Ubuntu 8.04 Spamsnake - all SA scores 0.00

Discussion in 'HOWTO-Related Questions' started by Thomas_Powers, Jun 4, 2008.

  1. Thomas_Powers

    Thomas_Powers New Member

    Hello HTF guys!!

    Let's get this out right now...I be a newbie at the linux world, so the problem here is probably simple to you guys. Anyway, I have followed the step by steps on building the perfect spamsnake on Ubuntu 8.04 (which kicks the snot out of our barracuda for capabilities).

    But when I went active, all messages that came in got a spam score of 0.00 so it's letting everything through. When I run the spamassasin lint test, everything is cool and it gets a progressive score in the test of like 5 of so, so I'm a bit stumped as to where to look on this one.

    All help is greatly appreciated.

    Tom Powers
     
  2. Rocky

    Rocky New Member

    Hey Tom,

    Glad to hear another user is working with the SpamSnake! I'd be more than happy to help you out. First, are you using Sendmail or Postfix? Do you see the mails in the MailWatch interface? Finally, post the output of mail.log.

    Rocky
     
  3. Thomas_Powers

    Thomas_Powers New Member

    Good to hear back from you!!

    We are using postfix

    I see the emails in mailwatch just fine.

    Heres the last 100 lines of the mail log. At the top you'll see some of the messages coming in. THen towards the bottom, you'll see a complete reload of postfix after we added a couple domains to hopefully try again once we get an idea of where to go here.

