Posted to users@spamassassin.apache.org by David Flanigan <da...@flanigan.net> on 2006/06/08 16:45:19 UTC

SA Checking user unknown e-mail?

Hello oh’ gurus of Spamassassin: 

I have a, hopefully, quick question with regards to my implementation of Spamassassin. 

In a nutshell it appears that Spamassassin is taking the time and energy to check user-unknown e-mail.

I am running Spamassassin 3.1.1

Attached is my sendmail log showing a piece of e-mail (which is spam) coming in to an 
unknown user account: 

Jun  8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: <ka...@flanigan.net>... User unknown
Jun  8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: from=<dy...@netzero.com>, size=15866, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ns2.flanigan.net [67.36.126.141]
Jun  8 10:13:57 ns1 sendmail[20493]: k58EDuQS020493: from=<>, size=19201, class=0, nrcpts=1, msgid=<20...@ns2.flanigan.net>, proto=ESMTP, daemon=MTA, relay=ns2.flanigan.net [67.36.126.141]

Then the following from my spamd log:

Jun  8 10:13:57 ns1 spamd[13477]: spamd: connection from ns1.flanigan.net [127.0.0.1] at port 43625
Jun  8 10:13:57 ns1 spamd[13477]: spamd: processing message <20...@ns2.flanigan.net> for root:505
Jun  8 10:14:00 ns1 spamd[13477]: spamd: identified spam (24.3/5.0) for root:505 in 2.3 seconds, 19499 bytes.
Jun  8 10:14:00 ns1 spamd[13477]: spamd: result: Y 24 - ALL_TRUSTED,AWL,BAYES_99,HTML_90_100,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MIME_HTML_MOSTLY,SARE_GIF_ATTACH,SARE_GIF_STOX,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=2.3,size=19499,user=root,uid=505,required_score=5.0,rhost=ns1.flanigan.net,raddr=127.0.0.1,rport=43625,mid=<20...@ns2.flanigan.net>,bayes=0.999657933165012,autolearn=no

Notice the same msgid <20...@ns2.flanigan.ne> from both sendmail 
and spamd. 

My question is why does sendmail not just reject the message and leave it be? Why 
process a message we have no intention of delivering to anyone? Or am I reading this 
wrong?

My link between sendmail and spamd is through /etc/procmailrc which reads simply:

:0fw
| /usr/bin/spamc

This quest to track this down has all come from the fact that I am seeing over 900 
spam messages an hour. (see spam stats: http://www.flanigan.net/spam/) and there are 
only about a dozen active mailboxes across my 3 or 4 domains.

Any wisdom would be greatly appreciated!


---
Kind Regards,
David

http://www.flanigan.net


Re: SA Checking user unknown e-mail?

Posted by Jonas Eckerman <jo...@frukt.org>.
David Flanigan wrote:

> Jun  8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: <ka...@flanigan.net>... User unknown
> Jun  8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: from=<dy...@netzero.com>, size=15866, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ns2.flanigan.net [67.36.126.141]
> Jun  8 10:13:57 ns1 sendmail[20493]: k58EDuQS020493: from=<>, size=19201, class=0, nrcpts=1, msgid=<20...@ns2.flanigan.net>, proto=ESMTP, daemon=MTA, relay=ns2.flanigan.net [67.36.126.141]

Those logs are for two different messages.

The mail to an unknown user has the queue ID "k58EDuQQ020493", while the one that's received has ID "k58EDuQS020493" and looks like a bounce (from <>).

> My question is why does sendmail not just reject the message and leave it be?

To me the log lines above *seem* to show sendmail rejecting a mail to an unknown user.

Anyway, that's a sendmail issue.

/Jonas

-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
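
Added example, not part of either post: a small Python script that applies the reading given in the reply, grouping sendmail lines by queue ID, flagging null-sender (from=<>) bounces, and matching Message-IDs against spamd's "processing message" lines. The sample log is constructed from the lines in this thread; the queue IDs are the thread's, while the addresses, hosts and Message-ID are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's log lines. Queue IDs come from
# the thread; addresses, hosts and the Message-ID are placeholders.
SAMPLE_LOG = """\
Jun  8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: <nobody@example.net>... User unknown
Jun  8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: from=<sender@example.com>, size=15866, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ns2.example.net [192.0.2.10]
Jun  8 10:13:57 ns1 sendmail[20493]: k58EDuQS020493: from=<>, size=19201, class=0, nrcpts=1, msgid=<constructed-id@ns2.example.net>, proto=ESMTP, daemon=MTA, relay=ns2.example.net [192.0.2.10]
Jun  8 10:13:57 ns1 spamd[13477]: spamd: processing message <constructed-id@ns2.example.net> for root:505
"""

SENDMAIL = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
SPAMD = re.compile(r"spamd\[\d+\]: spamd: processing message (?P<mid><[^>]*>)")
FIELD = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")  # key=value pairs in a sendmail line


def summarize(log_text):
    """Return one record per sendmail queue ID, i.e. per message."""
    msgs = defaultdict(dict)
    scanned = set()  # Message-IDs that spamd reports processing
    for line in log_text.splitlines():
        s = SENDMAIL.search(line)
        if s:
            entry = msgs[s["qid"]]
            if s["rest"].endswith("User unknown"):
                entry["user_unknown"] = True
            entry.update(FIELD.findall(s["rest"]))
            continue
        d = SPAMD.search(line)
        if d:
            scanned.add(d["mid"])
    return {
        qid: {
            "rejected_rcpt": e.get("user_unknown", False),
            "accepted_rcpts": int(e.get("nrcpts", 0)),
            "bounce": e.get("from") == "<>",  # null envelope sender
            "scanned_by_spamd": e.get("msgid") in scanned,
        }
        for qid, e in msgs.items()
    }


if __name__ == "__main__":
    for qid, info in summarize(SAMPLE_LOG).items():
        print(qid, info)
```
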