Certain Spamassassin rules do not seem to be firing all of the time

Duncan, Brian M. brian.duncan at kattenlaw.com
Sat Jun 15 03:22:37 IST 2013 

Thanks, yes I noticed that, they all do seem to be the DNS rules.  I do have a caching DNS server but it is on the local network.  I will try and see if the behavior changes at all by running one locally on the box itself.

When you say "that youre not timing out the network checks in sa too quickly"  I have not changed anything in the defaults of Mailscanner or included any directives that would lower whatever time limits are set by default.

I took a look at the last example I put on pastebin, and it looks like it took 3 seconds to go from my Mailscanner box to my next gateway.

Received: from venus.kattenlaw.com ([10.18.3.33]) by us.kmz.com
 ([10.18.16.181]) with ESMTP (TREND IMSS SMTP Service 7.1) id 8e3c2381002025b2
 ; Fri, 14 Jun 2013 14:01:09 -0500
Received: from a.loselit.net (a.loselit.net [66.96.254.156])    by
 venus.kattenlaw.com (8.13.8/8.13.4) with ESMTP id r5EJ13oK014449       for
 <brian.duncan at kmzr.com>; Fri, 14 Jun 2013 14:01:06 -0500

I am assuming the 3 seconds going from my incoming mail server Venus, to the next hop in my environment includes the time it took for the Spammer to send me the message.

I also don't see anything in my maillogs related to Spam Assassin timing out for anything.. I recall many years ago when we used to run systems with much less CPU power (10+) seeing Spam Assassin time outs.

Which BTW, at the peak of activity today the lowest idle %idle was 91.00 and that is because I turned off caching of SpamAssassin in Mailscanner to see if that had any impact.

I also looked at the local caching DNS server that is on the same switch as this box, and it was peaking at like 30 Kilobytes per second on UDP 53 requests from anything that uses it locally according to iptraf.

It also seems to be these messages from the same Spammer, as I said before if I take any of these message bodies and send them in myself I seem to get the DNS Spam Assassin hits then.

Really odd one..

Thanks for your help



BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com


From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Friday, June 14, 2013 4:16 PM
To: MailScanner discussion
Subject: Certain Spamassassin rules do not seem to be firing all of the time

Hmm most if the extra rules youre hitting are dns based
I'd check youre running a local caching dns server on the scanning box and that youre not timing out the network checks in sa too quickly

Martin

On Friday, 14 June 2013, Duncan, Brian M. wrote:
Here is one more that just came in to me and was not tagged as Spam:

http://pastebin.com/w8SJk660


Mailscanner/Spamassassin results:

X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.999, required 6.5,
                BAYES_60 3.00, RP_MATCHES_RCVD -0.00)


--test-mode results:

Content analysis details:   (10.5 hits, 6.5 required)
 6.6 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 2.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 8.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
-7.5 AWL                    AWL: From: address is in the auto white-list

------ End of SpamAssassin results, Original message follows --------


===========================================================

CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue

Service, any tax advice contained herein is not intended or written to be used and cannot be used

by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.

===========================================================

CONFIDENTIALITY NOTICE:

This electronic mail message and any attached files contain information intended for the exclusive

use of the individual or entity to whom it is addressed and may contain information that is

proprietary, privileged, confidential and/or exempt from disclosure under applicable law.  If you

are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or

distribution of this information may be subject to legal restriction or sanction.  Please notify

the sender, by electronic mail or telephone, of any unintended recipients and delete the original

message without making any copies.

===========================================================

NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has

elected to be governed by the Illinois Uniform Partnership Act (1997).

===========================================================



--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130615/75f6ec22/attachment.html

More information about the MailScanner mailing list