MCP - does not do what the box says. Is this a known bug? (MS 4.55.7-1)

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Tue Sep 5 10:15:06 IST 2006


I am trying to use MCP to do three different things:

1. delete message with a high MCP score >= 10
2. deliver messages with 1 <= MCP score < 10 to get MCP report in syslog

3. deliver messages with 0 < MCP score  < 1 to get MCP report in message
headers

Use 1 works as expected, deletes message and puts report in syslog.
Use 2 does NOT deliver the message but puts report in log. [** PROBLEM
**]
Use 3 works as expected with report in message headers and no report in
syslog.

Use 1 is self explanatory. Among the classes of messages it deletes are
those that are auto-generated by Outlook's Out of Office wizard in
response to a tagged spam message. All the information needed to
determine and score this class is contained in the Subject: line text of
the message being scanned by MailScanner.

Use 2 complements use 1. I want to deliver Out of Office messages that
are NOT the result of incoming tagged spam but I want to flag these in
syslog. This is so that I can gather stats on the number of OoO messages
we generate and deliver.

Use 3 is to help users whose personal mail filter rules only allows
checks on message headers. I use MCP centrally to determine, for
example, whether the message body contains cyrillic encodings or has
some words that upset particularly sensitive users. The handles of the
particular MCP rules triggered by this use appear in the message headers
and can be looked for in personal mail filter rules as the message is
delivered to recipient mailboxes.

I do not understand why messages with a MCP score = 1 are not delivered.
I am not getting a Sendmail "stat=Sent" record so it appears that
MailScanner is not rewriting the queue files in /var/spool/mqueue for
"MCP Action" is "deliver" messages. However in the case of low scoring
spam where "Spam Action" is also "deliver" then things work as expected.


I am running MailScanner 4.55.7-1 & SpamAssassin 3.1.3 with Sendmail
(8.13) on Red Hat Enterprise Linux AS release 4. The relevant settings
in MailScanner.conf are:

MCP Checks = yes

# Do the spam checks first, or the MCP checks first?
# This cannot be the filename of a ruleset, only a fixed value.
First Check = mcp

# The rest of these options are clones of the equivalent spam options
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1

MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = delete
Bounce MCP As Attachment = no

MCP Modify Subject = no
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = yes
High Scoring MCP Subject Text = {MCP?!}

Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = yes
Detailed MCP Report = yes
Include Scores In MCP Report = yes
Log MCP = yes

MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 75

MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt

The syslog records for a typical message scored by MCP for use 1 are:

...
Sep  5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
from=<nncu at cpx.ncl.ac.uk>, size=1086, class=0, nrcpts=1,
msgid=<EBAC7D3C7B22BE458D41F7BDEC5DBFD21FFA85 at SANMAIL01.campus.ncl.ac.uk
>, proto=ESMTP, daemon=MTA, relay=stromberg.ncl.ac.uk [10.8.234.172]
Sep  5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
milter=milter-link, action=header, continue
Sep  5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
milter=milter-link, action=eoh, continue
Sep  5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
milter=milter-link, action=body, continue
Sep  5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter add:
header: Received-SPF: pass (cheviot4.ncl.ac.uk: 10.8.234.172 is
authenticated by a trusted mechanism)
Sep  5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter accept:
message
Sep  5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
to=<inquiry at learningemall.com>, delay=00:00:00, mailer=esmtp, pri=31086,
stat=queued
Sep  5 06:15:19 cheviot4 MailScanner[12258]: Message k855FG8A007250 from
10.8.234.172 (nncu at cpx.ncl.ac.uk) to learningemall.com is MCP,
MCP-Checker (score=1, required 1, MCP_OOO_2 1.00) 
Sep  5 06:15:19 cheviot4 MailScanner[12258]: MCP Actions: message
k855FG8A007250 actions are deliver 
Sep  5 06:15:21 cheviot4 sendmail[7309]: k855FG8A007250: done;
delay=00:00:05, ntries=1

For comparison, the records for delivered tagged spam are:

...
Sep  5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635:
from=<alyusuf_011 at iol.pt>, size=4098, class=0, nrcpts=1,
msgid=<f74fa78f7505.44fd0534 at iol.pt>, proto=ESMTP, daemon=MTA,
relay=mx1.dc.iol.pt [193.126.240.141]
Sep  5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635:
milter=milter-link, action=header, continue
Sep  5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635:
milter=milter-link, action=eoh, continue
Sep  5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635:
milter=milter-link, action=body, continue
Sep  5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: Milter add:
header: Received-SPF: none (cheviot4.ncl.ac.uk: domain of
alyusuf_011 at iol.pt does not designate permitted sender hosts)
Sep  5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: Milter accept:
message
Sep  5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635:
to=<M.Sussman at newcastle.ac.uk>, delay=00:00:00, mailer=esmtp, pri=34098,
stat=queued
Sep  5 04:03:59 cheviot4 MailScanner[12258]: Message k8533oEX003635 from
193.126.240.141 (alyusuf_011 at iol.pt) to newcastle.ac.uk is spam,
SpamAssassin (not cached, score=17.171, required 6, autolearn=disabled,
ADVANCE_FEE_1 0.00, ADVANCE_FEE_2 0.65, ADVANCE_FEE_3 1.76,
ADVANCE_FEE_4 3.04, DEAR_FRIEND 0.86, FROM_EXCESS_QP 0.00, MILLION_USD
1.61, MISSING_HEADERS 0.19, NA_DOLLARS 0.61, RCVD_IN_BL_SPAMCOP_NET
4.00, SARE_FRAUD_X3 1.67, SARE_FRAUD_X4 1.67, SARE_URGBIZ 0.72,
TO_CC_NONE 0.13, URG_BIZ 0.27) 
Sep  5 04:03:59 cheviot4 MailScanner[12258]: Spam Actions: message
k8533oEX003635 actions are attachment,deliver 
Sep  5 04:04:01 cheviot4 sendmail[3693]: k8533oEX003635: SMTP outgoing
connect on cheviot4.ncl.ac.uk
Sep  5 04:04:01 cheviot4 sendmail[3693]: k8533oEX003635:
to=<M.Sussman at newcastle.ac.uk>, delay=00:00:07, xdelay=00:00:00,
mailer=esmtp, pri=124098, relay=burnmoor.ncl.ac.uk. [128.240.233.53],
dsn=2.0.0, stat=Sent (EAA14539 Message accepted for delivery)
Sep  5 04:04:01 cheviot4 sendmail[3693]: k8533oEX003635: done;
delay=00:00:07, ntries=1

Have I got the MCP option values wrong in MailScanner.conf? Any advice
on how to fix this problem so that MCP can be exploited fully would be
gratefully received.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------


More information about the MailScanner mailing list