HowtoForge Forums > Linux Forums > HOWTO-Related Questions

#1 Thomas_Powers, 4th June 2008, 19:11
Ubuntu 8.04 Spamsnake - all SA scores 0.00

Hello HTF guys!!

Let's get this out right now...I be a newbie at the Linux world, so the problem here is probably simple to you guys. Anyway, I have followed the step-by-steps on building the Perfect SpamSnake on Ubuntu 8.04 (which kicks the snot out of our Barracuda for capabilities).

But when I went active, all messages that came in got a spam score of 0.00, so it's letting everything through. When I run the SpamAssassin lint test, everything is cool and it gets a progressive score in the test of like 5 or so, so I'm a bit stumped as to where to look on this one.

All help is greatly appreciated.

Tom Powers

#2 Rocky, 4th June 2008, 22:10

Hey Tom,

Glad to hear another user is working with the SpamSnake! I'd be more than happy to help you out. First, are you using Sendmail or Postfix? Do you see the mails in the MailWatch interface? Finally, post the output of mail.log.

Rocky
__________________
Home of the SpamSnake

#3 Thomas_Powers, 4th June 2008, 22:23

Good to hear back from you!!

We are using Postfix.

I see the emails in MailWatch just fine.

Here's the last 100 lines of the mail log. At the top you'll see some of the messages coming in. Then towards the bottom, you'll see a complete reload of Postfix after we added a couple domains to hopefully try again once we get an idea of where to go here.

Jun 4 12:00:42 spam postfix/smtpd[20039]: connect from unknown[189.180.17.7]
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<terri.quinn@btinternet.com> to=<hicks7@ksfuel.com> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<terri.quinn@btinternet.com> to=<hicks@ksfuel.com> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<terri.quinn@btinternet.com> to=<hawkins@ksfuel.com> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a104.sub64.net78.udm.net[78.85.64.104]: 504 5.5.2 <fb979068bcb74f4>: Helo command rejected: need fully-qualified hostname; from=<ugdqqm@bonkworld.com> to=<boydd@ksfuel.com> proto=ESMTP helo=<fb979068bcb74f4>
Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a104.sub64.net78.udm.net[78.85.64.104]: 504 5.5.2 <fb979068bcb74f4>: Helo command rejected: need fully-qualified hostname; from=<ugdqqm@bonkworld.com> to=<boyd@ksfuel.com> proto=ESMTP helo=<fb979068bcb74f4>
Jun 4 12:00:43 spam postfix/smtpd[20051]: lost connection after DATA (0 bytes) from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]
Jun 4 12:00:43 spam postfix/smtpd[20051]: disconnect from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]
Jun 4 12:00:44 spam postfix/smtpd[20201]: lost connection after DATA (0 bytes) from a104.sub64.net78.udm.net[78.85.64.104]
Jun 4 12:00:44 spam postfix/smtpd[20201]: disconnect from a104.sub64.net78.udm.net[78.85.64.104]
Jun 4 12:00:44 spam postfix/smtpd[20039]: NOQUEUE: reject: RCPT from unknown[189.180.17.7]: 554 5.7.1 Service unavailable; Client host [189.180.17.7] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.180.17.7; from=<arver@americanins.com> to=<032ccc57@ksfuel.com> proto=ESMTP helo=<dsl-189-180-17-7.prod-infinitum.com.mx>
Jun 4 12:00:45 spam postfix/smtpd[20039]: lost connection after DATA (0 bytes) from unknown[189.180.17.7]
Jun 4 12:00:45 spam postfix/smtpd[20039]: disconnect from unknown[189.180.17.7]
Jun 4 12:00:45 spam postfix/smtpd[20041]: connect from unknown[88.235.36.128]
Jun 4 12:00:47 spam postfix/smtpd[20059]: warning: 91.134.11.192: hostname 91-134-11-192.niskar.multimedia-bg.net verification failed: Name or service not known
Jun 4 12:00:47 spam postfix/smtpd[20059]: connect from unknown[91.134.11.192]
Jun 4 12:00:48 spam postfix/smtpd[20059]: NOQUEUE: reject: RCPT from unknown[91.134.11.192]: 554 5.7.1 Service unavailable; Client host [91.134.11.192] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=91.134.11.192; from=<ekcinrew1971@BACR.ORG> to=<lawrence|lawrence@ksfuel.com> proto=ESMTP helo=<91-134-11-192.niskar.multimedia-bg.net>
Jun 4 12:00:48 spam postfix/smtpd[20059]: disconnect from unknown[91.134.11.192]
Jun 4 12:00:48 spam postfix/smtpd[20041]: NOQUEUE: reject: RCPT from unknown[88.235.36.128]: 554 5.7.1 Service unavailable; Client host [88.235.36.128] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=88.235.36.128; from=<sly@bondrap.com> to=<bradley@ksfuel.com> proto=ESMTP helo=<dsldevice.lan>
Jun 4 12:00:48 spam postfix/smtpd[20051]: connect from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
Jun 4 12:00:48 spam postfix/smtpd[20041]: lost connection after DATA (0 bytes) from unknown[88.235.36.128]
Jun 4 12:00:48 spam postfix/smtpd[20041]: disconnect from unknown[88.235.36.128]
Jun 4 12:00:48 spam postfix/smtpd[20045]: connect from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
Jun 4 12:00:48 spam postfix/smtpd[20278]: warning: 64.199.3.161: address not listed for hostname mail.iabusa.com
Jun 4 12:00:48 spam postfix/smtpd[20278]: connect from unknown[64.199.3.161]
Jun 4 12:00:49 spam postfix/smtpd[20201]: connect from a32-176.adsl.paltel.net[213.6.32.176]
Jun 4 12:00:49 spam postfix/smtpd[20045]: NOQUEUE: reject: RCPT from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]: 554 5.7.1 Service unavailable; Client host [82.136.126.158] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=82.136.126.158; from=<CarissatepidFenton@cottyn.com> to=<blkf@ksfuel.com> proto=SMTP helo=<medion.dzcmts001cpe001.datazug.ch>
Jun 4 12:00:50 spam postfix/smtpd[20045]: lost connection after RCPT from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
Jun 4 12:00:50 spam postfix/smtpd[20045]: disconnect from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
Jun 4 12:00:50 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a32-176.adsl.paltel.net[213.6.32.176]: 554 5.7.1 Service unavailable; Client host [213.6.32.176] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=213.6.32.176; from=<Darla-hsomehc@154154.com> to=<caldwell|caldwell@ksfuel.com> proto=ESMTP helo=<a32-176.adsl.paltel.net>
Jun 4 12:00:50 spam postfix/smtpd[20042]: warning: 88.233.113.253: hostname dsl88-233-29181.ttnet.net.tr verification failed: Name or service not known
Jun 4 12:00:50 spam postfix/smtpd[20042]: connect from unknown[88.233.113.253]
Jun 4 12:00:50 spam postfix/smtpd[20277]: connect from unknown[88.235.54.251]
Jun 4 12:00:50 spam postfix/smtpd[20201]: disconnect from a32-176.adsl.paltel.net[213.6.32.176]
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<bradleyd@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<brewerdd@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<brewerd@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<brewer@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:05:28 spam postfix/smtpd[20052]: SSL_accept error from 66-194-50-2.static.twtelecom.net[66.194.50.2]: -1
Jun 4 12:05:28 spam postfix/smtpd[20052]: lost connection after STARTTLS from 66-194-50-2.static.twtelecom.net[66.194.50.2]
Jun 4 12:05:28 spam postfix/smtpd[20052]: disconnect from 66-194-50-2.static.twtelecom.net[66.194.50.2]
Jun 4 12:05:49 spam postfix/smtpd[20278]: timeout after EHLO from unknown[64.199.3.161]
Jun 4 12:05:49 spam postfix/smtpd[20278]: disconnect from unknown[64.199.3.161]
Jun 4 12:05:50 spam postfix/smtpd[20042]: timeout after CONNECT from unknown[88.233.113.253]
Jun 4 12:05:50 spam postfix/smtpd[20042]: disconnect from unknown[88.233.113.253]
Jun 4 12:05:50 spam postfix/smtpd[20277]: timeout after CONNECT from unknown[88.235.54.251]
Jun 4 12:05:50 spam postfix/smtpd[20277]: disconnect from unknown[88.235.54.251]
Jun 4 12:05:51 spam postfix/smtpd[20051]: timeout after DATA (0 bytes) from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
Jun 4 12:05:51 spam postfix/smtpd[20051]: disconnect from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
Jun 4 12:07:24 spam postfix/qmgr[20005]: 9B648394093: from=<>, size=6061, nrcpt=1 (queue active)
Jun 4 12:07:25 spam postfix/smtp[20422]: 9B648394093: to=<telqdi@eline.com>, relay=mx4.eline.com[204.16.159.164]:25, delay=498, delays=498/0.01/0.21/0.48, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4EA7CA4033)
Jun 4 12:07:25 spam postfix/qmgr[20005]: 9B648394093: removed
Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max connection rate 8/60s for (smtp:87.21.72.54) at Jun 4 11:59:34
Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max connection count 4 for (smtp:122.162.83.111) at Jun 4 12:00:07
Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max cache size 60 at Jun 4 12:00:36
Jun 4 12:15:19 spam MailScanner[20493]: MailScanner E-Mail Virus Scanner version 4.68.8 starting...
Jun 4 12:15:20 spam MailScanner[20493]: Read 817 hostnames from the phishing whitelist
Jun 4 12:15:20 spam MailScanner[20493]: Read 5141 hostnames from the phishing blacklist
Jun 4 12:15:20 spam MailScanner[20493]: Config: calling custom init function MailWatchLogging
Jun 4 12:15:21 spam MailScanner[20493]: Started SQL Logging child
Jun 4 12:15:21 spam MailScanner[20493]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Jun 4 12:15:21 spam MailScanner[20493]: Using SpamAssassin results cache
Jun 4 12:15:22 spam MailScanner[20493]: Connected to SpamAssassin cache database
Jun 4 12:15:22 spam MailScanner[20493]: Enabling SpamAssassin auto-whitelist functionality...
Jun 4 12:15:25 spam MailScanner[20493]: ClamAV scanner using unrar command /usr/bin/unrar
Jun 4 12:15:26 spam MailScanner[20493]: Using locktype = flock
Jun 4 12:16:00 spam MailScanner[20527]: MailScanner E-Mail Virus Scanner version 4.68.8 starting...
Jun 4 12:16:00 spam MailScanner[20527]: Read 817 hostnames from the phishing whitelist
Jun 4 12:16:01 spam MailScanner[20527]: Read 5141 hostnames from the phishing blacklist
Jun 4 12:16:01 spam MailScanner[20527]: Config: calling custom init function MailWatchLogging
Jun 4 12:16:01 spam MailScanner[20527]: Started SQL Logging child
Jun 4 12:16:01 spam MailScanner[20527]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Jun 4 12:16:02 spam MailScanner[20527]: Using SpamAssassin results cache
Jun 4 12:16:02 spam MailScanner[20527]: Connected to SpamAssassin cache database
Jun 4 12:16:02 spam MailScanner[20527]: Enabling SpamAssassin auto-whitelist functionality...
Jun 4 12:16:06 spam MailScanner[20527]: ClamAV scanner using unrar command /usr/bin/unrar
Jun 4 12:16:06 spam MailScanner[20527]: Using locktype = flock
Jun 4 12:48:03 spam postfix/smtpd[21389]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
Jun 4 12:48:03 spam postfix/smtpd[21389]: connect from laptop1.ssi.private[10.0.0.44]
Jun 4 12:48:03 spam postfix/smtpd[21389]: lost connection after CONNECT from laptop1.ssi.private[10.0.0.44]
Jun 4 12:48:03 spam postfix/smtpd[21389]: disconnect from laptop1.ssi.private[10.0.0.44]
Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max connection rate 1/60s for (smtp:10.0.0.44) at Jun 4 12:48:03
Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max connection count 1 for (smtp:10.0.0.44) at Jun 4 12:48:03
Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max cache size 1 at Jun 4 12:48:03
Jun 4 14:12:24 spam postfix/smtpd[23678]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
Jun 4 14:12:24 spam postfix/smtpd[23678]: connect from laptop1.ssi.private[10.0.0.44]
Jun 4 14:12:24 spam postfix/smtpd[23678]: lost connection after CONNECT from laptop1.ssi.private[10.0.0.44]
Jun 4 14:12:24 spam postfix/smtpd[23678]: disconnect from laptop1.ssi.private[10.0.0.44]
Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max connection rate 1/60s for (smtp:10.0.0.44) at Jun 4 14:12:24
Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max connection count 1 for (smtp:10.0.0.44) at Jun 4 14:12:24
Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max cache size 1 at Jun 4 14:12:24

#4 Rocky, 4th June 2008, 22:41

You're getting the following error:
warning: database /etc/postfix/sender_access.db.

You need to postmap it using the following command:

Code:
postmap /etc/postfix/sender_access

Then:

Code:
postfix reload

Also, make sure you have the following set in your MailScanner.conf file:

Code:
Use SpamAssassin = yes

Last edited by Rocky; 4th June 2008 at 22:43.

#5 Thomas_Powers, 4th June 2008, 22:47
Error in postmap

OK...I ran the first postmap command and got this reply

postmap: warning: /etc/postfix/sender_access.db, line 0: expected format: key whitespace value

And I confirmed that the Use SpamAssassin entry is in the MailScanner.conf file.

Ideas?

TP

#6 Rocky, 4th June 2008, 22:48

My bad, the command is supposed to be:

Code:
 
postmap /etc/postfix/sender_access

#7 Thomas_Powers, 4th June 2008, 22:55
Getting closer

Well...it took that command, and the postfix reload.

I pointed the traffic back at the system, and we are still seeing the system letting everything through and all SA scores are 0.00; however, it did catch a virus out of one of these...so at least we have a functioning viruswall!!

Next step would be....?

I greatly appreciate your time and help in this

TomP

#8 Thomas_Powers, 4th June 2008, 23:35
Mail forwarding appears to be using DNS

I look through the mail log and I see that one of the domains we are filtering and forwarding for (this is a small ISP) seems to be grabbing MX records for relay out instead of using the SMTP entry in /etc/postfix/main.cf and in /etc/postfix/transport.

The log shows when forwarding the received email, the warning is that the host replied with our own name...

Jun 4 15:52:40 spam postfix/smtpd[26546]: connect from unknown[10.0.0.101]
Jun 4 15:52:40 spam postfix/smtp[26422]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtp[26422]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtpd[26440]: connect from unknown[10.0.0.101]
Jun 4 15:52:40 spam postfix/smtp[26560]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtp[26560]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtp[26422]: 69048394095: to=<jmakid@ksfuel.com>, relay=mail.ksfuel.com[65.211.156.114]:25, delay=12, delays=12/0/0.01/0, dsn=5.4.6, status=bounced (mail for ksfuel.com loops back to myself)
Jun 4 15:52:40 spam postfix/smtpd[26546]: disconnect from unknown[10.0.0.101]
Jun 4 15:52:40 spam postfix/smtp[26560]: D3A59394092: to=<jmakidd@ksfuel.com>, relay=mail.ksfuel.com[65.211.156.114]:25, delay=13, delays=13/0.01/0/0, dsn=5.4.6, status=bounced (mail for ksfuel.com loops back to myself)
Jun 4 15:52:40 spam postfix/smtpd[26440]: disconnect from unknown[10.0.0.101]



So...when relaying for these domains...it appears to be looking up MX records (mail.ksfuel.com) and getting our outside IP address of 65.211.156.114 instead of the entry I have in transport file of ksfuel.com smtp:[24.197.231.70]

#9 Thomas_Powers, 4th June 2008, 23:45
Could be????

Now is it possible I have the actions hosed up? I look in the logs and see stuff being blocked

entries such as

Jun 4 16:39:47 spam postfix/smtpd[27616]: NOQUEUE: reject: RCPT from unknown[85.104.12.29]: 554 5.7.1 Service unavailable; Client host [85.104.12.29] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=85.104.12.29; from=<petgord34truew@onlyinternet.net> to=<murray@ksfuel.com> proto=SMTP helo=<dsl85-104-3101.ttnet.net.tr>
Jun 4 16:39:47 spam postfix/smtpd[27417]: connect from unknown[200.127.131.151]
Jun 4 16:39:47 spam postfix/smtpd[27616]: disconnect from unknown[85.104.12.29]
Jun 4 16:39:48 spam postfix/smtp[27448]: 3526F394094: to=<jaana-naakniis@4esyt.com>, relay=smtp.secureserver.net[208.109.80.149]:25, delay=3.6, delays=0.02/0/3.5/0.09, dsn=5.0.0, status=bounced (host smtp.secureserver.net[208.109.80.149] said: 553 sorry, relaying denied from your location [65.211.156.114] (#5.7.1) (in reply to RCPT TO command))
Jun 4 16:39:48 spam postfix/qmgr[27394]: 3526F394094: removed
Jun 4 16:39:48 spam postfix/smtpd[27412]: connect from unknown[190.41.36.129]
Jun 4 16:39:49 spam postfix/smtpd[27409]: NOQUEUE: reject: RCPT from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]: 554 5.7.1 Service unavailable; Client host [72.87.113.34] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=72.87.113.34; from=<ehuyapjspq@bradbury.com.sg> to=<joseph@ksfuel.com> proto=ESMTP helo=<static-72-87-113-34.prvdri.fios.verizon.net>
Jun 4 16:39:49 spam postfix/smtpd[27409]: lost connection after DATA (0 bytes) from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]
Jun 4 16:39:49 spam postfix/smtpd[27409]: disconnect from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]
Jun 4 16:39:49 spam postfix/smtpd[27413]: connect from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]
Jun 4 16:39:49 spam postfix/smtpd[27417]: NOQUEUE: reject: RCPT from unknown[200.127.131.151]: 554 5.7.1 Service unavailable; Client host [200.127.131.151] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=200.127.131.151; from=<Rinelda-enicyerf@Fard.com> to=<fleming@ksfuel.com> proto=ESMTP helo=<200-127-140-34.dsl.prima.net.ar>
Jun 4 16:39:50 spam postfix/smtpd[27416]: connect from host121-211-dynamic.10-87-r.retail.telecomitalia.it[87.10.211.121]
Jun 4 16:39:50 spam postfix/smtpd[27413]: NOQUEUE: reject: RCPT from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]: 554 5.7.1 Service unavailable; Client host [86.149.182.199] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.149.182.199; from=<juugekis_1960@LubyPublishing.com> to=<deann@ksfuel.com> proto=ESMTP helo=<host86-149-182-199.range86-149.btcentralplus.com>
Jun 4 16:39:50 spam postfix/smtpd[27413]: disconnect from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]
Jun 4 16:39:50 spam postfix/smtpd[27412]: NOQUEUE: reject: RCPT from unknown[190.41.36.129]: 554 5.7.1 Service unavailable; Client host [190.41.36.129] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=190.41.36.129; from=<ksjsrvqvnub@bonniebethel.com> to=<fslnyq@ksfuel.com> proto=ESMTP helo=<[190.41.36.129]>
Jun 4 16:39:50 spam postfix/smtpd[27412]: NOQUEUE: reject: RCPT from unknown[190.41.36.129]: 554 5.7.1 Service unavailable; Client host [190.41.36.129] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=190.41.36.129; from=<ksjsrvqvnub@bonniebethel.com> to=<crwamr@ksfuel.com> proto=ESMTP helo=<[190.41.36.129]>


So I notice it's blocking using zen.spamhaus but I have told it to use the spamcop stuff...see configuration below. It's like I didn't get a setting to commit somewhere, eh? And the stuff that it is blocking is not showing up in the MailWatch window.


MailScanner Configuration
%org-name% Keylink Technologies
%org-long-name% Keylink Technologies
%web-site% www.klinktech.net
%etc-dir% /etc/MailScanner
%report-dir% /etc/MailScanner/reports/en
%rules-dir% /etc/MailScanner/rules
%mcp-dir% /etc/MailScanner/mcp
Max Children 1
Run As User postfix
Run As Group postfix
Queue Scan Interval 6
Incoming Queue Dir /var/spool/postfix/hold
Outgoing Queue Dir /var/spool/postfix/incoming
Incoming Work Dir /var/spool/MailScanner/incoming
Quarantine Dir /var/spool/MailScanner/quarantine
PID file /var/run/MailScanner/MailScanner.pid
Restart Every 7200
MTA postfix
Sendmail /usr/sbin/sendmail
Sendmail2 /usr/sbin/sendmail -DOUTGOING
Incoming Work Permissions 0600
Quarantine User root
Quarantine Group www-data
Quarantine Permissions 0660
Max Unscanned Bytes Per Scan 100m
Max Unsafe Bytes Per Scan 50m
Max Unscanned Messages Per Scan 30
Max Unsafe Messages Per Scan 30
Max Normal Queue Size 800
Scan Messages yes
Reject Message no
Maximum Attachments Per Message 200
Expand TNEF yes
Use TNEF Contents replace
Deliver Unparsable TNEF no
TNEF Expander /usr/bin/tnef --maxsize=100000000
TNEF Timeout 120
File Command /usr/bin/file
File Timeout 20
Gunzip Command /bin/gunzip
Gunzip Timeout 50
Unrar Command /usr/bin/unrar
Unrar Timeout 50
Find UU-Encoded Files no
Maximum Message Size /etc/MailScanner/rules/max.message.size.rules
Maximum Attachment Size -1
Minimum Attachment Size -1
Maximum Archive Depth 2
Find Archives By Content yes
Zip Attachments no
Attachments Zip Filename MessageAttachments.zip
Attachments Min Total Size To Zip 100k
Attachment Extensions Not To Zip .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Virus Scanning yes
Virus Scanners clamav
Virus Scanner Timeout 300
Deliver Disinfected Files no
Silent Viruses HTML-IFrame All-Viruses
Still Deliver Silent Viruses no
Non-Forging Viruses Joke/ OF97/ WM97/ W97M/ eicar
Block Encrypted Messages no
Block Unencrypted Messages no
Allow Password-Protected Archives no
Check Filenames In Password-Protected Archives yes
Sophos IDE Dir /opt/sophos-av/lib/sav
Sophos Lib Dir /opt/sophos-av/lib
Monitors For Sophos Updates /opt/sophos-av/lib/sav/*.ide
Monitors for ClamAV Updates /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
ClamAVmodule Maximum Recursion Level 8
ClamAVmodule Maximum Files 1000
ClamAVmodule Maximum File Size 10000000
ClamAVmodule Maximum Compression Ratio 250
Clamd Port 3310
Clamd Socket /var/run/clamav/clamd.ctl
Clamd Lock File /var/run/clamav/clamd.pid
Clamd Use Threads no
ClamAV Full Message Scan yes
Fpscand Port 10200
Dangerous Content Scanning yes
Allow Partial Messages no
Allow External Message Bodies no
Find Phishing Fraud yes
Also Find Numeric Phishing yes
Use Stricter Phishing Net yes
Highlight Phishing Fraud yes
Phishing Safe Sites File /etc/MailScanner/phishing.safe.sites.conf
Phishing Bad Sites File /etc/MailScanner/phishing.bad.sites.conf
Country Sub-Domains List /etc/MailScanner/country.domains.conf
Allow IFrame Tags disarm
Allow Form Tags disarm
Allow Script Tags disarm
Allow WebBugs disarm
Ignored Web Bug Filenames spacer pixel.gif pixel.png gap shim
Known Web Bug Servers msgtag.com
Web Bug Replacement http://www.mailscanner.tv/1x1spacer.gif
Allow Object Codebase Tags disarm
Convert Dangerous HTML To Text no
Convert HTML To Text no
Filename Rules /etc/MailScanner/filename.rules.conf
Filetype Rules /etc/MailScanner/filetype.rules.conf
Quarantine Infections yes
Quarantine Silent Viruses no
Quarantine Modified Body no
Quarantine Whole Message yes
Quarantine Whole Messages As Queue Files no
Keep Spam And MCP Archive Clean no
Language Strings /etc/MailScanner/reports/en/languages.conf
Rejection Report /etc/MailScanner/reports/en/rejection.report.txt
Deleted Bad Content Message Report /etc/MailScanner/reports/en/deleted.content.message.txt
Deleted Bad Filename Message Report /etc/MailScanner/reports/en/deleted.filename.message.txt
Deleted Virus Message Report /etc/MailScanner/reports/en/deleted.virus.message.txt
Deleted Size Message Report /etc/MailScanner/reports/en/deleted.size.message.txt
Stored Bad Content Message Report /etc/MailScanner/reports/en/stored.content.message.txt
Stored Bad Filename Message Report /etc/MailScanner/reports/en/stored.filename.message.txt
Stored Virus Message Report /etc/MailScanner/reports/en/stored.virus.message.txt
Stored Size Message Report /etc/MailScanner/reports/en/stored.size.message.txt
Disinfected Report /etc/MailScanner/reports/en/disinfected.report.txt
Inline HTML Signature /etc/MailScanner/reports/en/inline.sig.html
Inline Text Signature /etc/MailScanner/reports/en/inline.sig.txt
Signature Image Filename /etc/MailScanner/reports/en/sig.jpg
Signature Image Filename signature.jpg
Inline HTML Warning /etc/MailScanner/reports/en/inline.warning.html
Inline Text Warning /etc/MailScanner/reports/en/inline.warning.txt
Sender Content Report /etc/MailScanner/reports/en/sender.content.report.txt
Sender Error Report /etc/MailScanner/reports/en/sender.error.report.txt
Sender Bad Filename Report /etc/MailScanner/reports/en/sender.filename.report.txt
Sender Virus Report /etc/MailScanner/reports/en/sender.virus.report.txt
Sender Size Report /etc/MailScanner/reports/en/sender.size.report.txt
Hide Incoming Work Dir yes
Include Scanner Name In Reports yes
Mail Header X-Keylink Technologies-MailScanner:
Spam Header X-Keylink Technologies-MailScanner-SpamCheck:
Spam Score Header X-Keylink Technologies-MailScanner-SpamScore:
Add Envelope From Header yes
Add Envelope To Header no
Envelope From Header X-Keylink Technologies-MailScanner-From:
Envelope To Header X-Keylink Technologies-MailScanner-To:
Spam Score Character s
SpamScore Number Instead Of Stars no
Minimum Stars If On Spam List 0
Clean Header Value Found to be clean
Infected Header Value Found to be infected
Disinfected Header Value Disinfected
Information Header Value Please contact the ISP for more information
Detailed Spam Report yes
Include Scores In SpamAssassin Report yes
Always Include SpamAssassin Report no
Multiple Headers append
Hostname the Keylink Technologies ($HOSTNAME) MailScanner
Sign Messages Already Processed no
Sign Clean Messages yes
Attach Image To Signature no
Attach Image To HTML Message Only yes
Mark Infected Messages yes
Mark Unscanned Messages yes
Unscanned Header Value Not scanned: please contact your Internet E-Mail Service Provider for details
Remove These Headers X-Mozilla-Status: X-Mozilla-Status2:
Deliver Cleaned Messages yes
Notify Senders no
Notify Senders Of Viruses no
Notify Senders Of Blocked Filenames Or Filetypes yes
Notify Senders Of Blocked Size Attachments no
Notify Senders Of Other Blocked Content yes
Never Notify Senders Of Precedence list bulk
Scanned Modify Subject no
Scanned Subject Text {Scanned}
Virus Modify Subject start
Virus Subject Text {Virus?}
Filename Modify Subject start
Filename Subject Text {Filename?}
Content Modify Subject start
Content Subject Text {Dangerous Content?}
Size Modify Subject start
Size Subject Text {Size}
Disarmed Modify Subject start
Disarmed Subject Text {Disarmed}
Phishing Modify Subject no
Phishing Subject Text {Fraud?}
Spam Modify Subject start
Spam Subject Text {Spam?}
High Scoring Spam Modify Subject start
High Scoring Spam Subject Text {Spam?}
Warning Is Attachment yes
Attachment Warning Filename Keylink Technologies-Attachment-Warning.txt
Attachment Encoding Charset ISO-8859-1
Send Notices yes
Notices Include Full Headers yes
Hide Incoming Work Dir in Notices no
Notice Signature --
MailScanner
Email Virus Scanner
www.mailscanner.info
Notices From MailScanner
Notices To postmaster
Local Postmaster postmaster
Spam List Definitions /etc/MailScanner/spam.lists.conf
Virus Scanner Definitions /etc/MailScanner/virus.scanners.conf
Spam Checks yes
Spam List spamcop.net SBL+XBL
Spam Lists To Be Spam 1
Spam Lists To Reach High Score 3
Spam List Timeout 10
Max Spam List Timeouts 7
Spam List Timeouts History 10
Is Definitely Not Spam @SQLWhitelist
Is Definitely Spam @SQLBlacklist
Definite Spam Is High Scoring no
Ignore Spam Whitelist If Recipients Exceed 20
Max Spam Check Size 200k
Use Watermarking no
Add Watermark yes
Check Watermarks With No Sender yes
Treat Invalid Watermarks With No Sender as Spam nothing
Check Watermarks To Skip Spam Checks yes
Watermark Secret Keylink Technologies-Secret
Watermark Lifetime 604800
Watermark Header X-Keylink Technologies-MailScanner-Watermark:
Use SpamAssassin yes
Max SpamAssassin Size 200k
Required SpamAssassin Score 6
High SpamAssassin Score 10
SpamAssassin Auto Whitelist yes
SpamAssassin Timeout 75
Max SpamAssassin Timeouts 10
SpamAssassin Timeouts History 30
Check SpamAssassin If On Spam List yes
Include Binary Attachments In SpamAssassin no
Spam Score yes
Cache SpamAssassin Results yes
SpamAssassin Cache Database File /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Rebuild Bayes Every 0
Wait During Bayes Rebuild no
Use Custom Spam Scanner no
Max Custom Spam Scanner Size 20k
Custom Spam Scanner Timeout 20
Max Custom Spam Scanner Timeouts 10
Custom Spam Scanner Timeout History 20
Spam Actions store deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions store
Non Spam Actions store deliver header "X-Spam-Status: No"
Sender Spam Report /etc/MailScanner/reports/en/sender.spam.report.txt
Sender Spam List Report /etc/MailScanner/reports/en/sender.spam.rbl.report.txt
Sender SpamAssassin Report /etc/MailScanner/reports/en/sender.spam.sa.report.txt
Inline Spam Warning /etc/MailScanner/reports/en/inline.spam.warning.txt
Recipient Spam Report /etc/MailScanner/reports/en/recipient.spam.report.txt
Enable Spam Bounce /etc/MailScanner/rules/bounce.rules
Bounce Spam As Attachment no
Syslog Facility mail
Log Speed no
Log Spam no
Log Non Spam no
Log Permitted Filenames no
Log Permitted Filetypes no
Log Permitted File MIME Types no
Log Silent Viruses no
Log Dangerous HTML Tags no
Log SpamAssassin Rule Actions no
SpamAssassin Temporary Dir /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin User State Dir /var/spool/MailScanner/spamassassin
SpamAssassin Site Rules Dir /etc/mail/spamassassin
MCP Checks no
First Check spam
MCP Required SpamAssassin Score 1
MCP High SpamAssassin Score 10
MCP Error Score 1
MCP Header X-Keylink Technologies-MailScanner-MCPCheck:
Non MCP Actions deliver
MCP Actions deliver
High Scoring MCP Actions deliver
Bounce MCP As Attachment no
MCP Modify Subject start
MCP Subject Text {MCP?}
High Scoring MCP Modify Subject start
High Scoring MCP Subject Text {MCP?}
Is Definitely MCP no
Is Definitely Not MCP no
Definite MCP Is High Scoring no
Always Include MCP Report no
Detailed MCP Report yes
Include Scores In MCP Report no
Log MCP no
MCP Max SpamAssassin Timeouts 20
MCP Max SpamAssassin Size 100k
MCP SpamAssassin Timeout 10
MCP SpamAssassin Prefs File /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
MCP SpamAssassin Local Rules Dir /etc/MailScanner/mcp
MCP SpamAssassin Default Rules Dir /etc/MailScanner/mcp
MCP SpamAssassin Install Prefix /etc/MailScanner/mcp
Recipient MCP Report /etc/MailScanner/reports/en/recipient.mcp.report.txt
Sender MCP Report /etc/MailScanner/reports/en/sender.mcp.report.txt
Use Default Rules With Multiple Recipients no
Spam Score Number Format %d
MailScanner Version Number 4.68.8
SpamAssassin Cache Timings 1800,300,10800,172800,600
Debug no
Debug SpamAssassin no
Run In Foreground no
Always Looked Up Last &MailWatchLogging
Always Looked Up Last After Batch no
Deliver In Background yes
Delivery Method batch
Split Exim Spool no
Lockfile Dir /var/lock/subsys/MailScanner
Custom Functions Dir /etc/MailScanner/CustomFunctions
Automatic Syntax Check yes
Minimum Code Status supported

#10 Thomas_Powers, 5th June 2008, 00:13
Probably something config'd wrong for the actions

OK....as I look through the last 1000 lines of the mail.log, I searched for the word "blocked" and found like 100 hits. All blocked by spamhaus. Yet...MailWatch shows none of the blocked messages.

SO...

1. Why would this thing be using mail.ksfuel.com and its MX records to forward to the client server rather than using its transport entry (which was postmapped)..yet it forwards to other domains just fine (like our internal one)

2. Blocked stuff doesn't appear in MailWatch

3. Why would it be using zen.spamhaus instead of the spamcop.net entry in the docs and that shows in the config.

All good questions....that a simple noob has his head swimming over!!

Thanks

TP
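
An added example, not part of any post in this thread and not SpamSnake or MailScanner code: a small Python triage of mail.log that separates the three symptoms listed above. It counts messages that Postfix's smtpd rejected with NOQUEUE (no queue file exists for these, so nothing is handed on to MailScanner), lists lookup tables whose .db is older than the source file, and flags deliveries whose relay address differs from the transport entry. The log lines, transport table, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the mail.log excerpts in the thread
# (documentation addresses and example domains, not the poster's hosts).
SAMPLE_LOG = """\
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 554 5.7.1 Service unavailable; Client host [192.0.2.7] blocked using zen.spamhaus.org; from=<a@example.net> to=<u1@example.org> proto=ESMTP helo=<host.example.net>
Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 504 5.5.2 <fb979068>: Helo command rejected: need fully-qualified hostname; from=<b@example.net> to=<u2@example.org> proto=ESMTP helo=<fb979068>
Jun 4 12:48:03 spam postfix/smtpd[21389]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
Jun 4 15:52:40 spam postfix/smtp[26422]: 69048394095: to=<u1@example.org>, relay=mail.example.org[198.51.100.114]:25, delay=12, dsn=5.4.6, status=bounced (mail for example.org loops back to myself)
Jun 4 15:53:10 spam postfix/smtp[26430]: 7A1B2394096: to=<u3@example.com>, relay=203.0.113.70[203.0.113.70]:25, delay=1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
""".splitlines()

# Constructed transport table in the "domain smtp:[next-hop]" form quoted in the thread.
SAMPLE_TRANSPORT = """\
example.org smtp:[198.51.100.70]
example.com smtp:[203.0.113.70]
""".splitlines()

RBL = re.compile(r"blocked using ([\w.-]+)")
STALE = re.compile(r"warning: database (\S+) is older than source file (\S+)")
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*@([^>]+)>, "
    r"relay=[^\[\s]*\[([^\]]+)\]:\d+,.*status=(\w+)"
)


def parse_transport(lines):
    """Map recipient domain -> next hop for 'domain smtp:[host]' entries.

    Assumption: next hops are IPv4 literals or hostnames; other transports are skipped.
    """
    table = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        m = re.fullmatch(r"smtp:\[?([^\]:\s]+)\]?(?::\d+)?", parts[1].strip())
        if m:
            table[parts[0].lower()] = m.group(1)
    return table


def triage(log_lines, transport):
    """Classify log lines into the three symptoms discussed in the thread."""
    rejected = Counter()   # refused at SMTP time, never queued
    stale = set()          # source files that need postmap
    mismatches = []        # delivered somewhere other than the transport next hop
    for line in log_lines:
        if "postfix/smtpd[" in line and "NOQUEUE: reject:" in line:
            rbl = RBL.search(line)
            if rbl:
                rejected["rbl:" + rbl.group(1)] += 1
            elif "Helo command rejected" in line:
                rejected["helo"] += 1
            else:
                rejected["other"] += 1
            continue
        m = STALE.search(line)
        if m:
            stale.add(m.group(2))
            continue
        m = DELIVERY.search(line)
        if m:
            qid, domain, relay_ip, status = m.groups()
            expected = transport.get(domain.lower())
            # Only meaningful when the transport next hop is an IP literal.
            if expected and expected != relay_ip:
                mismatches.append((qid, domain, relay_ip, expected, status))
    return {
        "rejected_before_queue": rejected,
        "stale_maps": sorted(stale),
        "transport_mismatch": mismatches,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, parse_transport(SAMPLE_TRANSPORT))
    for reason, count in report["rejected_before_queue"].most_common():
        print(f"rejected by smtpd before queueing: {reason} x{count}")
    for path in report["stale_maps"]:
        print(f"stale lookup table, run: postmap {path}")
    for qid, domain, got, want, status in report["transport_mismatch"]:
        print(f"{qid}: {domain} went to {got}, transport says {want} ({status})")
```

On a real system, feed it the lines of /var/log/mail.log and /etc/postfix/transport in place of the constructed samples.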

All times are GMT +2.