"Is Definitely Spam" rule not working ?

Glenn Steen glenn.steen at gmail.com
Tue Feb 5 08:40:28 GMT 2008


On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>
> On 04-Feb-08 at 17:36, Scott Silva wrote:
>
> > on 2/4/2008 4:01 AM Julian Field spake the following:
> >> Scott Silva wrote:
> >>> * PGP Signed by an unknown key
> >>> on 2/1/2008 3:56 AM Pascal Maes spake the following:
> >>>>> On 01-Feb-08 at 12:38, Julian Field wrote:
> >>>>
> >>>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>> Hash: SHA1
> >>>>>
> >>>>>
> >>>>>
> >>>>> Pascal Maes wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>>
> >>>>>> In MailScanner.conf, we have
> >>>>>>
> >>>>>> # Spam Blacklist:
> >>>>>> # Make this point to a ruleset, and anything in that ruleset
> >>>>>> whose value
> >>>>>> # is "yes" will *always* be marked as spam.
> >>>>>> # This value can be over-ridden by the "Is Definitely Not Spam"
> >>>>>> setting.
> >>>>>> # This can also be the filename of a ruleset.
> >>>>>> Is Definitely Spam = %rules-dir%/spam_blacklist.rules #was no
> >>>>>>
> >>>>>>
> >>>>>> In spam_blacklist.rules, we have :
> >>>>>>
> >>>>>> From:           66.63.168.                              yes
> >>>>>>
> >>>>>> FromOrTo:       default                                 no
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> As this rule could be over-ridden, I check that
> >>>>>>
> >>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
> >>>>>>
> >>>>>> the file spam_whitelist.rules doesn't contain anything about that
> >>>>>> domain or IP or the recipient
> >>>>>>
> >>>>>>
> >>>>>> Then, I wonder why the following mail was not tagged as SPAM
> >>>>>>
> >>>>>> Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> >>>>>> by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server
> >>>>>> 6.3-4.01 (built
> >>>>>> Aug  3 2007; 32bit)) with ESMTP id
> >>>>>> <0JVI00FQIWFSZ240 at mmp.sipr-dc.ucl.ac.be>
> >>>>>> for <email_address> (ORCPT email_address); Thu,
> >>>>>> 31 Jan 2008 20:21:28 +0100 (CET)
> >>>>>> Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
> >>>>>> [127.0.0.1])
> >>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D    for
> >>>>>> <email_address>; Thu, 31 Jan 2008 20:21:38 +0100 (CET)
> >>>>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
> >>>>>> by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP    for
> >>>>>> <email_address>; Thu,
> >>>>>> 31 Jan 2008 20:21:38 +0100 (CET)
> >>>>>> Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id
> >>>>>> hk8fra01g741; Thu,
> >>>>>> 31 Jan 2008 14:19:07 -0500
> >>>>>> Date: Thu, 31 Jan 2008 14:18:49 -0500
> >>>>>> Date: Thu, 31 Jan 2008 14:18:48 -0500 (EST)
> >>>>>> From: Travel Offers <Travel-Offers at mytravfolks.com>
> >>>>>> X-SGSI-MailScanner: Found to be clean
> >>>>>> X-SGSI-SpamCheck: NotSpam, SpamAssassin (not cached,
> >>>>>> score=3.5,
> >>>>>> requis 5, BOTNET_BADDNS 3.00, BOTNET_SOHO 0.50)
> >>>>> Because it scored 3.5 where the required score is 5.
> >>>>>> X-SGSI-Spam-Score: sss
> >>>>>> X-SGSI-From: travel-offers at mytravfolks.com
> >>>>>> X-SGSI-Spam-Status: No
> >>>>>>
> >>>>>> --
> >>>>>> Pascal
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> Jules
> >>>>>
> >>>> yes but as we have the header
> >>>>
> >>>> Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
> >>>>
> >>>> which matches the rule in spam_blacklist.rules
> >>>>
> >>>> From:           66.63.168.                              yes
> >>>>
> >>>> The message should have been tagged Spam
> >>>>
> >>>>
> >>>> --
> >>>> Pascal
> >>>>
> >>>>
> >>>>
> >>> Do those rules check all received headers, or just the last one
> >>> received from?
> >>> Julian would know for sure.
> >> They just check the last one, the IP address of the SMTP client
> >> that sent the message to your server.
> >> Jules
> > Then there is the answer. As far as mailscanner is concerned, the
> > above message came from;
> > Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
> > which doesn't match your blacklist.
> > The only host that it would have matched on would have been
> > smtp4.sgsi.ucl.ac.be if that is in your control.
> >
> > Thanks Julian for the clarification!
> > MailScanner rocks!!!
> >
>
> I'm not sure.
> The message here above is the message which is in the mailbox but
> MailScanner is acting before:
>
> Mail --> SMTP4 (Postfix) -> MailScanner -> Postfix -> Mailboxes
>              (1)                              (2)         (3)
>
> In (1), you have Received: from rssl2.mytravfolks.com (unknown
> [66.63.168.38])
>
> In (2), Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain
> [127.0.0.1])
>
> In (3), Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
>
> The master.cf file for Postfix looks like
>
> smtp      inet  n       -       n       -       500       smtpd
>    -o smtpd_client_connection_count_limit=500
>    -o smtpd_proxy_filter=127.0.0.1:10025
>    -o receive_override_options=no_address_mappings
> #
> # For injecting mail back into postfix from ClamSMTP
> 127.0.0.1:10026 inet    n       -       n       -       -       smtpd
>   -o content_filter=
>   -o receive_override_options=no_unknown_recipient_checks
>   -o smtpd_helo_restrictions=
>   -o smtpd_client_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o mynetworks_style=host
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
>
> Our SMTP box receives the message.
> The message goes through some "before-filters" and goes back to
> postfix with the option
>
> smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> to keep the headers of the previous MTA server.
> Then Postfix puts the message in the HOLD queue where MailScanner
> takes it and puts it back into the Postfix queue.
>
> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> address otherwise why is the "Is Definitely Not Spam" rule working :
>
> Feb  5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be at spamassassin.apache.org
> ) is whitelisted
>
>
> Regards
Anything happening to the message _after_ MailScanner doesn't have any
impact on your problem... What happens before though... You have to
make sure that your SA trust_path is OK, and all should be well. Why
do you use the ClamSMTP thing at all?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
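The point argued back and forth above is which Received: hop the "From: 66.63.168." rule is evaluated against. The following Python script is an added illustration, not MailScanner's own code: it parses the Received chain quoted in the thread (reconstructed here as a constructed sample, recipient addresses omitted) and applies the two rules from spam_blacklist.rules to the client IP of the most recent hop, which is what Julian says the From: IP rule checks. The rule semantics are an assumption made for the example (a pattern ending in "." is a dotted-prefix match, "default" matches everything, first match wins); the chain[1:] call simulates the message as it looked at the MailScanner hop, before the final 10.1.5.4 relay added its header.

```python
import email
import re

# Constructed sample: the Received chain quoted in the thread, as it sits in the
# mailbox (most recent hop first). Recipient addresses are omitted.
SAMPLE_MESSAGE = """\
Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4])
 by mmp.sipr-dc.ucl.ac.be (Sun Java(tm) System Messaging Server) with ESMTP;
 Thu, 31 Jan 2008 20:21:28 +0100 (CET)
Received: from smtp4.sgsi.ucl.ac.be (localhost.localdomain [127.0.0.1])
 by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP id 4C027EFA3D;
 Thu, 31 Jan 2008 20:21:38 +0100 (CET)
Received: from rssl2.mytravfolks.com (unknown [66.63.168.38])
 by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP;
 Thu, 31 Jan 2008 20:21:38 +0100 (CET)
Received: by rssl2.mytravfolks.com (qmail 412 by uid 77) id hk8fra01g741;
 Thu, 31 Jan 2008 14:19:07 -0500
From: Travel Offers <Travel-Offers@mytravfolks.com>
Subject: constructed sample

(body omitted)
"""

# The spam_blacklist.rules from the thread: (direction, pattern, value).
BLACKLIST_RULES = [
    ("From:", "66.63.168.", "yes"),
    ("FromOrTo:", "default", "no"),
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Client IP of each Received: header, most recent hop first.

    A hop whose header carries no bracketed IP (e.g. the local qmail
    injection at the bottom of the chain) yields None.
    """
    msg = email.message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips


def pattern_matches_ip(pattern, ip):
    """Assumed rule semantics for this example: 'default' matches everything,
    a pattern ending in '.' is a dotted-prefix match (66.63.168. covers
    66.63.168.0-255 but not 66.63.16.8), anything else must match exactly."""
    if pattern == "default":
        return True
    if ip is None:
        return False
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def rule_value_for_ip(rules, ip):
    """First matching From:/FromOrTo: rule wins; 'no' if nothing matches."""
    for direction, pattern, value in rules:
        if direction in ("From:", "FromOrTo:") and pattern_matches_ip(pattern, ip):
            return value
    return "no"


def last_hop_verdict(ips, rules):
    """What a check on the SMTP client of the *last* hop sees, i.e. the
    behaviour Julian describes for the From: IP rule."""
    if not ips:
        return None, "no"
    return ips[0], rule_value_for_ip(rules, ips[0])


def any_hop_verdict(ips, rules):
    """For contrast only: walk the chain from the oldest hop and report the
    first client IP the rules say 'yes' to. The thread does not say
    MailScanner does this; it just shows where the blacklisted address sits."""
    for ip in reversed(ips):
        if rule_value_for_ip(rules, ip) == "yes":
            return ip, "yes"
    return None, "no"


if __name__ == "__main__":
    chain = received_ips(SAMPLE_MESSAGE)
    print("hops (newest first):", chain)
    # As stored in the mailbox, the newest hop is the internal 10.1.5.4 relay.
    print("last hop, mailbox copy:  ", last_hop_verdict(chain, BLACKLIST_RULES))
    # At the MailScanner hop the newest header is the 127.0.0.1 re-injection
    # from the proxy filter, so drop the header added after MailScanner ran.
    print("last hop, at MailScanner:", last_hop_verdict(chain[1:], BLACKLIST_RULES))
    print("blacklisted IP in chain: ", any_hop_verdict(chain, BLACKLIST_RULES))
```

Run it with `python3` and the mailbox copy evaluates to ("10.1.5.4", "no") while the copy as it stood at the MailScanner hop evaluates to ("127.0.0.1", "no"); the 66.63.168.38 client only appears one hop further back, which is why a last-hop rule never fires when a local pre-filter re-injects the mail over loopback. Whether the 127.0.0.1 hop is what MailScanner actually saw in Pascal's setup is exactly what the thread leaves open.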

