Posted to users@spamassassin.apache.org by njjrdell <nr...@dellmagazines.net> on 2010/09/29 17:00:44 UTC

DOS_OE_TO_MX

Hello,

one of our users at a remote location is having her mail trashed by
spamassassin. 

Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
[127.0.0.1] at port 50226\n
Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
<00...@Traci> for (unknown):500\n
Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
(unknown):500 in 1.2 seconds, 2345 bytes.\n
Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<00...@Traci>,bayes=0.297864,autolearn=no\n

I'm trying to track down why this message is getting such a high score. I
have been trying to find where the DOS_OE_TO_MX rule is and what its score
is set to, but can't find it anywhere.




-- 
View this message in context: http://old.nabble.com/DOS_OE_TO_MX-tp29839497p29839497.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: DOS_OE_TO_MX

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-09-29 at 08:32 -0700, njjrdell wrote:
> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
> (unknown):500 in 1.0 seconds, 142218 bytes.\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0, [...]

I'd suspect your AWL database got corrupt. To remove just her address,
see 'man spamassassin-run' for the --remove-addr-from-whitelist=addr
option.

Alternatively, burn the entire auto-whitelist file and let it start from
scratch.

> I've never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
> that is consistent, so I was hoping to find out where it is to make sure
> nothing is scored wrong.

The reason for scores of about 200, and now even 4000, is not a single rule,
unless you manually set it. Even GTUBE can not do *this*. Hence, I
suspect AWL database corruption. From memory, last time I saw scores in
such a range, this was the issue.


Anyway, serious question. Why does she trip on DOS_OE_TO_MX at all? It
implies she directly submits the message from her MUA to your MX. Does
that very same box run her (outgoing) SMTP and the MX for the
destination domain?

If so, make her use authentication (preferred over Submission port
rather than SMTP), and that hit should stop.

If the above is not the case, you've got your trusted and internal networks
broken.


> By AWL, do you mean the manual whitelist in my local.cf? I'm not aware of
> auto-whitelisting a user.

As Larry already said, it's an (admittedly badly named) automatic score
averager, keeping track of previous scores per sender and net block.


On a related note, there's some more strangeness with the samples you
showed. She's hitting DATE_IN_FUTURE_12_24, which most likely means
either her machine's time, or your server's time is broken. Well,
intermittently, it seems -- the first sample did not hit it.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
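Karsten's point that AWL is a score averager rather than a whitelist is easier to see in code. The block below is an added example, not from this thread and not SpamAssassin's own code: a simplified model of the documented AWL behaviour (one entry per sender address plus the first two octets of the originating IP; the current score is pulled toward that entry's stored mean by auto_whitelist_factor, default 0.5). The sender address, IP and the "corrupt" entry are constructed, the on-disk database format is not modelled, and `remove_addr` only approximates what --remove-addr-from-whitelist does.

```python
"""Model of the AWL score averaging behind a 288- or 4006-point hit.

Added example; this is not SpamAssassin's code but a simplified model of the
documented AWL behaviour. It shows why one garbage entry in the AWL database
turns every later message from that sender into a four-digit hit, and why
deleting the entry fixes it.
"""
from dataclasses import dataclass

AWL_FACTOR = 0.5  # auto_whitelist_factor default in SpamAssassin


@dataclass
class AwlEntry:
    count: int = 0         # messages seen from this sender/netblock
    totscore: float = 0.0  # sum of their raw scores

    def mean(self):
        return self.totscore / self.count if self.count else None


class Awl:
    """In-memory stand-in for the on-disk auto-whitelist database."""

    def __init__(self, factor=AWL_FACTOR):
        self.factor = factor
        self.entries = {}

    @staticmethod
    def key(sender, origin_ip):
        # AWL keys on the sender plus the first two octets of the originating relay
        return (sender.lower(), ".".join(origin_ip.split(".")[:2]))

    def adjust(self, sender, origin_ip, score):
        """Return (AWL delta, adjusted score); records the raw score as AWL does."""
        entry = self.entries.setdefault(self.key(sender, origin_ip), AwlEntry())
        mean = entry.mean()
        delta = 0.0 if mean is None else (mean - score) * self.factor
        entry.count += 1
        entry.totscore += score
        return round(delta, 3), round(score + delta, 3)

    def remove_addr(self, sender):
        """Drop every entry for a sender: a simplified stand-in for
        spamassassin --remove-addr-from-whitelist=addr."""
        for k in [k for k in self.entries if k[0] == sender.lower()]:
            del self.entries[k]


def demo_healthy():
    """A sender with a ham history: a spammy message is pulled toward the mean."""
    awl = Awl()
    finals = []
    for score in (-2.0, -1.5, -2.5, 6.0):
        _, final = awl.adjust("traci@example.com", "192.0.2.10", score)  # constructed sender/IP
        finals.append(final)
    return finals  # [-2.0, -1.75, -2.125, 2.0]


def demo_corrupt():
    """A corrupt entry (one message, bogus total) explains a ~4006-point result."""
    awl = Awl()
    # constructed garbage entry: one message with a stored total of 8011 points
    awl.entries[Awl.key("traci@example.com", "192.0.2.10")] = AwlEntry(count=1, totscore=8011.0)
    _, corrupted = awl.adjust("traci@example.com", "192.0.2.10", 1.5)  # static rules worth ~1.5
    awl.remove_addr("traci@example.com")  # Karsten's first suggestion
    _, clean = awl.adjust("traci@example.com", "192.0.2.10", 1.5)
    return corrupted, clean  # (4006.25, 1.5)


if __name__ == "__main__":
    print("healthy history:", demo_healthy())
    print("corrupt entry, then removed:", demo_corrupt())
```

The second demo is the thread's symptom in miniature: no rule contributes thousands of points, the stored mean does, and the only fix is to drop the entry or the whole database.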


RE: DOS_OE_TO_MX

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.
> From: njjrdell [mailto:nruggiero@dellmagazines.net]
> Sent: Wednesday, September 29, 2010 12:05 PM
> To: users@spamassassin.apache.org
> Subject: RE: DOS_OE_TO_MX
> 
> 
> Also, won't whitelisting her address open her up to spoofing?

AWL has nothing to do with whitelist_from and other similar options.  It's more of a score averager.
http://wiki.apache.org/spamassassin/AutoWhitelist

> Thanks for the scores. Now, would that just go into
> /usr/local/share/spamassassin/50_scores.cf?
> And why would that score be missing?

It's not missing.  It is in
/var/lib/spamassassin/3.003001/updates_spamassassin_org/50_scores.cf
or some similar directory. To find your config directory path, try this:

spamassassin -D config --lint


> 
> Rosenbaum, Larry M. wrote:
> >
> >
> >
> >> -----Original Message-----
> >> From: njjrdell [mailto:nruggiero@dellmagazines.net]
> >> Sent: Wednesday, September 29, 2010 11:32 AM
> >> To: users@spamassassin.apache.org
> >> Subject: Re: DOS_OE_TO_MX
> >>
> >>
> >> I'm pretty sure she would not send a GTUBE. Here is another from her:
> >>
> >> Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
> >> [127.0.0.1] at port 50098\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
> >> <00...@Traci> for (unknown):500\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
> >> (unknown):500 in 1.0 seconds, 142218 bytes.\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
> >> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
> >> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<000b01cb5f6e$b1bbfe80$6629a8c0@Traci>,bayes=0.483846,autolearn=no\n
> >>
> >>
> >> I've never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
> >> that is consistent, so I was hoping to find out where it is to make sure
> >> nothing is scored wrong.
> >
> > score DOS_OE_TO_MX 2.602 3.086 2.265 2.523
> >
> >
> >
> 
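To tell how much of a 288 or 4006 total the rules in 50_scores.cf actually account for, a small triage script helps. This is an added example, not code from the thread or from SpamAssassin: it parses score lines in the format Larry quoted and spamd result lines, sums the static scores of the rules that hit, and reports the residual. Only the DOS_OE_TO_MX score line is taken from this thread; every other score value, the third log line and the scoreset choice (2, Bayes without network tests) are assumptions.

```python
"""Split a spamd 'result:' total into static rule scores and an AWL residual.

Added example; it is neither from the thread nor from SpamAssassin. It reads
'score NAME s0 [s1 s2 s3]' lines in the 50_scores.cf format (four values =
scoresets 0..3: 0 = no network tests and no Bayes, 1 = network tests,
2 = Bayes, 3 = both; a single value applies to all four) and spamd
'result:' log lines. AWL has no static score, so a large residual on a
message that hit AWL is the AWL adjustment, i.e. that sender's stored
history, not a misconfigured rule in 50_scores.cf.
"""
import re

# score lines: later definitions override earlier ones, as in SpamAssassin
SCORE_RE = re.compile(r"^\s*score\s+(\S+)((?:\s+-?\d+(?:\.\d+)?){1,4})\s*$", re.M)
# spamd logs the total as an integer; the 'identified spam (288.2/5.0)' line keeps
# one decimal, so residuals computed here are approximate to within a point
RESULT_RE = re.compile(r"spamd: result: [YN.] (-?\d+) - (\S*)\s+scantime=")

# DOS_OE_TO_MX is the line quoted in the thread; the other values are CONSTRUCTED
# placeholders, not the real 50_scores.cf numbers.
SAMPLE_SCORES_CF = """\
score DOS_OE_TO_MX 2.602 3.086 2.265 2.523
score BAYES_40 -0.001 -0.001 -0.185 -0.185
score BAYES_50 0.001 0.001 0.001 0.001
score FAKE_REPLY_C 0.5
score DATE_IN_FUTURE_12_24 1.5
"""

# First two entries are the thread's own log lines re-joined onto one line each
# (tails trimmed); the third is constructed to show the same sender once the
# AWL entry is gone.
SAMPLE_LOG = [
    "Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 - "
    "AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C scantime=1.2,size=2345,user=(unknown),uid=500,"
    "required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,bayes=0.297864,autolearn=no",
    "Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 - "
    "AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX scantime=1.0,size=142218,user=(unknown),"
    "uid=500,required_score=5.0,bayes=0.483846,autolearn=no",
    "Sep 30 09:12:01 nsmail spamd[301]: spamd: result: . 2 - "
    "BAYES_40,DOS_OE_TO_MX scantime=0.9,size=2100,user=(unknown),uid=500,required_score=5.0",
]


def parse_scores(cf_text):
    """Map rule name -> [s0, s1, s2, s3]."""
    scores = {}
    for name, values in SCORE_RE.findall(cf_text):
        vals = [float(v) for v in values.split()]
        scores[name] = vals if len(vals) == 4 else vals[:1] * 4
    return scores


def explain_result(line, scores, scoreset=2, awl_threshold=10.0):
    """Explain one 'result:' line. scoreset defaults to 2 (Bayes, no network
    tests) because the thread's logs show Bayes in use; for the rules here a
    wrong set moves the static sum by a fraction of a point, not by hundreds."""
    m = RESULT_RE.search(line)
    if not m:
        raise ValueError("not a spamd result line: " + line)
    total = int(m.group(1))
    rules = [r for r in m.group(2).split(",") if r]
    explained = sum(scores[r][scoreset] for r in rules if r in scores)
    residual = round(total - explained, 3)
    return {
        "total": total,
        "rules": rules,
        "explained": round(explained, 3),
        "residual": residual,
        # rules with no score line at all (AWL is expected to be one of them)
        "unscored": [r for r in rules if r not in scores],
        "suspect_awl": "AWL" in rules and abs(residual) > awl_threshold,
    }


def triage(log_lines, cf_text, scoreset=2):
    scores = parse_scores(cf_text)
    return [explain_result(l, scores, scoreset) for l in log_lines if "spamd: result:" in l]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, SAMPLE_SCORES_CF):
        flag = "  <-- AWL history, not a rule score" if r["suspect_awl"] else ""
        print(f"total={r['total']:>5} static={r['explained']:>7} residual={r['residual']:>9}{flag}")
```

Point `cf_text` at the concatenation of the score files `spamassassin -D config --lint` reports, with local.cf last so that local overrides win, and feed it the spamd lines from syslog.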


RE: DOS_OE_TO_MX

Posted by njjrdell <nr...@dellmagazines.net>.
Also, won't whitelisting her address open her up to spoofing?

Thanks for the scores. Now, would that just go into
/usr/local/share/spamassassin/50_scores.cf?
And why would that score be missing?



Rosenbaum, Larry M. wrote:
> 
> 
> 
>> -----Original Message-----
>> From: njjrdell [mailto:nruggiero@dellmagazines.net]
>> Sent: Wednesday, September 29, 2010 11:32 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: DOS_OE_TO_MX
>> 
>> 
>> I'm pretty sure she would not send a GTUBE. Here is another from her:
>> 
>> Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
>> [127.0.0.1] at port 50098\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
>> <00...@Traci> for (unknown):500\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0)
>> for
>> (unknown):500 in 1.0 seconds, 142218 bytes.\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
>> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
>> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<000b01cb5f6e$b1bbfe80$6629a8c0@Traci>,bayes=0.483846,autolearn=no\n
>> 
>> 
>> I've never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
>> that is consistent, so I was hoping to find out where it is to make sure
>> nothing is scored wrong.
> 
> score DOS_OE_TO_MX 2.602 3.086 2.265 2.523
> 
> 
> 



RE: DOS_OE_TO_MX

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.

> -----Original Message-----
> From: njjrdell [mailto:nruggiero@dellmagazines.net]
> Sent: Wednesday, September 29, 2010 11:32 AM
> To: users@spamassassin.apache.org
> Subject: Re: DOS_OE_TO_MX
> 
> 
> I'm pretty sure she would not send a GTUBE. Here is another from her:
> 
> Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
> [127.0.0.1] at port 50098\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
> <00...@Traci> for (unknown):500\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
> (unknown):500 in 1.0 seconds, 142218 bytes.\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<000b01cb5f6e$b1bbfe80$6629a8c0@Traci>,bayes=0.483846,autolearn=no\n
> 
> 
> I've never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
> that is consistent, so I was hoping to find out where it is to make sure
> nothing is scored wrong.

score DOS_OE_TO_MX 2.602 3.086 2.265 2.523


Re: DOS_OE_TO_MX

Posted by njjrdell <nr...@dellmagazines.net>.
I'm pretty sure she would not send a GTUBE. Here is another from her:

Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
[127.0.0.1] at port 50098\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
<00...@Traci> for (unknown):500\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
(unknown):500 in 1.0 seconds, 142218 bytes.\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<00...@Traci>,bayes=0.483846,autolearn=no\n


I've never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
that is consistent, so I was hoping to find out where it is to make sure
nothing is scored wrong.

By AWL, do you mean the manual whitelist in my local.cf? I'm not aware of
auto-whitelisting a user.

Regards



John Hardin wrote:
> 
> On Wed, 29 Sep 2010, njjrdell wrote:
> 
>> Hello,
>>
>> one of our users at a remote location is having her mail trashed by
>> spamassassin.
>>
>> Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
>> Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
>> [127.0.0.1] at port 50226\n
>> Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
>> <00...@Traci> for (unknown):500\n
>> Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
>> (unknown):500 in 1.2 seconds, 2345 bytes.\n
>> Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
>> AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
>> scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<00...@Traci>,bayes=0.297864,autolearn=no\n
>>
>> I'm trying to track down why this message is getting such a high score. I
>> have been trying to find where the DOS_OE_TO_MX rule is and what its score
>> is set to, but can't find it anywhere.
> 
> 288 points? I'd look to AWL rather than any of the other rules. Did she 
> perhaps send a GTUBE at some point?
> 
> -- 
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>    The yardstick you should use when considering whether to support a
>    given piece of legislation is "what if my worst enemy is chosen to
>    administer this law?"
> -----------------------------------------------------------------------
>   79 days until TRON Legacy
> 
> 



Re: DOS_OE_TO_MX

Posted by John Hardin <jh...@impsec.org>.
On Wed, 29 Sep 2010, njjrdell wrote:

> Hello,
>
> one of our users at a remote location is having her mail trashed by
> spamassassin.
>
> Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
> Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
> [127.0.0.1] at port 50226\n
> Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
> <00...@Traci> for (unknown):500\n
> Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
> (unknown):500 in 1.2 seconds, 2345 bytes.\n
> Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
> AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
> scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<00...@Traci>,bayes=0.297864,autolearn=no\n
>
> I'm trying to track down why this message is getting such a high score. I
> have been trying to find where the DOS_OE_TO_MX rule is and what its score
> is set to, but can't find it anywhere.

288 points? I'd look to AWL rather than any of the other rules. Did she 
perhaps send a GTUBE at some point?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The yardstick you should use when considering whether to support a
   given piece of legislation is "what if my worst enemy is chosen to
   administer this law?"
-----------------------------------------------------------------------
  79 days until TRON Legacy

Re: DOS_OE_TO_MX

Posted by njjrdell <nr...@dellmagazines.net>.
Thanks for all your help; it seems as though it was a corrupt AWL database. I
nuked it and everything seems to be fine.

I'm going to look more into SMTP auth. Seems like such a simple way to lock
down mail and prevent relaying. For some reason I remember looking into
SMTP auth and deciding it wasn't right for us, but the reason escapes me
right now.

Thanks again 





Matus UHLAR - fantomas wrote:
> 
> On 29.09.10 08:00, njjrdell wrote:
>> one of our users at a remote location is having her mail trashed by
>> spamassassin. 
>> 
>> Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
>> Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
>> [127.0.0.1] at port 50226\n
>> Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
>> <00...@Traci> for (unknown):500\n
>> Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
>> (unknown):500 in 1.2 seconds, 2345 bytes.\n
>> Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
>> AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
>> scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<00...@Traci>,bayes=0.297864,autolearn=no\n
>> 
>> I'm trying to track down why this message is getting such a high score. I
>> have been trying to find where the DOS_OE_TO_MX rule is and what its score
>> is set to, but can't find it anywhere.
> 
> DOS_OE_TO_MX triggers on mail sent from Outlook Express directly to mail
> servers. This can happen when you use your MX servers for "outgoing" mail
> too and users don't use SMTP authentication.
> 
> You can solve this by requiring the user to use SMTP auth, or work around it
> by adding the sending IP to trusted_networks.
> 
> -- 
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
> 
> 



Re: DOS_OE_TO_MX

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 29.09.10 08:00, njjrdell wrote:
> one of our users at a remote location is having her mail trashed by
> spamassassin. 
> 
> Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
> Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
> [127.0.0.1] at port 50226\n
> Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
> <00...@Traci> for (unknown):500\n
> Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
> (unknown):500 in 1.2 seconds, 2345 bytes.\n
> Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
> AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
> scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<00...@Traci>,bayes=0.297864,autolearn=no\n
> 
> I'm trying to track down why this message is getting such a high score. I
> have been trying to find where the DOS_OE_TO_MX rule is and what its score
> is set to, but can't find it anywhere.

DOS_OE_TO_MX triggers on mail sent from Outlook Express directly to mail
servers. This can happen when you use your MX servers for "outgoing" mail
too and users don't use SMTP authentication.

You can solve this by requiring the user to use SMTP auth, or work around it
by adding the sending IP to trusted_networks.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
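Matus's workaround (trusted_networks) and the preferred fix from earlier in the thread (SMTP auth) both change which Received: hop SpamAssassin sees as the first untrusted relay. The block below is an added example, not SpamAssassin's trust-path code and not the real definition of DOS_OE_TO_MX: it models that logic in simplified form, including treating a hop that shows an ESMTPA keyword as trusted. The trusted_networks lines, hostnames, addresses and Received: headers are all constructed.

```python
"""Why adding the submitting IP to trusted_networks silences a direct-to-MX hit.

Added example, not SpamAssassin's own trust-path code: a simplified model.
SpamAssassin walks the Received: headers from the top (the hop your MX
added) downwards; every relay covered by trusted_networks counts as your
own infrastructure, and the first relay that is not trusted is the external
host that handed you the message. If that external host is also the last
hop in the chain, an end-user machine submitted the message straight to the
MX, which is the pattern a rule like DOS_OE_TO_MX keys on. An authenticated
hop (ESMTPA, RFC 3848) is treated as trusted here as a simplification of
SpamAssassin's handling of authenticated relays.
"""
import ipaddress
import re
from dataclasses import dataclass

RECEIVED_RE = re.compile(
    r"^Received: from (\S+) \([^)]*\[([\d.]+)\]\)\s+by\s+(\S+)(.*)$", re.M)
AUTH_RE = re.compile(r"\bwith E?SMTPS?A\b")      # ESMTPA / ESMTPSA: authenticated submission
OE_RE = re.compile(r"^X-Mailer:.*Outlook Express", re.M | re.I)

# Constructed local.cf fragments: the office LAN only, then the remote user's address too
LOCAL_CF_BEFORE = "trusted_networks 10.0.0.0/8\n"
LOCAL_CF_AFTER = "trusted_networks 10.0.0.0/8 192.0.2.10\n"

# Constructed headers: Outlook Express on the remote PC talking straight to the MX
DIRECT_SUBMISSION = (
    "Received: from Traci (cpe-192-0-2-10.isp.example [192.0.2.10]) by nsmail.example.com with ESMTP id A1\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2900.5512\n"
)
# The same PC after switching to authenticated submission
AUTH_SUBMISSION = DIRECT_SUBMISSION.replace("with ESMTP id", "with ESMTPA id")
# Ordinary inbound mail: another site's MX is the first untrusted hop, the user's PC sits below it
VIA_REMOTE_MX = (
    "Received: from mx.other.example (mx.other.example [198.51.100.5]) by nsmail.example.com with ESMTP id B2\n"
    "Received: from userpc (dsl-203-0-113-7.isp.example [203.0.113.7]) by mx.other.example with ESMTP id B1\n"
)


@dataclass
class Hop:
    helo: str
    ip: str
    by: str
    authenticated: bool


def parse_trusted_networks(local_cf):
    """Collect the networks from every trusted_networks line (bare IPs become /32)."""
    nets = []
    for line in local_cf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "trusted_networks":
            nets.extend(ipaddress.ip_network(t, strict=False) for t in fields[1:])
    return nets


def hops(headers):
    """Received: hops in header order, i.e. newest (your own MX) first."""
    return [Hop(helo, ip, by, bool(AUTH_RE.search(rest)))
            for helo, ip, by, rest in RECEIVED_RE.findall(headers)]


def is_trusted(hop, nets):
    addr = ipaddress.ip_address(hop.ip)
    return hop.authenticated or any(addr in n for n in nets)


def first_untrusted(headers, nets):
    """The external relay that delivered the message, or None if every hop was ours."""
    for hop in hops(headers):
        if not is_trusted(hop, nets):
            return hop
    return None


def direct_to_mx(headers, nets):
    """True when the first untrusted relay is also the last hop: no MTA in between."""
    chain = hops(headers)
    untrusted = [h for h in chain if not is_trusted(h, nets)]
    return bool(untrusted) and untrusted[0] == chain[-1]


def oe_direct_to_mx(headers, nets):
    """The thread's symptom: an Outlook Express message delivered straight to the MX."""
    return bool(OE_RE.search(headers)) and direct_to_mx(headers, nets)


if __name__ == "__main__":
    before, after = parse_trusted_networks(LOCAL_CF_BEFORE), parse_trusted_networks(LOCAL_CF_AFTER)
    print("unauthenticated, LAN-only trust:", oe_direct_to_mx(DIRECT_SUBMISSION, before))  # True
    print("unauthenticated, IP trusted:    ", oe_direct_to_mx(DIRECT_SUBMISSION, after))   # False
    print("authenticated, LAN-only trust:  ", oe_direct_to_mx(AUTH_SUBMISSION, before))    # False
    print("relayed via another MX:         ", direct_to_mx(VIA_REMOTE_MX, before))         # False
```

The trusted_networks route only works while the remote user's address stays fixed and is hers alone, which is why the thread prefers authenticated submission: it identifies the sender rather than the network she happens to be on.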