Only a few incoming emails seem to be getting scanned.

Henry Hollenberg hgh at rcwm.com
Fri Sep 29 04:30:39 IST 2006


Glenn Steen wrote:
> On 28/09/06, Henry Hollenberg <hgh at rcwm.com> wrote:
> 
>> Hey gang,
>>
>> Installed MailScanner/SpamAssassin on a bastion MTA on my DMZ and have been poking around
>> looking at what's going on and the first thing I've noticed is that only a few emails
>> seem to be getting scanned.
>>
>> Of course all my test emails are being scanned and are passing.
>>
>> A few SPAM's are being scanned and are being appropriately scored.
>>
>> A bunch of SPAM shows no indication that it is being scanned at all.
>>
>> I have read the MailScanner install PDF and looked thru the FAQ.  I have gone
>> thru the /etc/MailScanner/MailScanner.conf several times turning on everything
>> I could find that might give some indication that the email/SPAM is being scanned:
>>
>> Add Envelope From Header = yes
>> Sign Messages Already Processed = yes
>> Sign Clean Messages = yes
>> Mark Unscanned Messages = yes
>> Scanned Modify Subject = end
>> Spam Modify Subject = yes
>> Spam Subject Text = {Spam?}
>> High Scoring Spam Modify Subject = yes
>> High Scoring Spam Subject Text = {HSpam?}
>> Spam Checks = yes
>> Use SpamAssassin = yes
>> Spam Actions = deliver
>> High Scoring Spam Actions = deliver
>> Non Spam Actions = deliver
>>
>> Any ideas why/how incoming email is bypassing MailScanner?
>>
>> PS: Here is an example of what's getting thru without scanning:
>>
>> Return-Path: <n.9891.2827336 at xenoglimp.com>
>> X-Original-To: speed at rcwm.com
>> Delivered-To: speed at rcwm.com
>> Received: from bastion.rcwm.com (bastion.rcwm.com [10.1.2.1])
>>      by mail.rcwm.com (Postfix) with ESMTP id 3C8E8BCB0
>>      for <speed at rcwm.com>; Wed, 27 Sep 2006 14:53:08 -0500 (CDT)
>> Received: from ip141.hocklente.com (ip141.hocklente.com [209.236.229.141])
>>      by bastion.rcwm.com (Postfix) with SMTP id 471BE161EAE
>>      for <speed at rcwm.com>; Wed, 27 Sep 2006 14:52:45 -0500 (CDT)
>> Date: Wed, 27 Sep 2006 14:51:03 -0500
>> From: "Frank Cosley" <admin at xenoglimp.com>
>> To: speed at rcwm.com
>> Subject: Trip to Hawaii can be yours
>> MIME-Version: 1.0
>> X-Mailer: qxc v8.3.2.1001.2827336
>> Reply-To: r.9891.2827336 at xenoglimp.com
>> Message-Id: <20060927063003.yfhdcwztev at xenoglimp.com>
>> Content-Type: multipart/alternative;
>>      boundary="=_aa6a71c68bf884fc9567370c1d67962c"
>>
>> This is a MIME encoded message.
>>
>> --=_aa6a71c68bf884fc9567370c1d67962c
>> Content-Type: text/plain; charset="iso-8859-1"
>> Content-Transfer-Encoding: 7bit
>>
>> No text version was provided
>>
>> --=_aa6a71c68bf884fc9567370c1d67962c
>> Content-Type: text/html; charset="iso-8859-1"
>> Content-Transfer-Encoding: quoted-printable
>>
>>
>> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"
>>
>> ===> Bunch of SPAM advertisement deleted <=====
>>
>>
>> Thanks hgh.
> 
> 
> On bastion.rcwm.com what log entries do you have regarding 471BE161EAE?
> Do you employ any header_checks that might remove vital headers, or
> make the mails "miss" the HOLD thing?
> 

Sep 27 14:52:42 bastion postfix/smtpd[29999]: connect from ip141.hocklente.com[209.236.229.141]
Sep 27 14:52:58 bastion postfix/smtpd[29999]: 471BE161EAE: client=ip141.hocklente.com[209.236.229.141]
Sep 27 14:53:06 bastion postfix/cleanup[30001]: 471BE161EAE: message-id=<20060927063003.yfhdcwztev at xenoglimp.com>
Sep 27 14:53:08 bastion postfix/qmgr[25191]: 471BE161EAE: from=<n.9891.2827336 at xenoglimp.com>, size=9763, nrcpt=1 (queue active)
Sep 27 14:53:08 bastion postfix/smtp[30002]: 471BE161EAE: to=<speed at rcwm.com>, relay=10.1.1.2[10.1.1.2], delay=23, status=sent (250 Ok: queued as 3C8E8BCB0)
Sep 27 14:53:08 bastion postfix/qmgr[25191]: 471BE161EAE: removed
Sep 27 14:53:10 bastion postfix/smtpd[29999]: disconnect from ip141.hocklente.com[209.236.229.141]

I didn't notice anything odd, Postfix-wise, don't see any MailScanner/SpamAssassin logging.

hgh.

-- 
Henry Hollenberg
hgh at rcwm.com
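
Added example, not part of the original post: one way to check from the Postfix log whether each accepted message was placed on hold for MailScanner, following Glenn's question about the HOLD action. It assumes the usual MailScanner/Postfix arrangement in which a header_checks HOLD rule makes postfix/cleanup log a "hold:" line for every held message; the function name, the regex and the 9A2B3C4D5E log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the 471BE161EAE lines mirror the log in the post above;
# the 9A2B3C4D5E lines are invented to show what a held message looks like.
SAMPLE_LOG = """\
Sep 27 14:52:58 bastion postfix/smtpd[29999]: 471BE161EAE: client=ip141.hocklente.com[209.236.229.141]
Sep 27 14:53:06 bastion postfix/cleanup[30001]: 471BE161EAE: message-id=<20060927063003.yfhdcwztev at xenoglimp.com>
Sep 27 14:53:08 bastion postfix/qmgr[25191]: 471BE161EAE: from=<n.9891.2827336 at xenoglimp.com>, size=9763, nrcpt=1 (queue active)
Sep 27 14:53:08 bastion postfix/smtp[30002]: 471BE161EAE: to=<speed at rcwm.com>, relay=10.1.1.2[10.1.1.2], delay=23, status=sent (250 Ok: queued as 3C8E8BCB0)
Sep 27 14:53:08 bastion postfix/qmgr[25191]: 471BE161EAE: removed
Sep 27 15:01:10 bastion postfix/smtpd[30100]: 9A2B3C4D5E: client=mx.example.net[192.0.2.10]
Sep 27 15:01:11 bastion postfix/cleanup[30101]: 9A2B3C4D5E: hold: header Received: from mx.example.net (mx.example.net [192.0.2.10]) by bastion.rcwm.com (Postfix)
Sep 27 15:01:11 bastion postfix/cleanup[30101]: 9A2B3C4D5E: message-id=<constructed at example.net>
"""

# daemon name, queue ID (upper-case hex), rest of the log record
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def classify(log_text):
    """Map each queue ID accepted by smtpd to 'held', 'bypassed' or 'incomplete'."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            events[qid].add("accepted")
        elif daemon == "cleanup" and rest.startswith("hold:"):
            events[qid].add("held")
        elif daemon in ("smtp", "lmtp", "local", "virtual") and "status=sent" in rest:
            events[qid].add("delivered")
    result = {}
    for qid, seen in events.items():
        if "accepted" not in seen:
            continue  # not received from the network under this ID
        if "held" in seen:
            result[qid] = "held"        # parked in the hold queue for the scanner
        elif "delivered" in seen:
            result[qid] = "bypassed"    # went straight from cleanup to delivery
        else:
            result[qid] = "incomplete"  # log ends before the outcome is known
    return result

if __name__ == "__main__":
    for qid, state in classify(SAMPLE_LOG).items():
        print(qid, state)
```

A queue ID reported as "bypassed" was delivered under the same ID it was accepted with and never logged a hold, which matches the 471BE161EAE trace above.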

