On 11/1/2013 6:17 PM, Eric Shubert wrote:
On 11/01/2013 08:45 AM, Tim Whitaker wrote:
Hi everybody... I've been running qmail toaster on a fresh CentOS 5.9
install for about a month now and all has been well except for one
thing... spam.  I have googled as much as I could to try and figure out
what my problem might be and I've made some changes but still some
really annoying spam is coming through with file attachments and such.
  My problem is I can't figure out how to find any logs to tell me if
SpamAssassin is actually working.  I know the service is running.  In
the spirit of giving too much information, here's a bunch of stuff:

cat /etc/tcprules.d/tcp.smtp
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",DKSIGN="/var/qmail/control/domainkeys/%/private"

cat /var/qmail/control/simcontrol
:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

qmailctl stat
authlib: up (pid 16643) 49008 seconds
clamd: up (pid 16614) 49008 seconds
imap4: down 49008 seconds
imap4-ssl: down 49008 seconds
pop3: up (pid 16603) 49008 seconds
pop3-ssl: up (pid 16665) 49008 seconds
send: up (pid 16626) 49008 seconds
smtp: up (pid 16635) 49008 seconds
spamd: up (pid 16622) 49008 seconds
submission: up (pid 16685) 49007 seconds
authlib/log: up (pid 16645) 49008 seconds
clamd/log: up (pid 16616) 49008 seconds
imap4/log: down 49008 seconds
imap4-ssl/log: down 49008 seconds
pop3/log: up (pid 16605) 49008 seconds
pop3-ssl/log: up (pid 16671) 49008 seconds
send/log: up (pid 16610) 49008 seconds
smtp/log: up (pid 16640) 49008 seconds
spamd/log: up (pid 16631) 49008 seconds
submission/log: up (pid 16661) 49008 seconds


Nice thread, everyone. I'm happy to see the community taking such an active role.

I'd like to add and reinforce a few things.

Spamdyke will be included in the forthcoming stock QMT release. It's a must have. If I had to pick a single anti-spam piece of software, it'd be spamdyke hands down. Sam C (the author) deserves many kudos for this great product. FWIW, Sam will probably be modifying the next version to be able to function as an smtp proxy, so it will be usable by any smtp transport, not just qmail. When that happens, I expect that spamdyke will become widely adopted.

I hope that Dspam will be available with a future QMT release, but don't look for it any time soon. It will likely be implemented along with amavisd-new, which will replace simscan.

I'm a little surprised more of you aren't using qmlog. It's a great tool for examining logs. I often do:
# qmlog -f smtp
to tail the smtp log. qmlog also has powerful search capabilities with the -lc (log containing) option for searching for any regex. qmlog also nicely formats the date/time stamp, so you don't need to remember to pipe through tai64nlocal (which is part of the daemontools package, so should be on every QMT host). For spamassassin, you might do:
# qmlog -f spamd
to see spamassassin at work. Of course if you have spamdyke installed, there won't be a lot to see there. :) Enter the qmlog command by itself to see all of its options. You'll never need to manually examine logs again.

While sanesecurity doesn't catch a lot of spam, what it does specialize in is phishing attempts, which nothing else appears to catch. I do use it. The only problem I've had is that some phishing attempts are so good at appearing to be emails from banking institutions that sometimes it blocks monthly statements from AmExp and Chase. As a work-around I've chosen to bypass scanning of emails from these institutions.

Thanks again to everyone for their participation here. Nice work!

In addition to qmlog, a tool I cannot live without is *mtrack* - a perl script that allows you to ferret out messages (not unlike the -lc option of qmlog), but then gathers all of the lines of the log file concerning that message together. (NOTE: To keep my head on straight, I rename the program qmtrack -- just for my feeble mind.)

As an example, to make finding "bad actors" easier, I use qmlog, grep, and wc to count (every 15 minutes) how many failed attempts have happened today (so far)... when they reach a certain threshold, I send an automated email to my cell phone and run a [q]mtrack on the log files over the same time which shows me the same messages, but grouped by failed attempt.

To show you the value of this, let me show you a snippet (redacted to protect client data):

   11-01 14:13:17 new msg 135400183
   11-01 14:13:17 info msg 135400183: bytes 20503 from <f...@m.com> qp 29365 uid 89
   11-01 14:13:17 starting delivery 10363: msg 135400183 to remote c...@mk.com
   11-01 14:13:41 delivery 10363: deferral: Connected_to_xx.xx.xx.xx_but_sender_was_rejected./Remote_host_said:_452_4.1.0_..._temporary_failure/
   11-01 14:19:58 starting delivery 10560: msg 135400183 to remote c...@mk.com
   11-01 14:20:55 delivery 10560: success: User_and_password_not_set,_continuing_without_authentication./<c...@mk.com>_xx.xx.xx.xx_accepted_message./Remote_host_said:_250_ok:__Message_505069548_accepted/
   11-01 14:20:55 end msg 135400183

This snippet is pulled from a log file containing over 100K lines of messages (and the full output of my [q]mtrack query shows 30+ failed messages) -- but here I can see QUICKLY (and grouped together) that THIS message had only a temporary failure, and was delivered with only a 7-minute delay ... a delay caused by the remote server.

My only real issue with [q]mtrack is that it is designed SOLELY for qmail-send logs (there is a separate tool - [qm]strack for qmail-smtpd logs) -- and both sometimes have perl-script errors (due to unexpected line formats)... which I conveniently send to /dev/null.

I have not attempted to reach the guy who wrote these (see http://qmail.jms1.net/scripts/) -- in part because they haven't been updated in SOOO long (though he did update the (C) notice to 2013 <grin>).... in any case, I'm afraid if I point out problems he may take the site (or the scripts) down... and I've only just begun to mine the plethora of stuff he's got on there...

Just my thoughts...

Dan McAllister
IT4SOHO
QMT Mirror/DNS Admin


--

PLEASE TAKE NOTE OF OUR NEW ADDRESS
===================================
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!
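Added example (not part of the thread, and not the qmlog or mtrack code discussed in it): a short Python script that does the two things the thread describes by hand, converting the tai64n stamps that multilog writes into readable timestamps the way tai64nlocal/qmlog do, and then gathering every qmail-send log line that belongs to one message the way mtrack does, so deferrals and failures can be counted against a threshold and printed grouped per message. It assumes the input is the qmail-send supervise log (one tai64n label followed by a qmail-log(8) line format). The log lines, addresses and IP addresses in SAMPLE_LOG are constructed to mirror the timing of the snippet above; leap seconds are ignored and UTC is used instead of local time so the output is deterministic.

```python
"""Group qmail-send log lines per message and count failed delivery attempts.

Added example for this thread; not the qmlog or mtrack code discussed above.
Assumes the multilog file of the qmail-send supervise service: each line is a
tai64n label followed by one of the formats in qmail-log(8). All log lines,
addresses and IPs in SAMPLE_LOG are constructed sample data."""
import re
from datetime import datetime, timezone

TAI64_OFFSET = 1 << 62  # tai64 labels count seconds from 2^62 == 1970-01-01


def tai64n_to_datetime(label):
    """Decode '@' + 16 hex seconds + 8 hex nanoseconds into an aware datetime.
    Assumption: leap seconds are ignored (TAI treated as UTC), which is what
    tai64nlocal does without a leap-second table; UTC instead of local time."""
    secs = int(label[1:17], 16) - TAI64_OFFSET
    nanos = int(label[17:25], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)


def tai64n(secs, nanos=0):
    """Encode a Unix time as a tai64n label; used only to build the sample log."""
    return f"@{secs + TAI64_OFFSET:016x}{nanos:08x}"


LINE_RE = re.compile(r"^(@[0-9a-f]{24}) (.*)$")
MSG_RE = re.compile(r"^(?:new|info|end|bounce) msg (\d+)")
START_RE = re.compile(r"^starting delivery (\d+): msg (\d+) to (?:local|remote) \S+$")
RESULT_RE = re.compile(r"^delivery (\d+): (success|deferral|failure): ")


def track_messages(lines):
    """Return {msgid: record}; a record holds every (timestamp, body) line about
    that message plus per-status counters. Delivery numbers are mapped back to
    their message through the 'starting delivery' line, which is what keeps
    interleaved messages apart (the mtrack idea)."""
    msgs, delivery_owner = {}, {}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # not a tai64n-stamped line; skip it rather than die on it
        ts, body = tai64n_to_datetime(m.group(1)), m.group(2)
        status = None
        if mm := MSG_RE.match(body):
            msgid = mm.group(1)
        elif sm := START_RE.match(body):
            msgid = sm.group(2)
            delivery_owner[sm.group(1)] = msgid
        elif rm := RESULT_RE.match(body):
            msgid = delivery_owner.get(rm.group(1))  # None if the start line was rotated away
            status = rm.group(2)
        else:
            continue  # 'status:' and other bookkeeping lines belong to no message
        if msgid is None:
            continue
        rec = msgs.setdefault(msgid, {"lines": [], "success": 0, "deferral": 0, "failure": 0})
        rec["lines"].append((ts, body))
        if status:
            rec[status] += 1
    return msgs


def report(rec):
    """All lines of one message, grouped and rendered as qmlog/tai64nlocal would."""
    return "\n".join(f"{ts:%m-%d %H:%M:%S} {body}" for ts, body in rec["lines"])


def delivery_delay(rec):
    """Seconds from the first delivery attempt to the first success, or None."""
    starts = [ts for ts, body in rec["lines"] if START_RE.match(body)]
    oks = [ts for ts, body in rec["lines"]
           if (rm := RESULT_RE.match(body)) and rm.group(2) == "success"]
    if not starts or not oks:
        return None
    return int((oks[0] - starts[0]).total_seconds())


def failed_attempts_on(msgs, day):
    """Deferrals plus failures logged on 'YYYY-MM-DD' (UTC): the number the
    thread compares against an alerting threshold every 15 minutes."""
    return sum(1 for rec in msgs.values() for ts, body in rec["lines"]
               if (rm := RESULT_RE.match(body)) and rm.group(2) != "success"
               and ts.strftime("%Y-%m-%d") == day)


T0 = 1383315197  # 2013-11-01 14:13:17 UTC; timings mirror the thread's snippet
SAMPLE_LOG = [  # constructed; a second message is interleaved to exercise the grouping
    tai64n(T0) + " new msg 135400183",
    tai64n(T0) + " info msg 135400183: bytes 20503 from <sender@example.com> qp 29365 uid 89",
    tai64n(T0) + " starting delivery 10363: msg 135400183 to remote rcpt@example.net",
    tai64n(T0 + 1) + " status: local 0/10 remote 1/20",
    tai64n(T0 + 24) + " delivery 10363: deferral: Connected_to_192.0.2.25_but_sender_was_rejected."
                      "/Remote_host_said:_452_4.1.0_temporary_failure/",
    tai64n(T0 + 60) + " new msg 135400184",
    tai64n(T0 + 60) + " info msg 135400184: bytes 812 from <other@example.com> qp 29380 uid 89",
    tai64n(T0 + 60) + " starting delivery 10364: msg 135400184 to remote nobody@example.org",
    tai64n(T0 + 62) + " delivery 10364: failure: Connected_to_192.0.2.30_but_sender_was_rejected."
                      "/Remote_host_said:_550_5.1.1_no_such_user/",
    tai64n(T0 + 62) + " bounce msg 135400184 qp 29381",
    tai64n(T0 + 62) + " end msg 135400184",
    tai64n(T0 + 401) + " starting delivery 10560: msg 135400183 to remote rcpt@example.net",
    tai64n(T0 + 458) + " delivery 10560: success: 192.0.2.25_accepted_message./Remote_host_said:_250_ok/",
    tai64n(T0 + 458) + " end msg 135400183",
]

if __name__ == "__main__":
    msgs = track_messages(SAMPLE_LOG)
    print(f"failed attempts on 2013-11-01: {failed_attempts_on(msgs, '2013-11-01')}")
    for msgid, rec in sorted(msgs.items()):
        if rec["deferral"] or rec["failure"]:
            print(f"\n--- msg {msgid}, delay to success: {delivery_delay(rec)}")
            print(report(rec))
```

On a real host you would feed it the current log (for example `cat /var/log/qmail/send/current | python3 thisscript.py` after swapping SAMPLE_LOG for `sys.stdin`) and compare failed_attempts_on() against your threshold from cron. Deferral and failure lines carry only a delivery number, so the script has to see the matching "starting delivery" line first; lines whose start was in an already-rotated log file are dropped silently instead of crashing, which is the line-format problem the thread mentions with the perl scripts.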
