Message rules don't work, but if message forwarded, it does???

Chris Barber cbarber at
Wed Nov 19 17:08:37 GMT 2008

2008/11/6 Chris Barber <cbarber at>:
>> Glenn,
>> Thanks for the reply. You had me scared for a second there, but no
> there
>> was no white listing going on. I verified the envelope addresses.
>> issue seems to happen randomly a least a couple times a day to some
>> users.
>> Any other ideas?
>> Thanks,
>> Chris
>>Didn't mean to scare you, just point at one (semi-obvious:-)
> possibility....:-)
>>When it happens do you see anything ... curious .... in the logs?
>>Nothing about "Unscanned" messages or timeouts or suchlike?
>>Also... Tell a bit about versions etc, since this just might be a
>>known bug/issue...
>>-- Glenn
>>email: glenn < dot > steen < at > gmail < dot > com
>>work: glenn < dot > steen < at > ap1 < dot > se
> I don't see anything unusual in the logs. No timeouts and nothing
> unscanned that I can see. MailScanner processes the message normally
> seems.
> It gets an SA score, but the only rules that hit are:
> 0.10 BAYES_50 Bayesian spam probability is 40 to 60%
> 0.00 HTML_MESSAGE HTML included in message
> -0.00 SPF_PASS SPF: sender matches SPF record
> Then when the same message is forwarded to me from the user, (Through
> the same MailScanner server) the rule hits show:
> -0.74 BAYES_20 Bayesian spam probability is 5 to 20%
> 0.00 HTML_MESSAGE HTML included in message
> 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> Notice that now the URL is beting detected, but why not before?
> Versions:
> Cent OS 5.2
> MailScanner 4.72.5
> Spamassassin 3.2.5
> Perl 5.8.8
> MIME::Tools 5.427
> HTML::Parser 3.56
> Let me know if there are versions of anything else you would like to
> Thanks!
> Chris
>Could perhaps be a "timing issue"....:-)
>Meaning the URI wasn't in the BL when MS first asked... but when the
>user resent it to you.... the BL had been updated. These things have a
>tendency to be really short-lived and ... bursty... so if there is any
>somewhat significant amount of time between the initial mail and the
>user forwarding it to you... say a few hours... that might explain it
>In which case... all is well ...:-)
>-- Glenn
>email: glenn < dot > steen < at > gmail < dot > com
>work: glenn < dot > steen < at > ap1 < dot > se

I agree that this timing issue is probably the cause for some of these.
However there are many of these for one of my users almost every day. I
have her forwarding them to me right after she gets them and they are

Scott mentioned running MailScanner --lint, MailScanner --debug
I did this and I don't see any errors. I can see the URI_OB_SURBL rule
(for example) run and successfully score the message. Is it possible
that this is timing out sometimes? I have not seen a timeout but I am
grasping at straws at this point to figure out why the URL in the
message seems to be ignored the first time, then 5 min later when the
message is forwarded back to me (Going through the same MailScanner
server), it gets caught?


More information about the MailScanner mailing list