Help with large message / blacklists bypassed

Julian Field MailScanner at ecs.soton.ac.uk
Wed Aug 1 15:12:48 IST 2007



Glenn Steen wrote:
> On 01/08/07, am.lists <am.lists at gmail.com> wrote:
>   
>> OK. I admit that I may be in panic mode and not thinking this through
>> as completely as I would otherwise.
>>
>> Standard support disclosure; Linux + Postfix 2.2.2+ MailScanner 4.58.9
>> (<-- I know, slacker), ClamAV (0.90.3).
>>
>> One of my users is the recipient on an email message that is
>> apparently stuck in the sending MTA's outbound queue. For whatever
>> reason, their MTA has shipped me over 3000 copies of the identical
>> piece of mail.
>>
>> Problem on my side is that it's a 670KB message (has a lot of images
>> attached) and I seem to be ineffective at blocking it and this guy's
>> mailbox keeps getting clogged up. Not to mention how this guy feels
>> each time his Outlook client goes out and tries to fetch 10 copies of
>> a 670KB message. He's getting no work done, essentially.
>>
>> My process:
>>
>> (1) I didn't want to block everything from this particular sender --
>> it's not his fault, obviously, so I looked for a unique string within
>> the message and created a custom SA rule (50 points) to kick it into
>> definite spam. I'd really like to strangle the mail admin on the
>> other side, but I can't quite reach him from here. :-)
>>
>> Result: Message too large (I hadn't noticed that detail before) so it
>> skips it with the spam report saying simply "too large"
>>     
> (A sort of ...) Solution: Up your Scan and SpamAssassin Size limits in
> MailScanner.conf ... Don't forget to restart/reload MS to take effect.
>
>   
>> (2) Blacklist by sender -- added to MailScanner/MailWatch via the
>> black/white page. The sender and recipient are fully stated.
>>
>> Result: No Effect. ??? I'm confounded by this. I thought blacks/whites
>> were still checked here.
>>
>> (3) Added the sender name to my spam.blacklists.rules file, relevant
>> lines below:
>>
>> # spam.blacklists.rules file
>> # edited at edited.org problem
>> From:   edited at edited.org                               yes
>> # Never set this to yes.
>> FromOrTo:       default                 no
>>
>> Result: Still no effect.  Messages, all 100 or so of them this
>> morning, are coming through just fine.
>>
>>     
> And you did remember to restart MailScanner after those changes? That
> will affect the MW SQL B/W-list too, sort of;-).
>   
You could create a SpamAssassin rule that will spot this message, then set
SpamAssassin Rule Actions = YOUR_NEW_RULE=>delete

then 'service MailScanner reload'.

>   
>> Where to look / what to do next on this?
>>
>> Thanks,
>> Angelo
>>     
>
> Cheers
>   

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
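
Added example, not part of the original thread: the two suggestions above (raise the SpamAssassin size limit so the 670KB message is actually scanned, then attach a delete action to a custom rule) written out as configuration. The rule name, the pattern, the score and the size value are assumptions; only `SpamAssassin Rule Actions` and the reload command come from the thread.

```conf
# --- SpamAssassin local rules file (for example local.cf) ---
# Constructed pattern: replace it with a string that appears only in the
# looping message, so that other mail from the same sender is untouched.
body     LOCAL_STUCK_DUPLICATE  /constructed unique phrase from the looping message/
describe LOCAL_STUCK_DUPLICATE  Copy of the message being re-sent by the remote queue
# Non-zero so SpamAssassin evaluates the rule; the delete comes from the
# MailScanner rule action below, not from the score.
score    LOCAL_STUCK_DUPLICATE  0.1

# --- MailScanner.conf ---
# The spam report said "too large", so SpamAssassin never saw the message.
# Assumed value, chosen only to be above the 670KB message size.
# A higher limit means more large mail is passed to SpamAssassin.
Max SpamAssassin Size = 1000000

# Delete any message on which the custom rule fires.
SpamAssassin Rule Actions = LOCAL_STUCK_DUPLICATE=>delete

# Apply the changes afterwards with: service MailScanner reload
```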

