More details in the logs

Jim Holland mailscanner at MANGO.ZW
Mon Mar 1 13:24:58 GMT 2004


Hi

On Mon, 1 Mar 2004, Patrik Bäckström wrote:

> We use MailScanner for several customers/domains (currently version
> 4.25-14) and we would like to gather statistics per customer on how
> many mails scanned (that I can get from postfix), how many rejected
> and why and so on.
>
> Currently, it only tells us that something has been blocked and why,
> but not from or, more important, to who the mail was sent.

I think this is an important requirement.  Unlike with worms, it is not
possible to be 100% certain that a particular message is spam.  I would
like to use a very aggressive spam blocklist - eg dnsbl.net.au.  However if
spam is quarantined without a notice to either sender or recipient it is
quite possible that genuine mail will be lost.  The use of the "notify"
option is not really an option, as I would not like to receive a separate
notification for each of the 150 spam messages per day that people
normally try to send me.  Before using MailScanner we could simply analyse
the sendmail maillog file for details of recipients whose mail had been
blocked.  Sadly, I now see that in a significant number of cases where
spam is blocked there is no longer a sendmail entry indicating who it was
going to be delivered to (see more details appended), and the MailScanner
Spam Actions entry does not indicate the recipient either.

What we are doing now is to run a nightly script that analyses the headers
of all quarantined spam for recipients, and also checks the maillog file
for recipients that might be listed there for the same quarantined
messages.  We then send a summary to our users that lists details of all
quarantined mail.  I think the concept of a daily archival notice is a
good compromise between sending no notices at all and sending a separate
notice for each message.

Another way of handling this issue would be to write the MailScanner
notification messages to a separate log file instead of delivering them to
the recipients.  That log file could then be analysed separately.  However
there is currently no option for sending the notifications anywhere other
than to the recipient.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

Logging of blocked spam

Normally the sendmail maillog file will have the following entries:

        sendmail from= line with details of sender
        sendmail to= line indicating recipient, stat=queued
        MailScanner RBL checks: details of why message is blocked
        MailScanner Message line, eg:
                Message i21D03F24046 from 213.120.110.92
                (manmeet at liquidstorms.com) to mango.zw is spam, spamhaus-XBL
        MailScanner Spam Actions . . . actions are store

For reasons I don't understand, the second (or more, if there are multiple
recipients) sendmail line is not always present, so there is no consistent
log info about the recipient(s).  If the MailScanner Message line could
include the details of the recipients in it then it would be possible to
meet the requirements of Patrik for statistics, and also use it for
purposes of user notifications.

A more advanced option might be for MailScanner to provide a proper daily
archival notification facility rather than the current per message
notification which is really unworkable given the huge volume of spam.
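
The maillog correlation described in this message, sketched as an added example (it is not the nightly script from the post and not MailScanner code): sendmail `to=` lines are joined to MailScanner `Message ... is spam` lines by queue ID, and spam entries with no matching `to=` line are reported separately. The log lines, hosts, queue IDs and addresses are constructed, and the field layout of the sendmail lines is an assumption based on the usual sendmail maillog format.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (hosts, queue IDs and addresses are made up).
SAMPLE_LOG = """\
Mar  1 13:20:01 mx sendmail[2101]: i21D01AA00001: from=<a@example.org>, size=2048, nrcpts=1, relay=[192.0.2.10]
Mar  1 13:20:01 mx sendmail[2101]: i21D01AA00001: to=<alice@customer1.example>, delay=00:00:01, stat=queued
Mar  1 13:20:05 mx MailScanner[900]: Message i21D01AA00001 from 192.0.2.10 (a@example.org) to customer1.example is spam, spamhaus-XBL
Mar  1 13:21:00 mx sendmail[2102]: i21D02BB00002: from=<b@example.net>, size=4096, nrcpts=1, relay=[192.0.2.20]
Mar  1 13:21:04 mx MailScanner[900]: Message i21D02BB00002 from 192.0.2.20 (b@example.net) to customer2.example is spam, spamhaus-XBL
Mar  1 13:22:00 mx sendmail[2103]: i21D03CC00003: from=<c@example.com>, size=1024, nrcpts=1, relay=[192.0.2.30]
Mar  1 13:22:00 mx sendmail[2103]: i21D03CC00003: to=<bob@customer1.example>, delay=00:00:00, stat=queued
"""

# sendmail "to=" line: queue ID, then one or more comma-separated recipients.
TO_RE = re.compile(r"sendmail\[\d+\]: (\w+): to=(.*?), ")
# MailScanner line: queue ID, relay IP, sender, recipient domain, reason.
SPAM_RE = re.compile(
    r"MailScanner\[\d+\]: Message (\w+) from (\S+) \((.*?)\) to (\S+) is spam, (.+)$")


def summarise(log_text):
    """Return (spam per recipient, spam count per domain, spam with no to= line)."""
    recipients = defaultdict(list)  # queue ID -> recipients seen in to= lines
    spam = []                       # parsed MailScanner spam entries
    for line in log_text.splitlines():
        m = TO_RE.search(line)
        if m:
            recipients[m.group(1)] += [r.strip("<>") for r in m.group(2).split(",")]
            continue
        m = SPAM_RE.search(line)
        if m:
            spam.append(m.groups())
    per_recipient = defaultdict(list)
    per_domain = defaultdict(int)
    unresolved = []
    for qid, _relay, sender, domain, reason in spam:
        per_domain[domain] += 1     # per-customer count works without a to= line
        if qid in recipients:
            for rcpt in recipients[qid]:
                per_recipient[rcpt].append((qid, sender, reason))
        else:
            unresolved.append((qid, domain))  # recipient must come from quarantine headers
    return dict(per_recipient), dict(per_domain), unresolved


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

The `unresolved` list is the set of quarantined messages whose recipients can only be recovered from the stored message headers, which is the gap the post describes.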



