MailScanner permits mail with score higher than allowed score

Martin Hepworth maxsec at gmail.com
Wed Dec 9 16:42:14 UTC 2015


Looks like you've set the 'is definitely not spam' for the address or domain
to me. This will override what SA says about the email; indeed, if the spam
is coming from your local 10.0 domain you may want to look deeper at what
addresses you whitelist.

-- 
Martin Hepworth, CISSP
Oxford, UK

On 9 December 2015 at 15:06, Oliver Kutscher <ok at addix.net> wrote:

> To give you an overview:
>
> the company.net rule has been hit 1381 times, where 4 of them have the
> strange "required 3.5" value and / or score > required score problem. An
> example for an expected log:
>
> Dec  9 15:52:52 mailscan1.mydomain.campus MailScanner[11325]: Message
> 1a6g6g-0004SR-Bx from 10.0.0.3 (mail at somedomain.net) to company.net is
> not spam, SpamAssassin (score=1.1, required 8, KAM_LAZY_DOMAIN_SECURITY
> 1.00, TVD_SPACE_RATIO 0.10)
>
> The required score is ok in this case.
>
>> Tabs? Are you using tabs in your rules?
>
> Yes. Tabs are used. I think if the rules file is messed up the rules will
> never take effect.
>
>> Any whitelists for say …  the server it came from?
>
> If there are any whitelist entries present (ip, domain, full address) a
> "(whitelisted)" is passed to the log. 2 of the 4 strange mails were virus
> infected spam mails from an unknown ip (definitely not wl).
>
> Kind regards,
> i.A.
> Oliver Kutscher
>
> --
>
> Postal address:
>
> ADDIX Internet Services GmbH
> Postfach 1225
> D-24011 Kiel
>
> Tel: +49 431 7755 140
> Fax: +49 431 7755 105
>
> ok at addix.net
> www.addix.net
>
>
> On 09.12.2015 at 15:51, Jerry Benton wrote:
>
>> And I am still sitting here blinking …. trying to remember what would
>> cause a “is not spam” marking when the score exceeds the threshold.
>> (Besides whitelisting)
>>
>> Any whitelists for say …  the server it came from?
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>
>>
>> On Dec 9, 2015, at 9:26 AM, Oliver Kutscher <ok at addix.net> wrote:
>>>
>>> Hi,
>>>
>>> we have been experiencing a lot of spam mails for some days and some of the
>>> mails are allowed and passed to the recipient. Let's have a look at a log
>>> entry I found in my logs:
>>>
>>> Dec  9 11:22:50 mailscan1.mydomain.campus MailScanner[30235]: Message
>>> 1a6btR-0008Ty-Mo from 10.0.0.2 (spammer at spam.com) to mydomain.net is
>>> not spam, SpamAssassin (score=7.768, required=3.5, HTML_MESSAGE 0.00,
>>> KAM_LAZY_DOMAIN_SECURITY 1.00, RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_SBL_CSS
>>> 3.33, RCVD_IN_XBL 0.38, URIBL_WS_SURBL 1.61)
>>>
>>> This mail passed the mail system and reached the recipient. I'm curious
>>> about two things:
>>>
>>> Why was the mail ranked as "is not spam" (score > required score)?
>>>
>>> Why has the required score a value of 3.5? I set per domain scores
>>> within /etc/MailScanner/rules/spam.score.rules:
>>>
>>> To:             *@mycompany.com                      4
>>> To:             *@mycompany.net                     8
>>> FromOrTo:       default                         3.5
>>>
>>> To make it more complicated: Most of the time the required score for
>>> mycompany.net is shown as 8, which is the required score that I'm
>>> expecting.
>>>
>>> I would be very grateful for any suggestions.
>>>
>>> ==============
>>> Versions / OS
>>> ==============
>>> Running on
>>> Linux mailscan1.addix.campus 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep
>>> 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>> This is CentOS Linux release 7.1.1503 (Core)
>>> This is Perl version 5.016003 (5.16.3)
>>>
>>> This is MailScanner version 4.85.2
>>> Module versions are:
>>> 1.01    AnyDBM_File
>>> 1.30    Archive::Zip
>>> 0.29    bignum
>>> 1.26    Carp
>>> 2.061   Compress::Zlib
>>> 1.119   Convert::BinHex
>>> 0.18    Convert::TNEF
>>> 2.145   Data::Dumper
>>> 2.30    Date::Parse
>>> 1.04    DirHandle
>>> 1.11    Fcntl
>>> 2.84    File::Basename
>>> 2.23    File::Copy
>>> 2.02    FileHandle
>>> 2.09    File::Path
>>> 0.2301  File::Temp
>>> 0.92    Filesys::Df
>>> 3.69    HTML::Entities
>>> 3.71    HTML::Parser
>>> 3.69    HTML::TokeParser
>>> 1.25_06 IO
>>> 1.16    IO::File
>>> 1.15    IO::Pipe
>>> 2.12    Mail::Header
>>> 1.998   Math::BigInt
>>> 0.2603  Math::BigRat
>>> 3.13    MIME::Base64
>>> 5.505   MIME::Decoder
>>> 5.505   MIME::Decoder::UU
>>> 5.505   MIME::Head
>>> 5.505   MIME::Parser
>>> 3.13    MIME::QuotedPrint
>>> 5.505   MIME::Tools
>>> 0.17    Net::CIDR
>>> 1.26    Net::IP
>>> 0.19    OLE::Storage_Lite
>>> 1.04    Pod::Escapes
>>> 3.28    Pod::Simple
>>> 1.30    POSIX
>>> 1.27    Scalar::Util
>>> 2.010   Socket
>>> 2.45    Storable
>>> 1.5     Sys::Hostname::Long
>>> 0.33    Sys::Syslog
>>> 1.48    Test::Pod
>>> 0.98    Test::Simple
>>> 1.9725  Time::HiRes
>>> 1.02    Time::localtime
>>>
>>> Optional module versions are:
>>> 1.92    Archive::Tar
>>> 0.29    bignum
>>> 2.06    Business::ISBN
>>> 20120719.001    Business::ISBN::Data
>>> missing Data::Dump
>>> 1.83    DB_File
>>> 1.39    DBD::SQLite
>>> 1.627   DBI
>>> 1.17    Digest
>>> 1.03    Digest::HMAC
>>> 2.52    Digest::MD5
>>> missing Digest::SHA1
>>> 1.01    Encode::Detect
>>> 0.17020 Error
>>> missing ExtUtils::CBuilder
>>> 3.18    ExtUtils::ParseXS
>>> 2.4     Getopt::Long
>>> missing Inline
>>> missing IO::String
>>> 1.10    IO::Zlib
>>> 2.28    IP::Country
>>> missing Mail::ClamAV
>>> 3.004000        Mail::SpamAssassin
>>> v2.008  Mail::SPF
>>> missing Mail::SPF::Query
>>> missing Module::Build
>>> missing Net::CIDR::Lite
>>> 0.72    Net::DNS
>>> missing Net::DNS::Resolver::Programmable
>>> missing Net::LDAP
>>> 4.069  NetAddr::IP
>>> missing Parse::RecDescent
>>> missing SAVI
>>> 3.28    Test::Harness
>>> missing Test::Manifest
>>> 2.02    Text::Balanced
>>> 1.60    URI
>>> 0.9907  version
>>> missing YAML
>>>
>>>
>>> Kind Regards,
>>> i.A.
>>> Oliver Kutscher
>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/listinfo/mailscanner
>>>
>>>
>>
>>
>>
>
>
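A way to find every affected message in the scanner log rather than spotting them by hand, as an added example that is not part of any post in this thread. The sample lines are constructed to mirror the log format quoted above; treating `score >= required` as the spam threshold and the "(whitelisted)" marker as the sign of a whitelist hit (as described in the thread) are assumptions.

```python
import re
from collections import defaultdict

# "required 8" and "required=3.5" both occur in the thread, so accept either.
VERDICT = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) "
    r"to (?P<domain>\S+) is not spam.*?"
    r"score=(?P<score>-?\d+(?:\.\d+)?), required[= ](?P<required>\d+(?:\.\d+)?)"
)

# Constructed sample lines modelled on the log format quoted in the thread.
PREFIX = "Dec  9 11:22:50 scanner.example MailScanner[1000]: "
SAMPLE = [
    PREFIX + "Message 1b0000-000001-AA from 10.0.0.3 (a@sender.example) to "
    "company.example is not spam, SpamAssassin (score=1.1, required 8, "
    "TVD_SPACE_RATIO 0.10)",
    PREFIX + "Message 1b0000-000002-BB from 10.0.0.2 (b@sender.example) to "
    "company.example is not spam, SpamAssassin (score=7.768, required=3.5, "
    "RCVD_IN_SBL_CSS 3.33)",
    PREFIX + "Message 1b0000-000003-CC from 10.0.0.4 (c@sender.example) to "
    "company.example is not spam (whitelisted), SpamAssassin (score=9.2, "
    "required 8, URIBL_WS_SURBL 1.61)",
    PREFIX + "New Batch: Scanning 1 messages, 2048 bytes",
]

def audit(lines):
    """Return (findings, mixed): 'is not spam' verdicts whose score reached the
    logged threshold, and domains logged with more than one threshold."""
    findings, thresholds = [], defaultdict(set)
    for line in lines:
        m = VERDICT.search(line)
        if m is None:
            continue  # not a SpamAssassin "is not spam" verdict line
        score, required = float(m["score"]), float(m["required"])
        thresholds[m["domain"]].add(required)
        if score >= required:
            findings.append({
                "id": m["id"], "domain": m["domain"],
                "score": score, "required": required,
                # Assumption from the thread: whitelist hits log "(whitelisted)".
                "whitelisted": "(whitelisted)" in line,
            })
    mixed = {d: sorted(v) for d, v in thresholds.items() if len(v) > 1}
    return findings, mixed

if __name__ == "__main__":
    found, mixed = audit(SAMPLE)
    for f in found:
        print(f)
    print("domains with inconsistent thresholds:", mixed)
```

Findings with `whitelisted` set to `False` are the ones that need explaining; a domain listed in `mixed` is being matched by more than one ruleset line.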