I've been running SA 3.04 / ClamAV 0.86.2 / qmail-scanner 1.25st for about 2 
months now. Things have been working perfectly. I wrote my own stats parsing 
script to dump things into a database so I can break down stats based on 
domains, spammers, etc. (I have two mail servers acting as load balancers; a 
3rd server is where the SQL db sits.)

Today, we added a new client to our filtering system, and this client is 
receiving email from one address that seemed like a duplicate mysql insert at 
first to me, but after investigating further, the mails were actually listed in 
/var/spool/qmailscan/mailstats.csv. These are the lines in question in 
mailstats.csv:

8357:Wed, 14 Sep 2005 14:06:54 EDT      Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.683338        10027   [EMAIL PROTECTED]      [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage!       <[EMAIL PROTECTED]>      unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8358:Wed, 14 Sep 2005 14:06:54 EDT      Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.683338        10027   [EMAIL PROTECTED]      [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage!       <[EMAIL PROTECTED]>      unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8359:Wed, 14 Sep 2005 14:06:54 EDT      Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.683338        10027   [EMAIL PROTECTED]      [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage!       <[EMAIL PROTECTED]>      unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8360:Wed, 14 Sep 2005 14:06:54 EDT      Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.683338        10027   [EMAIL PROTECTED]      [EMAIL PROTECTED]       Utica Homeowners will soon offer Identity Theft Coverage!       <[EMAIL PROTECTED]>       unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8361:Wed, 14 Sep 2005 14:06:54 EDT      Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.683338        10027   [EMAIL PROTECTED]      [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage!       <[EMAIL PROTECTED]>      unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8362:Wed, 14 Sep 2005 14:06:54 EDT      Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.683338        10027   [EMAIL PROTECTED]      [EMAIL PROTECTED]       Utica Homeowners will soon offer Identity Theft Coverage!       <[EMAIL PROTECTED]>       unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8363:Wed, 14 Sep 2005 14:06:54 EDT      Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.683338        10027   [EMAIL PROTECTED]      [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!       <[EMAIL PROTECTED]>      unig45.gif:5863 1126721210.30212-0.MAILER-02:1109

That's just a sample from mailstats.csv. As it says, SA deems it spam at 5.6 
points, and tags it and passes it along (I think). However, a few things 
confuse me with this. First of all, multiple entries under the same exact 
timestamp seem odd to me. Every piece of data in each line is identical. This 
doesn't seem normal, or correct. Secondly, there is NO record of the sender's 
email address in /var/spool/qmailscan/qmail-queue.log OR /var/log/maillog. It 
only appears in mailstats.csv. Furthermore, when adding the blacklist_from 
preference for this domain in my SQL database, I still see entries from this 
user in mailstats.csv with the score of 5.6, obviously ignoring my blacklist. 
Also, the 5.0 is telling as well, as I have a required_hits preference for this 
domain set to 4.0. Scanning through mailstats.csv shows that I have even more 
entries which set 5.0 as the bar for spam, incorrectly:

4278:Wed, 14 Sep 2005 09:41:25 EDT      SA:SPAM-DELETE:RC:0(222.108.160.49):SA:1(21.1/5.0):     0       1385    [EMAIL PROTECTED]      [EMAIL PROTECTED]       Solid Funding hassle free       <[EMAIL PROTECTED]>     MAILER-02112670527972228950-unpacked:1385
4279:Wed, 14 Sep 2005 09:41:25 EDT      SA:SPAM-DELETE:RC:0(222.108.160.49):SA:1(21.1/5.0):     0       1385    [EMAIL PROTECTED]      [EMAIL PROTECTED]    Solid Funding hassle free       <[EMAIL PROTECTED]>     MAILER-02112670527972228950-unpacked:1385

However, there ARE lines that display correct information:

4298:Wed, 14 Sep 2005 09:41:58 EDT      SA:SPAM-DELETE:RC:0(216.195.74.34):SA:1(10.8/4.0):      0       3658    [EMAIL PROTECTED]     [EMAIL PROTECTED]    Undeliverable Mail      <[EMAIL PROTECTED]>  MAILER-02112670531272229114-unpacked:3658
4309:Wed, 14 Sep 2005 09:42:16 EDT      Clear:RC:0(209.51.158.242):SA:0(-0.6/4.0):      5.509505        3384    [EMAIL PROTECTED]      [EMAIL PROTECTED]   Automatic message from SafestMail (c2FmZXN0bWFpbF9yZXBseQ==-OTkzMDE4MDE1)       <[EMAIL PROTECTED]>   1126705331.29238-0.MAILER-02:2226

Note the 4.0. 

I'm so confused... I can't seem to find the reason why it isn't logging to 
qmail-queue.log for certain messages. There IS a correlation, however, between 
when it doesn't log to qmail-queue.log, and when it uses a base score of 5.0 
instead of the sql-deemed 4.0. It seems both of those conditions occur together 
on these 'problem' messages.

Can anyone shed some light on this for me? Thank you so much

Matthew Yette
Senior Engineer (NOC/Operations)
M.A. Polce Consulting
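The two anomalies described in the post (identical entries repeated under one timestamp, and a logged required_hits of 5.0 where the per-domain SQL preference says 4.0) can be picked out of mailstats.csv mechanically. The script below is an added example, not the poster's own stats script or part of qmail-scanner; it assumes the file is tab-separated with the column order visible in the quoted lines (date, verdict, scan seconds, size, sender, recipient, subject, message-id, attachments), and the sample lines and addresses in it are constructed stand-ins for the redacted ones above.

```python
"""Flag duplicate entries and required_hits mismatches in a qmail-scanner
mailstats.csv.  Added example; column order and tab separation are assumptions
inferred from how the quoted lines wrap, and all sample data is constructed."""
import re
from collections import Counter

# Assumed mailstats.csv column order (qmail-scanner 1.25st, as seen in the post).
FIELDS = ("date", "verdict", "scan_secs", "size", "sender", "recipient",
          "subject", "msgid", "attachments")

# Matches the SpamAssassin part of the verdict, e.g. "SA:1(5.6/5.0)" or "SA:0(-0.6/4.0)".
SA_RE = re.compile(r"SA:(?P<flag>[01])\((?P<score>-?\d+(?:\.\d+)?)/(?P<req>\d+(?:\.\d+)?)\)")

# Constructed sample lines mirroring the post: three byte-identical "Clear" entries
# scored against 5.0, then two entries scored against the expected 4.0.
_DUP = "\t".join([
    "Wed, 14 Sep 2005 14:06:54 EDT", "Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):",
    "5.683338", "10027", "sender@example.net", "user@client.example",
    "Utica Homeowners will soon offer Identity Theft Coverage!",
    "<constructed-1@example.net>", "unig45.gif:5863 1126721210.30212-0.MAILER-02:1109",
])
SAMPLE_LINES = [
    _DUP, _DUP, _DUP,
    "\t".join([
        "Wed, 14 Sep 2005 09:41:58 EDT", "SA:SPAM-DELETE:RC:0(216.195.74.34):SA:1(10.8/4.0):",
        "0", "3658", "bounce@example.com", "user@client.example", "Undeliverable Mail",
        "<constructed-2@example.com>", "MAILER-02112670531272229114-unpacked:3658",
    ]),
    "\t".join([
        "Wed, 14 Sep 2005 09:42:16 EDT", "Clear:RC:0(209.51.158.242):SA:0(-0.6/4.0):",
        "5.509505", "3384", "notify@example.org", "user@client.example",
        "Automatic message from SafestMail", "<constructed-3@example.org>",
        "1126705331.29238-0.MAILER-02:2226",
    ]),
]


def parse_line(line):
    """Split one mailstats.csv line into a dict and pull the SA flag/score/threshold out."""
    parts = line.rstrip("\n").split("\t")
    parts += [""] * (len(FIELDS) - len(parts))          # pad short lines rather than crash
    rec = dict(zip(FIELDS, parts[:len(FIELDS)]))
    m = SA_RE.search(rec["verdict"])
    rec["sa_flag"] = int(m.group("flag")) if m else None
    rec["sa_score"] = float(m.group("score")) if m else None
    rec["sa_required"] = float(m.group("req")) if m else None
    return rec


def find_duplicates(records):
    """Entries that recur with identical timestamp, envelope, message-id and attachments."""
    def key(r):
        return (r["date"], r["sender"], r["recipient"], r["msgid"], r["attachments"])
    counts = Counter(key(r) for r in records)
    return {k: n for k, n in counts.items() if n > 1}


def find_threshold_mismatches(records, required_hits_by_domain, default=5.0):
    """Records whose logged required_hits disagrees with the recipient domain's setting.

    required_hits_by_domain stands in for the per-domain SQL preference; domains
    without an entry are expected to use SpamAssassin's default of 5.0."""
    out = []
    for r in records:
        domain = r["recipient"].rpartition("@")[2].lower()
        expected = required_hits_by_domain.get(domain, default)
        if r["sa_required"] is not None and abs(r["sa_required"] - expected) > 1e-9:
            out.append((r["msgid"], r["recipient"], r["sa_required"], expected))
    return out


if __name__ == "__main__":
    recs = [parse_line(l) for l in SAMPLE_LINES]
    for k, n in find_duplicates(recs).items():
        print(f"{n}x duplicate: {k[0]} {k[1]} -> {k[2]} {k[3]}")
    for msgid, rcpt, got, want in find_threshold_mismatches(recs, {"client.example": 4.0}):
        print(f"threshold mismatch: {msgid} to {rcpt}: logged {got}, expected {want}")
```

Run against a real file with `[parse_line(l) for l in open("/var/spool/qmailscan/mailstats.csv")]` and the domain map loaded from the same SQL table that holds required_hits; every message flagged by both checks at once is a candidate for cross-referencing against qmail-queue.log, which is exactly the correlation the post describes.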
