Re: sa missed to scan some of email

[martin]

David B Funk  engineering.uiowa.edu> writes:
> Exactly so.
> Usually you can find the related message by matching the time-stamp
> from your maillog to your spamd log. You can also do some detective work,
> eliminate maillog entries that have an incoming msgid (IE one from the
> sending MTA) and just concentrate on those that have a locally added
> msgid.
> 
> Dave
> 

  thx help, it seem ur correct, as based on the timestamp search, most of
unknown msgid at spam.log had a msgid like '[EMAIL PROTECTED]'
at maillog. 

Re: sa missed to scan some of email

[David B Funk]

On Thu, 13 Apr 2006, martin wrote:

>   thx info, that mean that if email don't given msgid when arrived, sendmail
> default will add itself id for this mail and this msgid will not pass to 
> milter?
> So is it no method to find related message from maillog at such case?

Exactly so.
Usually you can find the related message by matching the time-stamp
from your maillog to your spamd log. You can also do some detective work,
eliminate maillog entries that have an incoming msgid (IE one from the
sending MTA) and just concentrate on those that have a locally added
msgid.

Dave

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: sa missed to scan some of email

[martin]

David B Funk  engineering.uiowa.edu> writes:
 
> Because some messages arrive at your MTA without a msgid to log
> (usually a sign of either a forged message or a brain-damaged
> sending MTA).
> 
> The standard sendmail config will add a locally generated msgid to
> such messages but the "milter" interface is handed the message in the
> form that it arrived (IE before any local header adding or modification).
> 
> So if the message was sent to you without a msgid, your SA will not log
> any msgid.
> 
  thx info, that mean that if email don't given msgid when arrived, sendmail
default will add itself id for this mail and this msgid will not pass to milter?
So is it no method to find related message from maillog at such case?

Re: sa missed to scan some of email

[David B Funk]

On Wed, 12 Apr 2006, martin wrote:

>also, just wonder why at spam.log, some scanned message can't log down 
> msgid
> (which at maillog using)

Because some messages arrive at your MTA without a msgid to log
(usually a sign of either a forged message or a brain-damaged
sending MTA).

The standard sendmail config will add a locally generated msgid to
such messages but the "milter" interface is handed the message in the
form that it arrived (IE before any local header adding or modification).

So if the message was sent to you without a msgid, your SA will not log
any msgid.


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: sa missed to scan some of email

[martin]

Matt Kettler  comcast.net> writes:

> 
> martin wrote:
> > Matt Kettler  comcast.net> writes:
> >
> >   
> >> martin wrote:
> >thx info, that seem the cause, becoz the email att. with a 
> >image around 250k in size.
> >just wonder, can this parameter tuneable from config file? And SA had any
> > ruleset to due with a image spamming email?
> 
> Normally this is tunable as a parameter to spamc.  I'm not sure how this
> works with spamass-milter, but it will be on that end of the system you
> have to tune.
> 
  just found from man spamc, -s max_size (default: 250k). But will SA spammed by
larger image mail?

   also, just wonder why at spam.log, some scanned message can't log down msgid
(which at maillog using)

Re: sa missed to scan some of email

[Matt Kettler]

martin wrote:
> Matt Kettler  comcast.net> writes:
>
>   
>> martin wrote:
>> 
>>>   using spamassassin-3.0.4-2, spamass-milter-0.3.0, clamav-0.88,
>>> clamav-milter-0.88, sendmail-8.13.1 under FC3. All parts seem work fine, but
>>> found some mails had dropped to mbox directly and seem not scanned 
>>> by sa (X-Spam header had not added, spam.log can't found related message). >
>>> The system (P4,512M ram) seem not too busy.
>>>   
>> How big were the messages? By default most tools bypass scanning of
>> large messages because they bog SA down, and rarely turn out to be spam.
>> By default, spamc does this at 250k, and spamass-milter probably has a
>> similar threshold.
>> 
>thx info, that seem the cause, becoz the email att. with a image around 
> 250k
> in size.
>just wonder, can this parameter tuneable from config file? And SA had any
> ruleset to due with a image spamming email?
>
>   

Normally this is tunable as a parameter to spamc.  I'm not sure how this
works with spamass-milter, but it will be on that end of the system you
have to tune.

Re: sa missed to scan some of email

[martin]

Matt Kettler  comcast.net> writes:

> 
> martin wrote:
> >   using spamassassin-3.0.4-2, spamass-milter-0.3.0, clamav-0.88,
> > clamav-milter-0.88, sendmail-8.13.1 under FC3. All parts seem work fine, but
> > found some mails had dropped to mbox directly and seem not scanned 
> > by sa (X-Spam header had not added, spam.log can't found related message). >
> > The system (P4,512M ram) seem not too busy.
> How big were the messages? By default most tools bypass scanning of
> large messages because they bog SA down, and rarely turn out to be spam.
> By default, spamc does this at 250k, and spamass-milter probably has a
> similar threshold.
   thx info, that seem the cause, becoz the email att. with a image around 250k
in size.
   just wonder, can this parameter tuneable from config file? And SA had any
ruleset to due with a image spamming email?

> >   another problem is, i found that at spam.log, some message id of 
> > message (e.g "processing message  for spamass:59") show "unknown" 
> > rather than the related msgid at maillog.
> Check the timestamp in the Received: header against the timestamp of the
> log message?
   but without the msgid info, how can i related mail at maillog? coz the
spam.log just log spamc its pid, connection and scoring info. I just found the
msgid info related to maillog.

   thx again

Re: sa missed to scan some of email

[Matt Kettler]

martin wrote:
>   using spamassassin-3.0.4-2, spamass-milter-0.3.0, clamav-0.88,
> clamav-milter-0.88, sendmail-8.13.1 under FC3. All parts seem work fine, but
> found some mails had dropped to mbox directly and seem not scanned by sa 
> (X-Spam
> header had not added, spam.log can't found related message). The system (P4,
> 512M ram) seem not too busy.
>   
How big were the messages? By default most tools bypass scanning of
large messages because they bog SA down, and rarely turn out to be spam.

By default, spamc does this at 250k, and spamass-milter probably has a
similar threshold.
>   another problem is, i found that at spam.log, some message id of message 
> (e.g
> "processing message  for spamass:59") show "unknown" rather than the
> related msgid at maillog.
>   so, how can i sure that message had been scanned by spamassassin and found
> related record from spam.log to maillog? thx
>   
Check the timestamp in the Received: header against the timestamp of the
log message?
>   
>
>
>