Main Content

SpamAssassin Research & Battle

I’ve been doing a lot of spam research lately and trying to figure out why certain email messages were being tagged as [Spam] in the subject line and others weren’t. Now, this isn’t your typical spam, it’s legit emails and ones that shouldn’t be marked. All the obvious items were checked into and no issues were found. No pills were sold, no unsuspecting targets, but the issue remained.

My main issue was with SpamAssassin. I know that it was tagging the subject of a lot of emails with [Spam] and I wanted to know why. They only thing I could really come up with was that those that were marked had FORGED_RCVD_HELO in the header source. But what does that mean?

After a lot of research, I realized that there is nothing on the internet to tell a guy what that means. Unless you are a server geek and are the one running SpamAssassin, then maybe there is something out there.

Then it hit me, the emails that were tagged as [Spam] by SpamAssassin were coming to an email account that was forwarded to another. SpamAssassin was noticing that the person the email was coming to was not actually who it was sent to. So, it thought it was spam. Thus FORGED_RCVD_HELO means that who the message was sent to is not who received it.

Example: An email was sent to [email protected] but that account was setup to forward to [email protected]. If is running SpamAssassin, then it’d determine that the email was spam because it wasn’t set to [email protected], but it was arriving in that inbox.

That was just one piece of my puzzle. To make it even more fun, Norton and McAfee can also tag emails as [Spam] based on it’s own filters. However, that’s a different issue all together.

So, how do you avoid your legit emails showing up in your inbox from being tagged as spam? Good question. First be sure that you are sending good, clean emails and avoiding any obvious mistakes. Then, make sure that the email address that was sent to is the one receiving the email. Only the email receiver can know this. You may also need to look into your computers anti spam/virus software and ensure it’s not doing any of the marking either.

If you haven’t figured it out by now, it’s a bit complex and hard to explain. It’s also different for everyone. However, if your researching the issue, I hope my post helped you out a little.

Leave a Reply