domain not scanned

Martin Hepworth maxsec at gmail.com
Tue Nov 11 13:25:31 GMT 2008


2008/11/11 Simon Jones <simonmjones at gmail.com>:
> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>> 2008/11/11 Julian Field <MailScanner at ecs.soton.ac.uk>:
>>>
>>>
>>> Simon Jones wrote:
>>>>
>>>> 2008/11/11 Martin Hepworth <maxsec at gmail.com>:
>>>>
>>>>>
>>>>> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>>>>>
>>>>>>
>>>>>> 2008/11/11 Simon Jones <simonmjones at gmail.com>:
>>>>>>
>>>>>>>
>>>>>>> 2008/11/10 Martin Hepworth <maxsec at gmail.com>:
>>>>>>>
>>>>>>>>
>>>>>>>> 2008/11/10 Simon Jones <simonmjones at gmail.com>:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling
>>>>>>>>> at the mo.
>>>>>>>>>
>>>>>>>>> i have a domain that seems to be being excluded from the spam scan -
>>>>>>>>> virus scanning is OK though.  i've checked
>>>>>>>>> /etc/MailScanner/scan.messages.rules and it's not listed in there.  the
>>>>>>>>> recipient and transport tables are good - what else could cause this?
>>>>>>>>> all other domains are being scanned and everything's working fine.
>>>>>>>>>
>>>>>>>>> cheers
>>>>>>>>>
>>>>>>>>> Si
>>>>>>>>> --
>>>>>>>>> MailScanner mailing list
>>>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>>
>>>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>>>
>>>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> whitelisted in the SA config? Are you putting all SA scores etc in all
>>>>>>>> emails so can see what's going on?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Martin Hepworth
>>>>>>>> Oxford, UK
>>>>>>>> --
>>>>>>>>
>>>>>>
>>>>>> Morning chaps,
>>>>>>
>>>>>> a bit more info - this was working OK and domain has been successfully
>>>>>> scanned for a number of months but it stopped scanning over the
>>>>>> weekend.  It's a distributed setup (3 servers + db) and it appears that
>>>>>> all servers are dropping the domain from the scan.  S/A scores are
>>>>>> zero on all scans, there's nothing whitelisted that I can see, I run
>>>>>> MailWatch and the messages for this domain are all classed as clean.
>>>>>> The only time i've seen this before is when the domain is listed in
>>>>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed
>>>>>> in this case though.
>>>>>>
>>>>>> MailScanner --to @tbanda.co.uk or to MailScanner --to
>>>>>> user at tbanda.co.uk doesn't return anything at all on any of the nodes.
>>>>>>
>>>
>>> That's because you're not asking it to work out anything.
>>> MailScanner --to user at tbanda.co.uk --value=scanmessages
>>> should print something. Try that for other MailScanner.conf options you want
>>> to check.
>>>
>>>>>> It seems to be affecting this domain globally but for no apparent
>>>>>> reason, all others are OK though.
>>>>>> Domains are stored in a mysql db as are transport maps and users,
>>>>>> postfix reads from the (separate) db without any problems.
>>>>>>
>>>>>> I can't see anything in maillog of relevance and a spamassassin -D
>>>>>> --lint doesn't show any problems, anywhere else i can look?
>>>>>>
>>>>>> cheers,
>>>>>>
>>>>>> Si
>>>>>
>>>>> Simon
>>>>>
>>>>> Ok so you're definitely getting MS headers in the emails that aren't
>>>>> scanned, and you're seeing a zero score in the headers (not just
>>>>> mailwatch)??
>>>>>
>>>>> I presume you have these set in MailScanner.conf so you can see what's
>>>>> happening?
>>>>>
>>>>> Always Include SpamAssassin Report = yes
>>>>> Spam Score Number Format = yes
>>>>> SpamScore Number Instead Of Stars = yes
>>>>>
>>>>> any timeouts in the logs for these emails?
>>>>>
>>>>> have you tried running a sample set in debug mode?
>>>>>
>>>>> --
>>>>> Martin Hepworth
>>>>> Oxford, UK
>>>>> --
>>>>>
>>>>
>>>> Hi Martin,
>>>>
>>>> just a zero score, here's an example from maillog;
>>>>
>>>>  cat /var/log/maillog | grep 1B6906814F1.E8158
>>>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
>>>> 1B6906814F1.E8158 to D27525C0302
>>>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message
>>>> 1B6906814F1.E8158 to SQL
>>>> Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158:
>>>> Logged to MailWatch SQL
>>>>
>>>> [root at server postfix]# cat /var/log/maillog | grep D27525C0302
>>>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
>>>> 1B6906814F1.E8158 to D27525C0302
>>>> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302:
>>>> from=<t.walsh at tbanda.co.uk>, size=2566, nrcpt=1 (queue active)
>>>> Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302:
>>>> to=<t.walsh at tbanda.co.uk>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
>>>> delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
>>>> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed
>>>>
>>>> you can see it gets passed from mailscanner to the postfix queue
>>>> manager before being sent which I guess is all normal.
>>>>
>>>> Always include.. was set to "no" so I changed this to "yes", the
>>>> others look ok with the spam score number being %d
>>>>
>>>> No time-outs that I can see, I haven't really done anything in debug
>>>> other than stop the service then restart in debug but everything
>>>> looked OK, the fact that this only appears to affect one domain (there
>>>> are about 300 on the system) is the strange part.  Could it be
>>>> something in SpamAssassin's cache?  I've checked user configured
>>>> black/white lists and that looks OK, 3 whitelist entries and 50 or so
>>>> blacklists, nothing abnormal though.  Where can I find the docs for
>>>> "running a sample set in debug mode?"
>>>>
>>>> Simon
>>>>
>>>
>>> Jules
>>>
>>> --
>> Aah, thanks Jules - this looks ok?
>>
>>  MailScanner --to user at tbanda.co.uk --value=scanmessages
>> Looked up internal option name "scanmail"
>> With sender =
>>  recipient = s.bunker at tbanda.co.uk
>> Client IP =
>> Virus =
>> Result is "1"
>>
>> 0=No 1=Yes
>>
>
> and here's the debug output...
>
> MailScanner --Debug
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> bayes: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied
>
> Building a message batch to scan...
> Have a batch of 3 messages.
> max message size is '40k'
> bayes: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied
>
> bayes: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied
>
> max message size is '40k'
> bayes: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied
>
> bayes: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied
>
> max message size is '40k'
> bayes: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied
>
> bayes: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied
>
> Stopping now as you are debugging me.
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> <CLIENT> line 118.
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> <CLIENT> line 118.

Simon

you need to run the debug as the postfix user really so it doesn't
give you problems with permissions.

a full debug "MailScanner --debug --debug-sa" might be useful.

Obviously make sure there's email in the queue relating to the domain
in question ;-)

-- 
Martin Hepworth
Oxford, UK
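
Added example, not part of the original post or of MailScanner: a small shell helper that condenses the repeated `bayes: locker` lines from the debug run quoted above into one line per lockfile, then shows who owns the directory it lives in, which is the permission question the reply raises. The function names and the embedded sample (copied from the quoted output) are constructed for illustration.

```shell
#!/bin/sh
# Summarise "Permission denied" lockfile failures in MailScanner debug output.
# Reads debug output on stdin, prints "<count> <path>" per distinct lockfile.
# Copes with the path being wrapped onto the next line, as in the mail above.
# Assumed usage on a live system: MailScanner --debug 2>&1 | lock_failures
lock_failures() {
  awk '
    function record(s) {
      if (s !~ /: Permission denied[ \t]*$/) return
      sub(/: Permission denied[ \t]*$/, "", s)
      sub(/^[ \t]+/, "", s)
      if (!(s in n)) order[++k] = s   # remember first-seen order
      n[s]++
    }
    /safe_lock: cannot create lockfile/ {
      rest = $0
      sub(/.*cannot create lockfile[ \t]*/, "", rest)
      if (rest == "") { pending = 1; next }   # path is on the next line
      record(rest); next
    }
    pending { pending = 0; record($0) }
    END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }
  '
}

# Constructed sample: lines taken from the debug output quoted in this thread,
# once in wrapped form and once as a single line.
sample_debug_output() {
  cat <<'EOF'
In Debugging mode, not forking...
bayes: locker: safe_lock: cannot create lockfile
/etc/MailScanner/bayes/bayes.mutex: Permission denied

Building a message batch to scan...
bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied
EOF
}

# For each failing lockfile, show the owner and mode of its directory so it
# can be compared with the user the debug run was started as.
sample_debug_output | lock_failures | while read -r count path; do
  dir=$(dirname "$path")
  echo "$count failure(s): $path"
  if [ -d "$dir" ]; then ls -ld "$dir"; fi
done
```
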

