MailScanner permits mail with score higher than allowed score
Oliver Kutscher
ok at addix.net
Wed Dec 9 15:06:52 UTC 2015
To give you an overview:
The company.net rule has been hit 1381 times, 4 of which have the
strange "required 3.5" value and/or score > required score problem. An
example of an expected log:
Dec 9 15:52:52 mailscan1.mydomain.campus MailScanner[11325]: Message
1a6g6g-0004SR-Bx from 10.0.0.3 (mail at somedomain.net) to company.net is
not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY
1.00, TVD_SPACE_RATIO 0.10)
The required score is ok in this case.
> Tabs? Are you using tabs in your rules?
Yes. Tabs are used. I think if the rules file is messed up the rules
will never take effect.
> Any whitelists for say … the server it came from?
If there are any whitelist entries present (ip, domain, full address) a
"(whitelisted)" is passed to the log. 2 of the 4 strange mails were
virus infected spam mails from an unknown ip (definitely not wl).
Kind regards,
i.A.
Oliver Kutscher
--
Postal address:
ADDIX Internet Services GmbH
Postfach 1225
D-24011 Kiel
Tel: +49 431 7755 140
Fax: +49 431 7755 105
ok at addix.net
www.addix.net
On 09.12.2015 at 15:51, Jerry Benton wrote:
> And I am still sitting here blinking …. trying to remember what would cause a “is not spam” marking when the score exceeds the threshold. (Besides whitelisting)
>
> Any whitelists for say … the server it came from?
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher <ok at addix.net> wrote:
>>
>> Hi,
>>
>> We have been experiencing a lot of spam mails for some days, and some of the mails are allowed and passed to the recipient. Let's have a look at a log entry I found in my logs:
>>
>> Dec 9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>>
>> This mail passed the mail system and reached the recipient. I'm curious about two things:
>>
>> Why was the mail ranked as "is not spam" (score > required score)?
>>
>> Why does the required score have a value of 3.5? I set per-domain scores within /etc/MailScanner/rules/spam.score.rules:
>>
>> To: *@mycompany.com 4
>> To: *@mycompany.net 8
>> FromOrTo: default 3.5
>>
>> To make it more complicated: Most of the time the required score for mycompany.net is shown as 8, which is the required score that I'm expecting.
>>
>> I would very much appreciate any suggestions.
>>
>> ==============
>> Versions / OS
>> ==============
>> Running on
>> Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>> This is CentOS Linux release 7.1.1503 (Core)
>> This is Perl version 5.016003 (5.16.3)
>>
>> This is MailScanner version 4.85.2
>> Module versions are:
>> 1.01 AnyDBM_File
>> 1.30 Archive::Zip
>> 0.29 bignum
>> 1.26 Carp
>> 2.061 Compress::Zlib
>> 1.119 Convert::BinHex
>> 0.18 Convert::TNEF
>> 2.145 Data::Dumper
>> 2.30 Date::Parse
>> 1.04 DirHandle
>> 1.11 Fcntl
>> 2.84 File::Basename
>> 2.23 File::Copy
>> 2.02 FileHandle
>> 2.09 File::Path
>> 0.2301 File::Temp
>> 0.92 Filesys::Df
>> 3.69 HTML::Entities
>> 3.71 HTML::Parser
>> 3.69 HTML::TokeParser
>> 1.25_06 IO
>> 1.16 IO::File
>> 1.15 IO::Pipe
>> 2.12 Mail::Header
>> 1.998 Math::BigInt
>> 0.2603 Math::BigRat
>> 3.13 MIME::Base64
>> 5.505 MIME::Decoder
>> 5.505 MIME::Decoder::UU
>> 5.505 MIME::Head
>> 5.505 MIME::Parser
>> 3.13 MIME::QuotedPrint
>> 5.505 MIME::Tools
>> 0.17 Net::CIDR
>> 1.26 Net::IP
>> 0.19 OLE::Storage_Lite
>> 1.04 Pod::Escapes
>> 3.28 Pod::Simple
>> 1.30 POSIX
>> 1.27 Scalar::Util
>> 2.010 Socket
>> 2.45 Storable
>> 1.5 Sys::Hostname::Long
>> 0.33 Sys::Syslog
>> 1.48 Test::Pod
>> 0.98 Test::Simple
>> 1.9725 Time::HiRes
>> 1.02 Time::localtime
>>
>> Optional module versions are:
>> 1.92 Archive::Tar
>> 0.29 bignum
>> 2.06 Business::ISBN
>> 20120719.001 Business::ISBN::Data
>> missing Data::Dump
>> 1.83 DB_File
>> 1.39 DBD::SQLite
>> 1.627 DBI
>> 1.17 Digest
>> 1.03 Digest::HMAC
>> 2.52 Digest::MD5
>> missing Digest::SHA1
>> 1.01 Encode::Detect
>> 0.17020 Error
>> missing ExtUtils::CBuilder
>> 3.18 ExtUtils::ParseXS
>> 2.4 Getopt::Long
>> missing Inline
>> missing IO::String
>> 1.10 IO::Zlib
>> 2.28 IP::Country
>> missing Mail::ClamAV
>> 3.004000 Mail::SpamAssassin
>> v2.008 Mail::SPF
>> missing Mail::SPF::Query
>> missing Module::Build
>> missing Net::CIDR::Lite
>> 0.72 Net::DNS
>> missing Net::DNS::Resolver::Programmable
>> missing Net::LDAP
>> 4.069 NetAddr::IP
>> missing Parse::RecDescent
>> missing SAVI
>> 3.28 Test::Harness
>> missing Test::Manifest
>> 2.02 Text::Balanced
>> 1.60 URI
>> 0.9907 version
>> missing YAML
>>
>>
>> Kind Regards,
>> i.A.
>> Oliver Kutscher
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
>
>
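To find every affected message rather than spotting them by eye, the log can be scanned for the two symptoms described in this thread. The following is an added example, not part of the original posts or of MailScanner: the `EXPECTED` thresholds, the two `CONSTRUCTED-*` control lines and the reliance on the "(whitelisted)" marker are assumptions based on what the thread states.

```python
import re

# Verdict part of a MailScanner log line, in the shape quoted in this thread.
LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) "
    r"to (?P<rcpt>\S+) is (?P<verdict>not spam|spam)(?P<rest>.*)")
# The thread shows both "required 8" and "required=3.5", so accept either.
SCORE_RE = re.compile(r"score=(-?[\d.]+),\s*required[ =]([\d.]+)")

def parse_line(line):
    """Return a dict for a SpamAssassin verdict line, or None if it is not one."""
    m = LINE_RE.search(line)
    s = SCORE_RE.search(m["rest"]) if m else None
    if not s:
        return None
    return {"id": m["id"], "rcpt": m["rcpt"], "verdict": m["verdict"],
            "score": float(s.group(1)), "required": float(s.group(2)),
            # Assumption from the thread: whitelisted mail logs "(whitelisted)".
            "whitelisted": "(whitelisted)" in m["rest"]}

def find_anomalies(lines, expected=None):
    """Flag delivered-over-threshold mail and unexpected per-domain thresholds."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = []
        if (rec["verdict"] == "not spam" and not rec["whitelisted"]
                and rec["score"] >= rec["required"]):
            reasons.append("over threshold but not spam")
        want = (expected or {}).get(rec["rcpt"])
        if want is not None and rec["required"] != want:
            reasons.append(f"required {rec['required']:g}, expected {want:g}")
        if reasons:
            hits.append((rec["id"], reasons))
    return hits

# Constructed sample: two lines modelled on the thread, two invented controls.
SAMPLE = [
    "Dec 9 15:52:52 mailscan1 MailScanner[11325]: Message 1a6g6g-0004SR-Bx from 10.0.0.3 (mail@somedomain.net) to company.net is not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY 1.00, TVD_SPACE_RATIO 0.10)",
    "Dec 9 11:22:50 mailscan1 MailScanner[30235]: Message 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer@spam.com) to mydomain.net is not spam, SpamAssassin (score=7.768, required=3.5, RCVD_IN_SBL_CSS 3.33)",
    "Dec 9 12:00:00 mailscan1 MailScanner[100]: Message CONSTRUCTED-1 from 10.0.0.4 (a@example.org) to company.net is not spam (whitelisted), SpamAssassin (score=9.2, required 8, X 9.20)",
    "Dec 9 12:00:01 mailscan1 MailScanner[100]: Message CONSTRUCTED-2 from 10.0.0.5 (b@example.org) to company.net is spam, SpamAssassin (score=12, required 8, X 12.00)",
]
# Assumed thresholds for illustration; the real ones live in spam.score.rules.
EXPECTED = {"company.net": 8.0, "mydomain.net": 8.0}

if __name__ == "__main__":
    for msg_id, reasons in find_anomalies(SAMPLE, EXPECTED):
        print(msg_id, "; ".join(reasons))
```

Feeding it the real mail log line by line gives the list of message IDs to pull from quarantine or trace further.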