mail.aol.com (v98.19) with ESMTP id
RELAYIN2-3438f95441a; Thu, 01 Dec 2005 19:28:52 -0400
Received: from undisclosed (AT) undisclosed (DOT) com
by imo-d21.mx.aol.com (mail_out_v38_r6.3.) id f.2b7.128060a (58677)
for <scomp (AT) aol (DOT) net>; Thu, 1 Dec 2005 19:28:45 -0500 (EST)
From: <scomp (AT) aol (DOT) net>
Message-ID: <2b7.128060a.30c0ef3d (AT) aol (DOT) com>
Date: Thu, 1 Dec 2005 19:28:45 EST
Subject: Client TOS Notification
To: <undisclosed_recipients (AT) aol (DOT) com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=""
X-Mailer: 9.0 for scomp (AT) aol (DOT) net
X-AOL-COUNTRY-CODE: US
X-AOL-IP: 172.21.28.106
X-Loop: scomp
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0
(enoch.cciminstitute.com [10.0.2.195]); Thu, 01 Dec 2005 18:29:13 -0600
(CST)
X-Virus-Scanned: ClamAV version 0.87.1, clamav-milter version 0.87 on
enoch.cciminstitute.com
X-Virus-Status: Clean
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Content-Type: message/rfc822
Content-Disposition: inline
Return-Path: <designees-bounces (AT) ccim (DOT) com>
Received: from rly-yc05.mail.aol.com (rly-yc05.mail.aol.com
[172.18.205.148]) by air-yc04.mail.aol.com (v107.13) with ESMTP id
MAILINYC44-1d9438f45e7368; Thu, 01 Dec 2005 13:50:30 -0500
Received: from ldap1.ccim.com (ldap1.ccim.com [198.104.132.226]) by
rly-yc05.mail.aol.com (v107.13) with ESMTP id
MAILRELAYINYC53-1d9438f45e7368; Thu, 01 Dec 2005 13:50:15 -0500
Received: from ldap1.ccim.com (localhost [127.0.0.1])
by ldap1.ccim.com (8.12.11/8.12.11) with ESMTP id jB1IN5rE003286
for <bairdflier (AT) aol (DOT) com>; Thu, 1 Dec 2005 13:49:13 -0500
Received: from enoch.cciminstitute.com (enoch.cciminstitute.com
[12.40.135.196])
by ldap1.ccim.com (8.12.11/8.12.11) with ESMTP id jB1FNIi014070
for <designees (AT) lists (DOT) ccim.com>; Thu, 1 Dec 2005 10:24:23 -0500
Received: from eve.cciminstitute.com (eve.cciminstitute.com [10.0.2.7])
by enoch.cciminstitute.com (8.13.1/8.13.1) with SMTP id jB1FJ9Z022174
for <designees (AT) ccim (DOT) com>; Thu, 1 Dec 2005 09:24:19 -0600
content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
Date: Thu, 1 Dec 2005 09:24:21 -0600
Message-ID: <@eve.cciminstitute.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RERC/CCIM ITQ -- Market Data Equals Power
Thread-Index:
From: "CCIM Member Communications"
<CCIMMemberCommunications (AT) cciminstitute (DOT) com>
To: <Undisclosed Recipients>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0
(ldap1.ccim.com [127.0.0.1]); Thu, 01 Dec 2005 13:49:13 -0500 (EST)
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-2.0
(ldap1.ccim.com [198.104.132.226]);
Thu, 01 Dec 2005 10:24:23 -0500 (EST)
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-2.0
(enoch.cciminstitute.com [10.0.2.195]);
Thu, 01 Dec 2005 09:24:19 -0600 (CST)
X-Virus-Scanned: ClamAV version 0.87.1,
clamav-milter version 0.87 on ldap1.ccim.com
X-Virus-Scanned: ClamAV version 0.87.1,
clamav-milter version 0.87 on enoch.cciminstitute.com
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.5 required=4.0 tests=AWL,BAYES_00,HTML_MESSAGE
autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ldap1.ccim.com
X-Mailman-Approved-At: Thu, 01 Dec 2005 11:14:20 -0500
Subject: [Designees] RERC/CCIM ITQ -- Market Data Equals Power
X-BeenThere: designees (AT) ccim (DOT) com
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: Designees List <designees.ccim.com>
List-Unsubscribe: <>,
<mailto:designees-request (AT) ccim (DOT) com?subject=unsubscribe>
List-Archive: <>
List-Post: <mailto:designees (AT) ccim (DOT) com>
List-Help: <mailto:designees-request (AT) ccim (DOT) com?subject=help>
List-Subscribe: <>,
<mailto:designees-request (AT) ccim (DOT) com?subject=subscribe>
Content-Type: multipart/mixed; boundary="0292989648=="
Sender: designees-bounces (AT) ccim (DOT) com
Errors-To: designees-bounces (AT) ccim (DOT) com
X-AOL-IP: 198.104.132.226
X-Mailer: Unknown (No Version)
No.1 (624 bytes)

Steven Stern wrote on Thu, 01 Dec 2005 20:57:45 -0600:
> In order to keep our mail flowing to AOL members, I've signed up through
> the AOL postmaster service to receive TOS reports. Basically, whenever
> someone reports mail from our domains as spam, AOL forwards it to me.

Be careful about that. That's what they say. Actually, it seems they have
their own filters additionally and send you everything they *think* is
spam. I've been getting a lot of TOS reports which weren't spam and where I
was able to ask the recipient and they said "No, I didn't hit the button".

Kai
No.2 (804 bytes)

* Kai Schaetzl <maillists (AT) conactive (DOT) com>:
>> In order to keep our mail flowing to AOL members, I've signed up through
>> the AOL postmaster service to receive TOS reports. Basically, whenever
>> someone reports mail from our domains as spam, AOL forwards it to me.
>
> Be careful about that. That's what they say. Actually, it seems they have
> their own filters additionally and send you everything they *think* is
> spam. I've been getting a lot of TOS reports which weren't spam and where I
> was able to ask the recipient and they said "No, I didn't hit the button".

Yeah, I also get lots of crap that is DEFINITELY not spam and that nobody
in his/her sane mind would declare as spam. But then nobody
in his/her sane mind would use AOL, either.
No.3 (2635 bytes)

Charles Sprickman wrote:
> Fri, 2 Dec 2005, Ralf Hildebrandt wrote:
>> * Kai Schaetzl <maillists (AT) conactive (DOT) com>:
>>>> In order to keep our mail flowing to AOL members, I've signed up
>>>> through the AOL postmaster service to receive TOS reports. Basically,
>>>> whenever someone reports mail from our domains as spam, AOL forwards
>>>> it to me.
>>>
>>> Be careful about that. That's what they say. Actually, it seems they
>>> have their own filters additionally and send you everything they
>>> *think* is spam. I've been getting a lot of TOS reports which weren't
>>> spam and where I was able to ask the recipient and they said "No, I
>>> didn't hit the button".
>>
>> Yeah, I also get lots of crap that is DEFINITELY not spam and that nobody
>> in his/her sane mind would declare as spam. But then nobody
>> in his/her sane mind would use AOL, either.
>
> Yeah, I'm fairly certain after speaking with someone who routinely deals
> directly with AOL's "postmaster" folks that these are all button pushes.
> Never underestimate the stupidity of the average computer user. AOL
> does not help matters by putting the "report as spam" button next to the
> "delete" button in their mail client.
>
> Charles

I deal with aol (I call it AHELL) a lot through their loopback and,
besides them placing the buttons for 'delete' and 'report as spam'
really close, if a spam is deleted from their spam folder it is the same
as pushing 'report as spam'; also, after 4 days, if left in the spam
folder it is deleted by their system and reported as spam. (Really not a
good thing[tm] with the holiday travel coming up.)

From talking to several folks who use aol, it seems if a message lands in
the spam bucket it needs to be highlighted and then 'this is not spam'
needs to be hit.

Of course, when my Dad first got on the 'net he signed up for, you
guessed it, aol, and it only took me an hour to get him a real 'net
connection and all set up, but it took him having to cancel the credit
card he used before they stopped billing for it. (He called for like 6
months, at least, wanting his service canceled.) (This all happened a
few years ago, like 1997 or so. I've heard they somewhat have a handle on
this but still hear of it happening to people.)

-Doc (Who laughs so hard sometimes at the commercials about aol on TV)
No.4 (1308 bytes)

Fri, 2 Dec 2005, Ralf Hildebrandt wrote:
> * Kai Schaetzl <maillists (AT) conactive (DOT) com>:
>>> In order to keep our mail flowing to AOL members, I've signed up through
>>> the AOL postmaster service to receive TOS reports. Basically, whenever
>>> someone reports mail from our domains as spam, AOL forwards it to me.
>>
>> Be careful about that. That's what they say. Actually, it seems they have
>> their own filters additionally and send you everything they *think* is
>> spam. I've been getting a lot of TOS reports which weren't spam and where I
>> was able to ask the recipient and they said "No, I didn't hit the button".
>
> Yeah, I also get lots of crap that is DEFINITELY not spam and that nobody
> in his/her sane mind would declare as spam. But then nobody
> in his/her sane mind would use AOL, either.

Yeah, I'm fairly certain after speaking with someone who routinely deals
directly with AOL's "postmaster" folks that these are all button pushes.
Never underestimate the stupidity of the average computer user. AOL does
not help matters by putting the "report as spam" button next to the
"delete" button in their mail client.

Charles
No.5 (1693 bytes)

Hello Steven,

Thursday, December 1, 2005, 6:57:45 PM, you wrote:

SS> In order to keep our mail flowing to AOL members, I've signed up through
SS> the AOL postmaster service to receive TOS reports. Basically, whenever
SS> someone reports mail from our domains as spam, AOL forwards it to me.

SS> Anyhow, when it arrives, SA classifies it as spam. What's the reason for
SS> the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I
SS> overrode them by whitelisting the sender (scomp (AT) aol (DOT) net)?

The reason is that people on our systems here that have not subscribed
to this service are receiving spam with exactly these characteristics.
I believe that some spammer (or ratware) is mimicking the AOL
service's characteristics in order to get their spam through people's
whitelists.

When I put these rules together, I wasn't aware of AOL's service and
its email characteristics, and nobody else in any of the several SARE
mass-checks had any hits at all, so there was no indication through
that means that this was a Bad Rule (tm).

1) If you subscribe to this service, or any domain you process mail
for does, zero the score on these rules.

2) As soon as I get back from vacation, I'll zero the scores on those
rules in the production files, and see if I can figure out how to
identify the spammer as opposed to the service.

3) Yes, whitelist scomp (AT) aol (DOT) com, but do so through an unforgeable
means, such as SPF or RCVD. Do not use a simple whitelist from, since
that's what the spammer is hoping you will do.

Bob Menschel
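Bob's three points map onto a handful of lines in SpamAssassin's local.cf. The fragment below is an added example written for this page, not something posted in the thread; it uses the real SpamAssassin directives score, whitelist_from, whitelist_from_rcvd and whitelist_from_spf, and names the two SARE rules from the score listing above. The weak setting is shown commented out next to the two stronger forms.

```conf
# local.cf excerpt (added example, not from the thread)

# Weak: whitelist_from matches only the From: header, which any sender can
# type in. The spam that mimics the feedback-loop notices would sail
# through on this line alone, so it stays commented out.
# whitelist_from scomp@aol.net

# Stronger: the From: must match AND the last untrusted relay in the
# Received: chain must have reverse DNS inside aol.com (the relay in the
# quoted headers is omr-m08.mx.aol.com, which qualifies).
whitelist_from_rcvd scomp@aol.net aol.com

# Or: the From: must match AND the sending domain's SPF check must pass
# (the quoted report already hit SPF_PASS).
whitelist_from_spf scomp@aol.net

# Point 1: neutralise the two SARE rules for a site that receives the
# notices. A score of 0 keeps the rule visible in X-Spam-Status without
# contributing to the total.
score SARE_SPEC_CLIENT_TOS  0
score SARE_SPEC_CLIENT_TOS2 0
```

Either of the two whitelist lines is enough on its own; the rcvd form depends on trusted_networks being set correctly so SpamAssassin knows which Received: header marks the edge of your own infrastructure, while the spf form depends on the SPF plugin being loaded and DNS being reachable at scan time.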
No.6 (1775 bytes)

Robert Menschel wrote:
> Hello Steven,
>
> Thursday, December 1, 2005, 6:57:45 PM, you wrote:
>
> SS> In order to keep our mail flowing to AOL members, I've signed up through
> SS> the AOL postmaster service to receive TOS reports. Basically, whenever
> SS> someone reports mail from our domains as spam, AOL forwards it to me.
>
> SS> Anyhow, when it arrives, SA classifies it as spam. What's the reason for
> SS> the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I
> SS> overrode them by whitelisting the sender (scomp (AT) aol (DOT) net)?
>
> The reason is that people on our systems here that have not subscribed
> to this service are receiving spam with exactly these characteristics.
> I believe that some spammer (or ratware) is mimicking the AOL
> service's characteristics in order to get their spam through people's
> whitelists.
>
> When I put these rules together, I wasn't aware of AOL's service and
> its email characteristics, and nobody else in any of the several SARE
> mass-checks had any hits at all, so there was no indication through
> that means that this was a Bad Rule (tm).
>
> 1) If you subscribe to this service, or any domain you process mail
> for does, zero the score on these rules.
>
> 2) As soon as I get back from vacation, I'll zero the scores on those
> rules in the production files, and see if I can figure out how to
> identify the spammer as opposed to the service.
>
> 3) Yes, whitelist scomp (AT) aol (DOT) com, but do so through an unforgeable
> means, such as SPF or RCVD. Do not use a simple whitelist from, since
> that's what the spammer is hoping you will do.
>
> Bob Menschel

Thanks. I'm using whitelist_from_spf successfully.
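Why the From:-only whitelist Bob warns against is weaker than the RCVD or SPF forms Steven settled on is easiest to see by running all three checks over two messages: one shaped like the genuine notice quoted at the top of the thread, and one constructed forgery that copies the From: line but arrives from an unrelated relay. The script below is an added illustration, not code from the thread or from SpamAssassin. It simplifies both mechanisms: the "last untrusted hop" is assumed to be the topmost Received: header (SpamAssassin derives it from trusted_networks), and the SPF lookup is replaced by an in-memory table (SPF_STUB) containing the AOL relay IP from the quoted headers. Real SPF evaluates the envelope sender rather than the From: header; the stand-in keys on the From: domain only to keep the example self-contained. The forged sample, its relay name and 192.0.2.10 are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples modelled on the headers quoted in the thread, cut down
# to the fields the checks use. GENUINE is shaped like the real notice;
# FORGED is a hypothetical copy of the From: line arriving from elsewhere
# (192.0.2.10 is a documentation address).
GENUINE = """\
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20])
\tby enoch.cciminstitute.com (8.13.1/8.13.1) with ESMTP id jB20TD75022197;
\tThu, 1 Dec 2005 18:29:13 -0600
Received: from scmp-m23.mail.aol.com (scmp-m23.mail.aol.com [172.21.28.106])
\tby omr-m08.mx.aol.com (v107.10) with ESMTP id RELAYIN7-8438f95576;
\tThu, 01 Dec 2005 19:29:11 -0400
From: <scomp@aol.net>
Subject: Client TOS Notification

(report body)
"""

FORGED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby enoch.cciminstitute.com (8.13.1/8.13.1) with ESMTP id CONSTRUCTED00001;
\tThu, 1 Dec 2005 18:40:00 -0600
From: <scomp@aol.net>
Subject: Client TOS Notification

(spam body)
"""

# Constructed stand-in for an SPF lookup: the IPs a domain authorises to send
# on its behalf. A real check resolves the domain's TXT record; the address
# here is the AOL relay IP that appears in the thread's headers.
SPF_STUB = {"aol.net": {"64.12.138.20"}}

# "from <helo> (<reverse-dns> [<ip>]) by <our-host>", as Sendmail writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
)


def last_external_hop(msg):
    """Return (reverse_dns, ip) of the relay that handed the message to our MTA.

    Assumption: the topmost Received: header was written by our own trusted
    MTA, so the host it names is the last untrusted hop. SpamAssassin works
    this out from trusted_networks / internal_networks; here it is fixed.
    """
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(rcvd.split()))  # unfold the header
        if m:
            return m.group("rdns").lower(), m.group("ip")
    return None, None


def from_address(msg):
    return parseaddr(msg.get("From", ""))[1].lower()


def whitelist_from(msg, addr):
    """Plain From: match: whatever a sender types into From: passes."""
    return from_address(msg) == addr.lower()


def whitelist_from_rcvd(msg, addr, rdns_domain):
    """From: match AND the last untrusted relay's reverse DNS lies in rdns_domain."""
    if not whitelist_from(msg, addr):
        return False
    rdns, _ip = last_external_hop(msg)
    if rdns is None:
        return False
    return rdns == rdns_domain or rdns.endswith("." + rdns_domain)


def whitelist_from_spf(msg, addr):
    """From: match AND the connecting IP is one the sender's domain authorises."""
    if not whitelist_from(msg, addr):
        return False
    domain = addr.rsplit("@", 1)[1].lower()
    _rdns, ip = last_external_hop(msg)
    return ip in SPF_STUB.get(domain, set())


def evaluate(raw):
    """Run the three whitelist styles over one raw message."""
    msg = message_from_string(raw)
    return {
        "whitelist_from": whitelist_from(msg, "scomp@aol.net"),
        "whitelist_from_rcvd": whitelist_from_rcvd(msg, "scomp@aol.net", "aol.com"),
        "whitelist_from_spf": whitelist_from_spf(msg, "scomp@aol.net"),
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, evaluate(raw))
```

The genuine notice passes all three checks; the forgery passes only the From:-only check, because the Received: chain and the connecting IP are written by the relays the message actually crossed, not by the sender. That is the "unforgeable means" in Bob's point 3, and the reason zeroing the SARE scores should be paired with an rcvd or spf whitelist rather than a plain one.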