Quarantined email testing/troubleshooting

Nikolaos Pavlidis Nikolaos.Pavlidis at beds.ac.uk
Fri Feb 27 16:52:22 GMT 2009


Hello all,

Following up on the same issue, from what I tried so far the script that
Julian suggested works great! Many thanks for that! The bad thing is
that the problem persists for some weird reason focusing again on
delivery notifications. After using the script to turn the quarantined
email into the mbox format, I fed it to SA and I got:

# spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf --mbox < spam.20100108

Content analysis details:   (-15.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 -15 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]


And yes I have not used sa-learn first! Why could that email be in
quarantine if SA clears it? I do realise that delivery notifications are
minor details but... the devil is in the detail!

Any help is much appreciated, thank you in advance.

Regards,

Nik

On Tue, 2009-01-27 at 11:44 +0000, Nikolaos Pavlidis wrote:
> Hello,
> 
> A million thanks once again Julian, I do apologise for the late reply
> though, things have been quite busy around here. 
> 
> Kind regards,
> 
> Nik
> 
> On Thu, 2009-01-22 at 16:50 +0000, Julian Field wrote:
> > You can't just use df and/or qf files as if they were RFC822 messages.
> > They're not.
> > However, they *nearly* are, when used as a pair.
> > Many years ago (2002 is the date stamp on the file) I wrote a script
> > which would take an entire quarantine directory (or a string of
> > directory names) full of qf* and df* files, and generate an mbox file
> > from them, which could then be simply fed to sa-learn with 1 command to
> > learn the whole lot at one go by using the "--mbox" command-line option
> > to sa-learn.
> > It's at
> > www.mailscanner.info/files/4/df2mbox
> > It's a fairly simple shell script, I'm sure you can hack it around if
> > you want to do something slightly different with it.
> > 
> > Usage example:
> > Say you have a quarantine directory
> > /var/spool/MailScanner/quarantine/<date-here> and each of those
> > <date-here> subdirectories contains a whole bunch of qf and df files in
> > the same directory. You can just do
> >      cd /var/spool/MailScanner/quarantine
> >      df2mbox *
> > and it will go and get on with it, and give you a pile of mbox files as
> > a result.
> > 
> > I posted this to this mailing list back in 2002 as well, but I doubt
> > anyone looks back that far. Don't worry, I'll let you off this time :-)
> > 
> > Hope that helps,
> > Jules.
> > 
> > On 22/1/09 16:30, Nikolaos Pavlidis wrote:
> > > Hello all,
> > >
> > > We seem to be facing a weird issue and we would appreciate any
> > > assistance with it.
> > > To start with, we are using a solaris + sendmail + MailScanner-4.73.4-2
> > > implementation. Bayes database has been trained with lots of spam and
> > > some ham that got quarantined since the service went live.
> > >
> > > We have set mailscanner to separate the mail messages into q and d queue
> > > files so we can put false positives back in the queue in a more quick
> > > and efficient manner. Spamassassin seemed to be putting automated
> > > Delivery Notifications to quarantine so we trained it back then (the
> > > single mail messages RFC822) to be ham.
> > >
> > > Now we have noticed that some Delivery notifications again get
> > > quarantined, only now we have the 2 part emails q and d files.
> > >
> > > When we do a test on them "spamassassin -t
> > > -p /etc/mail/MailScanner/spam.assassin.prefs.conf<  d (or q)file"
> > > they both come less than 5.0 points(sometimes even -).
> > >
> > > Should the tests be performed in another way? Is the "cat qfile dfile |
> > > spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf" the
> > > appropriate way?
> > > When using sa-learn to teach SA which parameters should be used, should
> > > we
> > > What else could be blocking/sending to quarantine these messages?
> > >
> > > I do apologise for the barrage of questions. Any help is much
> > > appreciated. Thank you in advance.
> > >
> > > Regards,
> > >
> > > Nik
> > >
> > >
> > >    
> > 
> > Jules
> > 
> > -- 
> > Julian Field MEng CITP CEng
> > www.MailScanner.info
> > Buy the MailScanner book at www.MailScanner.info/store
> > 
> > MailScanner customisation, or any advanced system administration help?
> > Contact me at Jules at Jules.FM
> > 
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > PGP public key: http://www.jules.fm/julesfm.asc
> > 
> > 
> > -- 
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > 
> -- 
> 
> Nikolaos Pavlidis BSc (Hons) MBCS NCLP
> System Administrator
> University Of Bedfordshire
> Park Square LU1 3JU
> Luton, Beds, UK
> Tel: +441582489277
> 
-- 

Nikolaos Pavlidis BSc (Hons) MBCS NCLP
System Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277
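
The qf/df pairing described in the quoted reply, as an added example: this is not the df2mbox script and not part of the original thread. It assumes sendmail's qf layout (an "S" envelope-sender record, "H" header records with an optional ?flags? field); the function name qfdf2mbox is hypothetical.

```shell
#!/bin/sh
# Added example (function name is hypothetical): join sendmail qf/df pairs
# into one mbox stream. Assumes the sendmail qf layout: "S" holds the
# envelope sender, "H" records hold headers with an optional ?flags? field,
# and folded header lines start with whitespace.
# Usage: qfdf2mbox /path/to/quarantine/dir > quarantine.mbox

qfdf2mbox() {
    dir=$1
    for qf in "$dir"/qf*; do
        [ -f "$qf" ] || continue
        id=${qf##*/qf}
        df="$dir/df$id"
        if [ ! -f "$df" ]; then
            echo "qf$id has no matching df file, skipped" >&2
            continue
        fi

        # Envelope sender; delivery notifications carry the null sender "<>".
        sender=$(awk '/^S/ { s = substr($0, 2); gsub(/[<>]/, "", s)
                             print s; exit }' "$qf")

        # mbox separator line (date is conversion time, not receipt time).
        printf 'From %s %s\n' "${sender:-MAILER-DAEMON}" \
            "$(LC_ALL=C date '+%a %b %e %H:%M:%S %Y')"

        # Headers: keep only H records, strip the "H" and ?flags? prefix,
        # and keep folded continuation lines that follow a header.
        awk '
            /^H/              { sub(/^H([?][^?]*[?])?/, ""); print
                                inhdr = 1; next }
            inhdr && /^[ \t]/ { print; next }
                              { inhdr = 0 }
        ' "$qf"

        echo                              # blank line ends the header block
        sed 's/^From />From /' "$df"      # escape body lines that look like separators
        echo                              # blank line ends the message
    done
}
```

The envelope records (V, T, R and so on) are dropped, so the scanner sees only what an RFC822 message would contain; feeding it a bare qf or df file scores something other than the message that was quarantined.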


