Spam Scoring

From: Bruce Jones (
Date: Thu Feb 12 2004 - 10:26:33 PST

What follows is a short discussion of virus and spam scanning and
lines in headers.

>From: Bill Barowy <>
>Subject: Is Eugene spamming us?
>Date: Wed, 11 Feb 2004 20:55:33 -0500
>I've acquired the strange habit of reading full email headers, and
>have found something new appearing in Eugene's posts: a Spam-Score
>heading, in particular one with a non-zero and increasing value.

Like many ISPs, UCSD scans incoming email for a predetermined set of
characteristics, and then "scores" the message based on how many of
those characteristics are found in the message. This allows people
to set up filtering in their mail client (Outlook, Eudora, PINE,
etc.), based on how much spam they're willing to endure while
ensuring that no useful mail gets deleted; you pick a spam score
(equal to or greater than "n" points and the message gets dumped).

The lines in the header that are added by UCSD's mail machine look
like this:

X-Spam-Level: Level
X-Spamscanner: (v1.4 Oct 30 2003 22:20:52, 0.0/5.0 2.60)
X-MailScanner: PASSED

Those are the lines from Bill's message, which was not flagged as
spam. If the mail is determined to be spam, the lines look like

X-Spam-Level: Level ***********
X-Spamscanner: (v1.4 Oct 30 2003 22:20:52, 11.8/5.0 2.60)
X-Spam-Flag: Spam YES

The number of asterisks in the "Level" above is the spam score, used
to determine filtering levels.

UCSD is also scanning for viruses, and that line looks like this:

X-MailScanner: PASSED

As you can imagine, managing scanning is a difficult task. The
spammers and the virus writers have the advantage here - scanning
is always, necessarily, one step behind the curve, as initiative
is on the side of the bad guys.

AFAIK, no legitimate email to xmca has been removed because it
contained spam. I'm not so sure about viruses.
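
The threshold filtering described in the message above, as an added example that is not part of the original post or of UCSD's scanner: it reads the quoted header lines and applies the "score >= n gets dumped" rule. The function names are hypothetical, the two messages are constructed from the header lines shown above, and reading the X-Spamscanner pair as score/site threshold is an assumption drawn from those samples.

```python
import re
from email.parser import HeaderParser

# Constructed sample messages built from the header lines quoted in the post.
CLEAN = (
    "X-Spam-Level: Level\n"
    "X-Spamscanner: (v1.4 Oct 30 2003 22:20:52, 0.0/5.0 2.60)\n"
    "X-MailScanner: PASSED\n"
    "Subject: constructed clean sample\n\nbody\n"
)
SPAM = (
    "X-Spam-Level: Level " + "*" * 11 + "\n"
    "X-Spamscanner: (v1.4 Oct 30 2003 22:20:52, 11.8/5.0 2.60)\n"
    "X-Spam-Flag: Spam YES\n"
    "Subject: constructed spam sample\n\nbody\n"
)

LEVEL_RE = re.compile(r"^Level\s*(\**)$")
SCANNER_RE = re.compile(r",\s*(\d+(?:\.\d+)?)/(\d+(?:\.\d+)?)\s")


def spam_level(raw):
    """Asterisk count from X-Spam-Level, or None if absent or malformed.

    If the header occurs more than once, the highest count wins, so an extra
    copy carrying fewer asterisks cannot lower the result.
    """
    msg = HeaderParser().parsestr(raw)
    counts = []
    for value in msg.get_all("X-Spam-Level", []):
        m = LEVEL_RE.match(value.strip())
        if m:
            counts.append(len(m.group(1)))
    return max(counts) if counts else None


def scanner_score(raw):
    """(score, site_threshold) from X-Spamscanner (assumed meaning), or None."""
    value = HeaderParser().parsestr(raw).get("X-Spamscanner", "")
    m = SCANNER_RE.search(value)
    return (float(m.group(1)), float(m.group(2))) if m else None


def should_discard(raw, n):
    """The rule from the post: dump the message when its score is >= n."""
    level = spam_level(raw)
    # Unscored mail is kept, matching the aim that no useful mail is deleted.
    return level is not None and level >= n
```
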



This archive was generated by hypermail 2b29 : Mon Mar 01 2004 - 01:00:08 PST