The Community Forums

Interact with an entire community of cPanel & WHM users!

mailscanner double-checking

Discussion in 'E-mail Discussions' started by dory36, May 6, 2004.

  1. dory36

    dory36 Well-Known Member

    Joined:
    Aug 30, 2003
    Messages:
    179
    Likes Received:
    0
    Trophy Points:
    16
    I seem to be getting every message double scanned, as I see a header on each message like the following:

    X-Mailscanner:found to be clean at myserver, found to be clean at myserver

    Any ideas where to look?

    Thanks -- Bill
     
  2. dory36

    Is everyone getting this behavior, or is it just me?
     
  3. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    Ditto....

    We experience the same behavior on our servers. Unfortunately we've not been able to find a solution.

    Mike
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    What do you have set in your MailScanner.conf for these directives:

    Clean Header Value =
    Information Header Value =
    Multiple Headers =
    Sign Messages Already Processed =

    Remember that if you have MailScanner enabled for incoming+outgoing scanning and send an email on-server (i.e. from one domain on the server to another) it will get scanned twice (outgoing then incoming).
     
  5. dory36

    Clean Header Value = Tested at (my server) and believed to be clean
    Information Header = X-MailScanner-Information:
    Multiple Headers = append
    Sign Messages Already Processed = no

    The headers on a message sent from a different server to my server show:

    X-MailScanner-(my server): Tested at (my server) and believed to be clean, Tested at (my server) and believed to be clean


    Bill
     
  6. chirpy

    Certainly looks like it should be fine. Are you running a recent version of MailScanner, or the original from layer1?
     
  7. dory36

    I'm running the one from layer1, pretty much "out of the box".

    Bill
     
  8. chirpy

    You might want to consider upgrading to the latest version to rule out bugs in MailScanner. I've got a HOWTO for upgrading on this forum :)
     
  9. dory36

    Chirpy - please check your private messages...

    Bill
     
  10. chirpy

    Got it and replied ;)
     
  11. dory36

    This continues to puzzle me.

    A test message from a webmail account at postmark.net to a test address on my server still gets double-checked.

    Here are the headers:

    Return-path: <test@server.domain.com>
    Envelope-to: bill@test.com
    Delivery-date: Fri, 21 May 2004 08:40:08 -0500
    Received: from test by server.domain.com with local-bsmtp (Exim 4.30)
        id 1BRAFd-0004fu-Br
        for bill@test.com; Fri, 21 May 2004 08:40:03 -0500
    Received: from [199.227.76.13] (helo=mail.postmark.net)
        by server.domain.com with esmtp (Exim 4.30)
        id 1BRAFb-0004fi-Vb
        for bill@test.com; Fri, 21 May 2004 08:39:52 -0500
    Received: by mail.postmark.net (Postfix, from userid 500)
        id 944C01436C7; Fri, 21 May 2004 09:35:17 -0400 (EDT)
    Received: from 67.97.96.232 by www.postmark.net with HTTP;
        21 May 2004 13:35:17 -0000
    Mime-Version: 1.0
    From: myacct <myacct@postmark.net>
    To: bill@test.com
    Subject: 00.00 -- test message
    Date: Fri, 21 May 2004 13:35:17 +0000
    Content-Type: text/plain; charset="iso-8859-1"
    Message-Id: <20040521133517.944C01436C7@mail.postmark.net>
    X-MailScanner-domain: Tested at domain.com and believed to be clean, Tested at domain.com and believed to be clean
    X-Spam-Flag: YES
    X-Spam-Report:
    X-Spam-Level:
    X-Spam-Status: Yes, hits=0.0 required=0.0 tests=none autolearn=no version=2.63
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server.domain.com
    X-MailScanner-Information: Please contact support at domain.com for more information
    X-MailScanner-From: testbs@server.domain.com

    (spamassassin at zero for a different test...)

    Any suggestions on where to look?

    Bill
     
  12. dory36

    Thanks to chirpy for figuring this out.

    The answer:
    I'm running SpamAssassin from cpanel, not from MailScanner.

    Essentially this means MailScanner sees the message twice - once on the way in, and again between SpamAssassin and the mailbox.

    Quick solution: change Multiple Headers = append to Multiple Headers = replace in the mailscanner config file.

    At this point I am not too worried about MailScanner running twice, due to my light server load. But figuring out how to avoid scanning twice goes on the list of things to do once I get the other high priorities taken care of.

    Bill
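
One way to confirm from the headers alone that a message was stamped twice and passed through the local MTA twice, as in the diagnosis above. This is an added example, not code from the thread: the function names are hypothetical and the sample is trimmed from the headers posted in #11.

```shell
#!/bin/sh
# Headers trimmed from the test message quoted in this thread (post #11).
sample_headers() { cat <<'EOF'
Received: from test by server.domain.com with local-bsmtp (Exim 4.30)
 id 1BRAFd-0004fu-Br
 for bill@test.com; Fri, 21 May 2004 08:40:03 -0500
Received: from [199.227.76.13] (helo=mail.postmark.net)
 by server.domain.com with esmtp (Exim 4.30)
 id 1BRAFb-0004fi-Vb
 for bill@test.com; Fri, 21 May 2004 08:39:52 -0500
Received: by mail.postmark.net (Postfix, from userid 500)
 id 944C01436C7; Fri, 21 May 2004 09:35:17 -0400 (EDT)
X-MailScanner-domain: Tested at domain.com and believed to be clean, Tested at domain.com and believed to be clean
X-MailScanner-Information: Please contact support at domain.com for more information
X-MailScanner-From: testbs@server.domain.com
EOF
}

# Join folded continuation lines so every header is a single line.
unfold() {
  awk '/^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
       NR > 1   { print buf }
                { buf = $0 }
       END      { if (NR) print buf }'
}

# How many times the same scan stamp appears in the X-MailScanner-<site>
# header (2 or more under "Multiple Headers = append" means a rescan).
stamp_count() {
  unfold | awk '
    { name = tolower($0); sub(/:.*/, "", name) }
    name ~ /^x-mailscanner/ && name !~ /-(information|from)$/ {
      value = $0; sub(/^[^:]*:[ \t]*/, "", value)
      n = split(value, parts, ", "); same = 0
      for (i = 1; i <= n; i++) if (parts[i] == parts[1]) same++
      print same
    }'
}

# Protocol of each Received hop accepted by host $1, newest hop first.
local_hops() {
  unfold | awk -v host="$1" 'tolower($1) == "received:" {
    for (i = 2; i <= NF - 3; i++)
      if ($i == "by" && $(i + 1) == host && $(i + 2) == "with") print $(i + 3)
  }'
}

sample_headers | stamp_count
sample_headers | local_hops server.domain.com
```

A stamp count of 2 together with a `local-bsmtp` hop above the `esmtp` hop on the same host matches the second pass described in the post.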
     
  13. myrem

    myrem Well-Known Member

    Joined:
    Jul 14, 2002
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Since I am running MailScanner with SpamAssassin server-wide, I disabled the SpamAssassin Cpanel option for my members.

    Plus: No double load on the server for each message
    Minus: Users can't control the Spam disposition at the server level.

    It's a small trade-off as most users don't use SpamAssassin on their account and/or they don't know how to properly use it anyway. The server-wide Bayes database (set for db size of 1,000,000 tokens max) seems to be much more effective than individual account Bayes databases, and since I'm running SA with DCC, Pyzor, Razor, and RBLs, very little spam gets through without being flagged. (subject modified). And high-scoring spam (>=16), I just have MailScanner discard.
     
    #13 myrem, Jul 16, 2004
    Last edited: Jul 16, 2004
  14. chirpy

    I certainly agree that that configuration is the most effective way of stopping spam.
     
  15. dory36

    Hmm -- I am tempted to switch. Very few of my users are doing anything other than vanilla SpamAssassin. Only a few are doing any whitelisting, as far as I can tell.

    I guess I can handle the few whitelist/blacklist exceptions manually, and just tell people to send me trouble tickets.

    Any other implications of dropping the cpanel version and just using the mailscanner version?

    Any hints on making the switch clean and simple?

    Thanks - Bill
     
  16. chirpy

    Bill,

    There are a few things to make it smooth:

    1. Enable global bayesian filtering:
    Make sure that the following lines in /usr/mailscanner/etc/spam.assassin.prefs.conf are set:
    Code:
    bayes_path                 /var/spool/spamassassin/bayes
    bayes_file_mode            0600
    Then make sure that the directory mentioned is created and has the correct permissions:
    Code:
    cd /var/spool
    mkdir spamassassin
    chmod 750 spamassassin/
    chown -R mailnull:mail spamassassin/
    This will take some time to populate (depending on the amount of ham/spam you get).

    2. Obviously, switch it on in MailScanner.conf, and disable it in WHM > Tweak Settings, and uncheck spamd in WHM > Service Manager. Kill spamd

    3. Something that I've discovered is that if you once used SA through cPanel, users may have the cPanel SA configuration files setup. The stuff that cPanel have integrated into Exim doesn't actually check whether you have SA en/disabled in Tweak Settings :rolleyes:. If the user SA files exist, it still tries to scan them using the spamd process which is no longer running and delays email. To get around this you need to remove all the user SA files:
    Code:
    find /home/ -maxdepth 2 -name '.spam*' -print0 | xargs -0 rm -Rfv
    NB: Please be very careful how you type that last command in!

    4. Lastly, restart MailScanner and you're away

    As an added boost for SpamAssassin I would also recommend using a good set of the SARE rules:
    http://www.rulesemporium.com/
    I'm finding them very effective at bumping up likely spam scores.

    Any problems, my POP3 account is always open ;)
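
A dry run of the checks in steps 1 and 3 above, as an added example rather than part of chirpy's post: it lists what the cleanup would match and verifies the Bayes directory mode, deleting nothing on the server. The function names, sandbox layout and sample file names are assumptions, and ownership (mailnull:mail) is not checked.

```shell
#!/bin/sh
# Dry run for step 3: list the per-user SpamAssassin files the cleanup would
# remove, deleting nothing. $1 = home root (/home on the server).
list_user_sa_files() {
  # -mindepth/-maxdepth 2 limits matches to <root>/<user>/.spam*; quoting the
  # pattern stops the shell expanding it against the current directory.
  find "$1" -mindepth 2 -maxdepth 2 -name '.spam*' -print | sort
}

# Step 1 check: succeed only if $1 is a directory with mode 750.
bayes_dir_ok() {
  [ -n "$(find "$1" -maxdepth 0 -type d -perm 750 2>/dev/null)" ]
}

# Constructed sandbox standing in for /home and /var/spool; the user and
# file names are sample values, not taken from the thread.
make_sandbox() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/home/alice/.spamassassin" "$root/home/bob/mail/.spam" \
           "$root/spool/spamassassin"
  : > "$root/home/alice/.spamassassin/user_prefs"
  : > "$root/home/bob/.spamassassinenable"
  chmod 750 "$root/spool/spamassassin"
  echo "$root"
}

r=$(make_sandbox) && {
  list_user_sa_files "$r/home"        # two entries; bob/mail/.spam is too deep
  bayes_dir_ok "$r/spool/spamassassin" && echo "bayes dir mode ok"
  rm -rf "$r"                         # removes only the temporary sandbox
}
```

On the server, review the output of `list_user_sa_files /home` before running the removal command.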
     
  17. dory36

    Just made the switch, and it SEEMS ok - just waiting for enough spam to show up to test.

    One bummer -- cpanel _HITS_ in spamassassin is ##.## so you can rewrite subject lines and then sort a spam mailbox by subject to look at low-scoring for false positives. But MailScanner's implementation doesn't use leading zeros, so a score of 6 will sort after a score of 59.

    I have to do some homework to figure out where to move all my rules, as well...

    Thanks for the step-by-step!

    Bill
     
  18. myrem

    Good thought, Bill.
    Email the MailScanner team
    with the enhancement suggestion: mailscanner /at/ ecs.soton.ac.uk
     
  19. chirpy

    Actually, you can go part-way and set the following in MailScanner.conf:

    Spam Subject Text = {Spam?}
    High Scoring Spam Subject Text = {Definitely Spam?}

    This way, any spam over your high scoring spam limit (usually 20) will be tagged with the alternative text, making it easier to sort. This is what I do to list one then the other more easily (though these days I just have rules setup to delete high scoring spam ;) )
     
  20. dory36

    What syntax can I use in spam.whitelist.rules to allow incoming messages that were sent to a list to which I belong, without enabling each member?

    In cpanel/SA, whitelist_to listaddress worked.

    In the MS/SA's spam.whitelist.rules, I thought To: listaddress yes would be OK, but MailScanner (properly) looks beyond the purported sender to the "real" sender, which is any of the members of the list.

    Thanks - Bill
     