Mail from Outside our Domain not Stored

Lamar Milligan lmilligan at co.walton.ga.us
Thu Jun 13 13:40:32 UTC 2019


I forgot to include headers from an external email that should be stored but 
was not.  Here is a sample:



[root at mail log]# grep x5DDUaQ2002792 maillog

Jun 13 09:30:39 mail sendmail[2792]: x5DDUaQ2002792: 
from=<bowman at myxpal.agency>, size=9664, class=0, nrcpts=1, 
msgid=<dax6N5S39289cyj.ojf90A71YAB8nys at Myxpal.agency> , proto=ESMTP, 
daemon=MTA, relay=69-94-156-238.nca.lanset.com [69.94.156.238] (may be 
forged)

Jun 13 09:30:39 mail opendkim[2320]: x5DDUaQ2002792: [69.94.156.238] 
[69.94.156.238] not internal

Jun 13 09:30:39 mail opendkim[2320]: x5DDUaQ2002792: not authenticated

Jun 13 09:30:40 mail opendkim[2320]: x5DDUaQ2002792: bad signature data

Jun 13 09:30:40 mail sendmail[2792]: x5DDUaQ2002792: Milter insert (1): 
header: Authentication-Results:  mail.co.walton.ga.us;\n\tdkim=fail 
reason="signature verification failed" (1024-bit key) header.d=myxpal.agency 
header.i=@myxpal.agency header.b="h7s2jlp+"

Jun 13 09:30:40 mail sendmail[2792]: x5DDUaQ2002792: Milter insert (1): 
header: DKIM-Filter:  OpenDKIM Filter v2.11.0 mail.co.walton.ga.us 
x5DDUaQ2002792

Jun 13 09:30:44 mail MailScanner[27531]: RBL checks: x5DDUaQ2002792 found in 
SPAMHAUS

Jun 13 09:30:49 mail MailScanner[27531]: Message x5DDUaQ2002792 from 
69.94.156.238 (bowman at myxpal.agency) to co.walton.ga.us is spam, SPAMHAUS, 
SpamAssassin (not cached, score=7.159, required 5, BAYES_00 -1.90, 
DKIM_INVALID 0.10, DKIM_SIGNED 0.10, HTML_IMAGE_RATIO_02 0.44, HTML_MESSAGE 
0.00, PYZOR_CHECK 1.39, RCVD_IN_SBL_CSS 3.33, RDNS_DYNAMIC 
0.98, SPF_HELO_NONE 0.00, SPF_NONE 0.00, T_HTML_TAG_BALANCE_CENTER 0.01, 
URIBL_CSS 0.10, URIBL_CSS_A 0.10, URIBL_DBL_SPAM 2.50)

Jun 13 09:30:49 mail MailScanner[27531]: Non-delivery of spam: message 
x5DDUaQ2002792 from bowman at myxpal.agency to bryan.shelton at co.walton.ga.us 
with subject <dynamic>  to- Help- Pay--Your- Final- Expenses-

Jun 13 09:30:49 mail MailScanner[27531]: Spam Actions: message 
x5DDUaQ2002792 actions are store,header

Jun 13 09:30:50 mail MailScanner[27531]: MailWatch: Logging message 
x5DDUaQ2002792 to SQL

Jun 13 09:30:50 mail MailScanner[30470]: MailWatch: x5DDUaQ2002792: Logged 
to MailWatch SQL



Thanks for your help,



Lamar



From: MailScanner 
<mailscanner-bounces+lmilligan=co.walton.ga.us at lists.mailscanner.info> On 
Behalf Of Lamar Milligan via MailScanner
Sent: Thursday, June 13, 2019 9:16 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: Lamar Milligan <lmilligan at co.walton.ga.us>
Subject: RE: Mail from Outside our Domain not Stored



Here are maillog extracts from our sendmail server for messages to and from 
my Gmail account.  I did hide my Gmail address in the logs.



[root at mail log]# grep address  maillog|grep Jun\ 13

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: to=<address at gmail.com>, 
delay=00:00:00, mailer=esmtp, pri=35430, stat=queued

Jun 13 08:51:37 mail MailScanner[20868]: Delivery of nonspam: message 
x5DCpZVS029638 from lmilligan at co.walton.ga.us to address at gmail.com with 
subject Test Message

Jun 13 08:52:37 mail sendmail[29653]: x5DCpZVS029638: to=<address at gmail.com>, 
delay=00:01:02, xdelay=00:01:00, mailer=esmtp, pri=125430, 
relay=gmail-smtp-in.l.google.com. [64.233.185.27], dsn=2.0.0, 
stat=Sent (OK  1560430357 a64si1019447yba.91 - gsmtp)

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: 
from=<address at gmail.com>, size=4489, class=0, nrcpts=1, 
msgid=<CAEqc0zk7k5Q9FiM6VUk-P8oKBhpgWOqcCBQd3-U-HepE=5Enew at mail.gmail.com>, 
proto=ESMTP, daemon=MTA, relay=mail-qk1-f180.google.com [209.85.222.180]

Jun 13 08:53:26 mail MailScanner[27531]: Message x5DCrN44029857 from 
209.85.222.180 (address at gmail.com) to co.walton.ga.us is not spam, 
SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam, 
BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, 
FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, SPF_HELO_NONE 0.00, SPF_PASS -0.00)

Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message 
x5DCrN44029857 from address at gmail.com to lmilligan at co.walton.ga.us with 
subject Re: Test Message



[root at mail log]# grep x5DCpZVS029638 maillog

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: 
from=<lmilligan at co.walton.ga.us>, size=5430, class=0, nrcpts=1, 
msgid=<000001d521e6$bb9dbfd0$32d93f70$@co.walton.ga.us>, bodytype=7BIT, 
proto=ESMTP, daemon=MTA, relay=zimbra1 [192.168.32.47]

Jun 13 08:51:35 mail opendkim[2320]: x5DCpZVS029638: DKIM-Signature field 
added (s=FEA62E10-BFE6-11E7-BA2D-46CD2CC478D5, d=co.walton.ga.us)

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: Milter insert (1): 
header: DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; 
d=co.walton.ga.us;\n\ts=FEA62E10-BFE6-11E7-BA2D-46CD2CC478D5; 
t=1560430295;\n\tbh=CSJ2rlhIjlClMMaj7t9SswqeupTOa7unO4OXOq2PwNc=;\n\th=Reply-To:From:To:Subject:Date:From;\n\tb=uvX8sa9j4g3GZc9r94bLrYNJj4FqJoin1EItnitkB+cPWrAKf147nfTTNGOofBTK8\n\t 
rEPD90/OGACQwNG5VaQh433tMaB7sPSlhrfAMQsmj9hLHPZ1iUk0NDQNXn1293KqMS\n\t 
naHcHSbwzQIqG7O6TrjtPaPKXWHgZ1KnJ2zpY5QQ=

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: Milter insert (1): 
header: DKIM-Filter:  OpenDKIM Filter v2.11.0 mail.co.walton.ga.us 
x5DCpZVS029638

Jun 13 08:51:35 mail sendmail[29638]: x5DCpZVS029638: to=<address at gmail.com>, 
delay=00:00:00, mailer=esmtp, pri=35430, stat=queued

Jun 13 08:51:37 mail MailScanner[20868]: Message x5DCpZVS029638 from 
192.168.32.47 (lmilligan at co.walton.ga.us) to gmail.com is not spam, 
SpamAssassin (not cached, score=-2.699, required 5, ALL_TRUSTED -1.00, 
BAYES_00 -1.90, DKIM_INVALID 0.10, DKIM_SIGNED 0.10, HTML_MESSAGE 0.00)

Jun 13 08:51:37 mail MailScanner[20868]: Delivery of nonspam: message 
x5DCpZVS029638 from lmilligan at co.walton.ga.us to address at gmail.com with 
subject Test Message

Jun 13 08:51:37 mail MailScanner[20868]: MailWatch: Logging message 
x5DCpZVS029638 to SQL

Jun 13 08:51:37 mail MailScanner[29472]: MailWatch: x5DCpZVS029638: Logged 
to MailWatch SQL

Jun 13 08:52:37 mail sendmail[29653]: x5DCpZVS029638: to=<address at gmail.com>, 
delay=00:01:02, xdelay=00:01:00, mailer=esmtp, pri=125430, 
relay=gmail-smtp-in.l.google.com. [64.233.185.27], dsn=2.0.0, 
stat=Sent (OK  1560430357 a64si1019447yba.91 - gsmtp)



[root at mail log]# grep x5DCrN44029857 maillog

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: 
from=<address at gmail.com>, size=4489, class=0, nrcpts=1, 
msgid=<CAEqc0zk7k5Q9FiM6VUk-P8oKBhpgWOqcCBQd3-U-HepE=5Enew at mail.gmail.com>, 
proto=ESMTP, daemon=MTA, relay=mail-qk1-f180.google.com [209.85.222.180]

Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: 
mail-qk1-f180.google.com [209.85.222.180] not internal

Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: not authenticated

Jun 13 08:53:23 mail opendkim[2320]: x5DCrN44029857: DKIM verification 
successful

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: Milter insert (1): 
header: Authentication-Results:  mail.co.walton.ga.us;\n\tdkim=pass 
(2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="QvRSmgcU"

Jun 13 08:53:23 mail sendmail[29857]: x5DCrN44029857: Milter insert (1): 
header: DKIM-Filter:  OpenDKIM Filter v2.11.0 mail.co.walton.ga.us 
x5DCrN44029857

Jun 13 08:53:26 mail MailScanner[27531]: Message x5DCrN44029857 from 
209.85.222.180 (address at gmail.com) to co.walton.ga.us is not spam, 
SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam, 
BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, 
FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, SPF_HELO_NONE 0.00, SPF_PASS -0.00)

Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message 
x5DCrN44029857 from address at gmail.com to lmilligan at co.walton.ga.us with 
subject Re: Test Message

Jun 13 08:53:26 mail MailScanner[27531]: MailWatch: Logging message 
x5DCrN44029857 to SQL

Jun 13 08:53:26 mail MailScanner[29472]: MailWatch: x5DCrN44029857: Logged 
to MailWatch SQL

Jun 13 08:53:26 mail sendmail[29883]: x5DCrN44029857: 
to=lmilligan at zimbra1.co.walton.ga.us, delay=00:00:03, xdelay=00:00:00, 
mailer=esmtp, pri=124489, relay=zimbra1.co.walton.ga.us. [192.168.32.47], 
dsn=2.0.0, stat=Sent (Ok: queued as 7A9B2E17EE)



I hope there is something in here that explains this behavior, but I cannot 
see it.  Thanks so much for looking at this, it has bugged me for months!



Lamar



From: MailScanner 
<mailscanner-bounces+lmilligan=co.walton.ga.us at lists.mailscanner.info> On 
Behalf Of Shawn Iverson via MailScanner
Sent: Wednesday, June 12, 2019 7:34 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: Shawn Iverson <iversons at rushville.k12.in.us>
Subject: Re: Mail from Outside our Domain not Stored



Hehe, missed that line, so the line is being read, this is very bizarre...



In any case, maillogs are going to be the next logical step.



On Wed, Jun 12, 2019 at 5:09 PM Antony Stone 
<Antony.Stone at mailscanner.open.source.it> wrote:

On Wednesday 12 June 2019 at 22:32:28, Shawn Iverson via MailScanner wrote:

> I do see a subtle clue...
>
> 1)  The "X-Spam-Status: No" is actually not present.

Erm, yes it is?

X-Spam-Status: No, score=3.451 required=6 
tests=[ALL_TRUSTED=-1,BAYES_50=0.8,
        DKIM_SIGNED=0.1, DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.25,
        LOCAL_COUNTRY=2.2, LOCAL_NOTFROM_TTLD=2.2, MAILING_LIST_MULTI=-1,
        SPF_HELO_NONE=0.001] autolearn=no autolearn_force=no

> "X-Spam-Flag: NO" is actually coming from amavisd-new on the next hop (the
> Zimbra mail server itself, I think) and hence why it is so far up in the
> Received chain.

Indeed - that's different.

> 2) Because X-Spam-Status is not there, the Non Spam Actions appears to have
> been ignored for some reason.

I'm not so sure (but then again I'm not at all sure about this one).

> At this point, we are going to need a maillog of an inbound message that
> fails to get quarantined, along with a maillog of an outbound message that
> is being quarantined for further clues.

Sounds good to me.


Antony.

-- 
"Remember: the S in IoT stands for Security."

 - Jan-Piet Mens

                                                   Please reply to the list;
                                                         please *don't* CC me.





-- 

Shawn Iverson, CETL

Director of Technology

Rush County Schools

765-932-3901 option 7

iversons at rushville.k12.in.us
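
One way to line up what MailScanner logged for each message in maillog extracts like the ones in this thread, added here as an example and not written by any poster or taken from MailScanner or MailWatch: it groups MailScanner events by sendmail queue ID and lists the queue IDs for which no `store` action was logged. The sample lines are abridged from the logs above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample: lines abridged from the maillog extracts in this thread, one event
# per line as in the real maillog (addresses keep the archive's " at " form).
SAMPLE = """\
Jun 13 09:30:44 mail MailScanner[27531]: RBL checks: x5DDUaQ2002792 found in SPAMHAUS
Jun 13 09:30:49 mail MailScanner[27531]: Message x5DDUaQ2002792 from 69.94.156.238 (bowman at myxpal.agency) to co.walton.ga.us is spam, SPAMHAUS, SpamAssassin (not cached, score=7.159, required 5, BAYES_00 -1.90)
Jun 13 09:30:49 mail MailScanner[27531]: Non-delivery of spam: message x5DDUaQ2002792 from bowman at myxpal.agency to bryan.shelton at co.walton.ga.us with subject <dynamic>
Jun 13 09:30:49 mail MailScanner[27531]: Spam Actions: message x5DDUaQ2002792 actions are store,header
Jun 13 09:30:50 mail MailScanner[30470]: MailWatch: x5DDUaQ2002792: Logged to MailWatch SQL
Jun 13 08:53:26 mail MailScanner[27531]: Message x5DCrN44029857 from 209.85.222.180 (address at gmail.com) to co.walton.ga.us is not spam, SpamAssassin (not cached, score=-1.998, required 5, autolearn=not spam)
Jun 13 08:53:26 mail MailScanner[27531]: Delivery of nonspam: message x5DCrN44029857 from address at gmail.com to lmilligan at co.walton.ga.us with subject Re: Test Message
Jun 13 08:53:26 mail MailScanner[29472]: MailWatch: x5DCrN44029857: Logged to MailWatch SQL
"""

QID = r"(?P<qid>\w+)"  # sendmail queue ID, e.g. x5DDUaQ2002792
PATTERNS = {
    "verdict": re.compile(r"Message " + QID + r" from \S+ .* is "
                          r"(?P<val>not spam|spam),.*score=(?P<score>-?[\d.]+)"),
    "actions": re.compile(r"Spam Actions: message " + QID + r" actions are (?P<val>\S+)"),
    "delivery": re.compile(r"(?P<val>Non-delivery of spam|Delivery of nonspam)"
                           r": message " + QID + r" "),
    "mailwatch": re.compile(r"MailWatch: " + QID + r": (?P<val>Logged to MailWatch SQL)"),
}

def summarize(log_text):
    """Group the MailScanner events found in log_text by queue ID."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        if "MailScanner[" not in line:
            continue  # sendmail/opendkim lines carry no MailScanner decision
        for field, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                msgs[m["qid"]][field] = m["val"]
                if field == "verdict":
                    msgs[m["qid"]]["score"] = float(m["score"])
    return dict(msgs)

def not_stored_candidates(msgs):
    """Queue IDs MailScanner handled without logging a 'store' action."""
    return sorted(q for q, ev in msgs.items()
                  if "store" not in ev.get("actions", "").split(","))

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for qid, events in result.items():
        print(qid, events)
    print("no store action logged:", not_stored_candidates(result))
```

The absence of a logged `store` action is only a pointer for checking the quarantine directory and the action settings; the log extracts in this thread show an actions line only for the spam message.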




