Les Ault wrote:
> One of my users just received some spam that made it past
> amavisd/SpamAssassin; The message was your average text formatted
> "mortgage" spam.
>
> This message has been blocked by amavisd/SpamAssassin in the past so I did
> some checking and found the envelope sender on this message was different.
> The envelope sender's address contains a space; the original message has an
> envelope sender of:
>
> MAIL FROM: <"[EMAIL PROTECTED] ">
>
> When this message passes through my setup, the amavisd log shows that the
> sender is white-listed. I have checked my white-list file and also deleted
> the /var/amavisd/.spamassassin/auto-whitelist.db file and the message is
> always passed with the same result. If I remove the space from the envelope
> sender making it:
>
> MAIL FROM: <"[EMAIL PROTECTED]">
>
> then amavisd/SpamAssassin correctly identifies and quarantines the message;
> I would appreciate any ideas on how to fix this. I am running the following
> software versions:
>
> OpenBSD 3.6
> Postfix 2.10
> amavisd-new-2.2.0 (20041102)
> Spamassassin 3.0.1
>
> Here are the relevant log entries:
>
> ---------------- Begin Original Message --------------------
> Feb 7 16:13:00 mta1 postfix/smtpd[3729]: connect from localhost[127.0.0.1]
> Feb 7 16:13:00 mta1 postfix/smtpd[3729]: NOQUEUE: client=localhost[127.0.0.1]
> Feb 7 16:13:00 mta1 amavis[32152]: (32152-02) ESMTP::10024 /var/amavisd/tmp/amavis-20060207T160942-32152: <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]> Received: BODY=8BITMIME from mta1.markmansdiamonds.com ([127.0.0.1]) by localhost (mta1.markmansdiamonds.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 32152-02 for <[EMAIL PROTECTED]>; Tue, 7 Feb 2006 16:13:00 -0500 (EST)
> Feb 7 16:13:00 mta1 amavis[32152]: (32152-02) Checking: [127.0.0.1] <"[EMAIL PROTECTED] "> -> <[EMAIL PROTECTED]>
> Feb 7 16:13:00 mta1 amavis[32152]: (32152-02) p001 1 Content-Type: text/html, size: 622 B, name:
> Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) wbl: whitelisted sender <[EMAIL PROTECTED] >
> Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) SPAM-TAG, <"[EMAIL PROTECTED] "> -> <[EMAIL PROTECTED]>, No, hits=x tagged_above=-50 required=3.75 WHITELISTED
> Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) FWD via SMTP: [127.0.0.1]:10025 <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]>
> Feb 7 16:13:01 mta1 postfix/smtpd[19530]: connect from localhost[127.0.0.1]
> Feb 7 16:13:01 mta1 postfix/smtpd[19530]: 1E0EE91EF1: client=localhost[127.0.0.1]
> Feb 7 16:13:01 mta1 postfix/cleanup[30349]: 1E0EE91EF1: message-id=<[EMAIL PROTECTED]>
> Feb 7 16:13:01 mta1 postfix/qmgr[3198]: 1E0EE91EF1: from=<[EMAIL PROTECTED]>, size=2460, nrcpt=1 (queue active)
> Feb 7 16:13:01 mta1 postfix/smtpd[19530]: disconnect from localhost[127.0.0.1]
> Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) Passed, <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: -
> Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) Passed CLEAN, <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]>, Hits: -, tag=-50, tag2=3.75, kill=3.75, L/Y/0/0
> Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) TIMING [total 471 ms] - SMTP EHLO: 6 (1%), SMTP pre-MAIL: 2 (0%), SMTP pre-DATA-flush: 10 (2%), SMTP DATA: 1 (0%), body_hash: 1 (0%), mime_decode: 41 (9%), get-file-type1: 31 (7%), decompose_part: 3 (1%), parts_decode: 0 (0%), AV-scan-1: 18 (4%), spam-wb-list: 5 (1%), update_cache: 1 (0%), fwd-connect: 50 (11%), fwd-xforward: 1 (0%), fwd-mail-from: 4 (1%), fwd-rcpt-to: 46 (10%), write-header: 9 (2%), fwd-data: 1 (0%), fwd-data-end: 195 (41%), fwd-rundown: 5 (1%), main_log_entry: 30 (6%), update_snmp: 0 (0%), unlink-1-files: 7 (1%), rundown: 1 (0%)
> Feb 7 16:13:01 mta1 postfix/cleanup[30349]: 61B4B91EF2: message-id=<[EMAIL PROTECTED]>
> ---------------- End Original Message --------------------

Seems like a bug somewhere.

- what/who/when/... added the space? the postfix line shows the right sender (no space and no quotes). do you have any canonical maps in postfix that contain such bogus conversion? if not, sounds like a net::smtp or amavisd bug - even then, you should check your whitelists.

PS. "[EMAIL PROTECTED] " is an address with no domain part (so it's local).

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
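The point made in the PS above, as an added example that is not part of the original thread and is not amavisd's or Postfix's code: when the whole address sits inside double quotes, the "@" belongs to the quoted local part and the path has no domain. The addresses are constructed (the real ones are redacted on the page), and `split_path` and `suspicious` are hypothetical helper names.

```python
import re

# Constructed sample envelope commands; the real addresses are redacted on the page.
SAMPLES = [
    'MAIL FROM: <"user@example.com ">',
    'MAIL FROM: <"user@example.com">',
    'MAIL FROM: <user@example.com>',
    'MAIL FROM: <>',
]

def split_path(mail_from):
    """Return (local_part, domain) of a MAIL FROM path; domain is None if absent."""
    m = re.match(r'(?i)\s*MAIL FROM:\s*<(.*)>\s*$', mail_from)
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % mail_from)
    path = m.group(1)
    if path.startswith('"'):
        # Quoted-string local part: scan to the closing unescaped quote.
        i = 1
        while i < len(path) and path[i] != '"':
            i += 2 if path[i] == '\\' else 1
        if i >= len(path):
            raise ValueError("unterminated quoted string in %r" % path)
        local, rest = path[:i + 1], path[i + 1:]
    else:
        at = path.rfind('@')
        local, rest = (path[:at], path[at:]) if at >= 0 else (path, '')
    if rest and not rest.startswith('@'):
        raise ValueError("unexpected text after local part in %r" % path)
    return local, (rest[1:] if rest else None)

def suspicious(mail_from):
    """Hypothetical pre-filter check: reasons to distrust this envelope sender."""
    local, domain = split_path(mail_from)
    reasons = []
    if local.startswith('"'):
        inner = local[1:-1]
        if '@' in inner:
            reasons.append('"@" inside quoted local part')
        if inner != inner.strip():
            reasons.append('leading/trailing whitespace inside quotes')
    if local and domain is None:
        reasons.append('no domain part')
    return reasons

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, '->', split_path(line), suspicious(line))
```

The null sender `<>` is deliberately not flagged, since bounces legitimately use it.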