Certain Spamassassin rules do not seem to be firing all of the time

Martin Hepworth maxsec at gmail.com
Thu Jun 20 20:01:22 IST 2013


I find awl not very good when used in multiuser configs. May be better in
a user specific env but never works very well for me using a standard ms
setup

On Thursday, 20 June 2013, Duncan, Brian M. wrote:

>  I already do that in a sense.. I don’t have it call out, but I export
> all my SMTP aliases from AD and add them to the access file on my sendmail
> servers and reject all other mail to my domain, so the rest is discarded to
> non existent users, and it saves with dealing with all the NDR’s
>
> Well it looks like I bought myself some time.  Even though I have NOT
> figured out what is going on here, since I disabled auto white listing the
> other day, it looks like the majority of these Spam messages that were
> making it through before because they were NOT hitting on these different
> URIBLS are getting tagged from Bayes hits now.  And since the AWL is not
> factoring into it, 98% of them are getting labeled as Spam.
>
> I am probably just going to rebuild my primary mail server and re-install
> Mailscanner and Spamassassin in a few weeks and see if this problem goes
> away.
>
> I still think there is something unique with these particular Spam
> emails.  These messages I am talking about, I have NEVER seen URIBL_BLACK
> ever fire on.  (But does fire on it when I manually scan with
> spamassassin --test-mode)
>
> Yesterday I had plenty of other emails where it does fire on that rule:
>
> [root at venus log]# cat maillog.1 | grep -i "URIBL_BLACK" | wc -l
>
> 2971
>
> BRIAN M. DUNCAN
> Data Security Administrator
> Katten Muchin Rosenman LLP
> 525 W. Monroe Street / Chicago, IL 60661-3693
> p / (312) 577-8045 f / (312) 577-4490
> brian.duncan at kattenlaw.com / www.kattenlaw.com
>
> *From:* mailscanner-bounces at lists.mailscanner.info *On Behalf Of *Martin
> Hepworth
> *Sent:* Wednesday, June 19, 2013 5:30 AM
> *To:* MailScanner discussion
> *Subject:* Re: Certain Spamassassin rules do not seem to be firing all of
> the time
>
> maybe you can use sendmail to call-out for valid recipients first, I find
> this drops HUGE amounts of traffic dead before it gets anywhere near
> MailScanner, easily 50% and maybe higher
>
>
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:reject_non_existent_users
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 18 June 2013 19:40, Duncan, Brian M. <brian.duncan at kattenlaw.com>
> wrote:
>
> Yeah I know it’s very weird and I can’t track it down.
>
> Yesterday, I tried removing the Net::DNS perl module (.65 is what
> MailScanner (and I believe SpamAssassin) use by default) and compiling 0.72
> in the hopes that it had something to do with that.  Nope, still happening
> today.  Fortunately it only seems to be letting a few Spam in overall.
> It just happens when there is a black listed domain that is used in a
> URL that is sent by a non-blacklisted gateway where I get caught by this
> issue.
>
> I am using Sendmail. Yes there is a .spamassassin directory in root, where
> the bayes db’s are located and autowhitelist db’s (I have autowhite list
> disabled for the moment)  The user_prefs file has no directives set in it,
> they are all #’ed out.
>
> I don’t specify a run as user in my MailScanner.conf, and according to ps
> all the MailScanner processes are running as root, and my spamassassin
> --test-mode I have run as root.
>
> I turned on skip_rbl_checks 1 yesterday, since I detect RBL’ed hosts using
> MailScanner I figured it was kind of pointless to do it again with
> SpamAssassin..
>
> I also tried tweaking rbl_timeout to 60 seconds instead of 30, what it was
> before.  Because I did find someone else reporting a similar issue to
> mine.. back in 2007 someone was reporting this same behavior that rules
> were not hitting when using Amavis with Spamassassin, but then when you ran
> them through Spamassassin they worked, and I believe it was the same types
> of rules I am not hitting on through MailScanner.  And the issue wound up
> being Net::DNS.
>
> http://www.gossamer-threads.com/lists/spamassassin/users/102307?do=post_view_threaded#102307
>
> If I can’t figure this out, I might attempt a fresh install of Cent OS 6.4
> and fresh install of Ma
>


-- 
Martin Hepworth, CISSP
Oxford, UK
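
Added example, not part of the original messages: the thread counts URIBL_BLACK hits with a single grep and notes that disabling AWL changed verdicts; this sketch breaks the same log down per message, listing which messages had a URIBL_* rule fire, which scored above zero with none (candidates to re-scan by hand), and which were kept under the threshold only by AWL. The log line layout and the sample lines are assumptions constructed for illustration; check them against your own maillog before relying on the patterns.

```python
import re

# Assumed layout of MailScanner's per-message SpamAssassin syslog line.
LINE_RE = re.compile(r"Message (\S+) from .*? is (not spam|spam), SpamAssassin \((.*)\)")
SCORE_RE = re.compile(r"score=(-?[\d.]+), required (-?[\d.]+)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+(?:\.\d+)?)")

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
Jun 19 10:01:00 venus sendmail[4100]: r5JA0001: from=<a@example.net>, size=2048, relay=[203.0.113.5]
Jun 19 10:01:02 venus MailScanner[4242]: Message r5JA0001 from 203.0.113.5 (a@example.net) to example.com is spam, SpamAssassin (not cached, score=7.10, required 5, BAYES_99 3.50, URIBL_BLACK 1.70, URIBL_JP_SURBL 1.90)
Jun 19 10:02:10 venus MailScanner[4242]: Message r5JA0002 from 203.0.113.9 (b@example.net) to example.com is not spam, SpamAssassin (not cached, score=1.40, required 5, AWL -3.80, BAYES_99 3.50, URIBL_BLACK 1.70)
Jun 19 10:03:30 venus MailScanner[4243]: Message r5JA0003 from 198.51.100.7 (c@example.org) to example.com is not spam, SpamAssassin (not cached, score=3.50, required 5, BAYES_99 3.50)
Jun 19 10:04:45 venus MailScanner[4243]: Message r5JA0004 from 192.0.2.20 (d@example.org) to example.com is not spam, SpamAssassin (not cached, score=-1.90, required 5, autolearn=not spam, BAYES_00 -1.90)
"""

def parse(log_text):
    """Return one dict per scanned message: id, verdict, score, required, rules."""
    messages = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        s = SCORE_RE.search(line)
        if not (m and s):
            continue  # sendmail and other unrelated lines
        rules = {name: float(val) for name, val in RULE_RE.findall(m.group(3))}
        messages.append({"id": m.group(1), "spam": m.group(2) == "spam",
                         "score": float(s.group(1)), "required": float(s.group(2)),
                         "rules": rules})
    return messages

def summarize(messages):
    """Split messages by URIBL activity and find verdicts that AWL changed."""
    out = {"uribl_hit": [], "no_uribl": [], "awl_flipped": []}
    for msg in messages:
        has_uribl = any(r.startswith("URIBL_") for r in msg["rules"])
        if has_uribl:
            out["uribl_hit"].append(msg["id"])
        elif msg["score"] > 0:
            out["no_uribl"].append(msg["id"])  # candidates to re-scan by hand
        awl = msg["rules"].get("AWL", 0.0)
        if not msg["spam"] and msg["score"] - awl >= msg["required"]:
            out["awl_flipped"].append(msg["id"])  # would be spam without AWL
    return out

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```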