    Jun 4 12:00:42 spam postfix/smtpd[20039]: connect from unknown[189.180.17.7]
    Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<terri.quinn@btinternet.com> to=<hicks7@ksfuel.com> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
    Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<terri.quinn@btinternet.com> to=<hicks@ksfuel.com> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
    Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<terri.quinn@btinternet.com> to=<hawkins@ksfuel.com> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
    Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a104.sub64.net78.udm.net[78.85.64.104]: 504 5.5.2 <fb979068bcb74f4>: Helo command rejected: need fully-qualified hostname; from=<ugdqqm@bonkworld.com> to=<boydd@ksfuel.com> proto=ESMTP helo=<fb979068bcb74f4>
    Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a104.sub64.net78.udm.net[78.85.64.104]: 504 5.5.2 <fb979068bcb74f4>: Helo command rejected: need fully-qualified hostname; from=<ugdqqm@bonkworld.com> to=<boyd@ksfuel.com> proto=ESMTP helo=<fb979068bcb74f4>
    Jun 4 12:00:43 spam postfix/smtpd[20051]: lost connection after DATA (0 bytes) from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]
    Jun 4 12:00:43 spam postfix/smtpd[20051]: disconnect from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]
    Jun 4 12:00:44 spam postfix/smtpd[20201]: lost connection after DATA (0 bytes) from a104.sub64.net78.udm.net[78.85.64.104]
    Jun 4 12:00:44 spam postfix/smtpd[20201]: disconnect from a104.sub64.net78.udm.net[78.85.64.104]
    Jun 4 12:00:44 spam postfix/smtpd[20039]: NOQUEUE: reject: RCPT from unknown[189.180.17.7]: 554 5.7.1 Service unavailable; Client host [189.180.17.7] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.180.17.7; from=<arver@americanins.com> to=<032ccc57@ksfuel.com> proto=ESMTP helo=<dsl-189-180-17-7.prod-infinitum.com.mx>
    Jun 4 12:00:45 spam postfix/smtpd[20039]: lost connection after DATA (0 bytes) from unknown[189.180.17.7]
    Jun 4 12:00:45 spam postfix/smtpd[20039]: disconnect from unknown[189.180.17.7]
    Jun 4 12:00:45 spam postfix/smtpd[20041]: connect from unknown[88.235.36.128]
    Jun 4 12:00:47 spam postfix/smtpd[20059]: warning: 91.134.11.192: hostname 91-134-11-192.niskar.multimedia-bg.net verification failed: Name or service not known
    Jun 4 12:00:47 spam postfix/smtpd[20059]: connect from unknown[91.134.11.192]
    Jun 4 12:00:48 spam postfix/smtpd[20059]: NOQUEUE: reject: RCPT from unknown[91.134.11.192]: 554 5.7.1 Service unavailable; Client host [91.134.11.192] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=91.134.11.192; from=<ekcinrew1971@BACR.ORG> to=<lawrence|lawrence@ksfuel.com> proto=ESMTP helo=<91-134-11-192.niskar.multimedia-bg.net>
    Jun 4 12:00:48 spam postfix/smtpd[20059]: disconnect from unknown[91.134.11.192]
    Jun 4 12:00:48 spam postfix/smtpd[20041]: NOQUEUE: reject: RCPT from unknown[88.235.36.128]: 554 5.7.1 Service unavailable; Client host [88.235.36.128] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=88.235.36.128; from=<sly@bondrap.com> to=<bradley@ksfuel.com> proto=ESMTP helo=<dsldevice.lan>
    Jun 4 12:00:48 spam postfix/smtpd[20051]: connect from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
    Jun 4 12:00:48 spam postfix/smtpd[20041]: lost connection after DATA (0 bytes) from unknown[88.235.36.128]
    Jun 4 12:00:48 spam postfix/smtpd[20041]: disconnect from unknown[88.235.36.128]
    Jun 4 12:00:48 spam postfix/smtpd[20045]: connect from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
    Jun 4 12:00:48 spam postfix/smtpd[20278]: warning: 64.199.3.161: address not listed for hostname mail.iabusa.com
    Jun 4 12:00:48 spam postfix/smtpd[20278]: connect from unknown[64.199.3.161]
    Jun 4 12:00:49 spam postfix/smtpd[20201]: connect from a32-176.adsl.paltel.net[213.6.32.176]
    Jun 4 12:00:49 spam postfix/smtpd[20045]: NOQUEUE: reject: RCPT from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]: 554 5.7.1 Service unavailable; Client host [82.136.126.158] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=82.136.126.158; from=<CarissatepidFenton@cottyn.com> to=<blkf@ksfuel.com> proto=SMTP helo=<medion.dzcmts001cpe001.datazug.ch>
    Jun 4 12:00:50 spam postfix/smtpd[20045]: lost connection after RCPT from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
    Jun 4 12:00:50 spam postfix/smtpd[20045]: disconnect from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
    Jun 4 12:00:50 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a32-176.adsl.paltel.net[213.6.32.176]: 554 5.7.1 Service unavailable; Client host [213.6.32.176] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=213.6.32.176; from=<Darla-hsomehc@154154.com> to=<caldwell|caldwell@ksfuel.com> proto=ESMTP helo=<a32-176.adsl.paltel.net>
    Jun 4 12:00:50 spam postfix/smtpd[20042]: warning: 88.233.113.253: hostname dsl88-233-29181.ttnet.net.tr verification failed: Name or service not known
    Jun 4 12:00:50 spam postfix/smtpd[20042]: connect from unknown[88.233.113.253]
    Jun 4 12:00:50 spam postfix/smtpd[20277]: connect from unknown[88.235.54.251]
    Jun 4 12:00:50 spam postfix/smtpd[20201]: disconnect from a32-176.adsl.paltel.net[213.6.32.176]
    Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<bradleyd@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
    Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<brewerdd@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
    Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<brewerd@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
    Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<mty@bluefield.com.hk> to=<brewer@ksfuel.com> proto=ESMTP helo=<e4ef43843a9b4a7>
    Jun 4 12:05:28 spam postfix/smtpd[20052]: SSL_accept error from 66-194-50-2.static.twtelecom.net[66.194.50.2]: -1
    Jun 4 12:05:28 spam postfix/smtpd[20052]: lost connection after STARTTLS from 66-194-50-2.static.twtelecom.net[66.194.50.2]
    Jun 4 12:05:28 spam postfix/smtpd[20052]: disconnect from 66-194-50-2.static.twtelecom.net[66.194.50.2]
    Jun 4 12:05:49 spam postfix/smtpd[20278]: timeout after EHLO from unknown[64.199.3.161]
    Jun 4 12:05:49 spam postfix/smtpd[20278]: disconnect from unknown[64.199.3.161]
    Jun 4 12:05:50 spam postfix/smtpd[20042]: timeout after CONNECT from unknown[88.233.113.253]
    Jun 4 12:05:50 spam postfix/smtpd[20042]: disconnect from unknown[88.233.113.253]
    Jun 4 12:05:50 spam postfix/smtpd[20277]: timeout after CONNECT from unknown[88.235.54.251]
    Jun 4 12:05:50 spam postfix/smtpd[20277]: disconnect from unknown[88.235.54.251]
    Jun 4 12:05:51 spam postfix/smtpd[20051]: timeout after DATA (0 bytes) from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
    Jun 4 12:05:51 spam postfix/smtpd[20051]: disconnect from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
    Jun 4 12:07:24 spam postfix/qmgr[20005]: 9B648394093: from=<>, size=6061, nrcpt=1 (queue active)
    Jun 4 12:07:25 spam postfix/smtp[20422]: 9B648394093: to=<telqdi@eline.com>, relay=mx4.eline.com[204.16.159.164]:25, delay=498, delays=498/0.01/0.21/0.48, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4EA7CA4033)
    Jun 4 12:07:25 spam postfix/qmgr[20005]: 9B648394093: removed
    Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max connection rate 8/60s for (smtp:87.21.72.54) at Jun 4 11:59:34
    Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max connection count 4 for (smtp:122.162.83.111) at Jun 4 12:00:07
    Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max cache size 60 at Jun 4 12:00:36
    Jun 4 12:15:19 spam MailScanner[20493]: MailScanner E-Mail Virus Scanner version 4.68.8 starting...
    Jun 4 12:15:20 spam MailScanner[20493]: Read 817 hostnames from the phishing whitelist
    Jun 4 12:15:20 spam MailScanner[20493]: Read 5141 hostnames from the phishing blacklist
    Jun 4 12:15:20 spam MailScanner[20493]: Config: calling custom init function MailWatchLogging
    Jun 4 12:15:21 spam MailScanner[20493]: Started SQL Logging child
    Jun 4 12:15:21 spam MailScanner[20493]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
    Jun 4 12:15:21 spam MailScanner[20493]: Using SpamAssassin results cache
    Jun 4 12:15:22 spam MailScanner[20493]: Connected to SpamAssassin cache database
    Jun 4 12:15:22 spam MailScanner[20493]: Enabling SpamAssassin auto-whitelist functionality...
    Jun 4 12:15:25 spam MailScanner[20493]: ClamAV scanner using unrar command /usr/bin/unrar
    Jun 4 12:15:26 spam MailScanner[20493]: Using locktype = flock
    Jun 4 12:16:00 spam MailScanner[20527]: MailScanner E-Mail Virus Scanner version 4.68.8 starting...
    Jun 4 12:16:00 spam MailScanner[20527]: Read 817 hostnames from the phishing whitelist
    Jun 4 12:16:01 spam MailScanner[20527]: Read 5141 hostnames from the phishing blacklist
    Jun 4 12:16:01 spam MailScanner[20527]: Config: calling custom init function MailWatchLogging
    Jun 4 12:16:01 spam MailScanner[20527]: Started SQL Logging child
    Jun 4 12:16:01 spam MailScanner[20527]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
    Jun 4 12:16:02 spam MailScanner[20527]: Using SpamAssassin results cache
    Jun 4 12:16:02 spam MailScanner[20527]: Connected to SpamAssassin cache database
    Jun 4 12:16:02 spam MailScanner[20527]: Enabling SpamAssassin auto-whitelist functionality...
    Jun 4 12:16:06 spam MailScanner[20527]: ClamAV scanner using unrar command /usr/bin/unrar
    Jun 4 12:16:06 spam MailScanner[20527]: Using locktype = flock
    Jun 4 12:48:03 spam postfix/smtpd[21389]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
    Jun 4 12:48:03 spam postfix/smtpd[21389]: connect from laptop1.ssi.private[10.0.0.44]
    Jun 4 12:48:03 spam postfix/smtpd[21389]: lost connection after CONNECT from laptop1.ssi.private[10.0.0.44]
    Jun 4 12:48:03 spam postfix/smtpd[21389]: disconnect from laptop1.ssi.private[10.0.0.44]
    Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max connection rate 1/60s for (smtp:10.0.0.44) at Jun 4 12:48:03
    Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max connection count 1 for (smtp:10.0.0.44) at Jun 4 12:48:03
    Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max cache size 1 at Jun 4 12:48:03
    Jun 4 14:12:24 spam postfix/smtpd[23678]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
    Jun 4 14:12:24 spam postfix/smtpd[23678]: connect from laptop1.ssi.private[10.0.0.44]
    Jun 4 14:12:24 spam postfix/smtpd[23678]: lost connection after CONNECT from laptop1.ssi.private[10.0.0.44]
    Jun 4 14:12:24 spam postfix/smtpd[23678]: disconnect from laptop1.ssi.private[10.0.0.44]
    Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max connection rate 1/60s for (smtp:10.0.0.44) at Jun 4 14:12:24
    Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max connection count 1 for (smtp:10.0.0.44) at Jun 4 14:12:24
    Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max cache size 1 at Jun 4 14:12:24
     
