Mail discarded with http

[Sasa <sa...@shoponweb.it>]

Hi, I have a problem with some mails that are discarded when in body message
there is a web link with http prefix, i.e. with:

http://www.example.com/example

with this link the mail is discarded and in log file I have:

[root@mail ~]# grep 707F026A302 /var/log/maillog
May 20 10:52:16 mail postfix/smtpd[12804]: 707F026A302:
client=unknown[192.168.1.88], sasl_method=LOGIN,
sasl_username=user@mydomain.com
May 20 10:52:16 mail postfix/cleanup[13001]: 707F026A302:
message-id=000d01caf7f9$c95308e0$5bf91aa0$@com
May 20 10:52:20 mail postfix/qmgr[12573]: 707F026A302:
from=<us...@mydomain.com>, size=3075, nrcpt=2 (queue active)
May 20 10:52:39 mail postfix/smtp[13776]: 707F026A302:
to=<dv...@domain.it>, relay=127.0.0.1[127.0.0.1]:10024,delay=23,
delays=4.2/0/0.01/19, dsn=2.7.1, status=sent (250 2.7.1 Ok, discarded, UBE,
id=13116-02)

now the same mail and the same 'from' and 'to' address but in body message I
have:
www.example.com/example

..therefore without http prefix, this mail is delivered to destination
address without problem ! and in log file I have:

May 20 11:02:49 mail amavis[15631]: (15631-01) Passed CLEAN, [192.168.1.88]
[192.168.1.88] <us...@mydomain.com> -> <dv...@domain.it>, Message-ID:
<00...@com>, Hits: 4.339, 9381 ms
May 20 11:02:49 mail postfix/smtp[15401]: 549B926A45C:
to=<dv...@domain.it>, relay=127.0.0.1[127.0.0.1]:10024, delay=18,
delays=5.2/3.1/0.07/9.6, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=15631-01,
from MTA: 250 2.0.0 Ok: queued as A3CC026A424)
May 20 11:02:52 mail postfix/smtp[14403]: A3CC026A424:
to=<dv...@domain.it>, relay=mxdomain5.domain.it[212.52.84.83]:25,
delay=3.6, delays=0.38/0/3.1/0.14, dsn=2.0.0, status=sent (250 ok:  Message
140289514 accepted)

On my mail server I have:

postfix 2.5.6
amavisd-new
spamassassin
clamav

Thanks.

------

   Salvatore. 

Re: Mail discarded with http

[Gary V <mr...@gmail.com>]

On 5/21/10, Karsten Bräckelmann wrote:
> On Fri, 2010-05-21 at 15:58 +0200, Sasa wrote:
> > Hi, I have a problem with some mails that are discarded when in body message
> > there is a web link with http prefix, i.e. with:
> > http://www.example.com/example
> >
> > with this link the mail is discarded and in log file I have:
>
> You didn't show *any* traces of SA even being involved here. At the very
> least, we'd need the rules hit.
>
> > [root@mail ~]# grep 707F026A302 /var/log/maillog
> > May 20 10:52:16 mail postfix/smtpd[12804]: 707F026A302:
> > client=unknown[192.168.1.88], sasl_method=LOGIN,
> > sasl_username=user@mydomain.com
> > May 20 10:52:16 mail postfix/cleanup[13001]: 707F026A302:
> > message-id=000d01caf7f9$c95308e0$5bf91aa0$@com
> > May 20 10:52:20 mail postfix/qmgr[12573]: 707F026A302:
> > from=<us...@mydomain.com>, size=3075, nrcpt=2 (queue active)
>
> So you're filtering outbound mail?
>
> > May 20 10:52:39 mail postfix/smtp[13776]: 707F026A302:
> > to=<dv...@domain.it>, relay=127.0.0.1[127.0.0.1]:10024,delay=23,
> > delays=4.2/0/0.01/19, dsn=2.7.1, status=sent (250 2.7.1 Ok, discarded, UBE,
> > id=13116-02)
>
> SA does not discard mail. It merely classifies it, any action is left to
> other tools in your chain.
>
> You just clearly showed that it is postfix discarding the mail. What's
> missing from your pasted logs is the reason *why* postfix did that.
> You'll need to dig deeper.
>
> > postfix 2.5.6
> > amavisd-new
> > spamassassin
> > clamav
>
> So, first question to check for in the logs is, which of these tools
> even processed the message, and what the respective results are.
>

Actually, Postfix did not discard the mail, it delivered it to
amavisd-new at 127.0.0.1:10024 and amavisd-new reported back to
Postfic that it discarded the UBE mail. The mail is not necessarily
discarded however, it may have been quarantined by amavisd-new. Of
course this all depends on settings in amavisd-new. The first message
shows the amavisd-new log entry where spamassassin scored Hits: 4.339
and this message was Passed CLEAN. You do not show the amavisd-new log
entry for the second message. If the message has only this small amout
of text it it, this seems like a pretty high score, so you do need to
see which rules hit. If you increase amavisd-new $log_level to 2
during testing, you should see which rules were triggered. Here is a
sample from amavisd-new 2.6.4:

# tail -f /var/log/mail.log | grep SPAM

May 23 02:55:54 filter amavis[3942]: (03942-01) SPAM-TAG,
<ga...@example.com> -> <ga...@example.com>, No, score=1.317
required=6.1 tests=[ALL_TRUSTED=-1, AWL=0.549,
DATE_IN_FUTURE_06_12=0.001, MISSING_SUBJECT=1.767] autolearn=no

-- 
Gary V

Re: Mail discarded with http

[Karsten Bräckelmann <gu...@rudersport.de>]

On Fri, 2010-05-21 at 15:58 +0200, Sasa wrote:
> Hi, I have a problem with some mails that are discarded when in body message
> there is a web link with http prefix, i.e. with:
> http://www.example.com/example
> 
> with this link the mail is discarded and in log file I have:

You didn't show *any* traces of SA even being involved here. At the very
least, we'd need the rules hit.

> [root@mail ~]# grep 707F026A302 /var/log/maillog
> May 20 10:52:16 mail postfix/smtpd[12804]: 707F026A302:
> client=unknown[192.168.1.88], sasl_method=LOGIN,
> sasl_username=user@mydomain.com
> May 20 10:52:16 mail postfix/cleanup[13001]: 707F026A302:
> message-id=000d01caf7f9$c95308e0$5bf91aa0$@com
> May 20 10:52:20 mail postfix/qmgr[12573]: 707F026A302:
> from=<us...@mydomain.com>, size=3075, nrcpt=2 (queue active)

So you're filtering outbound mail?

> May 20 10:52:39 mail postfix/smtp[13776]: 707F026A302:
> to=<dv...@domain.it>, relay=127.0.0.1[127.0.0.1]:10024,delay=23,
> delays=4.2/0/0.01/19, dsn=2.7.1, status=sent (250 2.7.1 Ok, discarded, UBE,
> id=13116-02)

SA does not discard mail. It merely classifies it, any action is left to
other tools in your chain.

You just clearly showed that it is postfix discarding the mail. What's
missing from your pasted logs is the reason *why* postfix did that.
You'll need to dig deeper.

> postfix 2.5.6
> amavisd-new
> spamassassin
> clamav

So, first question to check for in the logs is, which of these tools
even processed the message, and what the respective results are.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}