Re: new version always trusts 127.0.0.1

2008-03-12 Thread Doug Poulin
Well, here are the actual headers:

Mar 11 13:48:20 x1mail spamd[6116]: spamd: result: Y 22 -
DATE_IN_FUTURE_12_24,
FORGED_MUA_OUTLOOK,HTML_MESSAGE,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
URIBL_SC_SURBL scantime=17.6,size=3023,user=root,uid=501,required_score=3.0,
rhost=localhost,raddr=127.0.0.1,rport=34757,
mid=<[EMAIL PROTECTED]>,autolearn=disabled

Thanks for any help.  And believe it or not, that was a LEGITIMATE
message. I need to do a little digging to see where this guy was sending
from, but it was a proposal to reorder some forms we use!

Thanks again!


On Wed, Mar 12, 2008 at 10:14 AM, Matt Kettler <[EMAIL PROTECTED]>
wrote:

> dougp23 wrote:
> > Hi.  Running SA 3.1.8
> >
> > Would like to move to a newer version for a few reasons...
> >
> > Anyways the 3.2.3 version looks compelling, but I use a mailserver called
> > Scalix.  It uses Sendmail as its engine.  But each X-Spam header shows this:
> >
> > rhost=localhost,raddr=127.0.0.1,rport=34757,
> >
> Erm.. What's that generated by? That's not SpamAssassin...
>
> > Which makes me think that for my mailserver, ALL email appears to originate
> > from the localhost.  In fact, under 3.1.8, I once tried to set the network
> > ignore option to 127.0.0.1, and all spam immediately was let through.
> >
> Well, even if SpamAssassin trusts a host, and all the hosts involved in
> handling a message, it will still scan it. You'll just see the
> ALL_TRUSTED rule fire off. That reduces the score a little, but not
> enough that you'd be missing all spam..
>
> Your problem is more comprehensive, as it sounds like email isn't even
> being scanned by SA.
>
> Is there a spamassassin generated X-Spam-Status with a list of rule hits
> on those spam emails?
>
> > Just wondering if I am missing something or do I just utilize a flaky
> > mailserver, lol!


Re: new version always trusts 127.0.0.1

2008-03-12 Thread Matt Kettler

Doug Poulin wrote:

> Well, here are the actual headers:
>
> Mar 11 13:48:20 x1mail spamd[6116]: spamd: result: Y 22 -
> DATE_IN_FUTURE_12_24,
> FORGED_MUA_OUTLOOK,HTML_MESSAGE,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
> URIBL_SC_SURBL scantime=17.6,size=3023,user=root,uid=501,required_score=3.0,
> rhost=localhost,raddr=127.0.0.1,rport=34757,
> mid=<[EMAIL PROTECTED]>,autolearn=disabled

Ahh, that's the spamd logs, not the X-Spam headers..

All the rhost=localhost... bit means is that's where spamc is running
and feeding spamd messages. Since it's possible to run spamd on a
separate server than your email frontend, this isn't always localhost
for everyone, but in your case it likely always will be. However, that
part has nothing to do with SpamAssassin's analysis. SA will always
process the message the same way, no matter how it got fed to spamd, and
the spam tests do not have access to that information.

> Thanks for any help.  And believe it or not, that was a LEGITIMATE
> message. I need to do a little digging to see where this guy was
> sending from, but it was a proposal to reorder some forms we use!

Sounds like he needs to fix his clock, and find out what URL in the
message body was blacklisted by every SURBL test... The rest is probably
minor.. the FORGED_MUA_OUTLOOK is probably a FP. Microsoft changes
Outlook's output formats faster than you can blink an eye.

> Thanks again!

No problem.
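An added example, not part of the original thread or of SpamAssassin's code: a small parser for the spamd "result:" syslog entry quoted above. It separates the rule hits (what SA decided) from rhost/raddr/rport (which spamc client connected to spamd). The sample text is the entry from the thread, and the function names are illustrative.

```python
import ipaddress
import re

# Sample input: the spamd syslog entry from the thread, wrapped across
# lines the way the mail client wrapped it.
WRAPPED = """Mar 11 13:48:20 x1mail spamd[6116]: spamd: result: Y 22 -
DATE_IN_FUTURE_12_24,
FORGED_MUA_OUTLOOK,HTML_MESSAGE,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
URIBL_SC_SURBL scantime=17.6,size=3023,user=root,uid=501,required_score=3.0,
rhost=localhost,raddr=127.0.0.1,rport=34757,
mid=<[EMAIL PROTECTED]>,autolearn=disabled"""

RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>\S) (?P<score>-?\d+) - "
    r"(?P<rules>\S*)\s+(?P<fields>\w+=.*)$")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=,\w+=|$)")

def unwrap(text):
    """Re-join a mail-wrapped entry: no space is added after a trailing comma."""
    out = ""
    for part in text.splitlines():
        part = part.strip()
        if part:
            out += part if (not out or out.endswith(",")) else " " + part
    return out

def parse_result(entry):
    """Split a spamd 'result:' entry into verdict, rule hits and client info."""
    m = RESULT_RE.search(unwrap(entry))
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m["fields"]))
    return {
        "is_spam": m["verdict"] == "Y",
        "score": int(m["score"]),
        "required": float(fields["required_score"]),
        "rules": [r for r in m["rules"].split(",") if r],
        # rhost/raddr/rport describe the spamc client socket, not the mail sender.
        "spamc_client": (fields.get("rhost"), fields.get("raddr"),
                         fields.get("rport")),
        "fields": fields,
    }

def spamc_is_loopback(parsed):
    """True when spamc and spamd run on the same host, as in the thread."""
    return ipaddress.ip_address(parsed["spamc_client"][1]).is_loopback
```

A loopback raddr here only says that spamc and spamd share a host; the score comes entirely from the listed rule hits.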


RE: new version always trusts 127.0.0.1

2008-03-12 Thread James E. Pratt
> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2008 11:14 AM
> To: dougp23
> Cc: users@spamassassin.apache.org
> Subject: Re: new version always trusts 127.0.0.1
>
> dougp23 wrote:
> > Hi.  Running SA 3.1.8
> >
> > Would like to move to a newer version for a few reasons...
> >
> > Anyways the 3.2.3 version looks compelling, but I use a mailserver called
> > Scalix.  It uses Sendmail as its engine.  But each X-Spam header shows this:
> >
> > rhost=localhost,raddr=127.0.0.1,rport=34757,
> >
> Erm.. What's that generated by? That's not SpamAssassin...
>
> > Which makes me think that for my mailserver, ALL email appears to originate
> > from the localhost.  In fact, under 3.1.8, I once tried to set the network
> > ignore option to 127.0.0.1, and all spam immediately was let through.
> >
> Well, even if SpamAssassin trusts a host, and all the hosts involved in
> handling a message, it will still scan it. You'll just see the
> ALL_TRUSTED rule fire off. That reduces the score a little, but not
> enough that you'd be missing all spam..
>
> Your problem is more comprehensive, as it sounds like email isn't even
> being scanned by SA.
>
> Is there a spamassassin generated X-Spam-Status with a list of rule hits
> on those spam emails?
>
> > Just wondering if I am missing something or do I just utilize a flaky
> > mailserver, lol!

LOL... I won't answer your last question for fear of being flamed(!),
... but.. have you tried hitting up the Scalix folks and/or their
dev/support forums on this? 

Regards,
jamie


Re: new version always trusts 127.0.0.1

2008-03-12 Thread Matt Kettler

dougp23 wrote:

> Hi.  Running SA 3.1.8
>
> Would like to move to a newer version for a few reasons...
>
> Anyways the 3.2.3 version looks compelling, but I use a mailserver called
> Scalix.  It uses Sendmail as its engine.  But each X-Spam header shows this:
>
> rhost=localhost,raddr=127.0.0.1,rport=34757,

Erm.. What's that generated by? That's not SpamAssassin...

> Which makes me think that for my mailserver, ALL email appears to originate
> from the localhost.  In fact, under 3.1.8, I once tried to set the network
> ignore option to 127.0.0.1, and all spam immediately was let through.

Well, even if SpamAssassin trusts a host, and all the hosts involved in
handling a message, it will still scan it. You'll just see the
ALL_TRUSTED rule fire off. That reduces the score a little, but not
enough that you'd be missing all spam..

Your problem is more comprehensive, as it sounds like email isn't even
being scanned by SA.

Is there a spamassassin generated X-Spam-Status with a list of rule hits
on those spam emails?

> Just wondering if I am missing something or do I just utilize a flaky
> mailserver, lol!