  4. Rocky

    Rocky New Member

    You're getting the following error
    warning: database /etc/postfix/sender_access.db.

    You need to postmap it using the following command:

    Code:
     
    postmap /etc/postfix/sender_access
    
    Then:
    Code:
     
    postfix reload
    
    Also, make sure you have the following set in your MailScanner.conf file:
    Code:
     
    Use SpamAssassin = yes
    
     
    Last edited: Jun 4, 2008
  5. Thomas_Powers

    Thomas_Powers New Member

    Error in postmap

    OK...I ran the first postmap command and got this reply

    postmap: warning: /etc/postfix/sender_access.db, line 0: expected format: key whitespace value

    And I confirmed that the Use SpamAssassin entry is in the MailScanner.conf file.

    Ideas?

    TP
     
  6. Rocky

    Rocky New Member

    My bad, the command is supposed to be:

    Code:
     
    postmap /etc/postfix/sender_access
    
     
  7. Thomas_Powers

    Thomas_Powers New Member

    Getting closer

    Well...it took that command, and the postfix reload.

    I pointed the traffic back at the system, and we are still seeing the system letting everything through and all SA scores are 0.00, however, it did catch a virus out of one of these...so at least we have a functioning viruswall!!

    Next step would be....?

    I greatly appreciate your time and help in this

    TomP
     
  8. Thomas_Powers

    Thomas_Powers New Member

    Mail forwarding appears to be using DNS

    I look through the mail log and I see that one of the domains we are filtering and forwarding for (this is a small ISP) seems to be grabbing MX records for relay out instead of using the SMTP entry in /etc/postfix/main.cf and in the /etc/postfix/transport

    The log shows when forwarding the received email, the warning is that the host replied with our own name...

