Failed to check the emails

[Piotr Zalewa <pi...@zalewa.info>]

Hi

On one server I have qmail with spamassassin.
Most of the emails are coming checked by spamassassin.

But some are coming not being checked ...
I can find this in the header of the message:

with qmail-scanner-2.01st  (clamdscan: 0.91.2/6473. spamassassin: 3.2.1.
perlscan: 2.01st. Clear:RC:0(140.211.11.2):SA:0(?/?):.  Processed in
3.031013 secs); 30 Mar 2008 15:34:59 -0000
X-Spam-Status: No, hits=? required=?

I found out that it comes unchecked always when I do the manual SMTP on
this server:
telnet mydomain
HELO something.somewhere
250 myfqdn.domain
MAIL FROM: someone@from.somewhere.else
250 ok
RCPT TO: existing_email@one.of.my.rcpt.hosts
250 ok
DATA
354 go ahead
Subject: test hello

Hello message
.
250 ok 1206835495 qp 5656

Spammers had already found this server ...
Please help.

Piotr

Re: Failed to check the emails

[Piotr Zalewa <pi...@zalewa.info>]

On Mon, 2008-03-31 at 12:38 +1300, Jason Haar wrote:
> Piotr Zalewa wrote:
> > But some are coming not being checked ...
> > I can find this in the header of the message:
> >
> > with qmail-scanner-2.01st  (clamdscan: 0.91.2/6473. spamassassin: 3.2.1.
> > perlscan: 2.01st. Clear:RC:0(140.211.11.2):SA:0(?/?):.  Processed in
> > 3.031013 secs); 30 Mar 2008 15:34:59 -0000
> > X-Spam-Status: No, hits=? required=?
> >   
> Please read the Qmail-Scanner FAQ - this either means the message was 
> considered too big for spamd to scan, or spamd had a problem and didn't 
> work correctly.

Thanks, I've seen the FAQ before. I've copy&pasted whole telnet session
in my post, the body (without Subject) has 13 bytes - it is not the
issue - there has to be something with the config

Piotr

RE: Failed to check the emails

[Piotr Zalewa <pi...@zalewa.info>]

Hi

I hate when it happened (well not 100% hate). I've done few things and
it's being checked now. No idea how anyway - probably changed something
an hour ago or so and just restarted recently, but it did the job.

Thanks for help, I'm sure there will be more issues - it's interesting
subject

Piotr

On Mon, 2008-03-31 at 02:26 +0100, Piotr Zalewa wrote:
> Thanks Michael.
> 
> I've run the 
> spamassassin -D --lint > spamassassin_lint 2>&
> 
> On Mon, 2008-03-31 at 13:02 +1300, Michael Hutchinson wrote:
> > > -----Original Message-----
> > > From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
> > > Piotr Zalewa wrote:
> > > > But some are coming not being checked ...
> > > > X-Spam-Status: No, hits=? required=?
> > It sounds like a config issue. It would pay to do a "spamassassin -D
> > --lint". This will produce a lot of output, but it is worth reading and
> > understanding all of the information, to be able to parse it for errors.
> > Cheers,
> > Mike
> > 
> > 
> 

RE: Failed to check the emails

[Piotr Zalewa <pi...@zalewa.info>]

On Mon, 2008-03-31 at 14:51 +1300, Michael Hutchinson wrote:
> > -----Original Message-----
> > From: Piotr Zalewa [mailto:piotr@zalewa.info]
> > Sent: Monday, 31 March 2008 2:26 p.m.
> > To: SpamAssassin
> > Subject: RE: Failed to check the emails
> > I've run the
> > spamassassin -D --lint > spamassassin_lint 2>&
> > dbg: bayes: no dbs present, cannot tie DB
> > R/O: /root/.spamassassin/bayes_toks
> > On Mon, 2008-03-31 at 13:02 +1300, Michael Hutchinson wrote:
> > > > From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
> > 
> From what you posted, S.A looks OK, except it couldn't tie your Bayes
> database. That's mostly a temp issue, if it recurs without resovling
> itself then it's an issue.

