domain not scanned

Julian Field MailScanner at ecs.soton.ac.uk
Tue Nov 11 12:19:24 GMT 2008 


Simon Jones wrote:
> 2008/11/11 Martin Hepworth <maxsec at gmail.com>:
>   
>> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>>     
>>> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>>>       
>>>> 2008/11/10 Martin Hepworth <maxsec at gmail.com>:
>>>>         
>>>>> 2008/11/10 Simon Jones <simonmjones at gmail.com>:
>>>>>           
>>>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo.
>>>>>>
>>>>>> i have a domain that seems to be being excluded from the spam scan -
>>>>>> virus scanning is OK though.  i've check
>>>>>> /etc/MailScanner/scan.messages.rules and its not listed in there.  the
>>>>>> recipient and transport tables are good - what else could cause this?
>>>>>> all other domains are being scanned and everything's working fine.
>>>>>>
>>>>>> cheers
>>>>>>
>>>>>> Si
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>             
>>>>> whitelisted in the SA config? Are you putting all SA scores etc in all
>>>>> emails so can see what's going on?
>>>>>
>>>>> --
>>>>> Martin Hepworth
>>>>> Oxford, UK
>>>>> --
>>>>>           
>>> Morning chaps,
>>>
>>> a bit more info - this was working OK and domain has been successfully
>>> scanned for a number of months but it stopped scanning over the
>>> weekend.  Its a distributed setup (3 servers + db) and it appears that
>>> all servers are dropping the domain from the scan.  S/A scores are
>>> zero on all scans, there's nothing whitelisted that I can see, I run
>>> MailWatch and the messages for this domain are all classed as clean.
>>> The only time i've seen this before is when the domain is listed in
>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed
>>> in this case though.
>>>
>>> MailScanner --to @tbanda.co.uk or to MailScanner --to
>>> user at tbanda.co.uk doesn't return anything at all on any of the nodes.
>>> It seems to be affecting this domain globally but for no apparent
>>> reason, all others are OK though.
>>> Domains are stored in a mysql db as are transport maps and users,
>>> postfix reads from the (seperate) db without any problems.
>>>
>>> I can't see anything in maillog of relevance and a spamassassin -D
>>> --lint doesn't show any problems, anywhere else i can look?
>>>
>>> cheers,
>>>
>>> Si
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>       
>> Simon
>>
>> Ok so you're definitely getting MS headers in the emails that aren't
>> scanned, and you're seeing a zero score in the headers (not just
>> mailwatch)??
>>
>> I presume you have these set in MailScanner.conf so you can see what's
>> happening?
>>
>> Always Include SpamAssassin Report = yes
>> Spam Score Number Format = yes
>> SpamScore Number Instead Of Stars = yes
>>
>> any timeouts in the logs for these emails?
>>
>> have you tried running a sample set in debug mode?
>>
>> --
>> Martin Hepworth
>> Oxford, UK
>> --
>>     
>
> Hi Martin,
>
> just a zero score, here's an example from maillog;
>
>  cat /var/log/maillog | grep 1B6906814F1.E8158
> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
> 1B6906814F1.E8158 to D27525C0302
> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message
> 1B6906814F1.E8158 to SQL
> Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158:
> Logged to MailWatch SQL
>
> [root at server postfix]# cat /var/log/maillog | grep D27525C0302
> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
> 1B6906814F1.E8158 to D27525C0302
> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302:
> from=<t.walsh at tbanda.co.uk>, size=2566, nrcpt=1 (queue active)
> Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302:
> to=<t.walsh at tbanda.co.uk>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
> delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed
>
> you can see it gets passed from mailscanner to the postfix queue
> manager before being sent which I guess is all normal.
>
> Always include.. was set to "no" so I changed this to "yes", the
> others look ok with the spam score number being %d
>
> No time-outs that I can see, I haven't really done anything in debug
> other than stop the service then restart in debug but everything
> looked OK, the fact that this only appears to affect one domain (there
> are about 300 on the system) is the strange part.  Could it be
> something in SpamAssassin's cache?  I've checked user configured
> black/white lists and that looks OK, 3 whitelist entries and 50 or so
> blacklists, nothing abnormal though.  Where can I find the docs for
> "running a sample set in debug mode?"
>   
V. simple. Running "MailScanner --debug" will run one batch of messages 
through then stop. See if it prints anything untoward. Check 
"MailScanner --lint" as well.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list