spam quarantined and relayed

btb listsb-amavis at bitrate.net
Wed Aug 20 21:31:52 CEST 2014


i hope re-asking is ok - i'm still having trouble figuring this out.

On 2014.07.23 10.52, btb wrote:
> certain [but not all] messages detected to be spam are being both
> quarantined and relayed, and generating a notification message.  i'm
> having trouble understanding/figuring out what particular
> characteristics result in this outcome, and what setting[s] relate to
> it.  details:
>
> == notification message ==
> Return-Path: amavis at example.com
> Received: from msa.example.com (LHLO msa.example.com) (10.3.70.10) by
>   mda.example.com with LMTP; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
> Received: from localhost (mfa.example.com [10.3.70.9])
>      by msa.example.com (Postfix) with ESMTP id 3hJJb84pQBzJnJR
>      for <postmaster at example.com>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
> Content-Type: multipart/mixed; boundary="----------=_1406124884-4231-0"
> Content-Transfer-Encoding: 7bit
> MIME-Version: 1.0
> From: "Content-filter at mfa.example.com" <amavis at example.com>
> Date: Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
> Subject: Spam FROM [173.227.222.9]:14538
>   <magnapubs++148+857779 at p.magnapubs.com>
> To: <postmaster at example.com>
> Message-ID: <SASeHI_Po1JO9s at mfa.example.com>
>
> This is a multi-part message in MIME format...
>
> ------------=_1406124884-4231-0
> Content-Type: text/plain; charset="UTF-8"
> Content-Disposition: inline
> Content-Transfer-Encoding: 7bit
>
> Content type: Spam
> Internal reference code for the message is 04231-08-2/SeHI_Po1JO9s
>
> First upstream SMTP client IP address: [173.227.222.9] mx9.mailzeen.net
> According to a 'Received:' trace, the message apparently originated at:
>    [173.227.222.9], mx9.maileen.net mx9.mailzeen.net [173.227.222.9]
>
> Return-Path: <magnapubs++148+857779 at p.magnapubs.com>
> From: "Magna Publications" <magnapubs at p.magnapubs.com>
> Subject: Six reasons to attend The Teaching Professor Technology Conference
> The message has been quarantined as: S/spam-SeHI_Po1JO9s.gz
>
> The message WILL BE relayed to:
> <user at example.com>
>
> Spam scanner report:
>
> ------------=_1406124884-4231-0
> Content-Type: text/rfc822-headers; name="header"
> Content-Disposition: inline; filename="header"
> Content-Transfer-Encoding: 7bit
> Content-Description: Message header section
>
> Return-Path: <magnapubs++148+857779 at p.magnapubs.com>
> Received: from mx9.maileen.net (mx9.mailzeen.net [173.227.222.9])
>      by mta1.example.com (Postfix) with ESMTP id 3hJJb83WGszJmxp
>      for <user at example.com>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
> DKIM-Signature: v=1; a=rsa-sha1; d=p.magnapubs.com;s=magnapubs;
>      c=relaxed/relaxed; q=dns/txt; t=1406124885;
>      h=date:to:from:subject:content-transfer-encoding:list-unsubscribe:mime-version:content-type:content-length;
>      bh=s+XgjWNhjyLTXD/LSSDtpYypBYk=;
>      b=qzg0jsWumlBXUoSEYZMfHnVGGIUlDWjl6pNQRWWyKQudbFXgQhczg4HWthw+R+PoRgRnGJXgNwCbK9g2uvVnE30sLk58RViciN7CVzgRBohN/Vb8FgS+jvUygCm9AJkOQv+f2H4mIBdHGAzNQsTB3W/peNrRfJMt2NC159S2usI=
> X-MailzeenID: magnapubs,148
> X-IPRO:BLK, magnapubs, 857779, 119, 148
> Date: Wed, 23 Jul 2014 07:02:02 -0500 (CDT)
> To: user at example.com
> From: "Magna Publications" <magnapubs at p.magnapubs.com>
> Subject: Six reasons to attend The Teaching Professor Technology Conference
> Importance: Normal
> Content-Transfer-Encoding: 8bit
> List-Unsubscribe: <http://ww1.magnapubs.com/unsub/119/857779X>
> MIME-version: 1.0
> Content-type: multipart/alternative;
>      boundary="BoUnDaRyCmagnapubsM148D072314T"
>
> ------------=_1406124884-4231-0--
>
> == amavis logs ==
> Jul 23 10:14:44 mfa amavis[4231]: (04231-08-2) Passed SPAM
> {RelayedTaggedInbound,Quarantined}, external [173.227.222.9]:14538
> [173.227.222.9] <magnapubs++148+857779 at p.magnapubs.com> ->
> <user at example.com>, quarantine: S/spam-SeHI_Po1JO9s.gz, Queue-ID:
> 3hJJb83WGszJmxp, mail_id: SeHI_Po1JO9s, Hits: -, size: 9196, queued_as:
> 250 2.1.5 Delivery OK, 187 ms
>
> == headers from the actual message ==
> Return-Path: magnapubs++148+857779 at p.magnapubs.com
> Received: from mfa.example.com (LHLO localhost) (10.3.70.9) by
>   mda.example.com with LMTP; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
> X-Quarantine-ID: <SeHI_Po1JO9s>
> X-Virus-Scanned: amavisd-new at example.com
> X-Spam-Flag: YES
> X-Spam-Score: 64
> X-Spam-Level:
> ****************************************************************
> X-Spam-Status: Yes, score=x required=5 BLACKLISTED tests=[]
>      autolearn=unavailable
> Authentication-Results: mfa.example.com (amavisd-new); dkim=fail
> (1024-bit key)
>      reason="fail (message has been altered)" header.d=p.magnapubs.com
> Received: from mta1.example.com ([10.3.70.5])
>      by localhost (mfa.example.com [10.3.70.9]) (amavisd-new, port 11024)
>      with LMTP id SeHI_Po1JO9s for <user at example.com>;
>      Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
> Received: from mx9.maileen.net (mx9.mailzeen.net [173.227.222.9])
>      by mta1.example.com (Postfix) with ESMTP id 3hJJb83WGszJmxp
>      for <user at example.com>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
> DKIM-Signature: v=1; a=rsa-sha1; d=p.magnapubs.com;s=magnapubs;
>      c=relaxed/relaxed; q=dns/txt; t=1406124885;
>      h=date:to:from:subject:content-transfer-encoding:list-unsubscribe:mime-version:content-type:content-length;
>      bh=s+XgjWNhjyLTXD/LSSDtpYypBYk=;
>      b=qzg0jsWumlBXUoSEYZMfHnVGGIUlDWjl6pNQRWWyKQudbFXgQhczg4HWthw+R+PoRgRnGJXgNwCbK9g2uvVnE30sLk58RViciN7CVzgRBohN/Vb8FgS+jvUygCm9AJkOQv+f2H4mIBdHGAzNQsTB3W/peNrRfJMt2NC159S2usI=
> X-MailzeenID: magnapubs,148
> X-IPRO:BLK, magnapubs, 857779, 119, 148
> Date: Wed, 23 Jul 2014 07:02:02 -0500 (CDT)
> To: user at example.com
> From: "Magna Publications" <magnapubs at p.magnapubs.com>
> Subject: ***SPAM*** Six reasons to attend The Teaching Professor Technology
>      Conference
> Importance: Normal
> Content-Transfer-Encoding: 8bit
> List-Unsubscribe: <http://ww1.magnapubs.com/unsub/119/857779X>
> MIME-version: 1.0
> Content-type: multipart/alternative;
>      boundary="BoUnDaRyCmagnapubsM148D072314T"
>
> == some hopefully relevant bits from the amavis config ==
> $mydomain   = 'example.com';
> $myhostname = "mfa.$mydomain";
>
> my $mda_host = "mda.$mydomain";
> my $msa_host = "msa.$mydomain";
>
> my $external_port = '11024';
> my $internal_port = '11026';
> my $mda_lmtp_port = '7025';
> my $internal_reinject_port = '11027';
> my $p0f_analyzer_port = '10032';
>
> my($default_recipient)  = "postmaster\@$mydomain";
> my($default_sender)     = "amavis\@$mydomain";
>
> $inet_socket_port = undef;
> @listen_sockets=(":$external_port", ":$internal_port");
>
> $forward_method     = "lmtp:[$mda_host]:$mda_lmtp_port";
> $notify_method      = "smtp:[$msa_host]:$internal_reinject_port";
> $requeue_method     = "lmtp:[localhost]:$external_port";
>
> $enable_dkim_verification = 1;
>
> $sa_tag_level_deflt     = undef;
> $sa_tag2_level_deflt    = 5.0;
> $sa_kill_level_deflt    = 100;
> $sa_dsn_cutoff_level    = 10;
>
> $final_virus_destiny        = D_DISCARD;
> $final_banned_destiny       = D_DISCARD;
> $final_spam_destiny         = D_PASS;
> $final_bad_header_destiny   = D_PASS;
>
> $virus_admin        = $default_recipient;
> $spam_admin         = $default_recipient;
> $warnbannedsender   = undef;
> $warnbadhsender     = undef;
>
> $mailfrom_notify_admin      = $default_sender;
> $mailfrom_notify_spamadmin  = $default_sender;
> $mailfrom_notify_recip      = $default_sender;
> $mailfrom_to_quarantine     = $default_sender;
>
> $interface_policy{$external_port} = 'external';
> $policy_bank{'external'} = {
>      os_fingerprint_method => "p0f:*:$p0f_analyzer_port",
> };
>
> $interface_policy{$internal_port} = 'internal';
> $policy_bank{'internal'} = {
>      inet_acl            => [ '127.0.0.0/8', '[::1]', '10.3.70.10/32',
> '10.3.70.11/32', '10.68.0.0/16' ],
>      forward_method      => "smtp:[$msa_host]:$internal_reinject_port",
>      requeue_method      => "lmtp:[localhost]:$internal_port",
>
>      final_spam_destiny          => D_DISCARD,
>      final_bad_header_destiny    => D_DISCARD,
> };
>
> thanks
> -ben
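
A triage helper for the amavis log line quoted above, added here as an example and not part of the original post or of amavisd-new: it parses per-message summary lines and returns those whose flags contain both a Relayed* flag and Quarantined, along with sender, quarantine file and Hits value. The function names and the second and third sample lines are constructed for illustration; the first sample line is the one from the post with its line wrapping undone.

```python
import re

# Per-message summary line as quoted in the post:
#   (<am_id>) <Passed|Blocked> <category> {<flag>,<flag>,...}, <details>
SUMMARY_RE = re.compile(
    r"\((?P<am_id>[\w-]+)\)\s+(?P<action>Passed|Blocked)\s+"
    r"(?P<category>[^{]+?)\s+\{(?P<flags>[^}]*)\},\s*(?P<rest>.*)"
)

def parse_summary(line):
    """Return a dict of fields from one unwrapped summary line, or None."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    rest = m["rest"]

    def field(name):
        hit = re.search(rf"\b{name}: ([^,]+)", rest)
        return hit.group(1).strip() if hit else None

    sender = re.search(r"<([^>]*)> ->", rest)
    return {
        "am_id": m["am_id"], "action": m["action"], "category": m["category"],
        "flags": [f.strip() for f in m["flags"].split(",") if f.strip()],
        "sender": sender.group(1) if sender else None,
        "quarantine": field("quarantine"),
        "mail_id": field("mail_id"),
        "hits": field("Hits"),  # "-" when the log line carries no score
    }

def relayed_and_quarantined(lines):
    """Records whose flags contain both a Relayed* flag and Quarantined."""
    records = filter(None, map(parse_summary, lines))
    return [r for r in records
            if "Quarantined" in r["flags"]
            and any(f.startswith("Relayed") for f in r["flags"])]

SAMPLE_LOG = [
    # From the post, with the mail client's line wrapping undone.
    "Jul 23 10:14:44 mfa amavis[4231]: (04231-08-2) Passed SPAM {RelayedTaggedInbound,Quarantined}, external [173.227.222.9]:14538 [173.227.222.9] <magnapubs++148+857779 at p.magnapubs.com> -> <user at example.com>, quarantine: S/spam-SeHI_Po1JO9s.gz, Queue-ID: 3hJJb83WGszJmxp, mail_id: SeHI_Po1JO9s, Hits: -, size: 9196, queued_as: 250 2.1.5 Delivery OK, 187 ms",
    # Constructed for contrast: clean mail that was only relayed.
    "Jul 23 10:15:02 mfa amavis[4231]: (04231-09) Passed CLEAN {RelayedInbound}, external [192.0.2.10]:40122 [192.0.2.10] <alice at example.org> -> <user at example.com>, Queue-ID: CONSTRUCTED1, mail_id: Constructed01, Hits: 0.3, size: 2048, queued_as: 250 2.1.5 Delivery OK, 120 ms",
    # Constructed for contrast: spam that was quarantined but not relayed.
    "Jul 23 10:16:30 mfa amavis[4231]: (04231-10) Blocked SPAM {DiscardedInbound,Quarantined}, external [192.0.2.20]:51000 [192.0.2.20] <bulk at example.net> -> <user at example.com>, quarantine: S/spam-Constructed02.gz, Queue-ID: CONSTRUCTED2, mail_id: Constructed02, Hits: 112.4, size: 5120, 95 ms",
]

if __name__ == "__main__":
    for rec in relayed_and_quarantined(SAMPLE_LOG):
        print(rec["mail_id"], rec["category"], rec["sender"],
              rec["quarantine"], "Hits:", rec["hits"])
```

Grouping the returned records by `sender` and `hits` over a full log shows what the affected messages have in common.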

