MCP logging action question

Wed May 18 11:52:52 IST 2005

On 18 May 2005, at 11:44, Quentin Campbell wrote:

>> -----Original Message-----
>> From: MailScanner mailing list
>> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>> Sent: 18 May 2005 11:03
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: MCP logging action question
>>
>> On 18 May 2005, at 10:57, Quentin Campbell wrote:
>>
>>
>>> Am using MCP facility for first time to deal with "German" spam from
>>> Sober.Q worm.
>>>
>>> In MailScanner.conf have:
>>>
>>> MCP Checks = yes
>>>
>>> # Do the spam checks first, or the MCP checks first?
>>> # This cannot be the filename of a ruleset, only a fixed value.
>>> First Check = mcp
>>>
>>> # The rest of these options are clones of the equivalent spam
>>> options
>>> MCP Required SpamAssassin Score = 1
>>> MCP High SpamAssassin Score = 10
>>> MCP Error Score = 1
>>>
>>> MCP Header = X-%org-name%-MailScanner-MCPCheck:
>>> Non MCP Actions = deliver
>>> MCP Actions = deliver
>>>
>>
>> I suspect you mean "delete" and not "deliver".
>>
>
> I only want "delete" action if MCP score >= 10. Otherwise deliver. I
> thought that is what I have specified?

But what score have you attached to your MCP rule(s)?

>

>
>>
>>
>>> High Scoring MCP Actions = delete
>>> Bounce MCP As Attachment = no
>>>
>>> MCP Modify Subject = yes
>>> MCP Subject Text = {MCP?}
>>> High Scoring MCP Modify Subject = yes
>>> High Scoring MCP Subject Text = {MCP?!}
>>>
>>> Is Definitely MCP = no
>>> Is Definitely Not MCP = no
>>> Definite MCP Is High Scoring = no
>>> Always Include MCP Report = yes
>>> Detailed MCP Report = yes
>>> Include Scores In MCP Report = yes
>>> Log MCP = yes
>>>
>>> I am seeing as expected in the logs:
>>>
>>> May 18 10:43:24 cheviot8 MailScanner[1518]: Message j4I9gwgT004139
>>> from
>>> 128.240.233.53 (xxx at hotmail.com) to maildb.ncl.ac.uk is MCP, MCP-
>>> Checker
>>> (score=10, required 1, PROLO_GMCP24 10.00)
>>>
>>> BUT I am not seeing in the logs the expected
>>>
>>> ...MCP Actions: message j4I9gwgT004139 actions are delete
>>>
>>> although the message does not appear to be delivered according to
>>> the
>>> logs.
>>>
>>> I am running MS 4.41.3-1.
>>>
>>> NOTE: I am doing the Sober.Q filtering with MCP rather than normal
>>> spam
>>> filtering because we whitelist from spam tagging some domains from
>>> which
>>> the Sober.Q messages apparently originate.
>>>
>>>
>>>
>>> Quentin
>>> ---
>>> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>>>                            University of Newcastle,
>>>                            Newcastle upon Tyne,
>>> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>>>
>>>
>> ---------------------------------------------------------------------
>> -
>>
>>> --
>>> "Any opinion expressed above is mine. The University can get
>>>
>> its own."
>>
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!