untagged messages

hermit921 hermit921 at YAHOO.COM
Thu Feb 5 19:49:12 GMT 2004


At 08:11 AM 2/5/2004, Leland J. Steinke wrote:
>hermit921 wrote:
>>I am still trying to figure out why some messages don't get tagged by
>>MailScanner 4-23, postfix 2.  Every email should get tagged with at least
>>one MailScanner header, but some don't.
>>
>>I came up with an idea.  Is this feasible:
>>Spammer sets up his client to use our mail server as his smtp
>>gateway.  Should work for any message addressed to a user in our domain,
>>but he can't send mail outside.  So spammer addresses a message to
>>usera at mydomain, with CC or BCC to userb, userc, userd, etc.  Now I get
>>fuzzy....
>>
>>One message appears here, postfix dumps it in the hold queue.  Postfix
>>splits it up at the same time, so only the original message gets the
>>MailScanner headers.  Since I can't track the original, I can't verify the
>>presence of headers.
>>
>>Am I way off?
>
>As I recall, the cleanup daemon is what puts the arriving message into the
>hold queue, but it is downstream where the qmgr daemon actually splits
>the message up for different destinations via the trivial-rewrite daemon.
>See http://www.postfix.org/big-picture.html.
>
>I saw one of these untagged messages this morning.  I was able to track it
>through our logs where it did, in fact, get a SA score of 9.7, but there
>were no MS headers in the message at all.  This was in the headers that did
>make it through:
>
>Message-ID: <X[20
>
>We are researching to see if this would make postfix, MailScanner, or
>SpamAssassin choke.  Other than the Message-ID, we saw nothing structurally
>pathological with this message.  Did your untagged message have a similar
>header?
>
>
>Leland

Here is an example with headers and body, with a few changes to protect my
names and IP addresses.

>Received: from mail3.me.com (mail3.me.com [a.b.c.d])
>         by mail.me.com (AIX4.3/8.9.3/8.9.3) with ESMTP id BAA97118
>         for <user at me.com>; Wed, 4 Feb 2004 01:37:42 -0800
>Received: from 66.148.68.10 (server10.enter7.com [66.148.68.10])
>         by mail3.me.com (Postfix) with SMTP id 7AC0B124003
>         for <bin at me.com>; Wed,  4 Feb 2004 01:37:35 -0800 (PST)
>Date: Wed, 04 Feb 2004 04:37:38 -0500
>From: "Norris <nvjzrbinj"@enter7.com
>Message-Id: <20040204093735.7AC0B124003 at mail3.me.com>
>To: undisclosed-recipients:;
>X-UIDL: >-9"!NO+!!Gmf"!$TC!!
>
>
>nurtoplpn at enter7.com


hermit921
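
An added example, not part of the original posts and not MailScanner or Postfix code: one way to find untagged messages in a set of delivered mail and recover the Postfix queue ID needed to follow each one through the logs, as described in the thread. It assumes the site's MailScanner header names contain "MailScanner"; the function names and both sample messages are constructed for illustration.

```python
import email
import re

# Assumption: local MailScanner header names contain "MailScanner"
# (e.g. X-MailScanner, X-<org>-MailScanner); adjust to the site config.
TAG = re.compile(r"mailscanner", re.I)
# Queue ID as Postfix records it in the Received header it adds.
QUEUE_ID = re.compile(r"\(Postfix\)\s+with\s+\S+\s+id\s+([0-9A-F]+)")
# Shape check only: <left@right> with no spaces or stray angle brackets.
MSGID = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")

def audit(raw):
    """Summarise one raw message: tagged?, Postfix queue IDs, Message-ID shape."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    return {
        "tagged": any(TAG.search(name) for name in msg.keys()),
        "queue_ids": [q for r in received for q in QUEUE_ID.findall(r)],
        "message_id_ok": bool(MSGID.match((msg.get("Message-ID") or "").strip())),
    }

def untagged_queue_ids(raw_messages):
    """Queue IDs of messages carrying no MailScanner header, for log lookup."""
    ids = []
    for raw in raw_messages:
        result = audit(raw)
        if not result["tagged"]:
            ids.extend(result["queue_ids"])
    return ids

# Constructed samples: one untagged message with a truncated Message-ID,
# one tagged message with a well-formed Message-ID.
UNTAGGED = (
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    "\tby mail3.example.com (Postfix) with SMTP id 7AC0B124003\n"
    "\tfor <user@example.com>; Wed,  4 Feb 2004 01:37:35 -0800 (PST)\n"
    "Message-ID: <X[20\n"
    "To: undisclosed-recipients:;\n\nbody\n"
)
TAGGED = (
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    "\tby mail3.example.com (Postfix) with ESMTP id 3F2A1124004\n"
    "\tfor <user@example.com>; Wed,  4 Feb 2004 01:40:02 -0800 (PST)\n"
    "Message-ID: <20040204094002.3F2A1124004@mail3.example.com>\n"
    "X-MailScanner: Found to be clean\n\nbody\n"
)

if __name__ == "__main__":
    print(untagged_queue_ids([UNTAGGED, TAGGED]))
```

The returned queue IDs can then be searched for in the mail log to see whether MailScanner ever processed that queue file.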


