This is a discussion on [AMaViS-user] Bounce killer feature within the Amavis User forums, part of the Anti-Spam and Anti-Virus Related Forums category.

Hi,

when a user sends a message from an external email client to himself then the message is tagged as spam in my setup (score 100). It seems that such a message is treated as "faked" bounce message...

When the user sends a mail to another user in the same domain then all is OK - only when he sends to himself the message gets a high score.

What options must be set so that this does not happen without deactivating this feature?

Thanks.

A. Always include the mail headers because they show why the score is high. 100 is very high and being non-fractional it looks to me like a blacklist entry by the user for his own e-mail...

On May 22, 2008, at 12:30 PM, Seba Mueld wrote:
> Hi,
>
> when a user sends a message from an external email client to himself
> then the message is tagged as spam in my setup (score 100). It seems
> that such a message is treated as "faked" bounce message...
>
> When the user sends a mail to another user in the same domain then
> all is OK - only when he sends to himself the message gets a high
> score.
>
> What options must be set so that this does not happen without
> deactivating this feature?
>
> Thanks.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

Seba,

> when a user sends a message from an external email client to himself then
> the message is tagged as spam in my setup (score 100). It seems that such a
> message is treated as "faked" bounce message...

So it seems. The $bounce_killer_score is typically set to 100;

> When the user sends a mail to another user in the same domain then all is
> OK - only when he sends to himself the message gets a high score.
>
> What options must be set so that this does not happen without deactivating
> this feature?

A quick fix is to disable the feature (remove the: $bounce_killer_score=100).

A true fix would be to see what makes amavisd believe the message is a bounce of a foreign message, then fix the logic. Can you get hold of a sample, with intact mail header and MIME structure? Or at least provide a MIME structure as logged by amavisd at log level 2, e.g.:

p006 1 Content-Type: multipart/mixed
p007 1/1 Content-Type: multipart/alternative
p001 1/1/1 Content-Type: text/plain, size: 370 B, name:
p002 1/1/2 Content-Type: text/html, size: 533 B, name:
p003 1/2 Content-Type: image/jpeg, size: 1369605 B, name: IMG_1478.jpg
p004 1/3 Content-Type: image/jpeg, size: 1330702 B, name: IMG_1479.jpg
p005 1/4 Content-Type: image/jpeg, size: 1630623 B, name: IMG_1460.jpg

I know of one case where a multipart/mixed message with a first part in plain text and with an attached third-party mail as message/rfc822 causes a false positive. Here is a fix for that particular case:

--- amavisd.orig 2008-04-23 20:50:05.000000000 +0200 +++ amavisd 2008-05-23 15:22:39.000000000 +0200 
@@ -10939,5 +10939,8 @@ } elsif (@parts >= 3 && @parts <= 5 && $t[0] eq 'multipart/mixed' && - ( $t[-1] eq 'text/rfc822-headers' || $t[-1] eq 'message/rfc822' )) { + ( $t[-1] eq 'text/rfc822-headers' || $t[-1] eq 'message/rfc822' ) && + ( $sender eq '' || + $sender =~/^(?:postmaster|mailer-daemon)(?:\@|\z)/si || + $rfc2822_from[0]=~/^(?:postmaster|mailer-daemon)(?:\@|\z)/si ) ) { # qmail, msn? $fname_ind = -1; $structure_type = 'multipart/mixed with attached msg';

Mark
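
Review bot: the added `$rfc2822_from[0]=~/.../si` test on the last `+` line reads the first From address without checking that one exists; if the message carries no From header the match runs against an undefined value and warns when warnings are enabled. Guarding it with `defined $rfc2822_from[0] &&` would avoid that, and since the pattern is anchored at `^` it is worth confirming in the surrounding code that the array holds bare addresses rather than display-name forms. The same pattern is written out twice (for `$sender` and for the From address); assigning it once with `qr//` and reusing it would keep the two tests in sync. The trailing `# qmail, msn?` comment could also say that the branch now applies only to a null, postmaster or mailer-daemon sender.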

Hi,

for the first time in years, I have had a problem with amavisd, which may well be my fault to begin with.

A customer received a mail from a colleague in the Ukraine, who sent the mail in CC to two more recipients. The mail was categorized as Spam, got 5 points and thus was marked as ****SPAM**** in the Subject line, and delivered to the recipient.

However the two people who were supposed to get the mail in CC, did not.

I am wondering if that is normal behaviour, and if so, if there is anything I can do to change this. I would rather have the mail delivered to all the recipients. Using amavisd-new-2.6.0 and amavisd-milter-1.3.1

Logs below (email addresses changed):

I found this in the logfile:

May 22 17:20:43 adamas sendmail[30031]: m4MFKfIj030031: from=<address@of.sender>, size=276585, class=0, nrcpts=3, msgid=<STLP1789767@steelpro.com.ua>, proto=ESMTP, daemon=MTA, relay=relay01.kiev.sovam.com [62.64.120.200]
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter delete: rcpt <cc@recipient1.com>
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter delete: rcpt <cc2@recipient2.com>
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter change: header subject: from invoice for shipment on board of barge 545, ex 20012 to ****SPAM****invoice for shipment on board of barge 545, ex 20012
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0): header: X-Amavis-PenPals: age 2 9:08:27
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0): header: X-Spam-Status: No, score=5.109 tagged_above=3 required=6 tests=[AWL=-4.229,\n\tBAYES_50=0.001, DRUGS_STOCK_MIMEOLE=3.496, FUZZY_OCR=10.000,\n\tHTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0): header: X-Spam-Level: *****
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0): header: X-Spam-Score: 5.109
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0): header: X-Spam-Flag: NO
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0): header: X-Virus-Scanned: amavisd-new at exterstahl.com
May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0): header: X-Quarantine-ID: <dgoT8Kh49ZB9>

Peter,

> A customer received a mail from a colleague in the Ukraine, who sent the
> mail in CC to two more recipients. The mail was categorized as Spam, got 5
> points and thus was marked as ****SPAM**** in the Subject line, and
> delivered to the recipient.
>
> However the two people who were supposed to get the mail in CC, did not.
>
> I am wondering if that is normal behaviour, and if so, if there is anything
> I can do to change this. I would rather have the mail delivered to all the
> recipients. Using amavisd-new-2.6.0 and amavisd-milter-1.3.1
>
> May 22 17:20:43 adamas sendmail[30031]: m4MFKfIj030031:
> from=<address@of.sender>, size=276585, class=0, nrcpts=3,
> msgid=<STLP1789767@steelpro.com.ua>, proto=ESMTP, daemon=MTA,
> relay=relay01.kiev.sovam.com [62.64.120.200]
>
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter delete:
> rcpt <cc@recipient1.com>
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter delete:
> rcpt <cc2@recipient2.com>
>
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter change:
> header subject: from invoice for shipment on board of barge 545, ex 20012
> to ****SPAM****invoice for shipment on board of barge 545, ex 20012
>
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0):
> header: X-Amavis-PenPals: age 2 9:08:27
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0):
> header: X-Spam-Status: No, score=5.109 tagged_above=3 required=6
> tests=[AWL=-4.229,\n\tBAYES_50=0.001, DRUGS_STOCK_MIMEOLE=3.496,
> FUZZY_OCR=10.000,\n\tHTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0):
> header: X-Spam-Level: *****
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0):
> header: X-Spam-Score: 5.109
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0):
> header: X-Spam-Flag: NO
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0):
> header: X-Virus-Scanned: amavisd-new at exterstahl.com
> May 22 17:20:50 adamas sendmail[30031]: m4MFKfIj030031: Milter insert (0):
> header: X-Quarantine-ID: <dgoT8Kh49ZB9>

This could be explained by having different kill levels for the three recipients, or having the one which received the message being a 'spam lover' but the other two not. Seems the 5.1 spam score points blocked the message for both Cc recipients but not for the first recipient.

To confirm what happened you should examine amavisd log.

Mark

Peter,

> That is exactly the problem. I do not have different levels set for
> different users. They are all the same, getting their settings from a
> mysql db as described in the READMEs.
>
> I just looked at the amavisd log, as you suggested. The problem seems to be
> the penpal function I introduced, when I needed it for the bounce-kill
> feature. The one who did get the mail had earlier written a
> mail to the originator of the mail, that was unfortunately declared spam.
> Thus the person, who got the mail resulted in fewer points (5.1), but
> that only counted for him and not the other two, their rating created
> (8.269)

Ah, yes, that explains it.

> What is weird though, is that it gives the same number of points for both
> cases (bottom of the log excerpt, where it says "Passed SPAM" and "Blocked
> SPAM".
>
> I guess this is just an unfortunate event, or is there something I can do
> about this? I have in the meantime thrown out the FUZZY_OCR check, because
> it doesn't seem to make much difference at the moment, and I might have
> had the score set too high.

PenPalsSavedFromKill 8.269-3.160,
  <ulyanov@steelpro.com.ua> -> <recipient1@recipientdomain.com>

[...]
Passed SPAM, AM.PDP-SOCK [62.64.120.200] [85.223.218.20]
  <sender@senderdomain.com> -> <recipient1@recipientdomain.com>,
  ... Hits: 5.109, ...

Blocked SPAM, AM.PDP-SOCK [62.64.120.200] [85.223.218.20]
  <sender@senderdomain.com> ->
  <recipient3@recipientdomain.com>,<recipient2@recipientdomain.com>,
  ... Hits: 5.109, ...

The only problem here is a misleading log entry, claiming 'Hits: 5.109' for the 'Blocked SPAM' entry for two recipients, even though the actual score for those two (no pen pals match) was 8.269.

If you would use per-recipient log (keeping $log_recip_templ at its default value, not setting it to undef), you would receive three log entries, one for each recipient, and the scores would be logged individually per recipient.

The more usual $log_templ top-level log entry tries to summarize results (e.g. score in this case) across all recipients, and in this case reported a minimal score value for all three recipients. Admittedly the 'Blocked SPAM' could do better and only summarize the score across the two blocked recipients. It seems more work than it is worth to get a small improvement there (it would still be wrong/misleading if the two recipients obtained different scores for some other reasons (soft-whitelisting, their own pen-pals hit, etc)).

If per-recipient scores in the log are essential, keep the $log_recip_templ enabled, and perhaps disable the $log_templ.

Mark
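
The reconciliation described in the reply above, as an added example (not code from the thread or from amavisd): it pairs PenPalsSavedFromKill lines with the Passed/Blocked summary entries to recover each recipient's own score and flag summary entries whose 'Hits' value does not apply to them. The log lines are constructed from the excerpts in the thread; the `(30031-01)` message tag, the shortened field list, and the premise that pen pals is the only per-recipient adjustment are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpts quoted in the thread. The
# "(30031-01)" message tag and the shortened field list are assumptions.
SAMPLE_LOG = """\
(30031-01) PenPalsSavedFromKill 8.269-3.160, <sender@senderdomain.com> -> <recipient1@recipientdomain.com>
(30031-01) Passed SPAM, AM.PDP-SOCK [62.64.120.200] [85.223.218.20] <sender@senderdomain.com> -> <recipient1@recipientdomain.com>, Hits: 5.109
(30031-01) Blocked SPAM, AM.PDP-SOCK [62.64.120.200] [85.223.218.20] <sender@senderdomain.com> -> <recipient3@recipientdomain.com>,<recipient2@recipientdomain.com>, Hits: 5.109
"""

PENPAL_RE = re.compile(
    r"\((?P<id>[\d-]+)\) PenPalsSavedFromKill (?P<base>[\d.]+)-(?P<bonus>[\d.]+),"
    r" <[^>]*> -> <(?P<rcpt>[^>]+)>")
SUMMARY_RE = re.compile(
    r"\((?P<id>[\d-]+)\) (?P<action>Passed|Blocked) SPAM,.*? -> "
    r"(?P<rcpts>(?:<[^>]+>,?)+).*?Hits: (?P<hits>-?[\d.]+)")


def per_recipient_scores(log_text):
    """Rebuild per-recipient scores from summary entries plus pen-pals lines."""
    penpals = defaultdict(dict)   # message id -> {recipient: pen-pals bonus}
    base = {}                     # message id -> score before any bonus
    # First pass: collect pen-pals adjustments, wherever they sit in the log.
    for m in PENPAL_RE.finditer(log_text):
        penpals[m["id"]][m["rcpt"]] = float(m["bonus"])
        base[m["id"]] = float(m["base"])

    rows = []
    # Second pass: expand each summary entry into one row per recipient.
    for m in SUMMARY_RE.finditer(log_text):
        logged = float(m["hits"])
        for rcpt in re.findall(r"<([^>]+)>", m["rcpts"]):
            if m["id"] not in base:
                actual = logged   # no pen-pals line, nothing to correct
            else:
                # Recipients without a pen-pals match keep the full score.
                bonus = penpals[m["id"]].get(rcpt, 0.0)
                actual = round(base[m["id"]] - bonus, 3)
            rows.append({"rcpt": rcpt, "action": m["action"],
                         "logged": logged, "actual": actual,
                         "misleading": abs(actual - logged) > 0.0005})
    return rows


if __name__ == "__main__":
    for row in per_recipient_scores(SAMPLE_LOG):
        print(row)
```

Rows marked `misleading` are the ones where the summarized 'Hits' value is the minimum across recipients rather than that recipient's score.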

OK Thanks, I will check this out.

Thanks again,
..peter

On Tue, 3 Jun 2008, Mark Martinec wrote:
> Peter,
>
>> That is exactly the problem. I do not have different levels set for
>> different users. They are all the same, getting their settings from a
>> mysql db as described in the READMEs.
>>
>> I just looked at the amavisd log, as you suggested. The problem seems to be
>> the penpal function I introduced, when I needed it for the bounce-kill
>> feature. The one who did get the mail had earlier written a
>> mail to the originator of the mail, that was unfortunately declared spam.
>> Thus the person, who got the mail resulted in fewer points (5.1), but
>> that only counted for him and not the other two, their rating created
>> (8.269)
>
> Ah, yes, that explains it.
>
>> What is weird though, is that it gives the same number of points for both
>> cases (bottom of the log excerpt, where it says "Passed SPAM" and "Blocked
>> SPAM".
>>
>> I guess this is just an unfortunate event, or is there something I can do
>> about this? I have in the meantime thrown out the FUZZY_OCR check, because
>> it doesn't seem to make much difference at the moment, and I might have
>> had the score set too high.
>
> PenPalsSavedFromKill 8.269-3.160,
>   <ulyanov@steelpro.com.ua> -> <recipient1@recipientdomain.com>
>
> [...]
> Passed SPAM, AM.PDP-SOCK [62.64.120.200] [85.223.218.20]
>   <sender@senderdomain.com> -> <recipient1@recipientdomain.com>,
>   ... Hits: 5.109, ...
>
> Blocked SPAM, AM.PDP-SOCK [62.64.120.200] [85.223.218.20]
>   <sender@senderdomain.com> ->
>   <recipient3@recipientdomain.com>,<recipient2@recipientdomain.com>,
>   ... Hits: 5.109, ...
>
> The only problem here is a misleading log entry, claiming 'Hits: 5.109'
> for the 'Blocked SPAM' entry for two recipients, even though the
> actual score for those two (no pen pals match) was 8.269.
>
> If you would use per-recipient log (keeping $log_recip_templ at
> its default value, not setting it to undef), you would receive
> three log entries, one for each recipient, and the scores would
> be logged individually per recipient.
>
> The more usual $log_templ top-level log entry tries to summarize
> results (e.g. score in this case) across all recipients, and in
> this case reported a minimal score value for all three recipients.
> Admittedly the 'Blocked SPAM' could do better and only summarize
> the score across the two blocked recipients. It seems more work
> than it is worth to get a small improvement there (it would still
> be wrong/misleading if the two recipients obtained different scores
> for some other reasons (soft-whitelisting, their own pen-pals hit, etc)).
>
> If per-recipient scores in the log are essential, keep the
> $log_recip_templ enabled, and perhaps disable the $log_templ.
>
> Mark