Spam Check rule file issues and checking order.

Julian Field MailScanner at ecs.soton.ac.uk
Fri Apr 1 17:27:50 IST 2005



Ugh.

Have you seen the config option in the "Advanced" section of
MailScanner.conf that contains this:

# When trying to work out the value of configuration parameters which are
# using a ruleset, this controls the behaviour when a rule is checking the
# "To:" addresses.
# If this option is set to "yes", then the following happens when checking
# the ruleset:
#   a) 1 recipient. Same behaviour as normal.
#   b) Several recipients, but all in the same domain (domain.com for example).
#      The rules are checked for one that matches the string "*@domain.com".
#   c) Several recipients, not all in the same domain.
#      The rules are checked for one that matches the string "*@*".
#
# If this option is set to "no", then some rules will use the result they
# get from the first matching rule for any of the recipients of a message,
# so the exact value cannot be predicted for messages with more than 1
# recipient.
#
# This value *cannot* be the filename of a ruleset.
Use Default Rules With Multiple Recipients = no


Bob Jones wrote:

> Okay, I'm back with more issues.  MailScanner 4.39.6, Solaris 9,
> Sendmail 8.12.11, SpamAssassin 3.0.2.  So, after the previous discussion
> about what determined when a ruleset would hit to kickoff spam checks,
> we're still having problems.
>
> In the previous thread Julian states:
>
> There is a workaround. Currently, when faced with a message with
> multiple headers, some of which want spam checks and some of which
> don't, it uses the answer for the first recipient. You can change this
> so that it uses any of the recipients by editing
> /usr/lib/MailScanner/MailScanner/ConfigDefs.pl. Look for the line
> starting "SpamChecks". If you look backwards (towards the start of the
> file) from there, you will see that it is in the [First,YesNo] section.
> Move that line into the [All,YesNo] section, then stop and restart
> MailScanner.
>
> We go on to discover that the order depends on the envelope headers, not
> the To: header.  So, with the SpamChecks line in ConfigDefs.pl in the
> [First,YesNo] section it still doesn't appear to work as described.
> Here is what is in our rule file for the Spam Check option:
>
> From:   168.24.85.              no
> From:   168.24.129.             no
> From:   127.0.0.1               no
> To:     ourdesk at usg.edu         no
> To:     abuse at usg.edu           no
> To:     /nic-(tech|billing|admin)@usg.edu/      no
> FromOrTo:       default         yes
>
> So, we telnet to port 25 on the mailserver and manually enter the mail
> from and rcpt to lines.  One time with ourdesk at usg.edu entered first,
> and one time with glenn.leavell at usg.edu entered first.  Here are the
> resulting q* files sendmail generated:
>
> ourdesk then glenn.leavell:
>
> V6
> T1112370112
> K0
> N0
> P60076
> Fs
> $_66-23-211-254.clients.speedfactory.net [66.23.211.254]
> $rSMTP
> $s1pof.org
> ${daemon_flags}
> ${if_addr}168.24.195.10
> Sglenn at leavell.com
> rRFC822; ourdesk at usg.edu
> RPFD:ourdesk at usg.edu
> rRFC822; glenn.leavell at usg.edu
> RPFD:glenn.leavell at usg.edu
> H?P?Return-Path: <<81>g>
> H??Received: from 1pof.org (66-23-211-254.clients.speedfactory.net
> [66.23.211.254])
>         by hermes.bor.usg.edu (8.12.11/8.12.11) with SMTP id
> j31FZrk4021592;
>         Fri, 1 Apr 2005 10:41:52 -0500 (EST)
> H?D?Date: Fri, 1 Apr 2005 10:41:52 -0500 (EST)
> H?F?From: glenn at leavell.com
> H?M?Message-Id: <200504011541.j31FZrk4021592 at hermes.bor.usg.edu>
> H??Subject: mailscanner down: our then glenn
>
>
> glenn.leavell then ourdesk:
>
> V6
> T1112369969
> K0
> N0
> P60076
> Fs
> $_66-23-211-254.clients.speedfactory.net [66.23.211.254]
> $rSMTP
> $s1pof.org
> ${daemon_flags}
> ${if_addr}168.24.195.10
> Sglenn at leavell.com
> rRFC822; glenn.leavell at usg.edu
> RPFD:glenn.leavell at usg.edu
> rRFC822; ourdesk at usg.edu
> RPFD:ourdesk at usg.edu
> H?P?Return-Path: <<81>g>
> H??Received: from 1pof.org (66-23-211-254.clients.speedfactory.net
> [66.23.211.254])
>         by hermes.bor.usg.edu (8.12.11/8.12.11) with SMTP id
> j31FZrk2021592;
>         Fri, 1 Apr 2005 10:39:29 -0500 (EST)
> H?D?Date: Fri, 1 Apr 2005 10:39:29 -0500 (EST)
> H?F?From: glenn at leavell.com
> H?M?Message-Id: <200504011539.j31FZrk2021592 at hermes.bor.usg.edu>
> H??Subject: mailscanner down: glenn then our
>
> So, if what I understand Julian to have said to be true, the first
> message should not be scanned as the first match is with ourdesk which
> matches a rule to not scan and the second one should be scanned as the
> first match is with the default rule.  However, in both instances the
> message is not scanned.
>
> Now for an even weirder (in my mind at least) issue.  So, we move the
> SpamChecks line in ConfigDefs.pl to the [All,YesNo] section.  If we send
> a message originating from IP address 168.24.85.103 (which is in the
> rules file to not be scanned) to ourdesk at usg.edu (which is also in the
> rules file to not be scanned), the message is scanned.  If only one of
> those 2 criteria is used, the message is not scanned (correct result),
> but with both criteria the message *is* scanned.  Any idea what is going
> on with that?
>
> Let me know if you need/want some more details.
>
> Thanks,
> Bob
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
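
A simplified model of the "yes" behaviour described in the configuration comment above, added here as an example (it is not MailScanner's code and not part of the original message). It uses only the To: and default lines of the quoted rule file; the pattern-matching details (case-insensitive, `*` as a wildcard, `/.../` as a regular expression) are assumptions of this sketch.

```python
import re

# Constructed from the To:/default lines of the rule file quoted in the post
# (addresses written with "@" instead of " at "); From: rules are left out.
RULES = [
    ("ourdesk@usg.edu", "no"),
    ("abuse@usg.edu", "no"),
    ("/nic-(tech|billing|admin)@usg.edu/", "no"),
    ("default", "yes"),
]

def lookup_key(recipients):
    """String the To: rules are tested against when the option is 'yes'."""
    rcpts = [r.lower() for r in recipients]
    if len(rcpts) == 1:
        return rcpts[0]                       # case a) one recipient
    domains = {r.rsplit("@", 1)[1] for r in rcpts}
    if len(domains) == 1:
        return "*@" + domains.pop()           # case b) one shared domain
    return "*@*"                              # case c) mixed domains

def pattern_matches(pattern, text):
    """Assumed matching: 'default' always, /re/ as regex, else '*' wildcard."""
    if pattern == "default":
        return True
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], text, re.IGNORECASE) is not None
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

def spam_checks(recipients, rules=RULES):
    """Return (lookup string, value of the first rule that matches it)."""
    key = lookup_key(recipients)
    for pattern, value in rules:
        if pattern_matches(pattern, key):
            return key, value
    raise ValueError("ruleset has no default rule")

if __name__ == "__main__":
    # The two envelope orders from the telnet test, plus a single recipient.
    for rcpts in (["ourdesk@usg.edu", "glenn.leavell@usg.edu"],
                  ["glenn.leavell@usg.edu", "ourdesk@usg.edu"],
                  ["ourdesk@usg.edu"]):
        print(rcpts, "->", spam_checks(rcpts))
```

In this model both envelope orders reduce to the same lookup string, so the result no longer depends on which recipient was entered first.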
