Message rules don't work, but if message forwarded, it does???

Chris Barber cbarber at techquility.net
Wed Nov 19 17:08:37 GMT 2008


2008/11/6 Chris Barber <cbarber at techquility.net>:
>>
>>
>> Glenn,
>>
>> Thanks for the reply. You had me scared for a second there, but no,
>> there was no white listing going on. I verified the envelope
>> addresses. This issue seems to happen randomly at least a couple
>> times a day to some users.
>>
>> Any other ideas?
>>
>> Thanks,
>> Chris
>>
>>Didn't mean to scare you, just point at one (semi-obvious:-)
>>possibility....:-)
>>When it happens do you see anything ... curious .... in the logs?
>>Nothing about "Unscanned" messages or timeouts or suchlike?
>>Also... Tell a bit about versions etc, since this just might be a
>>known bug/issue...
>>
>>Cheers
>>--
>>-- Glenn
>>email: glenn < dot > steen < at > gmail < dot > com
>>work: glenn < dot > steen < at > ap1 < dot > se
>
>
> I don't see anything unusual in the logs. No timeouts and nothing
> about unscanned that I can see. MailScanner processes the message
> normally it seems.
>
> It gets an SA score, but the only rules that hit are:
> 0.10 BAYES_50 Bayesian spam probability is 40 to 60%
> 0.00 HTML_MESSAGE HTML included in message
> -0.00 SPF_PASS SPF: sender matches SPF record
>
> Then when the same message is forwarded to me from the user, (Through
> the same MailScanner server) the rule hits show:
> -0.74 BAYES_20 Bayesian spam probability is 5 to 20%
> 0.00 HTML_MESSAGE HTML included in message
> 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
>
> Notice that now the URL is being detected, but why not before?
>
> Versions:
> Cent OS 5.2
> MailScanner 4.72.5
> Spamassassin 3.2.5
> Perl 5.8.8
> MIME::Tools 5.427
> HTML::Parser 3.56
>
> Let me know if there are versions of anything else you would like to
> see
>
> Thanks!
> Chris
>
>Could perhaps be a "timing issue"....:-)
>Meaning the URI wasn't in the BL when MS first asked... but when the
>user resent it to you.... the BL had been updated. These things have a
>tendency to be really short-lived and ... bursty... so if there is any
>somewhat significant amount of time between the initial mail and the
>user forwarding it to you... say a few hours... that might explain it
>all.
>In which case... all is well ...:-)
>
>Cheers
>-- 
>-- Glenn
>email: glenn < dot > steen < at > gmail < dot > com
>work: glenn < dot > steen < at > ap1 < dot > se

I agree that this timing issue is probably the cause for some of these.
However there are many of these for one of my users almost every day. I
have her forwarding them to me right after she gets them and they are
blocked. 

Scott mentioned running MailScanner --lint, MailScanner --debug --debug-sa.
I did this and I don't see any errors. I can see the URI_OB_SURBL rule
(for example) run and successfully score the message. Is it possible
that this is timing out sometimes? I have not seen a timeout but I am
grasping at straws at this point to figure out why the URL in the
message seems to be ignored the first time, then 5 min later when the
message is forwarded back to me (Going through the same MailScanner
server), it gets caught?

Thanks,
Chris
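
Added example, not part of the original thread and not MailScanner or SpamAssassin code: a small Python diff of the two rule-hit lists quoted above, showing which rules appeared only on the forwarded scan and how much of the score change comes from blocklist lookups. The function names and the `NETWORK_PREFIXES` list are assumptions made for this illustration.

```python
import re

# One rule hit per line, as pasted in the thread: "<score> <RULE> <description>".
# Leading ">" quote markers from mail replies are tolerated.
HIT_RE = re.compile(r"^\s*(?:>\s*)*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+\S")

# Assumption for this example: these name prefixes mark DNS blocklist lookups.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_")

# Rule hits copied from the two scans quoted in the thread.
FIRST_SCAN = """\
> 0.10 BAYES_50 Bayesian spam probability is 40 to 60%
> 0.00 HTML_MESSAGE HTML included in message
> -0.00 SPF_PASS SPF: sender matches SPF record
"""
FORWARDED_SCAN = """\
> -0.74 BAYES_20 Bayesian spam probability is 5 to 20%
> 0.00 HTML_MESSAGE HTML included in message
> 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
"""

def parse_hits(report):
    """Return {rule_name: score} for every rule-hit line in the report."""
    hits = {}
    for line in report.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def compare_scans(first, second):
    """Diff two scans of the same message and isolate blocklist-only gains."""
    a, b = parse_hits(first), parse_hits(second)
    gained = {rule: score for rule, score in b.items() if rule not in a}
    network = {r: s for r, s in gained.items() if r.startswith(NETWORK_PREFIXES)}
    return {
        "lost": sorted(set(a) - set(b)),
        "gained": sorted(gained),
        "network_gained": sorted(network),
        "network_score": round(sum(network.values()), 2),
        "total_first": round(sum(a.values()), 2),
        "total_second": round(sum(b.values()), 2),
    }

if __name__ == "__main__":
    for key, value in compare_scans(FIRST_SCAN, FORWARDED_SCAN).items():
        print(f"{key}: {value}")
```

When every high-scoring rule gained on the second scan is a blocklist lookup, as here, the difference lies in the lookup results at scan time rather than in how the message body was parsed.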


