"Is Definitely Spam" rule not working?

Julian Field MailScanner at ecs.soton.ac.uk
Fri Feb 8 16:54:29 GMT 2008



Glenn Steen wrote:
> On 05/02/2008, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>>
>> Glenn Steen wrote:
>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>>>
>>>> On 05-Feb-08 at 12:31, Glenn Steen wrote:
>>>>
>>>>
>>>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>>>>>
>>>>>> On 05-Feb-08 at 09:45, Glenn Steen wrote:
>>>>>>
>>>>>>
>>>>>>> On 05/02/2008, Glenn Steen <glenn.steen at gmail.com> wrote:
>>>>>>>
>>>>>>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>>>>>>>>
>>>>>>> (snip)
>>>>>>>
>>>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
>>>>>>>>> takes it and puts it back into the Postfix queue.
>>>>>>>>>
>>>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
>>>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule
>>>>>>>>> working :
>>>>>>>>>
>>>>>>>>> Feb  5 09:21:07 smtp-1 MailScanner[14880]: Message E8686E9102.A7655
>>>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be at spamassassin.apache.org) is whitelisted
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>> Anything happening to the message _after_ MailScanner doesn't have
>>>>>>>> any impact on your problem... What happens before though... You have
>>>>>>>> to make sure that your SA trust_path is OK, and all should be well.
>>>>>>>> Why do you use the ClamSMTP thing at all?
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>> Oh, sorry, not an sa issue... Still, the last client to handle
>>>>>>> this is the clamsmtp thing, which might just be the problem.
>>>>>>> Again, why do you use that? Theoretically MailScanner (through the
>>>>>>> batching, and using either clamavmodule or clamd) should be more
>>>>>>> efficient and less likely to be able to be DoS'd... That
>>>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
>>>>>>>
>>>>>>> Cheers
>>>>>>> --
>>>>>>> -- Glenn
>>>>>>> email: glenn < dot > steen < at > gmail < dot > com
>>>>>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>>>>>
>>>>>> One advantage of using ClamSMTP is the reject of the worm at the
>>>>>> connection time.
>>>>>> As we receive a lot of mail per day, it's not negligible.
>>>>>>
>>>>> No, but then neither is the resource drain;-).
>>>>>
>>>>>
>>>>>> As MailScanner is using McAfee, we have two different AV to check the
>>>>>> messages.
>>>>>>
>>>>> Prudent, but did you look at processing times etc for the "all MS"
>>>>> case?
>>>>> Sure, the real killer is likely SA, and the ClamSMTP thing will
>>>>> avoid that...
>>>>> I wonder if the clamav milter would be a "nicer" solution, avoiding
>>>>> your current problem...
>>>>>
>>>>> Cheers
>>>>> --
>>>>> -- Glenn
>>>>> email: glenn < dot > steen < at > gmail < dot > com
>>>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>>> --
>>>>>
>>>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
>>>> what happens.
>>>> All the clientip are 127.0.0.1 :-(
>>>>
>>>> Whitelisting is working because the check is done on the From address
>>>> and not on the client IP.
>>>> The blacklisting, in that case doesn't work because it's an IP address.
>>>>
>>>> So, we can't use before-filter with Postfix and MailScanner and hope
>>>> that the white or black listing will work with IP addresses even if we
>>>> use the smtpd_authorized_xforward_hosts.
>>>>
>>>> Is that right?
>>>>
>>> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
>>> loopback when determining the ip... Perhaps a bit like SA does it
>>> (with the trust thing).
>>>
>> I can't do that. MailScanner directly reads the IP address of the TCP/IP
>> connection source, it doesn't involve looking at the headers of the
>> message at all.
>>>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
>>>> posted on the postfix list also)?
>>>>
>>> Good question. Perhaps one (Jules) could use that...:).
>>> BTW, wear your asbestos underwear when telling the pf-list your
>>> problem... they seriously dislike MS... still...:(.
>>>
>> Don't expect to get anything useful from the Postfix list about MailScanner.
>>
>> Jules
>>
> Um, Jules... What about the clientip read from Received line in
> Postfix.pm (ReadQf, the third loop... If I counted things right...:-)?
> Isn't that what you use, and where one could possibly ... munge it? A
> bit like the BarricadeMX fixup, to get at the real sending server IP?
Are you talking about this bit of code?
If it's 127.0.0.1 then I could choose to ignore it and pick up the next 
one. What's the IPv6 equivalent address that I'll see in the header?

      # Walk the Received: headers; the first bracketed address literal wins.
      if (!$IPFound && $recdata =~ /^Received: .+\[(\d+\.\d+\.\d+\.\d+)\]/i) {
        # It is an IPv4 address
        $message->{clientip} = $1;
        $IPFound = 1;
      } elsif (!$IPFound && $recdata =~ /^Received: .+\[([\dabcdef.:]+)\]/i) {
        # It is an IPv6 address
        $message->{clientip} = $1;
        $IPFound = 1;
      } elsif (!$IPFound && $recdata =~ /^Received: .+\(Postfix/i) {
        # No address literal but a Postfix hop: spoof local sender from localhost
        $message->{clientip} = '127.0.0.1';
        $IPFound = 1;
      }

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
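An added example, not MailScanner's own code, of the "skip the loopback hop and pick up the next one" idea Jules raises above, written against the same Received: patterns as the quoted ReadQf loop. It assumes Postfix writes IPv6 literals as [IPv6:...] and treats ::1 (plus IPv4-mapped ::ffff:127.x.y.z) as the IPv6 loopback spelling Jules asks about.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's code: walk the Received: headers top-down
# like the ReadQf loop quoted above, but skip loopback hops so the content
# filter's re-injection via 127.0.0.1 does not hide the real client IP that
# "Is Definitely Spam" IP rules need. Assumes Postfix writes IPv6 literals as
# [IPv6:...], and treats 127.0.0.0/8, ::1 and ::ffff:127.x.y.z as loopback.
use strict;
use warnings;

# True when a bracketed address is a loopback address in any common spelling.
sub is_loopback {
    my ($ip) = @_;
    return 1 if $ip =~ /^127\.\d+\.\d+\.\d+$/;          # 127.0.0.0/8
    return 1 if $ip =~ /^[0:]*:[0:]*1$/;                 # ::1, 0:0:0:0:0:0:0:1
    return 1 if $ip =~ /^::ffff:127\.\d+\.\d+\.\d+$/i;   # IPv4-mapped loopback
    return 0;
}

# Return the first non-loopback address found in the Received: headers, or
# undef when every hop is loopback (the caller can then fall back to
# 127.0.0.1, exactly as the quoted ReadQf code does for "(Postfix" lines).
sub client_ip_from_received {
    my (@received) = @_;
    for my $recdata (@received) {
        # Same bracketed-address patterns as the quoted code, IPv4 first
        my ($ip) = $recdata =~ /^Received: .+\[(\d+\.\d+\.\d+\.\d+)\]/i;
        ($ip) = $recdata =~ /^Received: .+\[(?:IPv6:)?([\dabcdef.:]+)\]/i
            unless defined $ip;
        next unless defined $ip;        # no address literal on this hop
        next if is_loopback($ip);       # filter re-injection, keep looking
        return $ip;
    }
    return;
}

# Constructed headers for a Postfix before-filter setup: the newest hop is the
# filter handing the message back over loopback, the one below it is the real
# sending host (192.0.2.25 is a documentation address, queue ids are made up).
my @received = (
    'Received: from localhost (localhost [127.0.0.1]) by smtp-1 (Postfix) with ESMTP id QUEUEID1',
    'Received: from mx.example.org (mx.example.org [192.0.2.25]) by smtp-1 (Postfix) with ESMTP id QUEUEID2',
);
my $ip = client_ip_from_received(@received);
printf "clientip = %s\n", defined $ip ? $ip : '127.0.0.1 (all hops loopback)';
```

With the constructed headers the loopback hop is passed over and 192.0.2.25 is reported, so an IP-based "Is Definitely Spam" rule would see the sending host rather than the filter.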



