Quarantined email testing/troubleshooting

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 22 16:50:22 GMT 2009

You can't just use df and/or qf files as if they were RFC822 messages. 
They're not.
However, they *nearly* are, when used as a pair.
Many years ago (2002 is the date stamp on the file) I wrote a script 
which would take an entire quarantine directory (or a string of 
directory names) full of qf* and df* files, and generate an mbox file 
from them, which could then be simply fed to sa-learn with 1 command to 
learn the whole lot at one go by using the "--mbox" command-line option 
to sa-learn.
It's at
It's a fairly simple shell script, I'm sure you can hack it around if 
you want to do something slightly different with it.

Usage example:
Say you have a quarantine directory 
/var/spool/MailScanner/quarantine/<date-here> and each of those 
<date-here> subdirectories contains a whole bunch of qf and df files in 
the same directory. You can just do
     cd /var/spool/MailScanner/quarantine
     df2mbox *
and it will go and get on with it, and give you a pile of mbox files as 
a result.

I posted this to this mailing list back in 2002 as well, but I doubt 
anyone looks back that far. Don't worry, I'll let you off this time :-)

Hope that helps,

On 22/1/09 16:30, Nikolaos Pavlidis wrote:
> Hello all,
> We seem to be facing a weird issue and we would appreciate any
> assistance with it.
> To start with, we are using a solaris + sendmail + MailScanner-4.73.4-2
> implementation. Bayes database has been trained with lots of spam and
> some ham that got quarantined since the service went live.
> We have set mailscanner to separate the mail messages into q and d queue
> files so we can put false positives back in the queue in a more quick
> and efficient manner. Spamassassin seemed to be putting automated
> Delivery Notifications to quarantine so we trained it back then (the
> single mail messages RFC822) to be ham.
> Now we have noticed that some Delivery notifications again get
> quarantined, only now we have the 2 part emails q and d files.
> When we do a test on them "spamassassin -t
> -p /etc/mail/MailScanner/spam.assassin.prefs.conf < d (or q)file"
> they both come less than 5.0 points(sometimes even -).
> Should the tests be performed in another way? Is the "cat qfile dfile |
> spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf" the
> appropriate way?
> When using sa-learn to teach SA which parameters should be used, should
> we feed the d file only?
> What else could be blocking/sending to quarantine these messages?
> I do apologise for the barrage of questions. Any help is much
> appreciated. Thank you in advance.
> Regards,
> Nik


Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
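
The qf/df pairing described in the reply above, sketched as an added example. This is not Julian Field's df2mbox script, which is not reproduced on this page. It assumes the sendmail 8.12+ queue-file layout noted in the comments; the function names and the sample queue ID are hypothetical, and macros inside conditional headers are not expanded.

```shell
#!/bin/sh
# Added example, NOT Julian Field's df2mbox script.
# Assumed qf layout (sendmail 8.12+): "S<addr>" is the envelope sender,
# "H?flags?Name: value" is a header (continuation lines start with
# whitespace), other lines are queue metadata. The df file is the raw body.

qf_sender() {   # envelope sender; bounces/DSNs carry an empty "S<>"
    s=$(sed -n 's/^S<\{0,1\}\([^>]*\)>\{0,1\}$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${s:-MAILER-DAEMON}"
}

qf_headers() {  # header lines with the "H?flags?" prefix stripped
    awk '/^H/ { h = 1; sub(/^H([?][^?]*[?])?/, ""); print; next }
         h && /^[ \t]/ { print; next }
         { h = 0 }' "$1"
}

pair_to_mbox() {  # pair_to_mbox QFFILE DFFILE -> one mbox entry on stdout
    printf 'From %s %s\n' "$(qf_sender "$1")" \
        "$(LC_ALL=C date '+%a %b %e %H:%M:%S %Y')"
    qf_headers "$1"
    echo                              # blank line between headers and body
    sed 's/^>*From />&/' "$2"         # quote body lines that look like "From "
    echo                              # blank line terminating the entry
}

quarantine_to_mbox() {  # quarantine_to_mbox DIR -> mbox of every qf/df pair
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue
        df="$1/df${qf##*/qf}"         # df file shares the queue ID of its qf
        if [ -f "$df" ]; then
            pair_to_mbox "$qf" "$df"
        else
            echo "skipping $qf: no matching df file" >&2
        fi
    done
}

make_sample() {  # constructed qf/df pair (a DSN with empty sender) in DIR
    printf '%s\n' 'V8' 'T1232643022' 'S<>' 'RPFD:<nik@example.org>' \
        'H??Received: from mx.example.net (mx.example.net [192.0.2.10])' \
        ' by mail.example.org; Thu, 22 Jan 2009 16:50:22 GMT' \
        'H??Subject: Delivery Status Notification' \
        'H??From: postmaster@example.net' '.' > "$1/qfn0MGoM1A012345"
    printf '%s\n' 'Your message could not be delivered.' \
        'From here on, delivery was abandoned.' > "$1/dfn0MGoM1A012345"
}
```

Redirect the output of quarantine_to_mbox to a file and that file can be passed to sa-learn with the "--mbox" option mentioned in the reply.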
