Problem with rule actions

Julian Field MailScanner at ecs.soton.ac.uk
Mon Sep 3 19:52:43 IST 2007


I probably need to add more logging to the SpamAssassin Rule Actions code.

Gareth wrote:
> I have a custom rule action :-
> SpamAssassin Rule Actions = SpamScore>=20=>store,non-deliver
>
> I received 2 emails. One was identified as a virus by sanesecurity
> signatures and a spam score of around 17. You can see it being logged. The
> other message (E1D42AA0090.C4C0E) had a spam score of 34 but nothing got
> saved to the spam folder and there is nothing in the log saying it tried to
> save it.
>
> [root@mailscanner 20070903]# pwd
> /var/spool/MailScanner/quarantine/20070903
> [root@mailscanner 20070903]# ls -l
> total 1776
> drwxrwx--- 2 postfix apache 4096 Sep  3 01:36 00703AA0092.84CA8
> ...
> drwxrwx--- 2 postfix apache 4096 Sep  3 04:27 F392AAA0090.3C632
> drwxrwx--- 2 postfix apache 4096 Sep  3 19:19 spam
>
> Sep  3 19:26:29 mailscanner MailScanner[7702]: New Batch: Scanning 1 messages, 1583 bytes
> Sep  3 19:26:36 mailscanner MailScanner[7723]: New Batch: Found 2 messages waiting
> Sep  3 19:26:36 mailscanner MailScanner[7723]: New Batch: Scanning 1 messages, 10944 bytes
> Sep  3 19:26:43 mailscanner MailScanner[7702]: Spam Checks: Found 1 spam messages
> Sep  3 19:26:43 mailscanner MailScanner[7702]: Virus and Content Scanning: Starting
> Sep  3 19:26:48 mailscanner MailScanner[7723]: Spam Checks: Found 1 spam messages
> Sep  3 19:26:48 mailscanner MailScanner[7723]: Virus and Content Scanning: Starting
> Sep  3 19:26:48 mailscanner MailScanner[7723]: ClamAV Module::INFECTED:: MSRBL-Images/0-0-wgr6:: ./7AB3CAA0092.0CAE9/
> Sep  3 19:26:48 mailscanner MailScanner[7723]: ClamAV Module::INFECTED:: MSRBL-Images/0-0-wgr6:: ./7AB3CAA0092.0CAE9/GVauoBZVdM.gif
> Sep  3 19:26:48 mailscanner MailScanner[7723]: ClamAV Module::INFECTED:: MSRBL-Images/0-0-wgr4:: ./7AB3CAA0092.0CAE9/rOiW6mkZar.gif
> Sep  3 19:26:48 mailscanner MailScanner[7702]: Logging message E1D42AA0090.C4C0E to SQL
> Sep  3 19:26:48 mailscanner MailScanner[7681]: E1D42AA0090.C4C0E: Logged to MailWatch SQL
> Sep  3 19:26:49 mailscanner MailScanner[7723]: Virus Scanning: ClamAV Module found 3 infections
> Sep  3 19:26:52 mailscanner MailScanner[7723]: Virus Scanning: Bitdefender found 3 infections
> Sep  3 19:26:52 mailscanner MailScanner[7723]: Infected message 7AB3CAA0092.0CAE9 came from 193.238.209.194
> Sep  3 19:26:52 mailscanner MailScanner[7723]: Virus Scanning: Found 3 viruses
> Sep  3 19:26:52 mailscanner MailScanner[7723]: Saved entire message to /var/spool/MailScanner/quarantine/20070903/7AB3CAA0092.0CAE9
> Sep  3 19:26:52 mailscanner MailScanner[7723]: Saved infected "GVauoBZVdM.gif" to /var/spool/MailScanner/quarantine/20070903/7AB3CAA0092.0CAE9
> Sep  3 19:26:52 mailscanner MailScanner[7723]: Saved infected "rOiW6mkZar.gif" to /var/spool/MailScanner/quarantine/20070903/7AB3CAA0092.0CAE9
> Sep  3 19:26:52 mailscanner MailScanner[7723]: Logging message 7AB3CAA0092.0CAE9 to SQL
> Sep  3 19:26:52 mailscanner MailScanner[7681]: 7AB3CAA0092.0CAE9: Logged to MailWatch SQL
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Julian
>> Field
>> Sent: 03 September 2007 19:14
>> To: MailScanner discussion
>> Subject: Re: Problem with rule actions
>>
>> Gareth wrote:
>>> In MailScanner.conf I have :-
>>> Quarantine Dir = /var/spool/MailScanner/quarantine
>>> Quarantine User = root
>>> Quarantine Group = apache
>>> Quarantine Permissions = 0660
>>>
>>> However all quarantine entries are stored in the format :-
>>> %quarantine-dir%/<<date>>/<<msgid>> and they are viruses and blocked
>>> attachments.
>>> I am assuming this is correct for the virus quarantine?
>>
>> Yes, correct.
>>
>>> If that is the case then MailScanner does not seem to be creating the
>>> additional 'spam' etc... subdirectories for some reason.
>>
>> It should always try to create them. Try creating them by hand and see
>> if it puts anything in them. Make sure you give them permissions which
>> are generous enough.
>>
>>> Are you sure the format is not
>>> %quarantine-dir%/spam/<<date>>/<<msgid>> as
>>> if that was the case it could just be the issue that the spam
>>> directory does not exist.
>>
>> Yes, sure :-)
>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Steve
>>>> Freegard
>>>> Sent: 03 September 2007 18:48
>>>> To: MailScanner discussion
>>>> Subject: Re: Problem with rule actions
>>>>
>>>> Gareth wrote:
>>>>> Understood but where are these quarantines?
>>>>>
>>>>> I have /var/spool/mailscanner/quaranteen which contains directories like
>>>>> 20070803 and within that directories named according to the mail ID with the
>>>>> message and any attachments within it.
>>>>>
>>>>> Where do each of these store options actually try to save the files?
>>>>>
>>>>>> #    store                   - store the message in the (spam) quarantine
>>>>
>>>> %quarantine-dir%/<<date>>/spam/<<msgid>>
>>>>
>>>>>> #    store-nonmcp            - store the message in the non-MCP quarantine
>>>>
>>>> %quarantine-dir%/<<date>>/nonmcp/<<msgid>>
>>>>
>>>>>> #    store-mcp               - store the message in the MCP quarantine
>>>>
>>>> %quarantine-dir%/<<date>>/mcp/<<msgid>>
>>>>
>>>>>> #    store-nonspam           - store the message in the non-spam quarantine
>>>>
>>>> %quarantine-dir%/<<date>>/nonspam/<<msgid>>
>>>>
>>>>>> #    store-spam              - store the message in the spam quarantine
>>>>
>>>> %quarantine-dir%/<<date>>/spam/<<msgid>>
>>>>
>>>>
>>>> If you are having trouble with MailWatch reading these then make sure
>>>> your permissions settings are correct (Quarantine Perms = 0660 and
>>>> Quarantine Group = <<web server group>>) and that you are storing
>>>> quarantined items in RFC822 format (e.g. Quarantine Messages As Queue
>>>> Files = No) as these are the most common causes of problems.
>>>>
>>>> Cheers,
>>>> Steve.
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>
>> Jules

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk
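
Added example (not part of the original message, and not MailScanner code): a Python check that pairs every message id logged to SQL with a "Saved entire message" entry and, where there is none, looks for the message under the spam quarantine path given in the thread. It assumes a stored message is logged the same way as the virus quarantine save in the quoted log; the function names are hypothetical.

```python
import os
import re

# Message id format as it appears in the thread, e.g. E1D42AA0090.C4C0E
MSG_ID = r"[0-9A-F]{8,12}\.[0-9A-F]{5}"
LOGGED = re.compile(rf"MailScanner\[\d+\]: Logging message ({MSG_ID}) to SQL")
SAVED = re.compile(rf"MailScanner\[\d+\]: Saved entire message to (\S+)/({MSG_ID})\s*$")

# Excerpt of the log quoted in the message above, one entry per line.
SAMPLE_LOG = """\
Sep  3 19:26:48 mailscanner MailScanner[7702]: Logging message E1D42AA0090.C4C0E to SQL
Sep  3 19:26:48 mailscanner MailScanner[7681]: E1D42AA0090.C4C0E: Logged to MailWatch SQL
Sep  3 19:26:52 mailscanner MailScanner[7723]: Saved entire message to /var/spool/MailScanner/quarantine/20070903/7AB3CAA0092.0CAE9
Sep  3 19:26:52 mailscanner MailScanner[7723]: Logging message 7AB3CAA0092.0CAE9 to SQL
Sep  3 19:26:52 mailscanner MailScanner[7681]: 7AB3CAA0092.0CAE9: Logged to MailWatch SQL
"""


def saved_locations(lines):
    """Map every message id logged to SQL to the directory it was saved in (None if never saved)."""
    found = {}
    for line in lines:
        m = SAVED.search(line)
        if m:
            found[m.group(2)] = m.group(1)
        else:
            m = LOGGED.search(line)
            if m:
                found.setdefault(m.group(1), None)
    return found


def spam_path(quarantine_dir, date, msgid):
    """Location given in the thread for 'store': %quarantine-dir%/<<date>>/spam/<<msgid>>."""
    return os.path.join(quarantine_dir, date, "spam", msgid)


def not_quarantined(lines, quarantine_dir, date):
    """Ids with no 'Saved' log entry and nothing on disk under the spam quarantine."""
    return sorted(
        mid for mid, where in saved_locations(lines).items()
        if where is None and not os.path.exists(spam_path(quarantine_dir, date, mid))
    )


if __name__ == "__main__":
    root, day = "/var/spool/MailScanner/quarantine", "20070903"
    for mid in not_quarantined(SAMPLE_LOG.splitlines(), root, day):
        print(f"{mid}: no save logged, nothing at {spam_path(root, day, mid)}")
```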


