"Is Definitely Spam" rule not working ?

Glenn Steen glenn.steen at gmail.com
Fri Feb 8 18:51:09 GMT 2008


On 08/02/2008, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Glenn Steen wrote:
> > On 05/02/2008, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >>
> >> Glenn Steen wrote:
> >>
> >>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >>>
> >>>
> >>>> On 05-Feb-08 at 12:31, Glenn Steen wrote:
> >>>>
> >>>>
> >>>>
> >>>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >>>>>
> >>>>>
> >>>>>> On 05-Feb-08 at 09:45, Glenn Steen wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On 05/02/2008, Glenn Steen <glenn.steen at gmail.com> wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>> On 05/02/2008, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>> (snip)
> >>>>>>>
> >>>>>>>
> >>>>>>>>> Then Postfix puts the message in the HOLD queue where MailScanner
> >>>>>>>>> takes it and puts it back into the Postfix queue.
> >>>>>>>>>
> >>>>>>>>> I'm pretty sure that MailScanner should see the 66.63.168.38 IP
> >>>>>>>>> address otherwise why is the "Is Definitely Not Spam" rule
> >>>>>>>>> working :
> >>>>>>>>>
> >>>>>>>>> Feb  5 09:21:07 smtp-1 MailScanner[14880]: Message
> >>>>>>>>> E8686E9102.A7655
> >>>>>>>>> from 127.0.0.1 (users-return-66855-pascal.maes=elec.ucl.ac.be at spamassassin.apache.org
> >>>>>>>>> ) is whitelisted
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Regards
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>> Anything happening to the message _after_ MailScanner doesn't have
> >>>>>>>> any impact on your problem... What happens before though... You have
> >>>>>>>> to make sure that your SA trust_path is OK, and all should be well.
> >>>>>>>> Why do you use the ClamSMTP thing at all?
> >>>>>>>>
> >>>>>>>> Cheers
> >>>>>>>>
> >>>>>>>>
> >>>>>>> Oh, sorry, not an SA issue... Still, the last client to handle
> >>>>>>> this is
> >>>>>>> the clamsmtp thing, which might just be the problem.
> >>>>>>> Again, why do you use that? Theoretically MailScanner (through the
> >>>>>>> batching, and using either clamavmodule or clamd) should be more
> >>>>>>> efficient and less likely to be able to be DoS'd... That
> >>>>>>> "not-really-part-of-SMTP-flow insulation" is ... golden.
> >>>>>>>
> >>>>>>> Cheers
> >>>>>>> --
> >>>>>>> -- Glenn
> >>>>>>> email: glenn < dot > steen < at > gmail < dot > com
> >>>>>>> work: glenn < dot > steen < at > ap1 < dot > se
> >>>>>>>
> >>>>>>>
> >>>>>> One advantage of using ClamSMTP is the reject of the worm at the
> >>>>>> connection time.
> >>>>>> As we receive a lot of mail per day, it's not negligible.
> >>>>>>
> >>>>>>
> >>>>> No, but then neither is the resource drain;-).
> >>>>>
> >>>>>
> >>>>>
> >>>>>> As MailScanner is using McAfee, we have two different AV to check the
> >>>>>> messages.
> >>>>>>
> >>>>>>
> >>>>> Prudent, but did you look at processing times etc for the "all MS"
> >>>>> case?
> >>>>> Sure, the real killer is likely SA, and the ClamSMTP thing will
> >>>>> avoid that...
> >>>>> I wonder if the clamav milter would be a "nicer" solution, avoiding
> >>>>> your current problem...
> >>>>>
> >>>>> Cheers
> >>>>> --
> >>>>> -- Glenn
> >>>>> email: glenn < dot > steen < at > gmail < dot > com
> >>>>> work: glenn < dot > steen < at > ap1 < dot > se
> >>>>> --
> >>>>>
> >>>>>
> >>>> OK, I have included some MailScanner::Log::InfoLog in Config.pm to see
> >>>> what happens.
> >>>> All the clientip are 127.0.0.1 :-(
> >>>>
> >>>> Whitelisting is working because the check is done on the From address
> >>>> and not on the client IP.
> >>>> The blacklisting, in that case doesn't work because it's an IP address.
> >>>>
> >>>> So, we can't use before-filter with Postfix and MailScanner and hope
> >>>> that the white or black listing will work with IP addresses even we
> >>>> use the smtpd_authorized_xforward_hosts.
> >>>>
> >>>> Is that right ?
> >>>>
> >>>>
> >>> Yes, AFAICS. Unless we ask Jules nicely to facilitate "disregarding"
> >>> loopback when determining the ip... Perhaps a bit like SA does it
> >>> (with the trust thing).
> >>>
> >>>
> >> I can't do that. MailScanner directly reads the IP address of the TCP/IP
> >> connection source, it doesn't involve looking at the headers of the
> >> message at all.
> >>
> >>>> If yes, what's the use of smtpd_authorized_xforward_hosts (to be
> >>>> posted on the postfix list also) ?
> >>>>
> >>>>
> >>> Good question. Perhaps one (Jules) could use that...:).
> >>> BTW, wear your asbestos underwear when telling the pf-list your
> >>> problem... they seriously dislike MS... still...:(.
> >>>
> >>>
> >> Don't expect to get anything useful from the Postfix list about MailScanner.
> >>
> >> Jules
> >>
> >>
> > Um, Jules... What about the clientip read from Received line in
> > Postfix.pm (ReadQf, the third loop... If I counted things right...:-)?
> > Isn't that what you use, and where one could possibly ... munge it? A
> > bit like the BarricadeMX fixup, to get at the real sending server IP?
> >
> Are you talking about this bit of code?
> If it's 127.0.0.1 then I could choose to ignore it and pick up the next
> one. What's the IPv6 equivalent address that I'll see in the header?
>
>       if (!$IPFound && $recdata =~ /^Received: .+\[(\d+\.\d+\.\d+\.\d+)\]/i) {
>         $message->{clientip} = $1;
>         $IPFound = 1;
>       } elsif (!$IPFound && $recdata =~ /^Received: .+\[([\dabcdef.:]+)\]/i) {
>         # It is an IPv6 address
>         $message->{clientip} = $1;
>         $IPFound = 1;
>       } elsif (!$IPFound && $recdata =~ /^Received: .+\(Postfix/i) {
>         $message->{clientip} = '127.0.0.1';  # spoof local sender from localhost
>         $IPFound = 1;
>       }

Yep, that it is.... IPv6 would be something like :::FFF.... wouldn't
it:-). Sorry, I'm slightly tipsy (Champagne, no less!) after a hellish
week. Head not screwed on rightly:-)

I'd think this'd best be a settable thing (remove or not), since we
can't do the same type of blanket assumptions as you can with
BarricadeMX (that it is a "SMTP pre-filter" adding the line... or can
we?)...

> Jules
>

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
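The header walk discussed in this thread, as an added Python example that is not MailScanner's own code: it mirrors the three Perl branches from Postfix.pm, steps over a loopback relay the way Glenn proposes (including the IPv6 loopback forms), and only does so within the Received: lines written by our own MTA, since deeper lines come from remote servers and can be forged. The Received: lines, host names and addresses are constructed, and `trusted_hops=2` is an assumption matching a one-hop before-filter setup.

```python
import ipaddress
import re

# Constructed Received: trail, topmost first, as a Postfix before-filter leaves
# it: the pre-filter re-injects via localhost, so the real client is one line down.
RECEIVED_LINES = [
    "Received: from localhost (localhost [127.0.0.1]) by smtp-1.example.org (Postfix) with ESMTP id E8686E9102",
    "Received: from mail.example.net (mail.example.net [192.0.2.38]) by smtp-1.example.org (Postfix) with ESMTP id 1234ABCD",
    "Received: from [2001:db8::10] by mail.example.net with ESMTP",  # added by a remote host
]

# The same three patterns as the Perl in Postfix.pm, tried in the same order.
IPV4_RE = re.compile(r"^Received:.+\[(\d+\.\d+\.\d+\.\d+)\]", re.I)
IPV6_RE = re.compile(r"^Received:.+\[([\dabcdef.:]+)\]", re.I)
POSTFIX_RE = re.compile(r"^Received: .+\(Postfix", re.I)

def relay_ip(recdata):
    """Return the relay address one Received: line names, or None."""
    m = IPV4_RE.search(recdata) or IPV6_RE.search(recdata)
    if m:
        return m.group(1)
    if POSTFIX_RE.search(recdata):
        return "127.0.0.1"  # Postfix line without an address: local submission
    return None

def is_loopback(ip_text):
    """True for 127/8, ::1 and the IPv4-mapped form ::ffff:127.x.y.z."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback

def client_ip(received_lines, trusted_hops=2, skip_loopback=True):
    """Pick the client IP, optionally stepping over a loopback pre-filter hop.
    Only the topmost `trusted_hops` lines were added by our own MTA; deeper
    lines come from remote servers and can be forged, so never read past them.
    """
    first_found = None
    for recdata in received_lines[:trusted_hops]:
        ip = relay_ip(recdata)
        if ip is None:
            continue
        first_found = first_found or ip
        if skip_loopback and is_loopback(ip):
            continue  # re-injected by the pre-filter; look one hop further
        return ip
    return first_found  # every trusted hop was loopback: genuinely local mail
```

With `skip_loopback=False` the result is the 127.0.0.1 that Pascal saw in his logs; with it enabled the blacklist rule gets the real client address.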