    Jun 4 15:52:40 spam postfix/smtpd[26546]: connect from unknown[10.0.0.101]
    Jun 4 15:52:40 spam postfix/smtp[26422]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
    Jun 4 15:52:40 spam postfix/smtp[26422]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net
    Jun 4 15:52:40 spam postfix/smtpd[26440]: connect from unknown[10.0.0.101]
    Jun 4 15:52:40 spam postfix/smtp[26560]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
    Jun 4 15:52:40 spam postfix/smtp[26560]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net
    Jun 4 15:52:40 spam postfix/smtp[26422]: 69048394095: to=<jmakid@ksfuel.com>, relay=mail.ksfuel.com[65.211.156.114]:25, delay=12, delays=12/0/0.01/0, dsn=5.4.6, status=bounced (mail for ksfuel.com loops back to myself)
    Jun 4 15:52:40 spam postfix/smtpd[26546]: disconnect from unknown[10.0.0.101]
    Jun 4 15:52:40 spam postfix/smtp[26560]: D3A59394092: to=<jmakidd@ksfuel.com>, relay=mail.ksfuel.com[65.211.156.114]:25, delay=13, delays=13/0.01/0/0, dsn=5.4.6, status=bounced (mail for ksfuel.com loops back to myself)
    Jun 4 15:52:40 spam postfix/smtpd[26440]: disconnect from unknown[10.0.0.101]



    So...when relaying for these domains...it appears to be looking up MX records (mail.ksfuel.com) and getting our outside IP address of 65.211.156.114 instead of the entry I have in transport file of ksfuel.com smtp:[24.197.231.70]
     
  9. Thomas_Powers

    Thomas_Powers New Member

    Could be????

    Now is it possible I have the actions hosed up? I look in the logs and see stuff being blocked

    entries such as

    Jun 4 16:39:47 spam postfix/smtpd[27616]: NOQUEUE: reject: RCPT from unknown[85.104.12.29]: 554 5.7.1 Service unavailable; Client host [85.104.12.29] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=85.104.12.29; from=<petgord34truew@onlyinternet.net> to=<murray@ksfuel.com> proto=SMTP helo=<dsl85-104-3101.ttnet.net.tr>
    Jun 4 16:39:47 spam postfix/smtpd[27417]: connect from unknown[200.127.131.151]
    Jun 4 16:39:47 spam postfix/smtpd[27616]: disconnect from unknown[85.104.12.29]
    Jun 4 16:39:48 spam postfix/smtp[27448]: 3526F394094: to=<jaana-naakniis@4esyt.com>, relay=smtp.secureserver.net[208.109.80.149]:25, delay=3.6, delays=0.02/0/3.5/0.09, dsn=5.0.0, status=bounced (host smtp.secureserver.net[208.109.80.149] said: 553 sorry, relaying denied from your location [65.211.156.114] (#5.7.1) (in reply to RCPT TO command))
    Jun 4 16:39:48 spam postfix/qmgr[27394]: 3526F394094: removed
    Jun 4 16:39:48 spam postfix/smtpd[27412]: connect from unknown[190.41.36.129]
    Jun 4 16:39:49 spam postfix/smtpd[27409]: NOQUEUE: reject: RCPT from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]: 554 5.7.1 Service unavailable; Client host [72.87.113.34] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=72.87.113.34; from=<ehuyapjspq@bradbury.com.sg> to=<joseph@ksfuel.com> proto=ESMTP helo=<static-72-87-113-34.prvdri.fios.verizon.net>
    Jun 4 16:39:49 spam postfix/smtpd[27409]: lost connection after DATA (0 bytes) from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]
    Jun 4 16:39:49 spam postfix/smtpd[27409]: disconnect from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]
    Jun 4 16:39:49 spam postfix/smtpd[27413]: connect from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]
    Jun 4 16:39:49 spam postfix/smtpd[27417]: NOQUEUE: reject: RCPT from unknown[200.127.131.151]: 554 5.7.1 Service unavailable; Client host [200.127.131.151] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=200.127.131.151; from=<Rinelda-enicyerf@Fard.com> to=<fleming@ksfuel.com> proto=ESMTP helo=<200-127-140-34.dsl.prima.net.ar>
    Jun 4 16:39:50 spam postfix/smtpd[27416]: connect from host121-211-dynamic.10-87-r.retail.telecomitalia.it[87.10.211.121]
    Jun 4 16:39:50 spam postfix/smtpd[27413]: NOQUEUE: reject: RCPT from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]: 554 5.7.1 Service unavailable; Client host [86.149.182.199] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.149.182.199; from=<juugekis_1960@LubyPublishing.com> to=<deann@ksfuel.com> proto=ESMTP helo=<host86-149-182-199.range86-149.btcentralplus.com>
    Jun 4 16:39:50 spam postfix/smtpd[27413]: disconnect from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]
    Jun 4 16:39:50 spam postfix/smtpd[27412]: NOQUEUE: reject: RCPT from unknown[190.41.36.129]: 554 5.7.1 Service unavailable; Client host [190.41.36.129] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=190.41.36.129; from=<ksjsrvqvnub@bonniebethel.com> to=<fslnyq@ksfuel.com> proto=ESMTP helo=<[190.41.36.129]>
    Jun 4 16:39:50 spam postfix/smtpd[27412]: NOQUEUE: reject: RCPT from unknown[190.41.36.129]: 554 5.7.1 Service unavailable; Client host [190.41.36.129] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=190.41.36.129; from=<ksjsrvqvnub@bonniebethel.com> to=<crwamr@ksfuel.com> proto=ESMTP helo=<[190.41.36.129]>


    So I notice it's blocking using zen.spamhaus but I have told it to use the spamcop stuff...see configuration below. It's like I didn't get a setting to commit somewhere eh? And the stuff that it is blocking is not showing up in the Mailwatch window.


