
half of spam message flagged as ham

Posted: Wed Jan 15, 2014 9:06 am
by rdewild
We were getting hammered with spam this morning. When I reviewed the MagicSpam log file, I found that half of the messages, all similar in nature and from the same sender at a dozen different domains, were flagged as SPAM and the other half as HAM.

I cannot seem to add "Nitroxin@*" as a blacklisted sender, as wildcards are not allowed, but the domain is constantly changing.
Any thoughts?

2014-01-14 06:21:36 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:36 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:36 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:37 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:45 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=

2014-01-14 06:24:55 magicspam-mailenable[2176]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:24:56 magicspam-mailenable[2176]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:52:10 magicspam-mailenable[3824]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:52:11 magicspam-mailenable[3824]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:52:11 magicspam-mailenable[3824]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:54:12 magicspam-mailenable[4452]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[174.139.85.123:174.139.85.123.static.customer.krypt.com],helo=<mona123.cvarieties.com>,from=<AIG_Direct_Inc@cvarieties.com>,rcpt=
2014-01-14 06:54:43 magicspam-mailenable[1940]: SPAM[valid_helo_domain]: mua=0,ip=[176.9.50.48:mixoteka.com],helo=<Debian-60-squeeze-64-LAMP>,from=<www-data@mixoteka.com>,rcpt=

Re: half of spam message flagged as ham

Posted: Wed Jan 15, 2014 11:45 am
by magicspam
Hello,

Thank you for your post!

It looks like the messages that were not blocked, as shown in your log, were sent from an IP address that was not caught by the same anti-spam rule "check_dynamic_reverse_dns" due to its PTR record.

We noticed however that the IP address "192.3.206.13" is listed on two block lists: PSBL and MIPSPACE.

You might want to enable one or two of these IP Reputation Lists via your MagicSpam dashboard.


Please let us know if you have any further questions!
-- MagicSpam Support Team --
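To make the support team's point concrete, here is an added example (not MagicSpam code and not part of the original thread). It parses the verdict lines quoted above, shows that the same "Nitroxin" campaign splits HAM/SPAM purely by connecting IP, classifies each IP's reverse DNS the way a dynamic-PTR heuristic would see it (MagicSpam logs a missing PTR as "." after the colon; the classifier here is an assumption, not MagicSpam's actual rule), and builds the reversed-octet query name an IP reputation list lookup uses. Only the PSBL zone (psbl.surriel.com) is named, because it is public; the MIPSPACE zone is not given here. The resolver used in the demo is a constructed stub so the script runs offline; pass socket.gethostbyname for a live query.

```python
"""Added example: why a PTR-pattern rule splits one spam run into HAM and
SPAM, and how an IP reputation (DNSBL) lookup covers the missed half."""
import re
import socket
from collections import Counter, defaultdict

PSBL_ZONE = "psbl.surriel.com"  # public PSBL zone; other lists have their own

# Constructed sample: the verdict lines quoted in the thread (rcpt= trimmed).
SAMPLE_LOG = """\
2014-01-14 06:21:36 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:36 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:36 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:37 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:21:45 magicspam-mailenable[1528]: HAM: mua=0,ip=[192.3.206.13:.],helo=<wkeo13.prospriti.com>,from=<Nitroxin@prospriti.com>,rcpt=
2014-01-14 06:24:55 magicspam-mailenable[2176]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:24:56 magicspam-mailenable[2176]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:52:10 magicspam-mailenable[3824]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:52:11 magicspam-mailenable[3824]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:52:11 magicspam-mailenable[3824]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[64.120.241.66:64-120-241-66.static.hostnoc.net],helo=<dsu66.servicfor.com>,from=<Nitroxin@servicfor.com>,rcpt=
2014-01-14 06:54:12 magicspam-mailenable[4452]: SPAM[check_dynamic_reverse_dns]: mua=0,ip=[174.139.85.123:174.139.85.123.static.customer.krypt.com],helo=<mona123.cvarieties.com>,from=<AIG_Direct_Inc@cvarieties.com>,rcpt=
2014-01-14 06:54:43 magicspam-mailenable[1940]: SPAM[valid_helo_domain]: mua=0,ip=[176.9.50.48:mixoteka.com],helo=<Debian-60-squeeze-64-LAMP>,from=<www-data@mixoteka.com>,rcpt=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) magicspam-mailenable\[(?P<pid>\d+)\]: "
    r"(?P<verdict>HAM|SPAM)(?:\[(?P<rule>[^\]]+)\])?: "
    r"mua=(?P<mua>\d+),ip=\[(?P<ip>[\d.]+):(?P<rdns>[^\]]*)\],"
    r"helo=<(?P<helo>[^>]*)>,from=<(?P<from>[^>]*)>,rcpt=(?P<rcpt>.*)$"
)


def parse_log(text):
    """Return one dict per MagicSpam verdict line; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, map(str.strip, text.splitlines())) if m]


def classify_rdns(ip, rdns):
    """Stand-in for a dynamic-reverse-DNS heuristic (assumption: MagicSpam's real
    rule is not shown on the page).  A missing PTR is logged as '.'; a PTR that
    spells out the address (dotted or dashed) is the generic/dynamic pattern."""
    if rdns in ("", "."):
        return "missing"            # nothing for a PTR-pattern rule to match
    tokens = set(re.split(r"[.-]", rdns.lower()))
    if all(octet in tokens for octet in ip.split(".")):
        return "dynamic-looking"    # e.g. 64-120-241-66.static.hostnoc.net
    return "named"


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the list answers the query with a 127.0.0.x A record."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:                 # NXDOMAIN (not listed) or no network
        return False
    return answer.startswith("127.0.0.")


def verdicts_by(records, key):
    """Count HAM/SPAM per value of `key`: a log field, or 'localpart' of from=."""
    counts = defaultdict(Counter)
    for r in records:
        value = r["from"].split("@")[0] if key == "localpart" else r[key]
        counts[value][r["verdict"]] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per sender local part:", verdicts_by(recs, "localpart"))
    print("per connecting IP:    ", verdicts_by(recs, "ip"))
    for ip, rdns in sorted({(r["ip"], r["rdns"]) for r in recs}):
        print(f"{ip:16} rDNS={rdns!r:45} -> {classify_rdns(ip, rdns)}")
    # Constructed resolver mirroring the PSBL listing the support team reported;
    # replace `stub` with socket.gethostbyname for a live lookup.
    fake_answers = {dnsbl_query_name("192.3.206.13", PSBL_ZONE): "127.0.0.2"}

    def stub(name):
        if name not in fake_answers:
            raise socket.gaierror("NXDOMAIN")
        return fake_answers[name]

    print("192.3.206.13 listed on PSBL:", dnsbl_listed("192.3.206.13", PSBL_ZONE, stub))
```

The output makes the asymmetry visible: every "Nitroxin" message is the same campaign, but the five from 192.3.206.13 carry no PTR at all, so a rule keyed on PTR patterns has nothing to match, while 64.120.241.66 and 174.139.85.123 embed their address in the hostname and trip it. An IP reputation list is keyed on the address itself, which is why enabling PSBL or MIPSPACE in the dashboard closes that gap without needing a wildcard sender blacklist.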

Re: half of spam message flagged as ham

Posted: Wed Jan 15, 2014 12:18 pm
by rdewild
Thank you.
The PSBL list was enabled, but the MIPSPACE was not.
I enabled it so we'll see if this makes a difference.

Thanks