Discussion:
[SA-exim] greylisting
Marcin Krol
2008-11-24 16:19:02 UTC
Hello,

My greylisting for mails with score > SAtempreject doesn't work - the
mails are getting 451 all the time, long after greylistsecs passes,
excerpt from local.cf:

loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm

header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '60'; 'dontgreylistthreshold' => 15; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )")

describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender

score GREYLIST_ISWHITE -1.5


I'm getting this in mail.info when any mail is sent through SA:


Nov 24 17:00:17 fidkar spamd[4069]: Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 176, <GEN5> line 46.

Nov 24 17:00:17 fidkar spamd[4069]: Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 177, <GEN5> line 46.

spamassassin -D --lint produces warning:

[23037] warn: Couldn't get Connecting IP header X-SA-Exim-Connect-IP for message <***@lint_rules>, skipping greylisting call


I'm using standard Debian Etch packages.



My sa-exim.conf:

SAEximDebug: 1

SAspamcpath: /usr/bin/spamc
SAspamcHost: 127.0.0.1
SAspamcPort: 783

SAEximRunCond: ${if and { {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Rej:}{Yes}} } {1}{0} }

SAmaxbody: 256000
SATruncBodyCond: 0
SARewriteBody: 0
SAPrependArchiveWithFrom: 1
SAmaxarchivebody: 20971520
SAerrmaxarchivebody: 1073741824
SAmaxrcptlistlength: 8000
SAaddSAEheaderBeforeSA: 1

SAtimeoutsave: /var/spool/sa-exim/SAtimeoutsave
SAtimeoutSavCond: 1

SAerrorsave: /var/spool/sa-exim/SAerrorsave
SAerrorSavCond: 1
SAtemprejectonerror: 0

SAteergrubetime: 900
SAteergrubeSavCond: 1
SAteergrubesave: /var/spool/sa-exim/SAteergrube
SAteergrubeoverwrite: 1

SAdevnullSavCond: 1
SAdevnullsave: /var/spool/sa-exim/SAdevnull

SApermreject: 30.0
SApermrejectSavCond: 0
SApermrejectsave: /var/spool/sa-exim/SApermreject

SAtempreject: 16.0
SAtemprejectSavCond: 1
SAtemprejectsave: /var/spool/sa-exim/SAtempreject
SAtemprejectoverwrite: 1
SAgreylistiswhitestr: GREYLIST_ISWHITE
SAgreylistraisetempreject: 13.0

SAspamacceptsave: /var/spool/sa-exim/SAspamaccept
SAspamacceptSavCond: 0

SAnotspamsave: /var/spool/sa-exim/SAnotspam
SAnotspamSavCond: 0

SAmsgteergrubewait: Wait for more output
SAmsgteergruberej: Please try again later
SAmsgpermrej: Rejected as SPAM, contact BTW to whitelist
SAmsgtemprej: Please try again later
SAmsgerror: Temporary local error while processing message, please contact postmaster.
Marc MERLIN
2008-11-24 16:39:16 UTC
Post by Marcin Krol
Hello,
My greylisting for mails with score > SAtempreject doesn't work - the
mails are getting 451 all the time, long after greylistsecs passes,
loadplugin Greylisting
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
header GREYLIST_ISWHITE eval:greylisting("( 'dir' =>
'/var/spool/sa-exim/tuplets'; 'method' => 'dir'
; 'greylistsecs' => '60'; 'dontgreylistthreshold' => 15; 'connectiphdr'
=> 'X-SA-Exim-Connect-IP'; '
envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' =>
'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; '
greylistfourthbyte' => 0 )")
Nov 24 17:00:17 fidkar spamd[4069]: Use of uninitialized value in
concatenation (.) or string at
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 176,
<GEN5> line 46.
I should have put a die in there, but basically it says that it can't find a
X-SA-Exim-Connect-IP header in there (or more specifically I think it means
it got an empty one).

Can you check in your Exim / Sa-Exim config whether that header is being
inserted correctly when you receive Emails?
(and I'll assume that you're not trying to retrieve mails with fetchmail
and feed them back to smtp over localhost)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Marcin Krol
2008-11-25 11:04:36 UTC
Hello Marc,

Thanks for the answer!
Post by Marc MERLIN
I should have put a die in there, but basically it says that it can't find a
X-SA-Exim-Connect-IP header in there (or more specifically I think it means
it got an empty one).
Can you check in your Exim / Sa-Exim config whether that header is being
inserted correctly when you receive Emails?
(and I'll assume that you're not trying to retrieve mails with fetchmail
and feed them back to smtp over localhost)
It seems that a header does get inserted, here's excerpt from mail in
SAtemprejectsave folder:

X-SA-Exim-Connect-IP: 87.204.147.140
X-SA-Exim-Rcpt-To: ***@btw2.pl
X-SA-Exim-Mail-From: ***@trashmail.net
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
fidkar.wbp.krakow.pl
X-Spam-Level: ***************
[...]
X-Spam-Status: Yes, score=15.4 required=15.0 tests=DRUGS_ANXIETY,
Subject: *****SPAM***** [score: 15.4] test
X-Spam-Prev-Subject: test
X-SA-Exim-Version: 4.2.1 (built Tue, 09 Jan 2007 17:23:22 +0000)
X-SA-Exim-Scanned: Yes (on fidkar.wbp.krakow.pl)

However, it seems that some info may be missing:

***@fidkar:/var/spool/sa-exim/tuplets/87/204/147# ls -l
razem 4
drwxrwx--- 2 Debian-exim Debian-exim 4096 2008-11-24 20:02
***@agenturaspa.cz/

The mails that are temprejected sometimes are saved here and sometimes
they aren't, I have no idea what the dependency is here. For
instance, the above mail that was temprejected did not get any info
saved under /var/spool/sa-exim/tuplets (I grepped all the files there).

I also get mails from "nobody"'s cron complaining that
/usr/share/sa-exim/greylistclean cannot access /var/spool/sa-exim/tuplets.

I tweaked with (relaxing) rights but it seems to have no effect.

***@fidkar:/var/spool/sa-exim# ls -ld tuplets
drwxrwxr-x 6 nobody Debian-exim 4096 2008-11-24 20:30 tuplets/




Regards,
Marcin Krol
Marc MERLIN
2008-11-26 16:20:10 UTC
Post by Marcin Krol
Hello Marc,
Thanks for the answer!
Sorry, I've been a bit passed out, battling a virus :-/
Post by Marcin Krol
Post by Marc MERLIN
I should have put a die in there, but basically it says that it can't find a
X-SA-Exim-Connect-IP header in there (or more specifically I think it means
it got an empty one).
Can you check in your Exim / Sa-Exim config whether that header is being
inserted correctly when you receive Emails?
(and I'll assume that you're not trying to retrieve mails with fetchmail
and feed them back to smtp over localhost)
It seems that a header does get inserted, here's excerpt from mail in
X-SA-Exim-Connect-IP: 87.204.147.140
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
fidkar.wbp.krakow.pl
X-Spam-Level: ***************
[...]
X-Spam-Status: Yes, score=15.4 required=15.0 tests=DRUGS_ANXIETY,
Subject: *****SPAM***** [score: 15.4] test
X-Spam-Prev-Subject: test
X-SA-Exim-Version: 4.2.1 (built Tue, 09 Jan 2007 17:23:22 +0000)
X-SA-Exim-Scanned: Yes (on fidkar.wbp.krakow.pl)
razem 4
drwxrwx--- 2 Debian-exim Debian-exim 4096 2008-11-24 20:02
The mails that are temprejected sometimes are saved here and sometimes
they aren't, I have no idea what the dependency is here. For
instance, the above mail that was temprejected did not get any info
saved under /var/spool/sa-exim/tuplets (I grepped all the files there).
Ok, I apologize for my brain not working too well. I can't think of what may
not be working too well right now, but you can do this to debug and know for
sure what on earth is happening:
spamassassin -t -D < /tmp/message
(pick a message that relates to undefined vars error in the exim logs)
Post by Marcin Krol
I also get mails from "nobody"'s cron complaining that
/usr/share/sa-exim/greylistclean cannot access /var/spool/sa-exim/tuplets.
I tweaked with (relaxing) rights but it seems to have no effect.
drwxrwxr-x 6 nobody Debian-exim 4096 2008-11-24 20:30 tuplets/
That's usually set by the package you install, here is what I have on my
machine:

magic:~# l -ld /var/spool/sa-exim/tuplets
drwxrwx--x 71 nobody Debian-exim 4096 2008-11-26 05:33 /var/spool/sa-exim/tuplets/
and:
-rw-rw---- 1 nobody nogroup 134 2008-11-21 20:47 /var/spool/sa-exim/tuplets/90/183/38/***@centrum.cz/***@merlins.org

magic:~# cat /etc/cron.d/greylistclean
# If you don't run spamd as nobody (you should), change the user below
# be smart and don't run this as root, it doesn't need those perms
33 * * * * nobody [ -x /usr/share/sa-exim/greylistclean ] && /usr/share/sa-exim/greylistclean

My guess is that nobody can't traverse /var/spool or /var/spool/sa-exim on
your machine.

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
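
Added example, not part of the thread and not sa-exim code: the guess in the message above, that nobody cannot traverse /var/spool or /var/spool/sa-exim, can be checked by walking the path and evaluating each directory's search (x) bit for that user. The function names are made up for this example; it assumes GNU stat and plain Unix mode bits (ACLs and MAC policy are not evaluated).

```shell
#!/bin/sh
# Added example (not from the thread). Run as root so every component can be
# stat'ed:  sh traverse_check.sh nobody /var/spool/sa-exim/tuplets
# Assumes GNU coreutils stat(1); only classic mode bits are evaluated.

# can_search UID "GID ..." DIR
# Exit 0 if that identity has search (x) permission on DIR, 1 if not, 2 if DIR
# cannot be stat'ed. Exactly one permission class applies: owner if the uid
# matches, else group if any gid matches, else other. A matching group with no
# x bit therefore denies access even when "other" has x.
can_search() {
    cs_uid=$1; cs_gids=$2; cs_dir=$3
    [ "$cs_uid" -eq 0 ] && return 0        # root bypasses directory search checks
    cs_st=$(stat -c '%u %g %a' "$cs_dir" 2>/dev/null) || return 2
    set -- $cs_st                          # $1 owner uid, $2 group gid, $3 octal mode
    cs_perm=$((0$3))
    if [ "$cs_uid" -eq "$1" ]; then
        [ $((cs_perm & 0100)) -ne 0 ]; return
    fi
    for cs_g in $cs_gids; do
        if [ "$cs_g" -eq "$2" ]; then
            [ $((cs_perm & 0010)) -ne 0 ]; return
        fi
    done
    [ $((cs_perm & 0001)) -ne 0 ]
}

# first_blocked_dir UID "GID ..." PATH
# Walk PATH from its root (or from "." for a relative path). Print the first
# directory the identity cannot search and return 1; print the first missing
# component and return 2; print nothing and return 0 if the walk succeeds.
first_blocked_dir() {
    fb_uid=$1; fb_gids=$2; fb_path=$3
    case $fb_path in /*) fb_cur=/ ;; *) fb_cur=. ;; esac
    if ! can_search "$fb_uid" "$fb_gids" "$fb_cur"; then
        printf '%s\n' "$fb_cur"; return 1
    fi
    fb_ifs=$IFS; IFS=/
    set -f; set -- $fb_path; set +f        # split the path on "/" without globbing
    IFS=$fb_ifs
    for fb_part in "$@"; do
        [ -n "$fb_part" ] || continue
        fb_cur=${fb_cur%/}/$fb_part
        if [ ! -e "$fb_cur" ]; then
            printf '%s\n' "$fb_cur"; return 2
        fi
        [ -d "$fb_cur" ] || continue       # a final regular file needs r/w, not search
        if ! can_search "$fb_uid" "$fb_gids" "$fb_cur"; then
            printf '%s\n' "$fb_cur"; return 1
        fi
    done
    return 0
}

# check_user_path USER PATH: resolve USER's uid and groups with id(1), then report.
check_user_path() {
    cu_uid=$(id -u "$1") || return 2
    cu_gids=$(id -G "$1") || return 2
    cu_hit=$(first_blocked_dir "$cu_uid" "$cu_gids" "$2") && cu_rc=0 || cu_rc=$?
    case $cu_rc in
        0) printf '%s can traverse %s\n' "$1" "$2" ;;
        1) printf '%s is stopped at %s (no search permission)\n' "$1" "$cu_hit" ;;
        *) printf 'path component missing: %s\n' "$cu_hit" ;;
    esac
    return "$cu_rc"
}

if [ "$#" -eq 2 ]; then
    check_user_path "$1" "$2"
fi
```
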
Marcin Krol
2008-12-01 11:53:30 UTC
(shortened this a bit due to mailing list 40KB limit)
Post by Marc MERLIN
Ok, I apologize for my brain not working too well. I can't think of what may
not be working too well right now, but you can do this to debug and know for
spamassassin -t -D < /tmp/message
(pick a message that relates to undefined vars error in the exim logs)
What's strange is that now all of a sudden temp rejecting stopped
working. Anyway, here's output, there's a lot of it:

Marc MERLIN
2008-12-02 16:46:55 UTC
Post by Marcin Krol
(shortened this a bit due to mailing list 40KB limit)
Post by Marc MERLIN
Ok, I apologize for my brain not working too well. I can't think of what may
not be working too well right now, but you can do this to debug and know for
spamassassin -t -D < /tmp/message
(pick a message that relates to undefined vars error in the exim logs)
What's strange is that now all of a sudden temp rejecting stopped
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
(...)
Post by Marcin Krol
[1885] dbg: GREYLISTING: called function
[1885] dbg: GREYLISTING: skipping greylisting on , since score is
already 15.409 and you configured greylisting not to bother with
anything above 15
try this again, and it should tell you what's happening :)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Marcin Krol
2008-12-03 16:32:32 UTC
Hello Marc,

First of all, thanks a lot for your patience and for sticking it out with me on this.
Post by Marc MERLIN
Post by Marcin Krol
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
(...)
Post by Marcin Krol
[1885] dbg: GREYLISTING: called function
[1885] dbg: GREYLISTING: skipping greylisting on , since score is
already 15.409 and you configured greylisting not to bother with
anything above 15
try this again, and it should tell you what's happening :)
Hmm I tried running spamassassin -t -D on that message again and I got
exactly the same output:

[25955] dbg: GREYLISTING: called function
[25955] dbg: GREYLISTING: skipping greylisting on , since score is
already 15.409 and you configured
greylisting not to bother with anything above 15

I ran that on another message and got this again:

[11418] dbg: GREYLISTING: called function
[11418] dbg: GREYLISTING: skipping greylisting on , since score is
already 36.326 and you configured
greylisting not to bother with anything above 15

This is so much weirder due to the fact that I configured SApermreject: 20.0
(at some time for testing purposes I reconfigured it for SApermreject:
30.0, but that was it).

I don't want to sound daft, but I have no idea what's going on with this.

Perhaps this has to do with the fact that I configured required_score
15.0 in local.cf and SAtempreject: 15 in sa-exim.conf?

Thanks again,
Marcin Krol
Marc MERLIN
2008-12-03 16:54:07 UTC
Post by Marcin Krol
Post by Marc MERLIN
Post by Marcin Krol
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
(...)
Post by Marcin Krol
[1885] dbg: GREYLISTING: called function
[1885] dbg: GREYLISTING: skipping greylisting on , since score is
already 15.409 and you configured greylisting not to bother with
anything above 15
try this again, and it should tell you what's happening :)
Hmm I tried running spamassassin -t -D on that message again and I got
Sorry, by "try this again", I meant "by reading the documentation".

/etc/spamassassin/local.cf:header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )")

'dontgreylistthreshold' => 11 says greylisting won't happen for spam scores
over 11, 15 in your case.

Make sure you re-read /usr/share/doc/sa-exim/README.greylisting.gz
and that you understand how scores are changed on both sides. If it's
confusing, just leave the default numbers I gave, they work :)
Post by Marcin Krol
[11418] dbg: GREYLISTING: called function
[11418] dbg: GREYLISTING: skipping greylisting on , since score is
already 36.326 and you configured
greylisting not to bother with anything above 15
This is so much weirder due to fact that I configured SApermreject: 20.0
The setting you care about is dontgreylistthreshold, but you really need
to re-read the documentation.

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
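
The threshold interaction discussed in this thread, as an added example (not code from the thread, from sa-exim or from the Greylisting plugin). It parses the eval:greylisting option string in the form quoted above and applies a simplified decision model; the function names, the model itself and the SAtempreject value of 9 used in the test are assumptions made for illustration.

```python
import re

# Constructed sample: the rule from this thread, shortened to the options used here.
RULE = ("header GREYLIST_ISWHITE eval:greylisting(\"( 'dir' => "
        "'/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '60'; "
        "'dontgreylistthreshold' => 15; 'greylistnullfrom' => 1 )\")")

def parse_greylist_options(rule_line):
    """Extract the 'key' => value pairs from an eval:greylisting("( ... )") rule."""
    m = re.search(r'eval:greylisting\("\(\s*(.*?)\s*\)"\)', rule_line, re.S)
    if not m:
        raise ValueError("no eval:greylisting(...) call found")
    opts = {}
    for pair in m.group(1).split(";"):
        # Values may be quoted ('60') or bare (15); both forms appear in the thread.
        kv = re.fullmatch(r"\s*'([^']+)'\s*=>\s*'?([^']*?)'?\s*", pair, re.S)
        if kv:
            opts[kv.group(1)] = kv.group(2)
    return opts

def verdict(base_score, tuplet_age_secs, opts, tempreject, permreject,
            white_score=-1.5):
    """Simplified model (assumption) of one delivery attempt through SA + sa-exim."""
    score = base_score
    if base_score < float(opts["dontgreylistthreshold"]):
        # The plugin looks at the tuplet; GREYLIST_ISWHITE fires once the
        # tuplet has been known for at least greylistsecs.
        if tuplet_age_secs >= int(opts["greylistsecs"]):
            score += white_score
    # Otherwise the plugin logs "skipping greylisting ..." and the rule never fires.
    if score >= permreject:
        return "permreject"
    if score >= tempreject:
        return "tempreject (451)"
    return "accept"

def greylist_window(opts, tempreject):
    """Scores that are temp-rejected yet still eligible for whitelisting, or None."""
    upper = float(opts["dontgreylistthreshold"])
    return (tempreject, upper) if upper > tempreject else None
```

With SAtempreject equal to dontgreylistthreshold the window is empty: every message scoring high enough to be temp-rejected is also skipped by the plugin, so a retry never changes the answer.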