    MailScanner Configuration
    %org-name% Keylink Technologies
    %org-long-name% Keylink Technologies
    %web-site% www.klinktech.net
    %etc-dir% /etc/MailScanner
    %report-dir% /etc/MailScanner/reports/en
    %rules-dir% /etc/MailScanner/rules
    %mcp-dir% /etc/MailScanner/mcp
    Max Children 1
    Run As User postfix
    Run As Group postfix
    Queue Scan Interval 6
    Incoming Queue Dir /var/spool/postfix/hold
    Outgoing Queue Dir /var/spool/postfix/incoming
    Incoming Work Dir /var/spool/MailScanner/incoming
    Quarantine Dir /var/spool/MailScanner/quarantine
    PID file /var/run/MailScanner/MailScanner.pid
    Restart Every 7200
    MTA postfix
    Sendmail /usr/sbin/sendmail
    Sendmail2 /usr/sbin/sendmail -DOUTGOING
    Incoming Work Permissions 0600
    Quarantine User root
    Quarantine Group www-data
    Quarantine Permissions 0660
    Max Unscanned Bytes Per Scan 100m
    Max Unsafe Bytes Per Scan 50m
    Max Unscanned Messages Per Scan 30
    Max Unsafe Messages Per Scan 30
    Max Normal Queue Size 800
    Scan Messages yes
    Reject Message no
    Maximum Attachments Per Message 200
    Expand TNEF yes
    Use TNEF Contents replace
    Deliver Unparsable TNEF no
    TNEF Expander /usr/bin/tnef --maxsize=100000000
    TNEF Timeout 120
    File Command /usr/bin/file
    File Timeout 20
    Gunzip Command /bin/gunzip
    Gunzip Timeout 50
    Unrar Command /usr/bin/unrar
    Unrar Timeout 50
    Find UU-Encoded Files no
    Maximum Message Size /etc/MailScanner/rules/max.message.size.rules
    Maximum Attachment Size -1
    Minimum Attachment Size -1
    Maximum Archive Depth 2
    Find Archives By Content yes
    Zip Attachments no
    Attachments Zip Filename MessageAttachments.zip
    Attachments Min Total Size To Zip 100k
    Attachment Extensions Not To Zip .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
    Virus Scanning yes
    Virus Scanners clamav
    Virus Scanner Timeout 300
    Deliver Disinfected Files no
    Silent Viruses HTML-IFrame All-Viruses
    Still Deliver Silent Viruses no
    Non-Forging Viruses Joke/ OF97/ WM97/ W97M/ eicar
    Block Encrypted Messages no
    Block Unencrypted Messages no
    Allow Password-Protected Archives no
    Check Filenames In Password-Protected Archives yes
    Sophos IDE Dir /opt/sophos-av/lib/sav
    Sophos Lib Dir /opt/sophos-av/lib
    Monitors For Sophos Updates /opt/sophos-av/lib/sav/*.ide
    Monitors for ClamAV Updates /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
    ClamAVmodule Maximum Recursion Level 8
    ClamAVmodule Maximum Files 1000
    ClamAVmodule Maximum File Size 10000000
    ClamAVmodule Maximum Compression Ratio 250
    Clamd Port 3310
    Clamd Socket /var/run/clamav/clamd.ctl
    Clamd Lock File /var/run/clamav/clamd.pid
    Clamd Use Threads no
    ClamAV Full Message Scan yes
    Fpscand Port 10200
    Dangerous Content Scanning yes
    Allow Partial Messages no
    Allow External Message Bodies no
    Find Phishing Fraud yes
    Also Find Numeric Phishing yes
    Use Stricter Phishing Net yes
    Highlight Phishing Fraud yes
    Phishing Safe Sites File /etc/MailScanner/phishing.safe.sites.conf
    Phishing Bad Sites File /etc/MailScanner/phishing.bad.sites.conf
    Country Sub-Domains List /etc/MailScanner/country.domains.conf
    Allow IFrame Tags disarm
    Allow Form Tags disarm
    Allow Script Tags disarm
    Allow WebBugs disarm
    Ignored Web Bug Filenames spacer pixel.gif pixel.png gap shim
    Known Web Bug Servers msgtag.com
    Web Bug Replacement http://www.mailscanner.tv/1x1spacer.gif
    Allow Object Codebase Tags disarm
    Convert Dangerous HTML To Text no
    Convert HTML To Text no
    Filename Rules /etc/MailScanner/filename.rules.conf
    Filetype Rules /etc/MailScanner/filetype.rules.conf
    Quarantine Infections yes
    Quarantine Silent Viruses no
    Quarantine Modified Body no
    Quarantine Whole Message yes
    Quarantine Whole Messages As Queue Files no
    Keep Spam And MCP Archive Clean no
    Language Strings /etc/MailScanner/reports/en/languages.conf
    Rejection Report /etc/MailScanner/reports/en/rejection.report.txt
    Deleted Bad Content Message Report /etc/MailScanner/reports/en/deleted.content.message.txt
    Deleted Bad Filename Message Report /etc/MailScanner/reports/en/deleted.filename.message.txt
    Deleted Virus Message Report /etc/MailScanner/reports/en/deleted.virus.message.txt
    Deleted Size Message Report /etc/MailScanner/reports/en/deleted.size.message.txt
    Stored Bad Content Message Report /etc/MailScanner/reports/en/stored.content.message.txt
    Stored Bad Filename Message Report /etc/MailScanner/reports/en/stored.filename.message.txt
    Stored Virus Message Report /etc/MailScanner/reports/en/stored.virus.message.txt
    Stored Size Message Report /etc/MailScanner/reports/en/stored.size.message.txt
    Disinfected Report /etc/MailScanner/reports/en/disinfected.report.txt
    Inline HTML Signature /etc/MailScanner/reports/en/inline.sig.html
    Inline Text Signature /etc/MailScanner/reports/en/inline.sig.txt
    Signature Image Filename /etc/MailScanner/reports/en/sig.jpg
    Signature Image Filename signature.jpg
    Inline HTML Warning /etc/MailScanner/reports/en/inline.warning.html
    Inline Text Warning /etc/MailScanner/reports/en/inline.warning.txt
    Sender Content Report /etc/MailScanner/reports/en/sender.content.report.txt
    Sender Error Report /etc/MailScanner/reports/en/sender.error.report.txt
    Sender Bad Filename Report /etc/MailScanner/reports/en/sender.filename.report.txt
    Sender Virus Report /etc/MailScanner/reports/en/sender.virus.report.txt
    Sender Size Report /etc/MailScanner/reports/en/sender.size.report.txt
    Hide Incoming Work Dir yes
    Include Scanner Name In Reports yes
    Mail Header X-Keylink Technologies-MailScanner:
    Spam Header X-Keylink Technologies-MailScanner-SpamCheck:
    Spam Score Header X-Keylink Technologies-MailScanner-SpamScore:
    Add Envelope From Header yes
    Add Envelope To Header no
    Envelope From Header X-Keylink Technologies-MailScanner-From:
    Envelope To Header X-Keylink Technologies-MailScanner-To:
    Spam Score Character s
    SpamScore Number Instead Of Stars no
    Minimum Stars If On Spam List 0
    Clean Header Value Found to be clean
    Infected Header Value Found to be infected
    Disinfected Header Value Disinfected
