Scan Messages = %rules-dir%/scan.messages.rules

Steve Campbell campbell at cnpapers.com
Thu May 23 13:37:36 IST 2013 

That was going to be my suggestion also. Are there any other emails 
besides the student mail list that would originate from that IP? You 
might need a compound rule (using the "and" component) to define the 
rule a little better if you use IP based lines in the configuration file.

steve
On 5/23/2013 5:20 AM, Martin Hepworth wrote:
> I'd suggest the scan.messages.rules be amended to cope with the 
> ip-address of the MailMan server. otherwise anyone faking the from 
> address is going to sail straight passed your email scanning.
>
> -- 
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 22 May 2013 22:42, Robert Lopez <rlopezcnm at gmail.com 
> <mailto:rlopezcnm at gmail.com>> wrote:
>
>     On Wed, May 22, 2013 at 12:28 PM, Steve Campbell
>     <campbell at cnpapers.com <mailto:campbell at cnpapers.com>> wrote:
>     > Perhaps you should send us the "Scan Messages" line from your
>     > MailScanner.conf file and what you have in your file that is
>     pointed to
>     > in by line above.
>     >
>     > Have you restarted or reloaded MS since you changed the file?
>     >
>     > Depending on what you have in that line and file, you probably
>     shouldn't
>     > be seeing those lines in your mail log.
>     >
>     > steve campbell
>
>     The situation I am trying to understand is email being scanned by
>     SpamAssassin when I thought
>     I had all the systems configured to not scan the email at all.
>
>     Email generated by an office where the persons use Outlook to compose
>     email goes to an Exchange server and it is then relayed to an email
>     gateway. These email are from CNM_Official_Info at cnm.edu
>     <mailto:CNM_Official_Info at cnm.edu> to
>     students at cnm.edu <mailto:students at cnm.edu>. The email gateway
>     relays the email to a Mailman ($
>     postmap -q students /etc/postfix/virtualaliases -> students at listserv)
>     server.
>
>     Mailman then sends the message to all the students who are members of
>     the students list.  So each student has a copy generated that is from
>     students-bounces at cnm.edu <mailto:students-bounces at cnm.edu> to
>     <individual-student>@cnm.edu <http://cnm.edu> which is sent
>     back to the email gateways.
>
>     A Postfix rewrite via a virtualaliases map sends each email from
>     students-bounces at cnm.edu <mailto:students-bounces at cnm.edu> to
>     <individual-student>@...gmail.com <http://gmail.com>.
>
>     MailScanner.conf and conf.d/CNM-MailScanner.conf (newest gateway)
>     all have "Scan Messages = %rules-dir%/scan.messages.rules".
>     I had put both 'From' in scan.messages.rules:
>
>     From: students-bounces at cnm.edu <mailto:students-bounces at cnm.edu>  no
>     From: cnm_official_info at cnm.edu <mailto:cnm_official_info at cnm.edu>
>     no    #This is not a case match to original
>
>     This directive and data file have been working for years.
>     However yesterday I noticed the email in this case (students list)
>     do get a SpamAssassin score and my thinking is this should not be
>     happening.
>
>     Each email has a line such as this example:
>
>     May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B
>     from 198.133.182.29 () to cnm.edu <http://cnm.edu> is not spam,
>     SpamAssassin (not
>     cached, score=-1.699, required 6, autolearn=disabled, CNM_EXCUSE 0.30,
>     CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00)
>
>     There has been no recent change to any of these files. MailScanner
>     is always
>     restarted or reloaded when ever any configuration file is
>     modified. In fact,
>     the scripts to modify any component and copy them to the gateways
>     do the
>     force-reload and test ($?) to see the return status.
>
>     --
>     Robert Lopez
>     Unix Systems Administrator
>     Central New Mexico Community College (CNM)
>     525 Buena Vista SE
>     Albuquerque, New Mexico 87106
>     --
>     MailScanner mailing list
>     mailscanner at lists.mailscanner.info
>     <mailto:mailscanner at lists.mailscanner.info>
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>     Before posting, read http://wiki.mailscanner.info/posting
>
>     Support MailScanner development - buy the book off the website!
>
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130523/2dcd00d4/attachment.html

More information about the MailScanner mailing list