Help with large message / blacklists bypassed

Mike Kercher mkercher at nfsmith.com
Wed Aug 1 14:50:27 IST 2007



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
am.lists
Sent: Wednesday, August 01, 2007 8:21 AM
To: MailScanner discussion
Subject: Help with large message / blacklists bypassed

OK. I admit that I may be in panic mode and not thinking this through as
completely as I would otherwise.

Standard support disclosure: Linux + Postfix 2.2.2 + MailScanner 4.58.9
(<-- I know, slacker), ClamAV (0.90.3).

One of my users is the recipient of an email message that is apparently
stuck in the sending MTA's outbound queue. For whatever reason, their
MTA has shipped me over 3000 copies of the identical piece of mail.

Problem on my side is that it's a 670KB message (has a lot of images
attached) and I seem to be ineffective at blocking it and this guy's
mailbox keeps getting clogged up. Not to mention how this guy feels each
time his Outlook client goes out and tries to fetch 10 copies of a 670KB
message. He's getting no work done, essentially.

My process:

(1) I didn't want to block everything from this particular sender --
it's not his fault, obviously, so I looked for a unique string within
the message and created a custom SA rule (50 points) to kick it into
definite spam. I'd really like to strangle the mail admin on the
other side, but I can't quite reach him from here. :-)

Result: Message too large (I hadn't noticed that detail before), so it
skips it with the spam report saying simply "too large".

(2) Blacklist by sender -- added to MailScanner/MailWatch via the
black/white page. The sender and recipient are fully stated.

Result: No Effect. ??? I'm confounded by this. I thought blacks/whites
were still checked here.

(3) Added the sender name to my spam.blacklists.rules file, relevant
lines below:

# spam.blacklists.rules file
# edited at edited.org problem
From:	edited at edited.org				yes
# Never set this to yes.
FromOrTo:	default			no

Result: Still no effect. Messages, all 100 or so of them this morning,
are coming through just fine.


Where to look / what to do next on this?

Thanks,
Angelo
--

I've had this happen a few times over the past several years.  You will
probably notice that the SMTP ID of the offending email is the same...it
just gets processed over and over again.  I usually just go into the
queue and delete the df/qf pair and it takes off again.  It happens so
rarely that I don't worry about fixing it.

Mike
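Mike's observation that the repeated deliveries carry the same message ID suggests a simple log-side check. The script below is an added example, not code from the thread or from MailScanner: it correlates constructed Postfix-style maillog lines by queue ID and reports any message-id delivered to the same recipient at least a threshold number of times. The log lines, queue IDs and addresses are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (Postfix-style syslog), not taken from the thread.
# Three queue IDs carry the same message-id to the same recipient; one is unrelated.
SAMPLE_LOG = """\
Aug  1 08:01:02 mx postfix/cleanup[2101]: 7A1B2C3D4E: message-id=<stuck-0001@sender.example>
Aug  1 08:01:03 mx postfix/local[2105]: 7A1B2C3D4E: to=<user@example.org>, relay=local, delay=1, status=sent (delivered to mailbox)
Aug  1 08:02:10 mx postfix/cleanup[2110]: 8B2C3D4E5F: message-id=<stuck-0001@sender.example>
Aug  1 08:02:11 mx postfix/local[2112]: 8B2C3D4E5F: to=<user@example.org>, relay=local, delay=1, status=sent (delivered to mailbox)
Aug  1 08:03:20 mx postfix/cleanup[2120]: 9C3D4E5F6A: message-id=<stuck-0001@sender.example>
Aug  1 08:03:21 mx postfix/local[2122]: 9C3D4E5F6A: to=<user@example.org>, relay=local, delay=1, status=sent (delivered to mailbox)
Aug  1 08:04:30 mx postfix/cleanup[2130]: A4D5E6F7B8: message-id=<normal-0042@other.example>
Aug  1 08:04:31 mx postfix/local[2132]: A4D5E6F7B8: to=<user@example.org>, relay=local, delay=1, status=sent (delivered to mailbox)
"""

# cleanup(8) logs the Message-ID under the queue ID; the delivery agent logs the
# recipient and final status under the same queue ID on a later line.
MSGID_RE = re.compile(r": (?P<qid>[0-9A-F]+): message-id=<(?P<mid>[^>]+)>")
SENT_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*status=sent")


def find_duplicate_deliveries(log_text, threshold=3):
    """Return {(message_id, recipient): count} for every pair delivered
    at least `threshold` times, i.e. the same message looping in repeatedly."""
    qid_to_mid = {}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = MSGID_RE.search(line)
        if m:
            qid_to_mid[m["qid"]] = m["mid"]
            continue
        s = SENT_RE.search(line)
        if s and s["qid"] in qid_to_mid:
            counts[(qid_to_mid[s["qid"]], s["rcpt"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (mid, rcpt), n in find_duplicate_deliveries(SAMPLE_LOG).items():
        print(f"{n} deliveries of <{mid}> to {rcpt}")
```

Run against a live maillog, a hit on the same Message-ID is the cue to look at the sending MTA's queue rather than at content or sender blacklists, which is what the thread's size-skipped SpamAssassin check could not catch.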