    Information Header Value Please contact the ISP for more information
    Detailed Spam Report yes
    Include Scores In SpamAssassin Report yes
    Always Include SpamAssassin Report no
    Multiple Headers append
    Hostname the Keylink Technologies ($HOSTNAME) MailScanner
    Sign Messages Already Processed no
    Sign Clean Messages yes
    Attach Image To Signature no
    Attach Image To HTML Message Only yes
    Mark Infected Messages yes
    Mark Unscanned Messages yes
    Unscanned Header Value Not scanned: please contact your Internet E-Mail Service Provider for details
    Remove These Headers X-Mozilla-Status: X-Mozilla-Status2:
    Deliver Cleaned Messages yes
    Notify Senders no
    Notify Senders Of Viruses no
    Notify Senders Of Blocked Filenames Or Filetypes yes
    Notify Senders Of Blocked Size Attachments no
    Notify Senders Of Other Blocked Content yes
    Never Notify Senders Of Precedence list bulk
    Scanned Modify Subject no
    Scanned Subject Text {Scanned}
    Virus Modify Subject start
    Virus Subject Text {Virus?}
    Filename Modify Subject start
    Filename Subject Text {Filename?}
    Content Modify Subject start
    Content Subject Text {Dangerous Content?}
    Size Modify Subject start
    Size Subject Text {Size}
    Disarmed Modify Subject start
    Disarmed Subject Text {Disarmed}
    Phishing Modify Subject no
    Phishing Subject Text {Fraud?}
    Spam Modify Subject start
    Spam Subject Text {Spam?}
    High Scoring Spam Modify Subject start
    High Scoring Spam Subject Text {Spam?}
    Warning Is Attachment yes
    Attachment Warning Filename Keylink Technologies-Attachment-Warning.txt
    Attachment Encoding Charset ISO-8859-1
    Send Notices yes
    Notices Include Full Headers yes
    Hide Incoming Work Dir in Notices no
    Notice Signature --
    MailScanner
    Email Virus Scanner
    www.mailscanner.info
    Notices From MailScanner
    Notices To postmaster
    Local Postmaster postmaster
    Spam List Definitions /etc/MailScanner/spam.lists.conf
    Virus Scanner Definitions /etc/MailScanner/virus.scanners.conf
    Spam Checks yes
    Spam List spamcop.net SBL+XBL
    Spam Lists To Be Spam 1
    Spam Lists To Reach High Score 3
    Spam List Timeout 10
    Max Spam List Timeouts 7
    Spam List Timeouts History 10
    Is Definitely Not Spam @SQLWhitelist
    Is Definitely Spam @SQLBlacklist
    Definite Spam Is High Scoring no
    Ignore Spam Whitelist If Recipients Exceed 20
    Max Spam Check Size 200k
    Use Watermarking no
    Add Watermark yes
    Check Watermarks With No Sender yes
    Treat Invalid Watermarks With No Sender as Spam nothing
    Check Watermarks To Skip Spam Checks yes
    Watermark Secret Keylink Technologies-Secret
    Watermark Lifetime 604800
    Watermark Header X-Keylink Technologies-MailScanner-Watermark:
    Use SpamAssassin yes
    Max SpamAssassin Size 200k
    Required SpamAssassin Score 6
    High SpamAssassin Score 10
    SpamAssassin Auto Whitelist yes
    SpamAssassin Timeout 75
    Max SpamAssassin Timeouts 10
    SpamAssassin Timeouts History 30
    Check SpamAssassin If On Spam List yes
    Include Binary Attachments In SpamAssassin no
    Spam Score yes
    Cache SpamAssassin Results yes
    SpamAssassin Cache Database File /var/spool/MailScanner/incoming/SpamAssassin.cache.db
    Rebuild Bayes Every 0
    Wait During Bayes Rebuild no
    Use Custom Spam Scanner no
    Max Custom Spam Scanner Size 20k
    Custom Spam Scanner Timeout 20
    Max Custom Spam Scanner Timeouts 10
    Custom Spam Scanner Timeout History 20
    Spam Actions store deliver header "X-Spam-Status: Yes"
    High Scoring Spam Actions store
    Non Spam Actions store deliver header "X-Spam-Status: No"
    Sender Spam Report /etc/MailScanner/reports/en/sender.spam.report.txt
    Sender Spam List Report /etc/MailScanner/reports/en/sender.spam.rbl.report.txt
    Sender SpamAssassin Report /etc/MailScanner/reports/en/sender.spam.sa.report.txt
    Inline Spam Warning /etc/MailScanner/reports/en/inline.spam.warning.txt
    Recipient Spam Report /etc/MailScanner/reports/en/recipient.spam.report.txt
    Enable Spam Bounce /etc/MailScanner/rules/bounce.rules
    Bounce Spam As Attachment no
    Syslog Facility mail
    Log Speed no
    Log Spam no
    Log Non Spam no
    Log Permitted Filenames no
    Log Permitted Filetypes no
    Log Permitted File MIME Types no
    Log Silent Viruses no
    Log Dangerous HTML Tags no
    Log SpamAssassin Rule Actions no
    SpamAssassin Temporary Dir /var/spool/MailScanner/incoming/SpamAssassin-Temp
    SpamAssassin User State Dir /var/spool/MailScanner/spamassassin
    SpamAssassin Site Rules Dir /etc/mail/spamassassin
    MCP Checks no
    First Check spam
    MCP Required SpamAssassin Score 1
    MCP High SpamAssassin Score 10
    MCP Error Score 1
    MCP Header X-Keylink Technologies-MailScanner-MCPCheck:
    Non MCP Actions deliver
    MCP Actions deliver
    High Scoring MCP Actions deliver
    Bounce MCP As Attachment no
    MCP Modify Subject start
    MCP Subject Text {MCP?}
    High Scoring MCP Modify Subject start
    High Scoring MCP Subject Text {MCP?}
    Is Definitely MCP no
    Is Definitely Not MCP no
    Definite MCP Is High Scoring no
    Always Include MCP Report no
    Detailed MCP Report yes
    Include Scores In MCP Report no
    Log MCP no
    MCP Max SpamAssassin Timeouts 20
    MCP Max SpamAssassin Size 100k
    MCP SpamAssassin Timeout 10
    MCP SpamAssassin Prefs File /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
    MCP SpamAssassin Local Rules Dir /etc/MailScanner/mcp
    MCP SpamAssassin Default Rules Dir /etc/MailScanner/mcp
    MCP SpamAssassin Install Prefix /etc/MailScanner/mcp
    Recipient MCP Report /etc/MailScanner/reports/en/recipient.mcp.report.txt
    Sender MCP Report /etc/MailScanner/reports/en/sender.mcp.report.txt
    Use Default Rules With Multiple Recipients no
    Spam Score Number Format %d
    MailScanner Version Number 4.68.8
    SpamAssassin Cache Timings 1800,300,10800,172800,600
    Debug no
    Debug SpamAssassin no
    Run In Foreground no
    Always Looked Up Last &MailWatchLogging
    Always Looked Up Last After Batch no
    Deliver In Background yes
    Delivery Method batch
    Split Exim Spool no
    Lockfile Dir /var/lock/subsys/MailScanner
    Custom Functions Dir /etc/MailScanner/CustomFunctions
    Automatic Syntax Check yes
    Minimum Code Status supported
     
