2 Replies Latest reply on May 31, 2010 2:10 PM by bwemailsupport1

    Higher spam, TS scoring zero

    bwemailsupport1

      Receiving higher complaints of spam this week.   We updated some rules/configurations within Ironmail last week.

       

      I suspect that Trusted Source is being bypassed but I don't know why.   The examples that clients are submitting show TS: 0 for a score.

       

       

      Suggestions?

       

      ...............................

      1.   Anti-Spam has performed Scores added as a X header by Enterprise Spam Profiler for message 6894121 based on the following rule:

       

          * param :

                o key : ESP<37>=

                o value : [SHA:<0> , UHA:<10> , ISC:<0> , BAYES:<-1> , SenderID:<0> , DKIM:<0> , TS:<0> , SIG:<> , DSC:<19> (ehlo_number_test:<19>) , TRU_embedded_image_spam: <1>, TRU_html_image_spam: <0>, TRU_misc_spam: <0>, TRU_adult_spam: <0>, TRU_spam1: <0>, URL Real-Time Signatures: <0>, TRU_lotto_spam: <0>, TRU_freehosting: <0>, TRU_urllinks: <0>, TRU_phish_spam: <0>, TRU_spam2: <0>, TRU_legal_spam: <5>, TRU_marketing_spam: <3>, TRU_profanity_spam: <0>, TRU_ru_spamsubj: <0>, TRU_stock_spam: <0>, TRU_money_spam: <0>, TRU_scam_spam: <0>, TRU_playsites: <0>, TRU_medical_spam: <0>, TRU_watch_spam: <0>]

          * header : X-esp

       

       

      2.    Anti-Spam has performed New header added by Anti-Spam (Enterprise Spam Profiler) for message 6894121 based on the following rule:

       

          * param :

          * header : X-<spam-25-50>

      .................

        • 1. Re: Higher spam, TS scoring zero

          Can we see the smtpproxy log for the message?  You should be able to find it at the command line with the following:

          show events [date]|grep <messageid>

          Remember that the date field is one day past when the event happened.  Guessing that the message noted in your post came in on the same day as the post, this would be

          show events 20100528 | grep 689412

           

          This will return some lines that are in the format starting

          date|connectionid|eventid|data

           

          We want to take the connection ID, which should be a 14-digit number, and search for that, thereby getting the smtpproxy data.

          show events [date] | grep connectionid

           

          With this data, we can take a look and see what whitelists were hit, and why TrustedSource scored the way that it did.

          • 2. Re: Higher spam, TS scoring zero
            bwemailsupport1

            IronMail 6.7.2 Hotfix 2 has a default behavior of using port 443 (https) for checking TrustedSource reputations.

             

            The IronMail was not allowed to use port 443, only port 53 (DNS) like the old behavior.

             

            As a workaround, Support enabled TrustedSource to use port 53 again -- until the firewall rule is adjusted to allow outgoing port 443.
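
Added example (not part of the thread, and not vendor code): a small parser for the X-esp value format shown in the first post, used to measure how many messages in a batch carry TS:<0>, the symptom that here turned out to be blocked reputation lookups. The function names are hypothetical, and reading the `ESP<37>=` key as the sum of the top-level components is an inference from the single sample posted.

```python
import re

# One "NAME:<value>" pair, e.g. "TS:<0>", "SIG:<>", "TRU_legal_spam: <5>".
PAIR = re.compile(r"([A-Za-z][\w \-]*?)\s*:\s*<(-?\d*)>")
# Parenthesised detail that follows a component, e.g. "(ehlo_number_test:<19>)".
DETAIL = re.compile(r"\([^)]*\)")

# Abridged from the value posted in the thread (zero-scoring TRU_* entries dropped).
THREAD_SAMPLE = ("[SHA:<0> , UHA:<10> , ISC:<0> , BAYES:<-1> , SenderID:<0> , "
                 "DKIM:<0> , TS:<0> , SIG:<> , DSC:<19> (ehlo_number_test:<19>) , "
                 "TRU_embedded_image_spam: <1>, URL Real-Time Signatures: <0>, "
                 "TRU_legal_spam: <5>, TRU_marketing_spam: <3>]")
# Constructed value in the same layout, with a non-zero TS score.
CONSTRUCTED = "[SHA:<0> , UHA:<10> , TS:<25> , SIG:<> , DSC:<0>]"


def parse_esp(value):
    """Parse one X-esp value into {component: int, or None when empty}."""
    top_level = DETAIL.sub("", value)  # drop per-test detail, keep components
    return {name.strip(): (int(raw) if raw.lstrip("-") else None)
            for name, raw in PAIR.findall(top_level)}


def total(scores):
    """Sum the top-level components; empty ones such as SIG:<> add nothing."""
    return sum(v for v in scores.values() if v is not None)


def ts_zero_ratio(values):
    """Fraction of messages carrying a TS component whose TS is exactly 0."""
    ts = [parse_esp(v).get("TS") for v in values]
    ts = [t for t in ts if t is not None]
    return (sum(t == 0 for t in ts) / len(ts)) if ts else None


if __name__ == "__main__":
    scores = parse_esp(THREAD_SAMPLE)
    # In the thread's sample the top-level sum equals the 37 in "ESP<37>=".
    print("total:", total(scores), "TS:", scores["TS"])
    # A ratio near 1.0 over a large batch is the symptom described in the thread.
    print("TS==0 ratio:", ts_zero_ratio([THREAD_SAMPLE, CONSTRUCTED]))
```

A single TS:<0> is not conclusive on its own; the ratio across a day of submitted samples is what separates individual senders scoring zero from lookups that never return a score.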