Posted to users@spamassassin.apache.org by Greg Ledford <gl...@phhwtechnology.com> on 2014/07/24 20:34:46 UTC

Is this how this is supposed to work?

Not sure if I'm asking the right group but being new to all of this, it seems like a good place to start. A little about my setup. I wanted to build a front-end filter for my Exchange server so I put together Postfix-Spamassassin-Amavis and tied in DCC, pyzor, and razor. I'm tailing the mail.log and it seems to catch a lot of stuff but it lets a TON of stuff through. I'll post the greater part of the email header on one seriously obvious spam message and see if anyone can tell me what I'm missing here. I appreciate any help and please be kind. I'm VERY new to this stuff. It was a miracle I got this working at all. Trying to tie all of my domain names into postfix config files was ridiculous!

Received: from data.gabowitztv.com (198.246.47.80) by mail.phhw.com (10.0.0.2)
with Microsoft SMTP Server id 14.3.181.6; Thu, 24 Jul 2014 10:49:29 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=gabowitztv.com;
h=Mime-Version:Content-Type:Message-Id:Date:From:To:Subject; i=pimsleurapproach@gabowitztv.com;
bh=bHddQVhew6uaKkn5Wru5J+kpECM=;
b=OMQ2jbeSaHzoNbvsPUfEFd0zfSgv9p9MCFxNrLkHEYwNmjuU0XUdKwLzGgvphTit6h7Ss5dYxIC7
   3vIDjOVACIfKu5UL0X4Rr4AyNoQbsVWJe6477cM5rxydFeRoX7DTuhD/A0rdHhTzDXpA5rALsvGZ
   NtMoMGCY9c+M7lEXVVs=
Received: by data.gabowitztv.com id hq4l9u0001gs for <my...@mydomain.com>; Thu,
24 Jul 2014 15:47:31 +0000 (envelope-from
<pi...@gabowitztv.com>)
MIME-Version: 1.0
Content-Type: multipart/alternative;
                boundary="ade8-dbff-3531-7b86-2c0b-419d-0c87-208b"
Message-ID: <b8...@gabowitztv.com>
Date: Thu, 24 Jul 2014 15:47:31 +0000
From: Pimsleur Approach <pi...@gabowitztv.com>
To: <my...@mydomain.com>
Subject: =?utf-8?B?RldEOllvdSBjb3VsZCBsZWFybiBhIGxhbmd1YWdlIGluIGFzIGxpdHRsZSBhcyAxMCBEYXlz?=...
X-KSE-AntiSpam-Interceptor-Info: scan successful
X-KSE-AntiSpam-Version: 5.5.3, Database issued on: 07/24/2014 15:29:08
X-KSE-AntiSpam-Status: KAS_STATUS_NOT_DETECTED
X-KSE-AntiSpam-Method: none
X-KSE-AntiSpam-Rate: 19
X-KSE-AntiSpam-Info: Lua profiles 64420 [Jul 24 2014]
X-KSE-AntiSpam-Info: Version: 5.5.3
X-KSE-AntiSpam-Info: Envelope from:
pimsleur-approach-myname@gabowitztv.com
X-KSE-AntiSpam-Info: {SMTP from is not routable}
X-KSE-AntiSpam-Info: SPF: pass
X-KSE-AntiSpam-Info: Rate: 19
X-KSE-AntiSpam-Info: Status: not_detected
X-KSE-AntiSpam-Info: Method: none
X-KSE-AntiSpam-Info: Moebius-Timestamps: 3032662, 3032697, 3032696
X-KSE-Antiphishing-Info: Clean
X-KSE-Antiphishing-Method: None
X-KSE-Antiphishing-Bases: 07/24/2014 15:29:00
X-KSE-Antivirus-Interceptor-Info: scan successful
X-KSE-Antivirus-Info: Clean
Resent-Message-ID: <20...@smtp.mydomain.com>
Resent-Date: Thu, 24 Jul 2014 10:49:47 -0500
Return-Path: myemail@mydomain.com
X-MS-Exchange-Organization-AuthSource: server.mail.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous


Greg Ledford
PHHW Technology Services LLC
1000 Corporate Centre Dr, Ste 200
Franklin, TN 37067
Office (615) 778-1777
Cell (615) 403-6989
Fax (615) 771-0081
Email gledford@phhwtechnology.com


Re: Is this how this is supposed to work?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-07-25 at 03:16 +0000, Greg Ledford wrote:
> Good point. I'll post all of the headers and see if anyone has any tips.

Read the inline comments in the headers bottom up.


And finally, Microsoft SMTP seems to have got the message from Postfix.

> Received: from smtp.phhwtechnology.com (10.0.1.7)
>   by mail.phhwtechnology.com (10.0.1.5)
>   with Microsoft SMTP Server id 14.3.195.1; Thu, 24 Jul 2014 18:11:18 -0500

Postfix got the processed message back from Amavis.

> Received: from localhost (localhost [127.0.0.1])
>   by smtp.phhwtechnology.com  (Postfix) with ESMTP id E9A1D1943211
>   for <gl...@phhwtechnology.com>; Thu, 24 Jul 2014 18:00:06 -0500 (CDT)

Amavis seems to have scanned for viruses.

> X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com

Amavis got the message locally from Postfix.

> Received: from smtp.phhwtechnology.com ([127.0.0.1])
>   by localhost (smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024)
>   with ESMTP id l_YzbdhJopva for <gl...@phhwtechnology.com>;	Thu, 24 Jul 2014 18:00:02 -0500 (CDT)

Your Postfix MX SMTP accepted the message.

> Received: from sell.pywor.eu (sell.pywor.eu [23.249.160.158])
>   by smtp.phhwtechnology.com (Postfix) with ESMTP id 29AFE194320C
>   for <gl...@phhwtechnology.com>; Thu, 24 Jul 2014 17:59:50 -0500 (CDT)


Headers below this point are generated externally, irrelevant to your
problem.

Obviously, Postfix works as MX SMTP, feeds the message to Amavis and
gets it back, and finally hands it off to your old Exchange.

Good. Next step is properly configuring Amavis. You said you want to use
SpamAssassin, which Amavis does not seem to invoke. You didn't mention
Virus scanning, which Amavis does seem to perform.

What's missing is Amavis calling SA. If it does, there should be some
X-Spam-* headers as mentioned before, somewhere close above Postfix
receiving the message. And logs...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: Is this how this is supposed to work?

Posted by Greg Ledford <gl...@phhwtechnology.com>.
Good point. I'll post all of the headers and see if anyone has any tips.

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com
 (10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Thu, 24 Jul 2014
 18:11:18 -0500
Received: from localhost (localhost [127.0.0.1])	by smtp.phhwtechnology.com
 (Postfix) with ESMTP id E9A1D1943211	for <gl...@phhwtechnology.com>; Thu,
 24 Jul 2014 18:00:06 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
Received: from smtp.phhwtechnology.com ([127.0.0.1])	by localhost
 (smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024)	with ESMTP id
 l_YzbdhJopva for <gl...@phhwtechnology.com>;	Thu, 24 Jul 2014 18:00:02
 -0500 (CDT)
Received: from sell.pywor.eu (sell.pywor.eu [23.249.160.158])	by
 smtp.phhwtechnology.com (Postfix) with ESMTP id 29AFE194320C	for
 <gl...@phhwtechnology.com>; Thu, 24 Jul 2014 17:59:50 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=pywor.eu;
 h=Content-Type:MIME-Version:From:To:Subject:Message-ID:References:In-Reply-To:Date; i=smallbusinessloan@pywor.eu;
 bh=WHIK8mEJdFg2fXt9Zz2ucXCGxPk=;
 b=rxT2Eq1czjvL4ygXMD/Lxw4AZSYSW7ES8onIuJA3kpMwvVF3DUt7Oz3LP+r3jx6il9Y8ZjiFfIg2
   B/JAjQQKIodjDTHxBvjIaoxaWP+b2vgl6AJxYf2PC9mWu1xmX+QEnNbY0ZbmVLmy24R+ODm7d0wU
   P/eGjTK0IR/o4Uv6tts=
Content-Type: multipart/alternative;
	boundary="===============8108863872609529479=="
MIME-Version: 1.0
From: Small Business Loan <sm...@pywor.eu>
To: <gl...@phhwtechnology.com>
Subject: Now trending: exciting small business loan opportunities
Message-ID: <61...@pywor.eu>
Thread-Topic: Now trending: exciting small business loan opportunities
References: <61...@pywor.eu>
In-Reply-To: <61...@pywor.eu>
Date: Thu, 24 Jul 2014 22:59:47 +0000
Return-Path: smallbusinessloan-gledford=phhwtechnology.com@pywor.eu
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous




Re: Is this how this is supposed to work?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2014-07-24 at 22:33 +0000, Greg Ledford wrote:
> Sorry about that. I'm new to this list, too.

Don't worry. I simply pointed it out so with further discussion,
everyone is on the same page. After all, there are more helpful folks on
this list -- and quite a few of them way better at Postfix and Amavis
stuff than I am.

Now if you could correct that top-posting... SCNR. ;)


> It helps if I actually add  content_filter to postfix, I guess. This is
> all I'm seeing in the  headers at this point so it seems like I've got
> ONE part of it  working. Does this look like it's a start?

That Received header below? Yeah, looks good, Amavis seems to be in the
loop.

I wonder how that could be "all you're seeing at this point", though.
Amavis added a header that it received a message locally, but who passed
it on? Isn't Postfix supposed to do that? So where is the Postfix
Received header?

It seems you're snipping too much stuff from the raw headers you may
believe to be irrelevant. However, unless you *know* it's irrelevant and
snipping it does *not* affect interpretation of the full mail flow, do
include it in the paste.

FWIW, in this case all headers beginning with the very first Received
from external by your server are likely to be relevant in some way.


> Also my MX  records are  fine. I just removed them from the headers

So you ask about help with a set-up including Postfix being your MX, and
you snip all traces of Postfix acting like your MX. See where this is
bad?

> [...] I  posted to  keep people  from seeing all my info but I guess
> that was  sort of  pointless since  they could have just done a
> nslookup and got  that  data anyway. :/   Thanks again for your help.

Correct. These public (sic) IPs are no secret. The mail you posted to
this list includes them...

Feel free to mask IP addresses and domain names if need be, in
particular email addresses. However, please keep it to a minimum and
definitely with a consistent pattern. Don't break headers, and don't
simply remove whole headers.


BTW, your outgoing SMTP server claims to be hostnamed "smtp", though its
IP actually resolves to "mail", breaking rDNS forward confirmation.
Probably outfall from adding that first line of defense Postfix
server...


> X-Virus-Scanned: Debian amavisd-new at smtp.mymailserver.com
> Received: from smtp.mymailserver.com ([127.0.0.1])
>   by localhost (smtp.mymailserver.com [127.0.0.1]) (amavisd-new, port 10024)
>   with ESMTP id

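The rDNS remark above (the outgoing server says HELO "smtp" while its public IP's PTR points at "mail") is the kind of thing a receiving MTA scores on. The following is an added example, not code from this thread or from Postfix/Amavis, that performs the three usual checks: forward-confirmed reverse DNS, whether the HELO name resolves to the connecting IP, and whether the HELO name agrees with the PTR name. The DNS lookups are injectable so the constructed records below run offline; `system_ptr` and `system_a` use the standard `socket` module for a live check. All IPs, names and records here are constructed.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO-name checks for an SMTP
server, the mismatch pointed out above ("smtp" in HELO, "mail" in rDNS).

Added example, not code from the thread. Lookups are injectable so the
constructed records run offline; system_ptr/system_a do live lookups."""
import socket
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]

# Constructed records: the public IP's PTR is "mail", the server HELOs as
# "smtp", and both names point at the same address.
CONSTRUCTED_PTR: Dict[str, str] = {"203.0.113.5": "mail.example.test"}
CONSTRUCTED_A: Dict[str, List[str]] = {
    "mail.example.test": ["203.0.113.5"],
    "smtp.example.test": ["203.0.113.5"],
}


def constructed_ptr(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def constructed_a(name: str) -> List[str]:
    return CONSTRUCTED_A.get(name.lower().rstrip("."), [])


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_a(name: str) -> List[str]:
    """All A/AAAA addresses for a name via the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_helo(ip: str, helo: str, ptr_lookup: PtrLookup,
               a_lookup: ALookup) -> Dict[str, object]:
    """Three checks a receiving MTA commonly applies to a connecting server."""
    ptr = ptr_lookup(ip)
    ptr_norm = ptr.lower().rstrip(".") if ptr else None
    helo_norm = helo.lower().rstrip(".")
    return {
        "ip": ip,
        "helo": helo,
        "ptr": ptr_norm,
        # FCrDNS proper: a PTR exists and it resolves back to the same IP.
        "fcrdns": ptr_norm is not None and ip in a_lookup(ptr_norm),
        # The HELO name at least resolves to the connecting IP.
        "helo_resolves_to_ip": ip in a_lookup(helo_norm),
        # The HELO name agrees with the PTR name; this is what "smtp" vs
        # "mail" breaks even though both names resolve to the IP.
        "helo_matches_ptr": ptr_norm is not None and helo_norm == ptr_norm,
    }


if __name__ == "__main__":
    for helo in ("smtp.example.test", "mail.example.test"):
        print(check_helo("203.0.113.5", helo, constructed_ptr, constructed_a))
```

Swap in `system_ptr` and `system_a` to run it against a real server; the fix on the sending side is to make the HELO name, the PTR and the forward record agree, which is what the second constructed case shows.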


RE: Is this how this is supposed to work?

Posted by Greg Ledford <gl...@phhwtechnology.com>.
Sorry about that. I'm new to this list, too. It helps if I actually add content_filter to postfix, I guess. This is all I'm seeing in the headers at this point so it seems like I've got ONE part of it working. Does this look like it's a start? Also my MX records are fine. I just removed them from the headers I posted to keep people from seeing all my info but I guess that was sort of pointless since they could have just done an nslookup and got that data anyway. :/  Thanks again for your help.

X-Virus-Scanned: Debian amavisd-new at smtp.mymailserver.com
Received: from smtp.mymailserver.com ([127.0.0.1])	by localhost
 (smtp.mymailserver.com [127.0.0.1]) (amavisd-new, port 10024)	with ESMTP id




Re: Is this how this is supposed to work?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2014-07-24 at 21:43 +0000, Greg Ledford wrote:
> So it looks like SA and Amavis are being totally bypassed?

Yes, there should be a few X-Spam-* headers added by SA or Amavis above
the pasted ones. And of course there should be a Received header by
postfix.

Since you didn't mention it in your reply, let me stress again that's
where you need to look into first -- if I understood your intended
set-up of Postfix with Amavis/SA *before* the MS server. Direct delivery
to the Microsoft SMTP (as it was till now) instead of Postfix might be
as easy as a bad or stale MX record...

FWIW, instead of only looking out for the relevant headers, both Postfix
and Amavis/SA have log files. Might be worth having a look at or
tail -f'ing.

Also, all this including X-Spam-* headers applies to ham, too. So you
can send yourself test mail, to observe it eventually flowing through
your Postfix environment.


> Great. Looks like I'll be spending another night in front of this box.
> Thanks for the input.

NP. Oh, and please always keep threads on-list, until you really mean to
reply in private only.


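The advice above is to follow a test message through the Postfix and Amavis/SA log files rather than only through headers. Here is an added example (not code from this thread, nor from Postfix or amavisd-new) that does that mechanically: starting from a Message-ID, it finds the Postfix queue ID, follows each "queued as" re-injection to the next queue ID, and picks up the amavisd-new verdict and SA score (`Hits:`) for the same queue ID. The log lines are constructed in the usual Postfix / amavisd-new syslog layout; the queue IDs, hostnames, addresses and timings are made up, and the amavis port 10024 is assumed from the headers pasted in the thread.

```python
"""Follow one message through Postfix and amavisd-new by queue ID in the
mail log, to confirm it was handed to amavis (and so to SA) rather than
relayed straight on to Exchange.

Added example, not code from the thread. Log lines are constructed."""
import re
from typing import Dict, List, Optional

# Constructed: content_filter active; MX -> amavis (10024) -> re-injected -> Exchange.
LOG_FILTERED = """\
Jul 24 18:00:00 smtp postfix/smtpd[1201]: 29AFE194320C: client=sell.sender.test[192.0.2.10]
Jul 24 18:00:00 smtp postfix/cleanup[1203]: 29AFE194320C: message-id=<abc@sender.test>
Jul 24 18:00:00 smtp postfix/qmgr[1190]: 29AFE194320C: from=<sender@sender.test>, size=4821, nrcpt=1 (queue active)
Jul 24 18:00:06 smtp amavis[2210]: (02210-01) Passed SPAMMY {RelayedTaggedInbound}, [192.0.2.10]:51234 [192.0.2.10] <sender@sender.test> -> <user@example.test>, Queue-ID: 29AFE194320C, Message-ID: <abc@sender.test>, mail_id: Xk3j2lQ1abcd, Hits: 8.731, size: 4821, queued_as: E9A1D1943211, 5312 ms
Jul 24 18:00:06 smtp postfix/smtp[1205]: 29AFE194320C: to=<user@example.test>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.1, delays=0.2/0.01/0.01/5.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E9A1D1943211)
Jul 24 18:00:06 smtp postfix/qmgr[1190]: 29AFE194320C: removed
Jul 24 18:00:06 smtp postfix/smtpd[1301]: E9A1D1943211: client=localhost[127.0.0.1]
Jul 24 18:00:06 smtp postfix/cleanup[1303]: E9A1D1943211: message-id=<abc@sender.test>
Jul 24 18:00:06 smtp postfix/qmgr[1190]: E9A1D1943211: from=<sender@sender.test>, size=5380, nrcpt=1 (queue active)
Jul 24 18:00:07 smtp postfix/smtp[1305]: E9A1D1943211: to=<user@example.test>, relay=mail.example.test[10.0.1.5]:25, delay=0.8, delays=0.1/0.01/0.2/0.5, dsn=2.6.0, status=sent (250 2.6.0 <abc@sender.test> Queued mail for delivery)
Jul 24 18:00:07 smtp postfix/qmgr[1190]: E9A1D1943211: removed
"""

# Constructed: no content_filter; Postfix relays straight to Exchange, amavis never sees it.
LOG_UNFILTERED = """\
Jul 24 17:30:00 smtp postfix/smtpd[1101]: 1D2C3B4A5F60: client=data.sender.test[192.0.2.20]
Jul 24 17:30:00 smtp postfix/cleanup[1103]: 1D2C3B4A5F60: message-id=<nofilter@sender.test>
Jul 24 17:30:00 smtp postfix/qmgr[1190]: 1D2C3B4A5F60: from=<x@sender.test>, size=3000, nrcpt=1 (queue active)
Jul 24 17:30:01 smtp postfix/smtp[1105]: 1D2C3B4A5F60: to=<user@example.test>, relay=mail.example.test[10.0.1.5]:25, delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Jul 24 17:30:01 smtp postfix/qmgr[1190]: 1D2C3B4A5F60: removed
"""

POSTFIX_RE = re.compile(r"postfix/\S+?\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
AMAVIS_RE = re.compile(r"amavis\[\d+\]: \(\S+\) (?P<verdict>(?:Passed|Blocked) \S+) "
                       r".*?Queue-ID: (?P<qid>[0-9A-F]+).*?Hits: (?P<hits>-?[\d.]+)")
RELAY_RE = re.compile(r"relay=([^,]+),")
STATUS_RE = re.compile(r"status=(\w+)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]+)")


def first_queue_id(lines: List[str], message_id: str) -> Optional[str]:
    """Queue ID of the earliest Postfix cleanup record carrying this Message-ID."""
    needle = f"message-id=<{message_id}>"
    for line in lines:
        m = POSTFIX_RE.search(line)
        if m and needle in m.group("rest"):
            return m.group("qid")
    return None


def trace(lines: List[str], message_id: str) -> List[Dict[str, object]]:
    """One dict per Postfix queue ID the message passed through, following 'queued as'."""
    chain: List[Dict[str, object]] = []
    qid = first_queue_id(lines, message_id)
    seen = set()
    while qid and qid not in seen:
        seen.add(qid)
        hop: Dict[str, object] = {"queue_id": qid, "relay": None, "status": None, "next": None}
        for line in lines:
            m = POSTFIX_RE.search(line)
            if m and m.group("qid") == qid:
                rest = m.group("rest")
                for key, rx in (("relay", RELAY_RE), ("status", STATUS_RE), ("next", QUEUED_AS_RE)):
                    found = rx.search(rest)
                    if found:
                        hop[key] = found.group(1)
            a = AMAVIS_RE.search(line)
            if a and a.group("qid") == qid:
                hop["amavis_verdict"] = a.group("verdict")
                hop["sa_hits"] = float(a.group("hits"))  # an SA score means SA actually ran
        chain.append(hop)
        qid = hop["next"]  # type: ignore[assignment]
    return chain


def summarize(chain: List[Dict[str, object]]) -> Dict[str, object]:
    """Did the message reach amavis, did SA score it, and where did it end up?"""
    return {
        "handed_to_amavis": any(str(h["relay"]).endswith(":10024") for h in chain if h["relay"]),
        "sa_ran": any("sa_hits" in h for h in chain),
        "final_relay": chain[-1]["relay"] if chain else None,
    }


if __name__ == "__main__":
    for label, log, mid in (("filtered", LOG_FILTERED, "abc@sender.test"),
                            ("unfiltered", LOG_UNFILTERED, "nofilter@sender.test")):
        print(label, summarize(trace(log.splitlines(), mid)))
```

On a live box, `lines` would come from `/var/log/mail.log` (or whatever syslog writes to) and the Message-ID from the test mail you sent yourself; the unfiltered case is exactly the symptom in this thread, a single relay straight to the Exchange host with no amavis hop and no score.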


Re: Is this how this is supposed to work?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2014-07-24 at 18:34 +0000, Greg Ledford wrote:
> Not sure if I’m asking the right group but being new to all of this,
> it seems like a good place to start. A little about my setup. I wanted
> to build a front-end filter for my Exchange server so I put together
> Postfix-Spamassassin-Amavis and tied in DCC, pyzor, and razor. I’m
> tailing the mail.log and it seems to catch a lot of stuff but it lets
> a TON of stuff through. I’ll post the greater part of the email header
> on one seriously obvious spam message and see if anyone can tell me
> what I’m missing here.

There is absolutely no SA header, including Amavis' flavor.

So there's nothing we can tell you, other than to review your entire
chain and verify the messages do get processed by Amavis and thus SA. If
they do, you will need to configure Amavis to add the usual headers --
which should be default, I believe.

(There are quite a few "AntiSpam" named headers which are totally
unrelated to Amavis and SA. Given their place in the headers, those
might be added by the sending SMTP.)


Next time pasting headers, please use a pastebin or tell your MUA to
behave and not inject empty lines...


> I appreciate any help and please be kind. I’m VERY new to this stuff.

The first step would be to verify Postfix, Amavis and SpamAssassin do
get involved.

The headers you pasted seem to show a single Received header on your
side, Microsoft SMTP. There's no Postfix Received header.

The environment you try to set up is SA, being called by Amavis, which
in turn is called by Postfix. For help on getting Postfix into your
chain, the postfix mailing-list would be a better place to start. ;)


> Received: from data.gabowitztv.com (198.246.47.80)
>   by mail.phhw.com (10.0.0.2)
>   with Microsoft SMTP Server id 14.3.181.6; Thu, 24 Jul 2014 10:49:29 -0500

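Both this reply (no SA or Amavis header at all, only a Microsoft SMTP Received line; the "AntiSpam" headers are another product's) and the later one that walks the Received headers bottom up are doing the same diagnosis by hand. The following is an added example, not code from this thread or from SpamAssassin/Amavis, that does it with Python's standard `email` parser: it lists the Received hops oldest-first, names which software wrote each hop by its telltales, and reports whether Postfix and amavisd-new appear and whether any `X-Spam-*` headers are present. The two sample header blocks are constructed to resemble the ones pasted in the thread (hostnames, IDs and scores are made up).

```python
"""Trace a message's Received chain bottom-up and check whether the
Postfix -> amavisd-new -> SpamAssassin path actually touched it.

Added example, not code from the thread. Sample headers are constructed."""
from email import message_from_string
from email.message import Message
from typing import Dict, List, Tuple

# Constructed: external host -> Postfix MX -> amavisd-new -> Postfix -> Exchange,
# with the amavis/SA headers present.
SAMPLE_OK = """\
Received: from smtp.example.test (10.0.1.7) by mail.example.test (10.0.1.5)
 with Microsoft SMTP Server id 14.3.195.1; Thu, 24 Jul 2014 18:11:18 -0500
Received: from localhost (localhost [127.0.0.1])
 by smtp.example.test (Postfix) with ESMTP id E9A1D1943211
 for <user@example.test>; Thu, 24 Jul 2014 18:00:06 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at smtp.example.test
X-Spam-Flag: YES
X-Spam-Score: 12.3
X-Spam-Status: Yes, score=12.3 tagged_above=-999 required=6.31 tests=[BAYES_99=3.5]
Received: from smtp.example.test ([127.0.0.1])
 by localhost (smtp.example.test [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id l_YzbdhJopva for <user@example.test>; Thu, 24 Jul 2014 18:00:02 -0500 (CDT)
Received: from sell.sender.test (sell.sender.test [192.0.2.10])
 by smtp.example.test (Postfix) with ESMTP id 29AFE194320C
 for <user@example.test>; Thu, 24 Jul 2014 17:59:50 -0500 (CDT)
X-KSE-AntiSpam-Status: KAS_STATUS_NOT_DETECTED
From: Sender <sender@sender.test>
To: <user@example.test>
Subject: test

body
"""

# Constructed: the original poster's situation, only the Microsoft SMTP hop
# on the receiving side; no Postfix, no amavis, no SA.
SAMPLE_BYPASSED = """\
Received: from data.sender.test (192.0.2.20) by mail.example.test (10.0.0.2)
 with Microsoft SMTP Server id 14.3.181.6; Thu, 24 Jul 2014 10:49:29 -0500
X-KSE-AntiSpam-Status: KAS_STATUS_NOT_DETECTED
From: Sender <sender@sender.test>
To: <user@example.test>
Subject: test

body
"""


def classify_hop(received: str) -> str:
    """Name the software that wrote one Received header, by its telltales."""
    if "amavisd-new" in received:
        return "amavisd-new"
    if "(Postfix)" in received:
        return "Postfix"
    if "Microsoft SMTP Server" in received:
        return "Microsoft SMTP"
    return "other"


def hops_bottom_up(msg: Message) -> List[Tuple[str, str]]:
    """Received headers oldest-first, i.e. read from the bottom of the header block."""
    received = msg.get_all("Received") or []
    hops = []
    for raw in reversed(received):
        text = " ".join(raw.split())  # unfold continuation lines
        hops.append((classify_hop(text), text))
    return hops


def diagnose(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    hops = hops_bottom_up(msg)
    writers = [w for w, _ in hops]
    sa_headers = [k for k in msg.keys() if k.lower().startswith("x-spam-")]
    # "AntiSpam" headers from other products are not evidence that SA ran.
    foreign = [k for k in msg.keys()
               if "antispam" in k.lower() and not k.lower().startswith("x-spam-")]
    return {
        "hops": hops,
        "postfix_seen": "Postfix" in writers,
        "amavis_seen": "amavisd-new" in writers,
        "sa_headers": sa_headers,
        "foreign_antispam_headers": foreign,
        "filtered": "Postfix" in writers and "amavisd-new" in writers and bool(sa_headers),
    }


if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("bypassed", SAMPLE_BYPASSED)):
        d = diagnose(raw)
        print(f"== {name}: filtered={d['filtered']} sa_headers={d['sa_headers']}")
        for writer, text in d["hops"]:
            print(f"  [{writer:14}] {text[:72]}")
```

Paste a complete, unsnipped header block into `diagnose`; if `postfix_seen` is false the MX record or relay path is the problem, if Postfix appears but `amavis_seen` is false the `content_filter` is, and if both appear without `X-Spam-*` headers Amavis is not calling SA or not adding its headers.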