I think it's because it was called from the root account (I can't login
to qscand, but as I wrote just few minutes ago, the problem disappeared
magically). /root/.spamassassin/bayes_toks


> X-Spam-Status: No, hits=? required=?
> ^^ this isn't normal, S.A should know what it's required hits score is,
> no matter what it's doing. Can it read/write the file that sets this
> option?

I couldn't catch this in the logs. I have all logs from SA
in /var/log/messages. And the only log I've got from qmail was "message
delivered" ... I don't have files mail.warn and mail.info on my server.

Nothing to read though

Cheers for all the help - going to sleep.

Piotr

RE: Failed to check the emails

[Michael Hutchinson <mh...@manux.co.nz>]

> -----Original Message-----
> From: Piotr Zalewa [mailto:piotr@zalewa.info]
> Sent: Monday, 31 March 2008 2:26 p.m.
> To: SpamAssassin
> Subject: RE: Failed to check the emails
> 
> Thanks Michael.
> 
> I've run the
> spamassassin -D --lint > spamassassin_lint 2>&
> 
> I can't find anything suspicious there - but I'm not the master
either.
> I think it's rather qmail-scanner configuration problem ... I'll paste
> here parts which I think are important ... If it's not helpful I can
> attach the file (to priv as I think).
> 
> dbg: logger: adding facilities: all
> dbg: logger: logging level is DBG
> dbg: generic: SpamAssassin version 3.2.1
> dbg: config: score set 0 chosen.
> dbg: util: running in taint mode? no
> dbg: dns: is Net::DNS::Resolver available? yes
> dbg: dns: Net::DNS version: 0.59
> [...]
> dbg: bayes: no dbs present, cannot tie DB
> R/O: /root/.spamassassin/bayes_toks
> [...]
> dbg: dns: is_dns_available() last checked 1206925264 seconds ago;
> re-checking
> dbg: dns: is DNS available? 0
> [...]
> dbg: check: is spam? score=4.205 required=4
> dbg: check:
>
tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
> dbg: check:
>
subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__M
SO
> E_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
> 
> As I said - emails sent normally from other servers are being checked
> for spam
> 
> Piotr
> 
> On Mon, 2008-03-31 at 13:02 +1300, Michael Hutchinson wrote:
> > > -----Original Message-----
> > > From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
> > > Piotr Zalewa wrote:
> > > > But some are coming not being checked ...
> > > > X-Spam-Status: No, hits=? required=?
> > It sounds like a config issue. It would pay to do a "spamassassin -D
> > --lint". This will produce a lot of output, but it is worth reading
and
> > understanding all of the information, to be able to parse it for
errors.
> > Cheers,
> > Mike
> >
> >

>From what you posted, S.A looks OK, except it couldn't tie your Bayes
database. That's mostly a temp issue, if it recurs without resovling
itself then it's an issue.

However, I think you're right about the fact that it's a config error
somewhere else. I use Simscan myself, and haven't touched qmail-scanner
before. I do have a config file where I can turn Spam and AV checking on
or off for a particular domain, but it is Simscan specific. Besides,
that sort of feature should still not leave you with a S.A header in the
email. You might want to check the sanity of the receiving end's qmail
config. Especially the control files.

Have you attempted to track the email through your system by grepping
through the logs? 

I do this for tracking mails, and normally wind up using "tail -f
<logfile>" and leave it running while I do testing... If you're too busy
a domain, that wont work for you.

It'd be interesting to see if you're getting some kind of failure when
S.A is being called. 

X-Spam-Status: No, hits=? required=?
^^ this isn't normal, S.A should know what it's required hits score is,
no matter what it's doing. Can it read/write the file that sets this
option?

I can only hazard a guess with no more information:
Perhaps your system is running S.A in per-domain or per-user mode? There
could be a problem that there is no configuration file to read when it's
receiving mail from the other system you're talking about, or the config
file for that domain exists but S.A doesn't have permissions to deal
with it.

U could post your "spamassassin -D --lint" to me if you like... I'm not
guaranteeing expert analysis tho :)

Is qmail-scanner keeping a log on your system? And are you able to see
your email traverse from the other domain to the mail server in
question, in the log files? (/var/log). If so, perhaps post some log
entries or try to see what's going on when that email is being scanned.

