Only a few incoming emails seem to be getting scanned.

Henry Hollenberg hgh at rcwm.com
Fri Sep 29 05:25:06 IST 2006 

Glenn Steen wrote:
> On 28/09/06, Henry Hollenberg <hgh at rcwm.com> wrote:
> 
>> Hey gang,
>>
>> Installed MailScanner/Spamassasin on a bastion MTA on my DMZ and have 
>> been poking around
>> looking at what's going on and the first thing I've noticed is that 
>> only a few emails
>> seem to be getting scanned.
>>
>> Of course all my test emails are being scanned and are passing.
>>
>> A few SPAM's are being scanned and are being appropriately scored.
>>
>> A bunch of SPAM shows no indication that it is being scanned at all.
>>
>> I have read the mailscanner install pdf and looked thru the FAQ.  I 
>> have gone
>> thru the /etc/MailScanner/MailScanner.conf several times turning on 
>> everything
>> I could find that might give some indication that the email/SPAM is 
>> being scanned:
>>
>> Add Envelope From Header = yes
>> Sign Messages Already Processed = yes
>> Sign Clean Messages = yes
>> Mark Unscanned Messages = yes
>> Scanned Modify Subject = end
>> Spam Modify Subject = yes
>> Spam Subject Text = {Spam?}
>> High Scoring Spam Modify Subject = yes
>> High Scoring Spam Subject Text = {HSpam?}
>> Spam Checks = yes
>> Use SpamAssassin = yes
>> Spam Actions = deliver
>> High Scoring Spam Actions = deliver
>> Non Spam Actions = deliver
>>
>> Any ideas why/how incoming email is bypassing mailscanner?
>>
>> PS: Here is an example of what's getting thru without scanning:
>>
>> Return-Path: <n.9891.2827336 at xenoglimp.com>
>> X-Original-To: speed at rcwm.com
>> Delivered-To: speed at rcwm.com
>> Received: from bastion.rcwm.com (bastion.rcwm.com [10.1.2.1])
>>      by mail.rcwm.com (Postfix) with ESMTP id 3C8E8BCB0
>>      for <speed at rcwm.com>; Wed, 27 Sep 2006 14:53:08 -0500 (CDT)
>> Received: from ip141.hocklente.com (ip141.hocklente.com 
>> [209.236.229.141])
>>      by bastion.rcwm.com (Postfix) with SMTP id 471BE161EAE
>>      for <speed at rcwm.com>; Wed, 27 Sep 2006 14:52:45 -0500 (CDT)
>> Date: Wed, 27 Sep 2006 14:51:03 -0500
>> From: "Frank Cosley" <admin at xenoglimp.com>
>> To: speed at rcwm.com
>> Subject: Trip to Hawaii can be yours
>> MIME-Version: 1.0
>> X-Mailer: qxc v8.3.2.1001.2827336
>> Reply-To: r.9891.2827336 at xenoglimp.com
>> Message-Id: <20060927063003.yfhdcwztev at xenoglimp.com>
>> Content-Type: multipart/alternative;
>>      boundary="=_aa6a71c68bf884fc9567370c1d67962c"
>>
>> This is a MIME encoded message.
>>
>> --=_aa6a71c68bf884fc9567370c1d67962c
>> Content-Type: text/plain; charset="iso-8859-1"
>> Content-Transfer-Encoding: 7bit
>>
>> No text version was provided
>>
>> --=_aa6a71c68bf884fc9567370c1d67962c
>> Content-Type: text/html; charset="iso-8859-1"
>> Content-Transfer-Encoding: quoted-printable
>>
>>
>> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"
>>
>> ===> Bunch of SPAM advertisement deleted <=====
>>
>>
>> THanks hgh.
> 
> 
> On bastion.rcwm.com what log entries do you have regarding 471BE161EAE?
> Do you employ any header_checks that might remove vital headers, or
> make the mails "miss" the HOLD thing?
> 

Ok, I figured it out.  I was wrong, it's not some of the emails that
are getting skipped, they all are getting skipped.  The ones that were
getting marked as SPAM are all from work were they have MailScanner
installed and they are being forwarded from my email account their
to my home account.

