"Is Definitely Spam" rule not working?

Pascal Maes pascal.maes at elec.ucl.ac.be
Tue Feb 5 08:28:29 GMT 2008


On 04-Feb-08 at 17:36, Scott Silva wrote:

> on 2/4/2008 4:01 AM Julian Field spake the following:
>> Scott Silva wrote:
>>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
>>>> On 01-Feb-08 at 12:38, Julian Field wrote:
>>>>
>>>>>
>>>>> Pascal Maes wrote:
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>> In MailScanner.conf, we have
>>>>>>
>>>>>> # Spam Blacklist:
>>>>>> # Make this point to a ruleset, and anything in that ruleset whose value
>>>>>> # is "yes" will *always* be marked as spam.
>>>>>> # This value can be over-ridden by the "Is Definitely Not Spam" setting.
>>>>>> # This can also be the filename of a ruleset.
>>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
>>>>>>
>>>>>>
>>>>>> In spam_blacklist.rules, we have :
>>>>>>
>>>>>> From:           66.63.168.                              yes
>>>>>>
>>>>>> FromOrTo:       default                                 no
>>>>>>
>>>>>>
>>>>>>
>>>>>> As this rule could be over-ridden, I check that
>>>>>>
>>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>>>>>
>>>>>> the file spam_whitelist.rules doesn't contain anything about that
>>>>>> domain or IP or the recipient
>>>>>>
>>>>>>
>>>>>> Then, I wonder why the following mail was not tagged as SPAM
>>>>>>
>>>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>>>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
>>>>>> 6.3-4.01 (built
>>>>>> Aug  3 2007; 32bit)) with ESMTP id
>>>>>> <0JVI00FQIWFSZ240 at mmp.sipr-dc.ucl.ac.be>
>>>>>> for <email_address> (ORCPT email_address); Thu,
>>>>>> 31 Jan 2008 20:21:28 +0100 (CET)
>>>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain  
>>>>>> [127.0.0.1])
>>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D    for
>>>>>> <email_address>; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
>>>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP    for  
>>>>>> <email_address>; Thu,
>>>>>> 31 Jan 2008 20:21:38 +0100 (CET)
>>>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
>>>>>> hk8fra01g741; Thu,
>>>>>> 31 Jan 2008 14:19:07 -0500
>>>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
>>>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
>>>>>> From: Travel Offers <Travel-Offers at mytravfolks.com>
>>>>>> X-SGSI-MailScanner: Found to be clean
>>>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,     
>>>>>> score=3.5,
>>>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
>>>>> Because it scored 3.5 where the required score is 5.
>>>>>> X-SGSI-Spam-Score: sss
>>>>>> X-SGSI-From: travel-offers at mytravfolks.com
>>>>>> X-SGSI-Spam-Status: No
>>>>>>
>>>>>> -- 
>>>>>> Pascal
>>>>>>
>>>>>>
>>>>>>
>>>>> Jules
>>>>>
>>>> yes but as we have the header
>>>>
>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
>>>>
>>>> which matches the rule in spam_blacklist.rules
>>>>
>>>> From:           66.63.168.                              yes
>>>>
>>>> The message should have been tagged Spam
>>>>
>>>>
>>>> -- 
>>>> Pascal
>>>>
>>>>
>>>>
>>> Do those rules check all received headers, or just the last one received from?
>>> Julian would know for sure.
>> They just check the last one, the IP address of the SMTP client that sent the message to your server.
>> Jules
> Then there is the answer. As far as MailScanner is concerned, the above message came from;
> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> which doesn't match your blacklist.
> The only host that it would have matched on would have been smtp4.sgsi.ucl.ac.be if that is in your control.
>
> Thanks Julian for the clarification!
> MailScanner rocks!!!
>

I'm not sure.
The message above is the one that is in the mailbox, but MailScanner acts before that:

Mail --> SMTP4 (Postfix) -> MailScanner -> Postfix -> Mailboxes
             (1)                              (2)         (3)

In (1), you have Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])

In (2), Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])

In (3), Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])

The master.cf file for Postfix looks like

smtp      inet  n       -       n       -       500       smtpd
   -o smtpd_client_connection_count_limit=500
   -o smtpd_proxy_filter=127.0.0.1:10025
   -o receive_override_options=no_address_mappings
#
# For injecting mail back into postfix from ClamSMTP
127.0.0.1:10026 inet  n       -       n       -       -         smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8


Our SMTP box receives the message.
The message goes through some "before-filters" and goes back to Postfix with the option

smtpd_authorized_xforward_hosts=127.0.0.0/8

to keep the headers of the previous MTA server.
Then Postfix puts the message in the HOLD queue, where MailScanner takes it and puts it back into the Postfix queue.

I'm pretty sure that MailScanner should see the 66.63.168.38 IP address; otherwise, why is the "Is Definitely Not Spam" rule working:

Feb  5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655 from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be at spamassassin.apache.org) is whitelisted


Regards
--
Pascal
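As an added illustration, not code from this thread, from MailScanner or from Postfix: a simplified Python model of the ruleset lookup Julian describes, applied to the Received: chain quoted above. The IP-matching syntax it assumes (dotted prefix such as `66.63.168.`, exact IP, `default`) is a simplification of MailScanner's ruleset format; it shows that the `From: 66.63.168.` line only fires if the client IP MailScanner reads comes from hop (1), and stays silent for the 127.0.0.1 and 10.1.5.4 hops.

```python
import re

# Constructed sample: the Received: chain of the message quoted in this thread,
# most recent hop first, as it sits in the delivered copy (hops (3), (2), (1)).
RECEIVED = [
    "from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) by mmp.sipr-dc.ucl.ac.be",
    "from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1]) by smtp4.sgsi.ucl.ac.be (Postfix)",
    "from rssl2.mytravfolks.com (unknown [66.63.168.38]) by smtp4.sgsi.ucl.ac.be (Postfix)",
]

# spam_blacklist.rules from the thread as (direction, pattern, value) lines.
BLACKLIST = [
    ("From", "66.63.168.", "yes"),
    ("FromOrTo", "default", "no"),
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def client_ip(received_header):
    """Return the connecting client's IP recorded in one Received: header."""
    m = IP_IN_BRACKETS.search(received_header)
    return m.group(1) if m else None


def pattern_matches(pattern, ip):
    """Assumed, simplified matching: 'default' matches anything, a pattern
    ending in '.' is a dotted-prefix match, anything else is an exact IP."""
    if pattern == "default":
        return True
    if ip is None:
        return False
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def evaluate(ruleset, ip):
    """First matching line wins, as in a MailScanner ruleset."""
    for direction, pattern, value in ruleset:
        if direction in ("From", "FromOrTo") and pattern_matches(pattern, ip):
            return value
    return "no"


def verdict_for_hop(hop_index):
    """Verdict if MailScanner reads the client IP from RECEIVED[hop_index]
    (index 0 is the most recent hop, index 2 is hop (1) in the diagram)."""
    return evaluate(BLACKLIST, client_ip(RECEIVED[hop_index]))


if __name__ == "__main__":
    for i, hdr in enumerate(RECEIVED):
        print(i, client_ip(hdr), verdict_for_hop(i))
```

Only the hop whose client IP is 66.63.168.38 yields "yes"; the two local hops fall through to the `default` line and return "no", which is the behaviour Julian's explanation predicts for a rule checked against the last hop only.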