Cheers,
Mike

RE: Failed to check the emails

[Piotr Zalewa <pi...@zalewa.info>]

Thanks Michael.

I've run the 
spamassassin -D --lint > spamassassin_lint 2>&

I can't find anything suspicious there - but I'm not the master either.
I think it's rather qmail-scanner configuration problem ... I'll paste
here parts which I think are important ... If it's not helpful I can
attach the file (to priv as I think).

dbg: logger: adding facilities: all
dbg: logger: logging level is DBG
dbg: generic: SpamAssassin version 3.2.1
dbg: config: score set 0 chosen.
dbg: util: running in taint mode? no
dbg: dns: is Net::DNS::Resolver available? yes
dbg: dns: Net::DNS version: 0.59
[...]
dbg: bayes: no dbs present, cannot tie DB
R/O: /root/.spamassassin/bayes_toks
[...]
dbg: dns: is_dns_available() last checked 1206925264 seconds ago;
re-checking
dbg: dns: is DNS available? 0
[...]
dbg: check: is spam? score=4.205 required=4
dbg: check:
tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
dbg: check:
subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID

As I said - emails sent normally from other servers are being checked
for spam

Piotr

On Mon, 2008-03-31 at 13:02 +1300, Michael Hutchinson wrote:
> > -----Original Message-----
> > From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
> > Piotr Zalewa wrote:
> > > But some are coming not being checked ...
> > > X-Spam-Status: No, hits=? required=?
> It sounds like a config issue. It would pay to do a "spamassassin -D
> --lint". This will produce a lot of output, but it is worth reading and
> understanding all of the information, to be able to parse it for errors.
> Cheers,
> Mike
> 
> 

Re: Failed to check the emails

[Loren Wilton <lw...@earthlink.net>]

> It sounds like a config issue. It would pay to do a "spamassassin -D
> --lint". This will produce a lot of output, but it is worth reading and
> understanding all of the information, to be able to parse it for errors.

Actually just 'spamassassin --lint' might be a good thing to do, being sure 
to run under the corredct usercode.  This should have no output if things 
are right.

        Loren

RE: Failed to check the emails

[Michael Hutchinson <mh...@manux.co.nz>]

> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
> Sent: Monday, 31 March 2008 12:38 p.m.
> To: SpamAssassin
> Subject: Re: Failed to check the emails
> 
> Piotr Zalewa wrote:
> > But some are coming not being checked ...
> > I can find this in the header of the message:
> >
> > with qmail-scanner-2.01st  (clamdscan: 0.91.2/6473. spamassassin:
3.2.1.
> > perlscan: 2.01st. Clear:RC:0(140.211.11.2):SA:0(?/?):.  Processed in
> > 3.031013 secs); 30 Mar 2008 15:34:59 -0000
> > X-Spam-Status: No, hits=? required=?
> >
> Please read the Qmail-Scanner FAQ - this either means the message was
> considered too big for spamd to scan, or spamd had a problem and
didn't
> work correctly.
> 

It sounds like a config issue. It would pay to do a "spamassassin -D
--lint". This will produce a lot of output, but it is worth reading and
understanding all of the information, to be able to parse it for errors.

If a message is too large to scan, you would normally get a log entry in
mail.log or mail.info or mail.warn (depending on your setup, the
location and names of these will most likely change) stating the message
was too large to scan. If that is the case, you should not get a
Spamassassin header in the e-mail, as it skips scanning the message
entirely if it's size is above the limit.

Cheers,
Mike

Re: Failed to check the emails

[Jason Haar <Ja...@trimble.co.nz>]

Piotr Zalewa wrote:
> But some are coming not being checked ...
> I can find this in the header of the message:
>
> with qmail-scanner-2.01st  (clamdscan: 0.91.2/6473. spamassassin: 3.2.1.
> perlscan: 2.01st. Clear:RC:0(140.211.11.2):SA:0(?/?):.  Processed in
> 3.031013 secs); 30 Mar 2008 15:34:59 -0000
> X-Spam-Status: No, hits=? required=?
>   
Please read the Qmail-Scanner FAQ - this either means the message was 
considered too big for spamd to scan, or spamd had a problem and didn't 
work correctly.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1