But I am still under the impression that more RBL'ing is going on.

Here is the spamassassin lint output if that helps:

bastion:/etc/init.d# spamassassin -D --lint
debug: SpamAssassin version 3.0.3
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/bin/X11', which doesn't exist, dropping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: Final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
debug: diag: module not installed: DBI ('require' failed)
debug: diag: module installed: DB_File, version 1.808
debug: diag: module installed: Digest::SHA1, version 2.10
debug: diag: module installed: IO::Socket::UNIX, version 1.21
debug: diag: module installed: MIME::Base64, version 3.04
debug: diag: module installed: Net::DNS, version 0.48
debug: diag: module not installed: Net::LDAP ('require' failed)
debug: diag: module installed: Razor2::Client::Agent, version 2.67
debug: diag: module installed: Storable, version 2.12
debug: diag: module installed: URI, version 1.35
debug: ignore: using a test message to lint rules
debug: using "/etc/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: config: read file /usr/share/spamassassin/60_whitelist.cf
debug: config: read file /usr/share/spamassassin/65_debian.cf
debug: using "/etc/spamassassin" for site rules dir
debug: config: read file /etc/spamassassin/local.cf
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: config: read file /root/.spamassassin/user_prefs
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857ecf8)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8eb9a7c)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8e94c60)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857ecf8) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8eb9a7c) implements 'parse_config'
debug: using "/root/.spamassassin" for user state dir
debug: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
debug: Score set 1 chosen.
debug: ---- MIME PARSER START ----
debug: main message type: text/plain
debug: parsing normal part
debug: added part, type: text/plain
debug: ---- MIME PARSER END ----
debug: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857ecf8) implements 'parsed_metadata'
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: trying (3) colorado.edu...
debug: looking up NS for 'colorado.edu'
debug: NS lookup of colorado.edu succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: decoding: no encoding detected
debug: URIDNSBL: domains to query:
debug: all '*From' addrs: ignore at compiling.spamassassin.taint.org
debug: Running tests for priority: 0
debug: running header regexp tests; score so far=0
debug: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8eb9a7c))
debug: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x8e94c60))
debug: SPF: message was delivered entirely via trusted relays, not required
debug: registering glue method for check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8eb9a7c))
debug: all '*To' addrs:
debug: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8e94c60))
debug: SPF: message was delivered entirely via trusted relays, not required
debug: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x8e94c60))
debug: registering glue method for check_for_spf_helo_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8e94c60))
debug: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8e94c60))
debug: registering glue method for check_for_spf_helo_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8e94c60))
debug: running body-text per-line regexp tests; score so far=-2.623
debug: running uri tests; score so far=-2.623
debug: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857ecf8))
debug: Razor2 is available
debug: entering helper-app run mode
  Razor-Log: Computed razorhome from env: /root/.razor
  Razor-Log: No razorhome found, using all defaults
  Razor-Log: read_file: 1 items read from /etc/razor/razor-agent.conf
Sep 28 22:46:21.021741 check[2007]: [ 2] [bootup] Logging initiated LogDebugLevel=9 to stdout
Sep 28 22:46:21.022616 check[2007]: [ 5] computed razorhome=, conf=/etc/razor/razor-agent.conf, ident=identity
Sep 28 22:46:21.023241 check[2007]: [ 8] Client supported_engines: 4 8
Sep 28 22:46:21.024218 check[2007]: [ 8]  prep_mail done: mail 1 headers=93, mime0=1376
Sep 28 22:46:21.024874 check[2007]: [ 7] Can't read file servers.discovery.lst, looking relatve to
