[Mimedefang] Help with header checking
Bill Cole
mdlist-20140424 at billmail.scconsult.com
Thu Nov 26 12:47:56 EST 2020
On 26 Nov 2020, at 11:55, Andrea Venturoli wrote:
[...]
>> Anyway... you need to capture the message (or at least the headers)
>> so we can analyze what's going on.
>
> Here's a sample:
>> Return-Path: <pagina at poeconomico.casa>
>> Received: from soth.netfence.it ([unix socket])
>> by mailserver.netfence.it (Cyrus 3.0.14) with LMTPA;
>> Wed, 25 Nov 2020 03:45:44 +0100
That Received header is added by Cyrus during delivery, so obviously
it's not present when MD sees the message.
>> X-Cyrus-Session-Id:
>> mailserver.netfence.it-557-1606272344-1-3657946293514545252
>> X-Sieve: CMU Sieve 3.0
>> Received: from poeconomico.casa (vds74451.mgn-host.ru
>> [89.191.230.250] (may be forged))
>> by soth.netfence.it (8.16.1/8.16.1) with ESMTPS id 0AP2jef2000844
>> (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
>> verify=NO)
>> for <andrea at netfence.it>; Wed, 25 Nov 2020 03:45:43 +0100 (CET)
>> (envelope-from pagina at poeconomico.casa)
That Received header is added by Sendmail *AFTER* all milters have done
their end-of-data work. It is not present when MD sees the message.
>> Authentication-Results: soth.netfence.it;
>> dkim=pass (2048-bit key) header.d=poeconomico.casa
>> header.i=pagina at poeconomico.casa header.b=cGnTmyJh
>> X-Authentication-Warning: soth.netfence.it: Host vds74451.mgn-host.ru
>> [89.191.230.250] (may be forged) claimed to be poeconomico.casa
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=key1;
>> d=poeconomico.casa;
>> h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type;
>> i=pagina at poeconomico.casa;
>> bh=xbJLlOE1CWUnav77hJisuzISPwtefQrfatVm8E+8Sow=;
>> b=cGnTmyJh1B9VDyiBCFcRI2pVOQqJ+fw65kJL6vCU15L3GTJXXNxpgd0HHyeFDlXYj/1o+HHX3mkt
>> m1YEVxiN/83OcZzQGMRhFLk6rVtoTMARuN/uO1fYAaxcCLqpsM5YLyU6NPIwsYsCkZx0pz4vCtMo
>> Scl4h3E9zx52tto+NClcudYfpP+NW8QkC1J3Wu3ZkwGcBE2HkxsX7TOkR0OAk8ottDAu3OThcvCL
>> SCuDoaaZxBxok24KZUJ663tjzPFMPih+Lna0Gx7bmYi//3mvI+7vkwQNMztima+51SQiI+UI77Ro
>> H/M9ke7T0CNZfImI7dd+x4KluyNSe4dyH83DKQ==
>> Message-ID: <2a3970dc95e4cec62a2f9935fd496366a1ebc7 at poeconomico.casa>
>> From: accountant <pagina at poeconomico.casa>
>> To: xxxxxx at netfence.it
>> Subject: Ho trovata la tua email attraverso il servizio di
>> appuntamenti "meetic.it".
>> Date: Wed, 25 Nov 2020 02:44:07 +0100
>> MIME-Version: 1.0
>> Content-Type: multipart/related;
>> boundary="2bd19889d80c22e13d3871e175a182d1cd7a"
>> X-Scanned-By: MIMEDefang 2.83
>
> As you can see:
> _ there's no X-Spam-Score header: either SpamAssassin didn't detect
> this or it wasn't even launched;
> _ if it ran, it should have added 100 points alone since "*.casa" is
> blacklisted; that alone should have been enough;
A common reason for SA not being called by MD is a size limit. The
example mimedefang-filter script includes a limit that made more sense
15 years ago than it does today, when spammers routinely send huge
garbage. Somewhere in the filter() or filter_end() subroutine in your
mimedefang-filter there's a conditional code structure that governs
whether SA is called, and that is where to look for the failure. If your
code has retained the check from the distribution example, it will look
something like this:

    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB. Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();
            # ... (rest of the SpamAssassin handling not shown)
        }
    }

Note also that the comment is a bit outdated. We've done a LOT of
improvement in SA's performance with large messages, mostly by
eliminating the use of ".*" in rules except when absolutely necessary.
> _ also 89.191.230.250 range is in my personal DNSBL and again this
> alone should have been enough.
If that DNSBL is being used directly from Sendmail, that's a different
failure. If it's being used via SpamAssassin, it's also due to not
calling SA from MD.
> N.B.
> Running spamassassin on the command line effectively gives the score I
> expect, so I just *think* it's not called. What in the end I'm trying
> to see is why.
> Calling spamassassin and the code I posted are two different things:
> but I see the latter is also failing and I thought that might give
> some hint.
> If there's a better way to see why spamassassin fails it would
> probably be enough (although curiosity... :).
Look for the call to "spam_assassin_check()" in mimedefang-filter and
work backwards.
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
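
Added example (not part of the original message and not MIMEDefang code): one way to "work backwards" from the spam_assassin_check() call is to list every block still open at the call site and flag any that test file size with -s. The sample filter text is constructed from the excerpt above, wrapped in a hypothetical filter_end(); the function names enclosing_blocks and size_gates are likewise hypothetical.

```python
import re

# Constructed sample: the excerpt quoted in the message, wrapped in a
# hypothetical filter_end() and closed so the braces balance.
SAMPLE_FILTER = r'''
sub filter_end {
    my($entity) = @_;
    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB.
            my($hits, $req, $names, $report) = spam_assassin_check();
        }
    }
}
'''

def strip_comment(line):
    """Drop a Perl comment; naive about '#' inside strings or regexes."""
    return re.sub(r'(^|\s)#.*$', '', line)

def enclosing_blocks(source, call="spam_assassin_check"):
    """Return [(lineno, header)] for every block still open at the first
    call site, outermost first, or None if the call is never made.
    Plain brace counting, not a Perl parser."""
    stack, prev = [], ""
    pattern = re.compile(r'\b%s\s*\(' % re.escape(call))
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        hit = pattern.search(line)
        scan = line[:hit.start()] if hit else line
        for brace in re.finditer(r'[{}]', scan):
            if brace.group() == '{':
                # Header is the text before the brace, or the previous
                # code line when the brace sits on a line of its own.
                stack.append((lineno, scan[:brace.start()].strip() or prev))
            elif stack:
                stack.pop()
        if hit:
            return list(stack)
        prev = line.strip() or prev
    return None

def size_gates(blocks):
    """Blocks whose condition uses Perl's -s file-size test."""
    return [b for b in blocks if re.search(r'(?<![\w$])-s\s+\S', b[1])]

if __name__ == "__main__":
    for lineno, header in enclosing_blocks(SAMPLE_FILTER):
        print(f"line {lineno}: {header}")
```

To use it on a real filter, pass the contents of your own mimedefang-filter file to enclosing_blocks(); each header it returns is a condition that must hold before SpamAssassin is called.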