Posted to users@spamassassin.apache.org by Jake Colman <co...@ppllc.com> on 2005/05/19 17:24:23 UTC

SA Sometimes Being Bypassed?

If my sendmail server is down, a backup MX in a different domain catches all
my email.  When my sendmail server comes back up, the backup MX dumps all the
mail it's been holding for me.  It seems that all the email sent to me in
this manner bypasses my SA filtering.  Why should this be?  I believe that
what I am saying is accurate because if I examine the email headers for
emails sent by the backup MX, they do not have my X-Spam headers.

Thanks for any help.

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com


Re: SA Sometimes Being Bypassed?

Posted by Jake Colman <co...@ppllc.com>.
Could it be something about trusted relays?  Do I need to tell it scan email
received from my backup MX?  I did not deliberately tell anything to bypass
SA and my /etc/procmail will, I assume, trigger for all mail delivered to my
sendmail server even if it comes from my backup MX, right?

>>>>> "MH" == Martin Hepworth <ma...@solid-state-logic.com> writes:

   MH> Jake
   MH> have a look at the output of "spamassassin -D --lint mailmessage". You might
   MH> be trusting the secondary MX or it might be bypassing your SA system
   MH> altogether.


   MH> --
   MH> Martin Hepworth
   MH> Snr Systems Administrator
   MH> Solid State Logic
   MH> Tel: +44 (0)1865 842300


   MH> Jake Colman wrote:
   >> If my sendmail server is down, a backup MX in a different domain catches all
   >> my email.  When my sendmail server comes back up, the backup MX dumps all the
   >> mail it's been holding for me.  It seems that all the email sent to me in
   >> this manner bypasses my SA filtering.  Why should this be?  I believe that
   >> what I am saying is accurate because if I examine the email headers for
   >> emails sent by the backup MX, they do not have my X-Spam headers.
   >> Thanks for any help.
   >> 




Re: SA Sometimes Being Bypassed?

Posted by Jake Colman <co...@ppllc.com>.
>>>>> "w" == wolfgang  <me...@gmx.net> writes:

   w> In an older episode (Friday 20 May 2005 18:07), Jake Colman wrote:

   >> When my server is up, all email is processed by my SA.  If my server is
   >> down, my email is held for me at the backup MX.  When my server comes
   >> back, the backup MX sends me all my email.  It appears to me that when
   >> my email is delivered in that scenario that it bypassed my SA.

   w> I think it would be helpful to compare the headers of scanned mails and
   w> unscanned mails line by line to understand the difference. Also, have
   w> procmail add some "X-Been-There `hostname`" header to be sure you see
   w> if the mail has passed through procmail and use "VERBOSE=yes" in
   w> procmail, and re-activate the LOGFILE=* line and read the procmail log
   w> to see what happens there.

I just spent a tremendous amount of time redoing my sendmail and SA
configuration as part of a server upgrade.  Because of this, I totally
reviewed my setup and think I understand what I'm doing and I think it is all
working correctly.

However, I am still convinced that some messages, namely those received after
I have been offline for some period of time, are not being processed by my
SA.

My server was offline yesterday for quite a few hours while I redid my
sendmail and SA configuration.  Here are the relevant headers for an email that was
received shortly after I came back online:

--------------------------------------------------

  Received: from mxout1.mailhop.org (mxout1.mailhop.org [63.208.196.165]) by jnc.com (8.12.10/8.12.10) with ESMTP id j4OM0x8f014346 for <jc...@jnc.com>; Tue, 24 May 2005 20:23:10 -0400
  Received: from mxin2.mailhop.org ([63.208.196.176] helo=mx1.mailhop.org) by mxout1.mailhop.org with esmtp (Exim 4.51) id 1DaKRJ-0000tj-1W for jcolman@jnc.com; Mon, 23 May 2005 17:26:21 -0400
  Received: from [200.195.76.46] (helo=microsof-626218) by mx1.mailhop.org with esmtp (Exim 4.51) id 1DaKRF-0006gy-3Z for jcolman@jnc.com; Mon, 23 May 2005 17:26:21 -0400
  MIME-Version: 1.0
  X-Mailer: Internal Email Service (4.2.1.698)
  Message-ID: <!~...@terra.com.br>
  Content-Type: text/html; charset="iso-8859-1"
  Content-Transfer-Encoding: quoted-printable
  X-Mail-Handler: MailHop by DynDNS.org
  X-Spam-Score: -1.7 (-)

--------------------------------------------------

After my server was back on-line for a while, this is what headers look like:

--------------------------------------------------

  Received: from mxout2.mailhop.org (mxout2.mailhop.org [63.208.196.166]) by jnc.com (8.12.10/8.12.10) with ESMTP id j4PCQB4r009971 for <jc...@JNC.COM>; Wed, 25 May 2005 08:26:13 -0400
  Received: from mxin2.mailhop.org ([63.208.196.176] helo=mx1.mailhop.org) by mxout2.mailhop.org with esmtp (Exim 4.51) id 1Dauxf-000DBG-5N for jcolman@JNC.COM; Wed, 25 May 2005 08:26:11 -0400
  Received: from nmfs2.direct-notice.com ([71.4.247.139]) by mx1.mailhop.org with esmtp (Exim 4.51) id 1Dauxa-0005fs-AT for jcolman@JNC.COM; Wed, 25 May 2005 08:26:10 -0400
  Received: from NMFS2 (nmfs2.direct-notice.com) by NMFS2.DIRECT-NOTICE.COM (LSMTP for Windows NT v1.1b) with SMTP id <7....@NMFS2.DIRECT-NOTICE.COM>; Wed, 25 May 2005 7:48:23 -0400
  X-Mailerinfo: OTHR_JDR1218504 :: 7_050525_PRIME2_UN
  Message-ID: <OT...@DIRECT-NOTICE.COM>
  MIME-Version: 1.0
  Content-Type: multipart/alternative; boundary="----=OTHR_JDR1218504"
  X-Mail-Handler: MailHop by DynDNS.org
  X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on firewall.jnchome.com
  X-Spam-Level: ****
  X-Spam-Status: No, score=4.3 required=5.0 tests=ALL_TRUSTED,HTML_90_100, HTML_IMAGE_ONLY_12,HTML_MESSAGE,MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,SARE_RECV_IP_071004200,URIBL_SBL autolearn=no version=3.0.3

--------------------------------------------------

What could possibly explain this?  And how do I figure this out and fix it?

How do I configure procmail to add a header so I can verify whether all my
email is passing through my procmail?

This is my current /etc/procmailrc:

DROPPRIVS=yes
##LOGFILE=/var/log/procmail
PATH=/usr/bin:/usr/local/bin
MAILDIR=$HOME/mail

# Mail already tagged "SPAM" in the Subject by the upstream relay: file it directly.
:0:
* ^Subject:.*SPAM
caughtspam

# Everything else under 256000 bytes is piped through spamc; the rewritten
# message (now carrying X-Spam-* headers) replaces the original (f = filter, w = wait).
:0fw
* < 256000
| spamc

# File whatever SpamAssassin itself flagged.
:0:
* ^X-Spam-Status: Yes
caughtspam



Thanks!

...Jake



Re: SA Sometimes Being Bypassed?

Posted by wolfgang <me...@gmx.net>.
In an older episode (Friday 20 May 2005 18:07), Jake Colman wrote:

> When my server is up, all email is processed by my SA.  If my server is down,
> my email is held for me at the backup MX.  When my server comes back, the
> backup MX sends me all my email.  It appears to me that when my email is
> delivered in that scenario that it bypassed my SA.

I think it would be helpful to compare the headers of scanned mails and 
unscanned mails line by line to understand the difference. Also, have 
procmail add some "X-Been-There `hostname`" header to be sure you see if the 
mail has passed through procmail and use "VERBOSE=yes" in procmail, and 
re-activate the LOGFILE=* line and read the procmail log to see what happens 
there.

regards,

wolfgang

Re: SA Sometimes Being Bypassed?

Posted by Jake Colman <co...@ppllc.com>.
Let me explain this system, since it might be relevant to the discussion.

This is a simple home-based network server that is processing mail for its
own domain.  This domain (jnc.com) is known to the world and all email sent
to user@jnc.com is delivered to the sendmail running on my box.  All users
have their mailboxes on this system and they use imap to view their email.

Since this machine has a dynamic IP address I use dyndns to host the DNS and
MX entries for jnc.com.  I also use them as a mail relay to forward all my
email to my sendmail server and as a backup MX if my server is down.

When my server is up, all email is processed by my SA.  If my server is down,
my email is held for me at the backup MX.  When my server comes back, the
backup MX sends me all my email.  It appears to me that when my email is
delivered in that scenario that it bypassed my SA.  

Is this at all possible?  Or if it works for one scenario it must work for
both? 

The size of the email should not be an issue since it is all the standard spam
crap we all get.

...Jake

>>>>> "MK" == Matt Kettler <mk...@EVI-INC.COM> writes:

   MK> Martin Hepworth wrote:
   >> Jake
   >> 
   >> have a look at the output of "spamassassin -D --lint mailmessage". You
   >> might be trusting the secondary MX or it might be bypassing your SA
   >> system altogether.
   >> 

   MK> SpamAssassin's concept of trust has nothing to do with it.

   MK> There's no X-Spam-* headers, so SA is being bypassed completely.

   MK> SA ALWAYS adds at least X-Spam-Checker-Version header, regardless of trust.
   MK> (unless you use spamc and the size is over the limit for -s).


   MK> Based on the procmail config that Jake posted, one of the following must be true:

   MK> 1) the messages are too large to be scanned (>250k) and thus being bypassed by
   MK> spamc (250k-255k) or his procmail rule (>256k).

   MK> 2) the messages from the secondary are never reaching the box that runs SA via
   MK> procmail, and are being delivered to a mailbox elsewhere.

   MK> 3) The messages from the secondary are reaching the box running SA via procmail,
   MK> but are relayed without local delivery. (procmail only gets called as the
   MK> message is delivered on the local box)


   MK> I suspect 2). Particularly if there's some kind of fetchmail,
   MK> multi-server-pop-client, or internal groupware server involved in the picture.

   MK> 3) Is really a theoretical problem, it's possible but highly unlikely. You'd
   MK> have a pretty weird server that relays mail for a user only if it came in from a
   MK> secondary MX.


   MK> Looking at the Received: path and size of some of the messages should clear up
   MK> what's going on.







Re: SA Sometimes Being Bypassed?

Posted by Matt Kettler <mk...@EVI-INC.COM>.
Martin Hepworth wrote:
> Jake
> 
> have a look at the output of "spamassassin -D --lint mailmessage". You
> might be trusting the secondary MX or it might be bypassing your SA
> system altogether.
> 

SpamAssassin's concept of trust has nothing to do with it.

There's no X-Spam-* headers, so SA is being bypassed completely.

SA ALWAYS adds at least X-Spam-Checker-Version header, regardless of trust.
(unless you use spamc and the size is over the limit for -s).


Based on the procmail config that Jake posted, one of the following must be true:

1) the messages are too large to be scanned (>250k) and thus being bypassed by
spamc (250k-255k) or his procmail rule (>256k).

2) the messages from the secondary are never reaching the box that runs SA via
procmail, and are being delivered to a mailbox elsewhere.

3) The messages from the secondary are reaching the box running SA via procmail,
but are relayed without local delivery. (procmail only gets called as the
message is delivered on the local box)


I suspect 2). Particularly if there's some kind of fetchmail,
multi-server-pop-client, or internal groupware server involved in the picture.

3) Is really a theoretical problem, it's possible but highly unlikely. You'd
have a pretty weird server that relays mail for a user only if it came in from a
secondary MX.


Looking at the Received: path and size of some of the messages should clear up
what's going on.
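The header comparison wolfgang suggests and the Received: path check Matt recommends, as an added Python example that is not part of the thread: it walks the Received: chain to measure how long the upstream relay held a message before jnc.com accepted it, looks for the X-Spam-Checker-Version header that SA always adds, and sorts an unscanned message into the cases Matt lists. The two sample messages are constructed from the header dumps Jake posted (bodies are placeholders); the jnc.com hostname and the 250000-byte spamc limit are taken from the thread.

```python
import email
import re
from email.utils import parsedate_to_datetime

LOCAL_MTA = "jnc.com"   # the sendmail box that runs procmail + spamc (from the thread)
SPAMC_MAX = 250_000     # spamc's default -s size limit as Matt states it (assumed value)
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_hops(raw):
    """(from_host, by_host, timestamp) for each Received: header, newest hop first."""
    hops = []
    for hdr in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        when = parsedate_to_datetime(hdr.rsplit(";", 1)[-1].strip())
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower(), when))
    return hops

def relay_hold_seconds(hops):
    """Seconds the upstream relay held the mail before LOCAL_MTA accepted it."""
    for i, (_, by, when) in enumerate(hops[:-1]):
        if by == LOCAL_MTA:
            return int((when - hops[i + 1][2]).total_seconds())
    return None  # LOCAL_MTA never appears as a receiving host (Matt's case 2)

def triage(raw):
    msg = email.message_from_string(raw)
    hold = relay_hold_seconds(received_hops(raw))
    size = len(raw.encode())
    if "X-Spam-Checker-Version" in msg:      # SA always adds this when it runs
        verdict = "scanned"
    elif size >= SPAMC_MAX:
        verdict = "size-exempt"              # case 1: spamc/procmail skipped it
    elif hold is None:
        verdict = "never-reached-local-mta"  # case 2: delivered elsewhere
    else:
        verdict = "accepted-locally-but-unscanned"  # case 3, or procmail not invoked
    return {"hold_seconds": hold, "size": size, "verdict": verdict}

# Samples constructed from the two header dumps in the thread; bodies are placeholders.
HELD = """Received: from mxout1.mailhop.org (mxout1.mailhop.org [63.208.196.165]) by jnc.com (8.12.10/8.12.10) with ESMTP id j4OM0x8f014346 for <jcolman@jnc.com>; Tue, 24 May 2005 20:23:10 -0400
Received: from mxin2.mailhop.org ([63.208.196.176] helo=mx1.mailhop.org) by mxout1.mailhop.org with esmtp (Exim 4.51) id 1DaKRJ-0000tj-1W for jcolman@jnc.com; Mon, 23 May 2005 17:26:21 -0400
X-Spam-Score: -1.7 (-)

placeholder body"""
PROMPT = """Received: from mxout2.mailhop.org (mxout2.mailhop.org [63.208.196.166]) by jnc.com (8.12.10/8.12.10) with ESMTP id j4PCQB4r009971 for <jcolman@JNC.COM>; Wed, 25 May 2005 08:26:13 -0400
Received: from mxin2.mailhop.org ([63.208.196.176] helo=mx1.mailhop.org) by mxout2.mailhop.org with esmtp (Exim 4.51) id 1Dauxf-000DBG-5N for jcolman@JNC.COM; Wed, 25 May 2005 08:26:11 -0400
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on firewall.jnchome.com

placeholder body"""
```

Run on the thread's own dumps, the first message shows a hold of about 27 hours at the relay, no X-Spam-Checker-Version, and jnc.com present in its Received: path; the second shows a 2-second hold and the SA header.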






Re: SA Sometimes Being Bypassed?

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Jake

have a look at the output of "spamassassin -D --lint mailmessage". You 
might be trusting the secondary MX or it might be bypassing your SA 
system altogether.


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Jake Colman wrote:
> If my sendmail server is down, a backup MX in a different domain catches all
> my email.  When my sendmail server comes back up, the backup MX dumps all the
> mail it's been holding for me.  It seems that all the email sent to me in
> this manner bypasses my SA filtering.  Why should this be?  I believe that
> what I am saying is accurate because if I examine the email headers for
> emails sent by the backup MX, they do not have my X-Spam headers.
> 
> Thanks for any help.
> 

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************


Re: SA Sometimes Being Bypassed?

Posted by Matt Kettler <mk...@evi-inc.com>.
Jake Colman wrote:
>>>>>> "MK" == Matt Kettler <mk...@evi-inc.com> writes:
> 
> 
>    MK> Jake Colman wrote:
>    >> If my sendmail server is down, a backup MX in a different domain catches all
>    >> my email.  When my sendmail server comes back up, the backup MX dumps all the
>    >> mail it's been holding for me.  It seems that all the email sent to me in
>    >> this manner bypasses my SA filtering.  Why should this be?  I believe that
>    >> what I am saying is accurate because if I examine the email headers for
>    >> emails sent by the backup MX, they do not have my X-Spam headers.
> 
>    MK> How do you call spamassassin for your normal mail?
> 
>    MK> Without knowing how normal mail gets to SA, it's hard to guess why
>    MK> mail from the secondary isn't getting to SA.
> 
> I use a /etc/procmailrc with the following contents:
> 

Hmmm, does the unscanned mail get delivered to a mailbox on the server running
procmail, or does it go around it? Check your Received: headers.

Re: SA Sometimes Being Bypassed?

Posted by Jake Colman <co...@ppllc.com>.
>>>>> "MK" == Matt Kettler <mk...@evi-inc.com> writes:

   MK> Jake Colman wrote:
   >> If my sendmail server is down, a backup MX in a different domain catches all
   >> my email.  When my sendmail server comes back up, the backup MX dumps all the
   >> mail it's been holding for me.  It seems that all the email sent to me in
   >> this manner bypasses my SA filtering.  Why should this be?  I believe that
   >> what I am saying is accurate because if I examine the email headers for
   >> emails sent by the backup MX, they do not have my X-Spam headers.

   MK> How do you call spamassassin for your normal mail?

   MK> Without knowing how normal mail gets to SA, it's hard to guess why
   MK> mail from the secondary isn't getting to SA.

I use a /etc/procmailrc with the following contents:

DROPPRIVS=yes
##LOGFILE=/var/log/procmail
PATH=/usr/bin:/usr/local/bin
MAILDIR=$HOME/mail

:0:
* ^Subject:.*SPAM
caughtspam

:0fw
* < 256000
| spamc

:0:
* ^X-Spam-Status: Yes
caughtspam


This should file all emails flagged with "SPAM" in the subject (my emails get
pre-filtered by a relay box) in a 'caughtspam' folder.  All other mails are
piped through spamc and then, if X-Spam-Status is 'Yes', they also get filed
in 'caughtspam'.



Re: SA Sometimes Being Bypassed?

Posted by Matt Kettler <mk...@evi-inc.com>.
Jake Colman wrote:
> If my sendmail server is down, a backup MX in a different domain catches all
> my email.  When my sendmail server comes back up, the backup MX dumps all the
> mail it's been holding for me.  It seems that all the email sent to me in
> this manner bypasses my SA filtering.  Why should this be?  I believe that
> what I am saying is accurate because if I examine the email headers for
> emails sent by the backup MX, they do not have my X-Spam headers.

How do you call spamassassin for your normal mail?

Without knowing how normal mail gets to SA, it's hard to guess why mail from the
secondary isn't getting to SA.