"Is Definitely Spam" rule not working ?

Julian Field MailScanner at ecs.soton.ac.uk
Tue Feb 5 18:01:36 GMT 2008





Glenn Steen wrote:
> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>   
>> On 05 Feb 08, at 12:31, Glenn Steen wrote:
>>
>>     
>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>>>       
>>>> On 05 Feb 08, at 09:45, Glenn Steen wrote:
>>>>
>>>>         
>>>>> On 05/02/2008, Glenn Steen <glenn.steen at gmail.com> wrote:
>>>>>           
>>>>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>>>>>>             
>>>>> (snip)
>>>>>           
>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
>>>>>>> takes it and puts it back into the Postfix queue.
>>>>>>>
>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule
>>>>>>> working :
>>>>>>>
>>>>>>> Feb  5 09:21:07 smtp-1 MailScanner[14880]: Message
>>>>>>> E8686E9102.A7655
>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be at spamassassin.apache.org
>>>>>>> ) is whitelisted
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>               
>>>>>> Anything happening to the message _after_ MailScanner doesn't have any
>>>>>> impact on your problem... What happens before though... You have to
>>>>>> make sure that your SA trust_path is OK, and all should be well. Why
>>>>>> do you use the ClamSMTP thing at all?
>>>>>>
>>>>>> Cheers
>>>>>>             
>>>>> Oh, sorry, not an SA issue... Still, the last client to handle this is
>>>>> the clamsmtp thing, which might just be the problem.
>>>>> Again, why do you use that? Theoretically MailScanner (through the
>>>>> batching, and using either clamavmodule or clamd) should be more
>>>>> efficient and less likely to be able to be DoS'd... That
>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
>>>>>
>>>>> Cheers
>>>>> --
>>>>> -- Glenn
>>>>> email: glenn < dot > steen < at > gmail < dot > com
>>>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>>>           
>>>> One advantage of using ClamSMTP is the rejection of the worm at
>>>> connection time.
>>>> As we receive a lot of mail per day, it's not negligible.
>>>>         
>>> No, but then neither is the resource drain;-).
>>>
>>>       
>>>> As MailScanner is using McAfee, we have two different AV to check the
>>>> messages.
>>>>         
>>> Prudent, but did you look at processing times etc for the "all MS"
>>> case?
>>> Sure, the real killer is likely SA, and the ClamSMTP thing will
>>> avoid that...
>>> I wonder if the clamav milter would be a "nicer" solution, avoiding
>>> your current problem...
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>> --
>>>       
>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
>> what happens.
>> All the clientip are 127.0.0.1 :-(
>>
>> Whitelisting is working because the check is done on the From address
>> and not on the client IP.
>> The blacklisting, in that case, doesn't work because it's an IP address.
>>
>> So, we can't use before-filter with Postfix and MailScanner and hope
>> that the white or black listing will work with IP addresses even if we
>> use the smtpd_authorized_xforward_hosts.
>>
>> Is that right ?
>>     
>
> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
> loopback when determining the ip... Perhaps a bit like SA does it
> (with the trust thing).
>   
I can't do that. MailScanner directly reads the IP address of the TCP/IP 
connection source, it doesn't involve looking at the headers of the 
message at all.
>   
>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
>> posted on the postfix list also) ?
>>     
> Good question. Perhaps one (Jules) could use that...:).
> BTW, wear your asbestos underwear when telling the pf-list your
> problem... they seriously dislike MS... still...:(.
>   
Don't expect to get anything useful from the Postfix list about MailScanner.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
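
Added example, not part of the original message and not MailScanner code: a small Python audit of the situation described in the thread, where every message reaches MailScanner from 127.0.0.1 and an IP-based rule therefore never matches. The log and rule lines are constructed samples; the three-column rule layout and the names `parse_ip` and `audit` are assumptions, and only full addresses or CIDR patterns are recognised as IP rules.

```python
import ipaddress
import re

# Constructed log lines, modelled on the "Message ... from <ip> (...)" line quoted in the thread.
SAMPLE_LOG = """\
Feb  5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655 from 127.0.0.1 (list-bounce@example.org) is whitelisted
Feb  5 09:21:09 smtp-1 MailScanner[14880]: Message 1A2B3C4D5E.B1234 from 127.0.0.1 (sender@example.net) is whitelisted
"""

# Constructed rules; the "direction pattern value" column layout is an assumption.
SAMPLE_RULES = """\
From:      66.63.168.38     yes
From:      *@example.org    yes
FromOrTo:  default          no
"""

LOG_RE = re.compile(r"MailScanner\[\d+\]: Message \S+ from (\S+) \(")


def parse_ip(text, network=False):
    """Return an ipaddress object, or None if text is not an IP (or CIDR) literal."""
    try:
        if network:
            return ipaddress.ip_network(text, strict=False)
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def audit(log_text, rules_text):
    """Report whether logged client IPs are all loopback and which IP rules never matched."""
    parsed = (parse_ip(m.group(1)) for m in LOG_RE.finditer(log_text))
    clients = [ip for ip in parsed if ip is not None]
    nets = []
    for line in rules_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        net = parse_ip(fields[1], network=True) if len(fields) >= 3 else None
        if net is not None:  # address patterns and "default" are skipped here
            nets.append(net)
    return {
        "messages": len(clients),
        "all_loopback": bool(clients) and all(ip.is_loopback for ip in clients),
        "ip_rules_never_matched": [str(n) for n in nets if not any(ip in n for ip in clients)],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_RULES))
```
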


