domain not scanned

Simon Jones simonmjones at gmail.com
Tue Nov 11 12:53:54 GMT 2008 

2008/11/11 Julian Field <MailScanner at ecs.soton.ac.uk>:
>
>
> Simon Jones wrote:
>>
>> 2008/11/11 Martin Hepworth <maxsec at gmail.com>:
>>
>>>
>>> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>>>
>>>>
>>>> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>>>>
>>>>>
>>>>> 2008/11/10 Martin Hepworth <maxsec at gmail.com>:
>>>>>
>>>>>>
>>>>>> 2008/11/10 Simon Jones <simonmjones at gmail.com>:
>>>>>>
>>>>>>>
>>>>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling
>>>>>>> at the mo.
>>>>>>>
>>>>>>> i have a domain that seems to be being excluded from the spam scan -
>>>>>>> virus scanning is OK though.  i've check
>>>>>>> /etc/MailScanner/scan.messages.rules and its not listed in there.
>>>>>>>  the
>>>>>>> recipient and transport tables are good - what else could cause this?
>>>>>>> all other domains are being scanned and everything's working fine.
>>>>>>>
>>>>>>> cheers
>>>>>>>
>>>>>>> Si
>>>>>>> --
>>>>>>> MailScanner mailing list
>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>
>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>
>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> whitelisted in the SA config? Are you putting all SA scores etc in all
>>>>>> emails so can see what's going on?
>>>>>>
>>>>>> --
>>>>>> Martin Hepworth
>>>>>> Oxford, UK
>>>>>> --
>>>>>>
>>>>
>>>> Morning chaps,
>>>>
>>>> a bit more info - this was working OK and domain has been successfully
>>>> scanned for a number of months but it stopped scanning over the
>>>> weekend.  Its a distributed setup (3 servers + db) and it appears that
>>>> all servers are dropping the domain from the scan.  S/A scores are
>>>> zero on all scans, there's nothing whitelisted that I can see, I run
>>>> MailWatch and the messages for this domain are all classed as clean.
>>>> The only time i've seen this before is when the domain is listed in
>>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed
>>>> in this case though.
>>>>
>>>> MailScanner --to @tbanda.co.uk or to MailScanner --to
>>>> user at tbanda.co.uk doesn't return anything at all on any of the nodes.
>>>>
>
> That's because you're not asking it to work out anything.
> MailScanner --to user at tbanda.co.uk --value=scanmessages
> should print something. Try that for other MailScanner.conf options you want
> to check.
>
>>>> It seems to be affecting this domain globally but for no apparent
>>>> reason, all others are OK though.
>>>> Domains are stored in a mysql db as are transport maps and users,
>>>> postfix reads from the (seperate) db without any problems.
>>>>
>>>> I can't see anything in maillog of relevance and a spamassassin -D
>>>> --lint doesn't show any problems, anywhere else i can look?
>>>>
>>>> cheers,
>>>>
>>>> Si
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> Simon
>>>
>>> Ok so you're definitely getting MS headers in the emails that aren't
>>> scanned, and you're seeing a zero score in the headers (not just
>>> mailwatch)??
>>>
>>> I presume you have these set in MailScanner.conf so you can see what's
>>> happening?
>>>
>>> Always Include SpamAssassin Report = yes
>>> Spam Score Number Format = yes
>>> SpamScore Number Instead Of Stars = yes
>>>
>>> any timeouts in the logs for these emails?
>>>
>>> have you tried running a sample set in debug mode?
>>>
>>> --
>>> Martin Hepworth
>>> Oxford, UK
>>> --
>>>
>>
>> Hi Martin,
>>
>> just a zero score, here's an example from maillog;
>>
>>  cat /var/log/maillog | grep 1B6906814F1.E8158
>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
>> 1B6906814F1.E8158 to D27525C0302
>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message
>> 1B6906814F1.E8158 to SQL
>> Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158:
>> Logged to MailWatch SQL
>>
>> [root at server postfix]# cat /var/log/maillog | grep D27525C0302
>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
>> 1B6906814F1.E8158 to D27525C0302
>> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302:
>> from=<t.walsh at tbanda.co.uk>, size=2566, nrcpt=1 (queue active)
>> Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302:
>> to=<t.walsh at tbanda.co.uk>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
>> delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
>> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed
>>
>> you can see it gets passed from mailscanner to the postfix queue
>> manager before being sent which I guess is all normal.
>>
>> Always include.. was set to "no" so I changed this to "yes", the
>> others look ok with the spam score number being %d
>>
>> No time-outs that I can see, I haven't really done anything in debug
>> other than stop the service then restart in debug but everything
>> looked OK, the fact that this only appears to affect one domain (there
>> are about 300 on the system) is the strange part.  Could it be
>> something in SpamAssassin's cache?  I've checked user configured
>> black/white lists and that looks OK, 3 whitelist entries and 50 or so
>> blacklists, nothing abnormal though.  Where can I find the docs for
>> "running a sample set in debug mode?"
>>
>> Simon
>>
>
> Jules
>
> --
Aah, thanks Jules - this looks ok?

 MailScanner --to user at tbanda.co.uk --value=scanmessages
Looked up internal option name "scanmail"
With sender =
  recipient = s.bunker at tbanda.co.uk
Client IP =
Virus =
Result is "1"

0=No 1=Yes

More information about the MailScanner mailing list