Sep 28 22:46:21.025291 check[2007]: [ 5] Can't read file /servers.discovery.lst: No such file or directory
Sep 28 22:46:21.025665 check[2007]: [ 7] Can't read file servers.nomination.lst, looking relatve to
Sep 28 22:46:21.026016 check[2007]: [ 5] Can't read file /servers.nomination.lst: No such file or directory
Sep 28 22:46:21.026361 check[2007]: [ 7] Can't read file servers.catalogue.lst, looking relatve to
Sep 28 22:46:21.026703 check[2007]: [ 5] Can't read file /servers.catalogue.lst: No such file or directory
Sep 28 22:46:21.027258 check[2007]: [ 5] no listfile: servers.catalogue.lst
Sep 28 22:46:21.027648 check[2007]: [ 6] no discovery listfile: servers.discovery.lst
Sep 28 22:46:21.027964 check[2007]: [ 5] Finding Discovery Servers via DNS in the razor2.cloudmark.com zone
Sep 28 22:46:21.065214 check[2007]: [ 6] Found 1 Discovery Servers via DNS in the razor2.cloudmark.com zone
Sep 28 22:46:21.065896 check[2007]: [ 8] Checking with Razor Discovery Server 66.151.150.12
Sep 28 22:46:21.066295 check[2007]: [ 6] No port specified, using 2703
Sep 28 22:46:21.066583 check[2007]: [ 5] Connecting to 66.151.150.12 ...
debug: razor2 check timed out after 10 secs.
debug: leaving helper-app run mode
debug: Razor2 results: spam? 0  highest cf score: 0
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857ecf8) implements 'check_tick'
debug: running raw-body-text per-line regexp tests; score so far=-2.623
debug: running full-text regexp tests; score so far=-2.623
debug: Razor2 is available
debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
debug: executable for pyzor was found at /usr/bin/pyzor
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: setuid: helper proc 2008: ruid=0 euid=0
debug: Pyzor: got response: 66.250.40.33:24441  TimeoutError:
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "66.250.40.33:24441        TimeoutError: "
debug: DCCifd is not available: no r/w dccifd socket found.
debug: executable for dccproc was found at /usr/bin/dccproc
debug: DCC is available: /usr/bin/dccproc
debug: entering helper-app run mode
debug: setuid: helper proc 2009: ruid=0 euid=0
debug: DCC: got response: socket(UDP): Address family not supported by protocol
debug: leaving helper-app run mode
debug: DCC -> check failed: no X-DCC returned (did you create a map file?): socket(UDP): Address family not supported by protocol
debug: Running tests for priority: 500
debug: RBL: success for 1 of 1 queries
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857ecf8) implements 'check_post_dnsbl'
debug: running meta tests; score so far=-2.623
debug: running header regexp tests; score so far=-1.053
debug: running body-text per-line regexp tests; score so far=-1.053
debug: running uri tests; score so far=-1.053
debug: running raw-body-text per-line regexp tests; score so far=-1.053
debug: running full-text regexp tests; score so far=-1.053
debug: Running tests for priority: 1000
debug: running meta tests; score so far=-1.053
debug: running header regexp tests; score so far=-1.053
debug: using "/root/.spamassassin" for user state dir
debug: lock: 2007 created /root/.spamassassin/auto-whitelist.lock.bastion.rcwm.com.2007
debug: lock: 2007 trying to get lock on /root/.spamassassin/auto-whitelist with 0 retries
debug: lock: 2007 link to /root/.spamassassin/auto-whitelist.lock: link ok
debug: Tie-ing to DB file R/W in /root/.spamassassin/auto-whitelist
debug: auto-whitelist (db-based): ignore at compiling.spamassassin.taint.org|ip=none scores 0/0
debug: AWL active, pre-score: -1.053, autolearn score: -1.053, mean: undef, IP: undef
debug: DB addr list: untie-ing and unlocking.
debug: DB addr list: file locked, breaking lock.
debug: unlock: 2007 unlink /root/.spamassassin/auto-whitelist.lock
debug: Post AWL score: -1.053
debug: running body-text per-line regexp tests; score so far=-1.053
debug: running uri tests; score so far=-1.053
debug: running raw-body-text per-line regexp tests; score so far=-1.053
debug: running full-text regexp tests; score so far=-1.053
debug: is spam? score=-1.053 required=5
debug: tests=ALL_TRUSTED,MISSING_DATE,MISSING_SUBJECT,NO_REAL_NAME
debug: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__SANE_MSGID,__UNUSABLE_MSGID


hgh.
-- 
Henry Hollenberg
hgh at rcwm.com

More information about the MailScanner mailing list