  10. Thomas_Powers

    Thomas_Powers New Member

    Probably something config'd wrong for the actions

    OK....as I look through the last 1000 lines of the mail.log, I searched for the word "blocked" and found like 100 hits. All blocked by spamhaus. Yet...mailwatch shows none of the blocked messages.

    SO...

    1. Why would this thing be using mail.ksfuel.com and it's MX records to forward to the client server rather then using it's transport entry (which was postmapped)..yet it forwards to other domains just fine (like our internal one)

    2. Blocked stuff doesn't appear in Mailwatch

    3. Why would it be using zev.spmhaus instead of the spamcop.net entry in the docs and that shows in the config.

    All good questions....that a simple noob has his head swimming over!!

    Thanks

    TP
     
  11. Rocky

    Rocky New Member

    Tom

    I went through your settings and found the following needs to be set as they are below:

    Code:
    SpamScore Number Instead Of Stars yes 
    Is Definitely Not Spam &SQLWhitelist 
    Is Definitely Spam &SQLBlacklist 
    Spam Actions deliver store 
    High Scoring Spam Actions delete store 
    Non Spam Actions deliver store 
    Make sure to reboot after making the changes.

    Let me know how it turns out.
     
  12. Thomas_Powers

    Thomas_Powers New Member

    We're rollin now - couple issues yet...

    OK...scores are showing up now just fine and it's blocking.

    I still see in the logs these errors

    Jun 5 10:14:02 spam postfix/smtp[5224]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
    Jun 5 10:14:02 spam postfix/smtp[5224]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net


    ksfuel.com is one of the domains we filter for at this ISP then forward to their mail server in their office. I have the domain defined in the transport file and postmapped, yet it still seems to be using DNS to try to get an MX record to forward this mail to. So.....how does one stop this and get it to actually use that transport file?

    We're so close I can taste it!!

    THanks

    TP
     
  13. Rocky

    Rocky New Member

    Tom,
    Create /etc/postfix/helo_access so that it looks like the below:

    Code:
    #Helo Access
    65.211.156.114  OK
    spam.klinktech.net  OK
    mail.ksfuel.com  OK
    
    They run:
    Code:
    postmap /etc/postfix/helo_access
    If you've created a /etc/postfix/sender_access, add the following to it like this:
    Code:
    #Sender Access
    65.211.156.114  OK
    spam.klinktech.net  OK
    mail.ksfuel.com  OK
    
    Then run:
    Code:
    postmap /etc/postfix/sender_access
    Make sure to edit /etc/postfix/main.cf and verify that the following settings are correct:

    Code:
     
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
            permit_mynetworks,
            check_helo_access hash:/etc/postfix/helo_access,
            reject_invalid_hostname,
            permit
    smtpd_sender_restrictions =
            check_sender_access hash:/etc/postfix/sender_access,
            reject_non_fqdn_sender,
            reject_unknown_sender_domain,
            permit
    
    
    Finally, run:
    Code:
     
    postfix reload
    
    Let me know how that turns out.
     
  14. Thomas_Powers

    Thomas_Powers New Member

    Wow....

    Ok...I'll start typin.

    I did find in the main.cf of postfix where I had type tansport_maps = hash:/etc/postfix/transport instead of transport_maps

    so on one hand I'm an idiot for mistyping (too many years of clicking the mouse in microsoft) but on the other hand I'm glad I actually found that.

    TP
     
  15. Thomas_Powers

    Thomas_Powers New Member

    Better....

    Seems to be gettin there.

    3 questions though. (regret reading this post yet?) :)

    1. How does one change the disclaimer at the bottom of the emails that Mailscanner lets through right now the default is

    This message has been scanned for viruses and
    dangerous content by MailScanner, and is
    believed to be clean.

    And we need to add to that.

    2. When I go in and try to release an email in Mailwatch that has been blocked i get....

    Result
    Release: error (unable to add recipient [tomp@sound-solutions.biz]: Invalid response code received from server)
    Close Window

    and finally

    3. Is it possible to create a script that reads recipient addresses from an Exchange server and loads them into the recipient list rather than having to do it manually? We right now have the @domainname.com wide open for the domains, so we're not filtering by valid recipient. I ask because on the inside, we have around 1500 addresses that I would rather not typpe in and the people here will never be able to update themselves. The point and click Exchange server is beyond them, this would kill em!!

    TP
     
  16. Rocky

    Rocky New Member

    Hey Tom,

    Glad to hear things are getting better.

    1. Inline signature reports can be found in /etc/MailScanner/en. Edit to customize to your liking.

    2. Edit the below line in /var/www/mailscanner/conf.php and make sure you've entered the full email address, including the domain name:

    Code:
    define(QUARANTINE_FROM_ADDR, [EMAIL="'postmaster@domain.tld'"]'postmaster@domain.tld'[/EMAIL]);
    3. Chapter 12 explains how to pull out the email addresses automatically.

    Let me know how it turns out.
     
  17. Thomas_Powers

    Thomas_Powers New Member

    Uh...??

    Cool...got #1 and found the inline signature html to change.

    #2 has been put in and we're rebooting now

    #3 Chapter 12? Chapter 12 of what doc?

    TP
     
  18. Rocky

    Rocky New Member

  19. Thomas_Powers

    Thomas_Powers New Member

    Duh!!!

    Ok..I'm an idiot. You mean section 12 of the online docs....when you mentioned chapter 12, I was thinking of a book somewhere.


    The changing of the email address in line 2 did the job, but releasing a message now gives the error of

    Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 5239334 bytes) in /var/www/mailscanner/pear/Mail/mimePart.php on line 232


    ideas?

    TP
     
  20. Rocky

    Rocky New Member

    Tom,

    Try changing the memory_limit in /etc/php5/apache/php.ini to something higher than 16M.

    Default Value:
    Code:
     
    memory_limit = 16M 
    
     

Share This Page