Message rules don't work, but if message forwarded, it does???

Scott Silva ssilva at sgvwater.com
Thu Nov 20 19:29:23 GMT 2008


on 11-19-2008 5:20 PM Chris Barber spake the following:
> <snip>
>> I agree that this timing issue is probably the cause for some of these.
>> However there are many of these for one of my users almost every day. 
>> I have her forwarding them to me right after she gets them and they 
>> are blocked.
>>
>> Scott mentioned running MailScanner --lint, MailScanner --debug 
>> --debug-sa I did this and I don't see any errors. I can see the 
>> URI_OB_SURBL rule (for example) run and successfully score the 
>> message. Is it possible that this is timing out sometimes? I have not 
>> seen a timeout but I am grasping at straws at this point to figure out 
>> why the URL in the message seems to be ignored the first time, then 5 
>> min later when the message is forwarded back to me (Going through the 
>> same MailScanner server), it gets caught?
>>
>> Thanks,
>> Chris
>>
>> Is the server natted? Does it have a real public IP address or is it port forwarded from another server?
>>
>> Can you follow the chain of the headers back on both a missed message and after it has been forwarded to you?
>>
>> I am still leaning toward this being some sort of trust path issue in spamassassin, although it could be a net timeout. The lookup might time out >just before the result comes back, and on the resend the lookup is in the local cache and hits. Have you tried setting your spammassassin timeouts >longer?
>>
>> Do you have any full examples of a missed message, and one that hits right afterwards? Either full queue files or complete RFC 822 (2822) messages.
> 
> Thanks for the reply.
> 
> Yes this server is natted behind a Cisco ASA. Port 25 is forwarded to the MailScanner machine. Out of curiosity, where are you headed with this question?
> 
> I followed the headers and it looks correct. I can see the message travel to my MailScanner server and then on to the customers mail server. On the forwarded message, I see it go from the customers mail server directly to my MailScanner server and then on to my internal mail server. Is this what you mean by follow the chain?
> 
> I actually have increased my Spamassassin timeout to 120 seconds. Is there some other type of timeout I should/could be watching for?
> 
> I've attached the message queue files and named them accordingly. Let me know if this is not the format you requested.
> 
> Thanks again for the assistance!
> Chris
> 
The HTML encoding seems different between messages. This might be why it gets
caught the second time around.
Also, the message you mark as missed has a RFC private IP address in it
(Received: from [192.168.1.56] (unknown [192.168.1.56]))
, but the one you marked as forwarded doesn't. Could they be mixed up?
Never mind. They are mixed up because the one marked missed has a Fwd:
prepended to the subject.
The missed message is encoded with "quoted-printable" in the html section, but
Thunderbird looks to be re-encoding it on the forward. Maybe you have a
problem with your mime-tools module on the server.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081120/4cb2a471/signature-0001.bin


More information about the MailScanner mailing list