domain not scanned

Tue Nov 11 12:01:48 GMT 2008

2008/11/11 Martin Hepworth <maxsec at gmail.com>:
> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>>> 2008/11/10 Martin Hepworth <maxsec at gmail.com>:
>>>> 2008/11/10 Simon Jones <simonmjones at gmail.com>:
>>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo.
>>>>>
>>>>> i have a domain that seems to be being excluded from the spam scan -
>>>>> virus scanning is OK though.  i've check
>>>>> /etc/MailScanner/scan.messages.rules and its not listed in there.  the
>>>>> recipient and transport tables are good - what else could cause this?
>>>>> all other domains are being scanned and everything's working fine.
>>>>>
>>>>> cheers
>>>>>
>>>>> Si
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>
>>>> whitelisted in the SA config? Are you putting all SA scores etc in all
>>>> emails so can see what's going on?
>>>>
>>>> --
>>>> Martin Hepworth
>>>> Oxford, UK
>>>> --
>>>
>> Morning chaps,
>>
>> a bit more info - this was working OK and domain has been successfully
>> scanned for a number of months but it stopped scanning over the
>> weekend.  Its a distributed setup (3 servers + db) and it appears that
>> all servers are dropping the domain from the scan.  S/A scores are
>> zero on all scans, there's nothing whitelisted that I can see, I run
>> MailWatch and the messages for this domain are all classed as clean.
>> The only time i've seen this before is when the domain is listed in
>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed
>> in this case though.
>>
>> MailScanner --to @tbanda.co.uk or to MailScanner --to
>> user at tbanda.co.uk doesn't return anything at all on any of the nodes.
>> It seems to be affecting this domain globally but for no apparent
>> reason, all others are OK though.
>> Domains are stored in a mysql db as are transport maps and users,
>> postfix reads from the (seperate) db without any problems.
>>
>> I can't see anything in maillog of relevance and a spamassassin -D
>> --lint doesn't show any problems, anywhere else i can look?
>>
>> cheers,
>>
>> Si
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
> Simon
>
> Ok so you're definitely getting MS headers in the emails that aren't
> scanned, and you're seeing a zero score in the headers (not just
> mailwatch)??
>
> I presume you have these set in MailScanner.conf so you can see what's
> happening?
>
> Always Include SpamAssassin Report = yes
> Spam Score Number Format = yes
> SpamScore Number Instead Of Stars = yes
>
> any timeouts in the logs for these emails?
>
> have you tried running a sample set in debug mode?
>
> --
> Martin Hepworth
> Oxford, UK
> --

Hi Martin,

just a zero score, here's an example from maillog;

 cat /var/log/maillog | grep 1B6906814F1.E8158
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
1B6906814F1.E8158 to D27525C0302
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message
1B6906814F1.E8158 to SQL
Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158:
Logged to MailWatch SQL

[root at server postfix]# cat /var/log/maillog | grep D27525C0302
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
1B6906814F1.E8158 to D27525C0302
Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302:
from=<t.walsh at tbanda.co.uk>, size=2566, nrcpt=1 (queue active)
Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302:
to=<t.walsh at tbanda.co.uk>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed

you can see it gets passed from mailscanner to the postfix queue
manager before being sent which I guess is all normal.

Always include.. was set to "no" so I changed this to "yes", the
others look ok with the spam score number being %d

No time-outs that I can see, I haven't really done anything in debug
other than stop the service then restart in debug but everything
looked OK, the fact that this only appears to affect one domain (there
are about 300 on the system) is the strange part.  Could it be
something in SpamAssassin's cache?  I've checked user configured
black/white lists and that looks OK, 3 whitelist entries and 50 or so
blacklists, nothing abnormal though.  Where can I find the docs for
"running a sample set in debug mode?"

Simon