MCP logging action question
Quentin Campbell
Q.G.Campbell at NEWCASTLE.AC.UK
Wed May 18 13:56:26 IST 2005
>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 18 May 2005 11:53
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: MCP logging action question
>
>On 18 May 2005, at 11:44, Quentin Campbell wrote:
>
>>> -----Original Message-----
>>> From: MailScanner mailing list
>>> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>> Sent: 18 May 2005 11:03
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: Re: MCP logging action question
>>>
>>> On 18 May 2005, at 10:57, Quentin Campbell wrote:
>>>
>>>
>>>> Am using MCP facility for first time to deal with "German"
>spam from
>>>> Sober.Q worm.
>>>>
>>>> In MailScanner.conf have:
>>>>
>>>> MCP Checks = yes
>>>>
>>>> # Do the spam checks first, or the MCP checks first?
>>>> # This cannot be the filename of a ruleset, only a fixed value.
>>>> First Check = mcp
>>>>
>>>> # The rest of these options are clones of the equivalent spam
>>>> options
>>>> MCP Required SpamAssassin Score = 1
>>>> MCP High SpamAssassin Score = 10
>>>> MCP Error Score = 1
>>>>
>>>> MCP Header = X-%org-name%-MailScanner-MCPCheck:
>>>> Non MCP Actions = deliver
>>>> MCP Actions = deliver
>>>>
>>>
>>> I suspect you mean "delete" and not "deliver".
>>>
>>
>> I only want "delete" action if MCP score >= 10. Otherwise deliver. I
>> thought that is what I have specified?
>
>But what score have you attached to your MCP rule(s)?
The score is 10 on each rules. This was shown in the log extract I
provided below. This shows that the "Message ... is MCP ..." with a
score of 10.
>
>>
>
>>
>>>
>>>
>>>> High Scoring MCP Actions = delete
>>>> Bounce MCP As Attachment = no
>>>>
>>>> MCP Modify Subject = yes
>>>> MCP Subject Text = {MCP?}
>>>> High Scoring MCP Modify Subject = yes
>>>> High Scoring MCP Subject Text = {MCP?!}
>>>>
>>>> Is Definitely MCP = no
>>>> Is Definitely Not MCP = no
>>>> Definite MCP Is High Scoring = no
>>>> Always Include MCP Report = yes
>>>> Detailed MCP Report = yes
>>>> Include Scores In MCP Report = yes
>>>> Log MCP = yes
>>>>
>>>> I am seeing as expected in the logs:
>>>>
>>>> May 18 10:43:24 cheviot8 MailScanner[1518]: Message j4I9gwgT004139
>>>> from
>>>> 128.240.233.53 (xxx at hotmail.com) to maildb.ncl.ac.uk is MCP, MCP-
>>>> Checker
>>>> (score=10, required 1, PROLO_GMCP24 10.00)
>>>>
>>>> BUT I am not seeing in the logs the expected
>>>>
>>>> ...MCP Actions: message j4I9gwgT004139 actions are delete
>>>>
>>>> although the message does not appear to be delivered according to
>>>> the
>>>> logs.
>>>>
>>>> I am running MS 4.41.3-1.
>>>>
>>>> NOTE: I am doing the Sober.Q filtering with MCP rather than normal
>>>> spam
>>>> filtering because we whitelist from spam tagging some domains from
>>>> which
>>>> the Sober.Q messages apparently originate.
>>>>
>>>>
>>>>
>>>> Quentin
>>>> ---
>>>> PHONE: +44 191 222 8209 Information Systems and Services (ISS),
>>>> University of Newcastle,
>>>> Newcastle upon Tyne,
>>>> FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
>>>>
>>>>
>>>
>---------------------------------------------------------------------
>>> -
>>>
>>>> --
>>>> "Any opinion expressed above is mine. The University can get
>>>>
>>> its own."
>>>
>>>>
>>>> ------------------------ MailScanner list ------------------------
>>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>> 'leave mailscanner' in the body of the email.
>>>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>>
>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list