Re: SA Sometimes Being Bypassed?
w == wolfgang [EMAIL PROTECTED] writes:

w In an older episode (Friday 20 May 2005 18:07), Jake Colman wrote:

      When my server is up, all email is processed by my SA. If my server is down, my email is held for me at the backup MX. When my server comes back, the backup MX sends me all my email. It appears to me that when my email is delivered in that scenario, it bypassed my SA.

w I think it would be helpful to compare the headers of scanned mails and
w unscanned mails line by line to understand the difference. Also, have
w procmail add some X-Been-There `hostname` header to be sure you see
w if the mail has passed through procmail and use VERBOSE=yes in
w procmail, and re-activate the LOGFILE=* line and read the procmail log
w to see what happens there.

I just spent a tremendous amount of time redoing my sendmail and SA configuration as part of a server upgrade. Because of this, I totally reviewed my setup and think I understand what I'm doing and I think it is all working correctly. However, I am still convinced that some messages, namely those received after I have been offline for some period of time, are not being processed by my SA. My server was offline yesterday for quite a few hours while I redid my sendmail and SA configuration.
Here are the relevant headers for an email that was received shortly after I came back online:

--
Received: from mxout1.mailhop.org (mxout1.mailhop.org [63.208.196.165])
        by jnc.com (8.12.10/8.12.10) with ESMTP id j4OM0x8f014346
        for [EMAIL PROTECTED]; Tue, 24 May 2005 20:23:10 -0400
Received: from mxin2.mailhop.org ([63.208.196.176] helo=mx1.mailhop.org)
        by mxout1.mailhop.org with esmtp (Exim 4.51)
        id 1DaKRJ-tj-1W
        for [EMAIL PROTECTED]; Mon, 23 May 2005 17:26:21 -0400
Received: from [200.195.76.46] (helo=microsof-626218)
        by mx1.mailhop.org with esmtp (Exim 4.51)
        id 1DaKRF-0006gy-3Z
        for [EMAIL PROTECTED]; Mon, 23 May 2005 17:26:21 -0400
MIME-Version: 1.0
X-Mailer: Internal Email Service (4.2.1.698)
Message-ID: [EMAIL PROTECTED]
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Mail-Handler: MailHop by DynDNS.org
X-Spam-Score: -1.7 (-)
--

After my server was back on-line for a while, this is what the headers look like:

--
Received: from mxout2.mailhop.org (mxout2.mailhop.org [63.208.196.166])
        by jnc.com (8.12.10/8.12.10) with ESMTP id j4PCQB4r009971
        for [EMAIL PROTECTED]; Wed, 25 May 2005 08:26:13 -0400
Received: from mxin2.mailhop.org ([63.208.196.176] helo=mx1.mailhop.org)
        by mxout2.mailhop.org with esmtp (Exim 4.51)
        id 1Dauxf-000DBG-5N
        for [EMAIL PROTECTED]; Wed, 25 May 2005 08:26:11 -0400
Received: from nmfs2.direct-notice.com ([71.4.247.139])
        by mx1.mailhop.org with esmtp (Exim 4.51)
        id 1Dauxa-0005fs-AT
        for [EMAIL PROTECTED]; Wed, 25 May 2005 08:26:10 -0400
Received: from NMFS2 (nmfs2.direct-notice.com)
        by NMFS2.DIRECT-NOTICE.COM (LSMTP for Windows NT v1.1b) with SMTP id [EMAIL PROTECTED];
        Wed, 25 May 2005 7:48:23 -0400
X-Mailerinfo: OTHR_JDR1218504 :: 7_050525_PRIME2_UN
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==OTHR_JDR1218504
X-Mail-Handler: MailHop by DynDNS.org
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on firewall.jnchome.com
X-Spam-Level:
X-Spam-Status: No, score=4.3 required=5.0 tests=ALL_TRUSTED,HTML_90_100,
        HTML_IMAGE_ONLY_12,HTML_MESSAGE,MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,
        RAZOR2_CHECK,SARE_RECV_IP_071004200,URIBL_SBL autolearn=no version=3.0.3
--

What could possibly explain this? And how do I figure this out and fix it? How do I configure procmail to add a header so I can verify whether all my email is passing through my procmail?

This is my current /etc/procmailrc:

    DROPPRIVS=yes
    ##LOGFILE=/var/log/procmail
    PATH=/usr/bin:/usr/local/bin
    MAILDIR=$HOME/mail

    # file mail already tagged SPAM by the upstream relay
    :0:
    * ^Subject:.*SPAM
    caughtspam

    # pipe everything under 256000 bytes through spamc (filter, wait for exit)
    :0fw
    * < 256000
    | spamc

    # file whatever spamc flagged
    :0:
    * ^X-Spam-Status: Yes
    caughtspam

Thanks!

...Jake

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
Re: SA Sometimes Being Bypassed?
In an older episode (Friday 20 May 2005 18:07), Jake Colman wrote:

      When my server is up, all email is processed by my SA. If my server is down, my email is held for me at the backup MX. When my server comes back, the backup MX sends me all my email. It appears to me that when my email is delivered in that scenario, it bypassed my SA.

I think it would be helpful to compare the headers of scanned mails and unscanned mails line by line to understand the difference. Also, have procmail add some X-Been-There `hostname` header to be sure you see if the mail has passed through procmail and use VERBOSE=yes in procmail, and re-activate the LOGFILE=* line and read the procmail log to see what happens there.

regards, wolfgang
Re: SA Sometimes Being Bypassed?
Jake, have a look at the output of spamassassin -D --lint mailmessage. You might be trusting the secondary MX or it might be bypassing your SA system altogether.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Jake Colman wrote:

      If my sendmail server is down, a backup MX in a different domain catches all my email. When my sendmail server comes back up, the backup MX dumps all the mail it's been holding for me. It seems that all the email sent to me in this manner bypasses my SA filtering. Why should this be? I believe that what I am saying is accurate because if I examine the email headers for emails sent by the backup MX, they do not have my X-Spam headers. Thanks for any help.

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: SA Sometimes Being Bypassed?
MK == Matt Kettler [EMAIL PROTECTED] writes:

MK Jake Colman wrote:

      If my sendmail server is down, a backup MX in a different domain catches all my email. When my sendmail server comes back up, the backup MX dumps all the mail it's been holding for me. It seems that all the email sent to me in this manner bypasses my SA filtering. Why should this be? I believe that what I am saying is accurate because if I examine the email headers for emails sent by the backup MX, they do not have my X-Spam headers.

MK How do you call spamassassin for your normal mail?

MK Without knowing how normal mail gets to SA, it's hard to guess why
MK mail from the secondary isn't getting to SA.

I use a /etc/procmailrc with the following contents:

    DROPPRIVS=yes
    ##LOGFILE=/var/log/procmail
    PATH=/usr/bin:/usr/local/bin
    MAILDIR=$HOME/mail

    # file mail already tagged SPAM by the upstream relay
    :0:
    * ^Subject:.*SPAM
    caughtspam

    # pipe everything under 256000 bytes through spamc (filter, wait for exit)
    :0fw
    * < 256000
    | spamc

    # file whatever spamc flagged
    :0:
    * ^X-Spam-Status: Yes
    caughtspam

This should file all emails flagged with SPAM in the subject (my emails get pre-filtered by a relay box) in a 'caughtspam' folder. All other mails are piped through spamc and then, if X-Spam-Status is 'Yes', they also get filed in 'caughtspam'.

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
Re: SA Sometimes Being Bypassed?
Jake Colman wrote:

   MK == Matt Kettler [EMAIL PROTECTED] writes:

   MK Jake Colman wrote:

         If my sendmail server is down, a backup MX in a different domain catches all my email. When my sendmail server comes back up, the backup MX dumps all the mail it's been holding for me. It seems that all the email sent to me in this manner bypasses my SA filtering. Why should this be? I believe that what I am saying is accurate because if I examine the email headers for emails sent by the backup MX, they do not have my X-Spam headers.

   MK How do you call spamassassin for your normal mail?

   MK Without knowing how normal mail gets to SA, it's hard to guess why
   MK mail from the secondary isn't getting to SA.

   I use a /etc/procmailrc with the following contents:

Hmmm, does the unscanned mail get delivered to a mailbox on the server running procmail, or does it go around it? Check your Received: headers.
Re: SA Sometimes Being Bypassed?
Martin Hepworth wrote:

      Jake, have a look at the output of spamassassin -D --lint mailmessage. You might be trusting the secondary MX or it might be bypassing your SA system altogether.

SpamAssassin's concept of trust has nothing to do with it.

There are no X-Spam-* headers, so SA is being bypassed completely. SA ALWAYS adds at least an X-Spam-Checker-Version header, regardless of trust. (unless you use spamc and the size is over the limit for -s).

Based on the procmail config that Jake posted, one of the following must be true:

1) the messages are too large to be scanned (250k) and thus being bypassed by spamc (250k-255k) or his procmail rule (256k).

2) the messages from the secondary are never reaching the box that runs SA via procmail, and are being delivered to a mailbox elsewhere.

3) The messages from the secondary are reaching the box running SA via procmail, but are relayed without local delivery. (procmail only gets called as the message is delivered on the local box)

I suspect 2). Particularly if there's some kind of fetchmail, multi-server-pop-client, or internal groupware server involved in the picture.

3) Is really a theoretical problem, it's possible but highly unlikely. You'd have a pretty weird server that relays mail for a user only if it came in from a secondary MX.

Looking at the Received: path and size of some of the messages should clear up what's going on.
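A small triage script for the check Matt describes here (Received: path plus size) and for the question Jake asks in his message with the two header sets above (which of his messages actually reached procmail and spamc). This is an added example, not code from the thread or from SpamAssassin: it parses one raw message, lists its Received: hops oldest-first, reports whether the X-Spam-Checker-Version stamp is present, whether the message ever reached the local MTA, and whether its size crosses either limit mentioned in the thread (spamc's -s default of 250k as Matt quotes it, and the `* < 256000` procmail condition). The two sample messages are constructed, modelled on the headers Jake posted with the addresses replaced; LOCAL_HOST and BACKUP_MX are assumptions read off those headers.

```python
"""Triage mail headers for the "is SpamAssassin being bypassed?" question.

Added example, not code from the thread.  For one raw message it lists the
Received: hops oldest-first, reports whether SpamAssassin stamped it, whether
it ever reached the local MTA, and whether its size crosses the limits the
thread mentions (spamc's -s default and the `* < 256000` procmail condition).
The sample messages below are constructed, modelled on the headers Jake
posted, with addresses replaced.
"""
import email
import re
from email import policy

# Assumptions taken from the posted headers, not facts stated in the thread.
LOCAL_HOST = "jnc.com"         # MTA that should hand mail to procmail
BACKUP_MX = "mailhop.org"      # secondary MX that queues mail during outages
SPAMC_MAX_BYTES = 250_000      # spamc -s default as quoted by Matt
PROCMAIL_MAX_BYTES = 256_000   # the `* < 256000` condition in Jake's recipe

# "from <host> ... by <host>"; the "from" clause is optional in some MTAs' lines.
_HOP = re.compile(r"(?:from\s+(?P<src>\S+).*?)?\bby\s+(?P<dst>\S+)", re.I)


def _in_domain(host, domain):
    host = host.lower().rstrip(";,")
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """Return [(from_host, by_host), ...] with the oldest hop first.

    Each MTA prepends its own Received: line, so the order in the message is
    newest-first; reverse it to read the path chronologically.
    """
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())      # unfold continuation lines
        m = _HOP.search(text)
        if m:
            hops.append((m.group("src") or "?", m.group("dst")))
    hops.reverse()
    return hops


def triage(raw):
    """Classify one message against the three cases Matt lists."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    size = len(raw.encode("utf-8"))
    report = {
        "hops": hops,
        "size": size,
        # SA adds X-Spam-Checker-Version to every message it actually sees.
        "sa_stamped": msg.get("X-Spam-Checker-Version") is not None,
        "via_backup_mx": any(_in_domain(src, BACKUP_MX) for src, _ in hops),
        "reached_local": any(_in_domain(dst, LOCAL_HOST) for _, dst in hops),
        "over_spamc_limit": size > SPAMC_MAX_BYTES,
        "over_procmail_limit": size >= PROCMAIL_MAX_BYTES,
    }
    if report["sa_stamped"]:
        verdict = "scanned"
    elif not report["reached_local"]:
        verdict = "never reached the local MTA (case 2)"
    elif report["over_spamc_limit"] or report["over_procmail_limit"]:
        verdict = "skipped by a size limit (case 1)"
    else:
        verdict = "reached the local MTA but not stamped: check the procmail log (case 2 or 3)"
    report["verdict"] = verdict
    return report


# Constructed sample, modelled on the unstamped message in the thread.
UNSCANNED = """\
Received: from mxout1.mailhop.org (mxout1.mailhop.org [63.208.196.165])
    by jnc.com (8.12.10/8.12.10) with ESMTP id j4OM0x8f014346
    for <jake@jnc.example>; Tue, 24 May 2005 20:23:10 -0400
Received: from mxin2.mailhop.org ([63.208.196.176] helo=mx1.mailhop.org)
    by mxout1.mailhop.org with esmtp (Exim 4.51) id 1DaKRJ-tj-1W
    for <jake@jnc.example>; Mon, 23 May 2005 17:26:21 -0400
Received: from [200.195.76.46] (helo=microsof-626218)
    by mx1.mailhop.org with esmtp (Exim 4.51) id 1DaKRF-0006gy-3Z
    for <jake@jnc.example>; Mon, 23 May 2005 17:26:21 -0400
Message-ID: <constructed-1@jnc.example>
X-Mail-Handler: MailHop by DynDNS.org

(constructed body)
"""

# Constructed sample, modelled on the stamped message in the thread.
SCANNED = """\
Received: from mxout2.mailhop.org (mxout2.mailhop.org [63.208.196.166])
    by jnc.com (8.12.10/8.12.10) with ESMTP id j4PCQB4r009971
    for <jake@jnc.example>; Wed, 25 May 2005 08:26:13 -0400
Received: from nmfs2.direct-notice.com ([71.4.247.139])
    by mx1.mailhop.org with esmtp (Exim 4.51) id 1Dauxa-0005fs-AT
    for <jake@jnc.example>; Wed, 25 May 2005 08:26:10 -0400
Message-ID: <constructed-2@jnc.example>
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on firewall.jnchome.com
X-Spam-Status: No, score=4.3 required=5.0 tests=ALL_TRUSTED,HTML_MESSAGE
    autolearn=no version=3.0.3

(constructed body)
"""

if __name__ == "__main__":
    for name, raw in (("unscanned", UNSCANNED), ("scanned", SCANNED)):
        r = triage(raw)
        print(f"{name}: {r['verdict']} ({r['size']} bytes)")
        for src, dst in r["hops"]:
            print(f"  {src} -> {dst}")
```

Run it over a handful of messages saved from the batch the backup MX delivered. A hop ending in "by jnc.com" means the message did reach the sendmail box, so what is left to establish is whether sendmail's local delivery handed that particular message to procmail; that is the procmail-side test wolfgang proposes, and a recipe placed ahead of the spamc one, :0 fw followed by | formail -A "X-Been-There: `hostname`", stamps every message procmail sees, while VERBOSE=yes with an active LOGFILE line records which recipe matched.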
Re: SA Sometimes Being Bypassed?
Let me explain this system, since it might be relevant to the discussion.

This is a simple home-based network server that is processing mail for its own domain. This domain (jnc.com) is known to the world and all email sent to [EMAIL PROTECTED] is delivered to the sendmail running on my box. All users have their mailboxes on this system and they use imap to view their email. Since this machine has a dynamic IP address I use dyndns to host the DNS and MX entries for jnc.com. I also use them as a mail relay to forward all my email to my sendmail server and as a backup MX if my server is down.

When my server is up, all email is processed by my SA. If my server is down, my email is held for me at the backup MX. When my server comes back, the backup MX sends me all my email. It appears to me that when my email is delivered in that scenario, it bypassed my SA. Is this at all possible? Or if it works for one scenario it must work for both? The size of the email should not be an issue since it is all the standard spam crap we all get.

...Jake

MK == Matt Kettler [EMAIL PROTECTED] writes:

MK Martin Hepworth wrote:

      Jake, have a look at the output of spamassassin -D --lint mailmessage. You might be trusting the secondary MX or it might be bypassing your SA system altogether.

MK SpamAssassin's concept of trust has nothing to do with it.

MK There are no X-Spam-* headers, so SA is being bypassed completely.
MK SA ALWAYS adds at least an X-Spam-Checker-Version header, regardless of trust.
MK (unless you use spamc and the size is over the limit for -s).

MK Based on the procmail config that Jake posted, one of the following must be true:

MK 1) the messages are too large to be scanned (250k) and thus being bypassed by
MK spamc (250k-255k) or his procmail rule (256k).

MK 2) the messages from the secondary are never reaching the box that runs SA via
MK procmail, and are being delivered to a mailbox elsewhere.

MK 3) The messages from the secondary are reaching the box running SA via procmail,
MK but are relayed without local delivery. (procmail only gets called as the
MK message is delivered on the local box)

MK I suspect 2). Particularly if there's some kind of fetchmail,
MK multi-server-pop-client, or internal groupware server involved in the picture.

MK 3) Is really a theoretical problem, it's possible but highly unlikely. You'd
MK have a pretty weird server that relays mail for a user only if it came in from a
MK secondary MX.

MK Looking at the Received: path and size of some of the messages should clear up
MK what's going on.

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
Re: SA Sometimes Being Bypassed?
Jake Colman wrote:

      If my sendmail server is down, a backup MX in a different domain catches all my email. When my sendmail server comes back up, the backup MX dumps all the mail it's been holding for me. It seems that all the email sent to me in this manner bypasses my SA filtering. Why should this be? I believe that what I am saying is accurate because if I examine the email headers for emails sent by the backup MX, they do not have my X-Spam headers.

How do you call spamassassin for your normal mail?

Without knowing how normal mail gets to SA, it's hard to guess why mail from the secondary isn't getting to SA.