mailscanner double-checking

dory36

Well-Known Member
Aug 30, 2003
179
0
166
I seem to be getting every message double scanned, as I see a header on each message like the following:

X-Mailscanner:found to be clean at myserver, found to be clean at myserver

Any ideas where to look?

Thanks -- Bill
 

Sash

Well-Known Member
Feb 18, 2003
252
0
166
Ditto....

We experience the same behavior on our servers. Unfortunately we've not been able to find a solution.

Mike
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,453
31
473
Go on, have a guess
What do you have set in your MailScanner.conf for these directives:

Clean Header Value =
Information Header Value =
Multiple Headers =
Sign Messages Already Processed =

Remember that if you have MailScanner enabled for incoming+outgoing scanning and send an email on-server (i.e. from one domain on the server to another) it will get scanned twice (outgoing then incoming).
 

dory36

Clean Header Value = Tested at (my server) and believed to be clean
Information Header = X-MailScanner-Information:
Multiple Headers = append
Sign Messages Already Processed = no

The headers on a message sent from a different server to my server show:

X-MailScanner-(my server): Tested at (my server) and believed to be clean, Tested at (my server) and believed to be clean


Bill
 

chirpy

Certainly looks like it should be fine. Are you running a recent version of MailScanner, or the original from layer1?
 

dory36

I'm running the one from layer1, pretty much "out of the box".

Bill
 

chirpy

You might want to consider upgrading to the latest version to rule out bugs in MailScanner. I've got a HOWTO for upgrading on this forum :)
 

dory36

This continues to puzzle me.

A test message from a webmail account at postmark.net to a test address on my server still gets double-checked.

Here are the headers:

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 21 May 2004 08:40:08 -0500
Received: from test by server.domain.com with local-bsmtp (Exim 4.30)
    id 1BRAFd-0004fu-Br
    for [email protected]; Fri, 21 May 2004 08:40:03 -0500
Received: from [199.227.76.13] (helo=mail.postmark.net)
    by server.domain.com with esmtp (Exim 4.30)
    id 1BRAFb-0004fi-Vb
    for [email protected]; Fri, 21 May 2004 08:39:52 -0500
Received: by mail.postmark.net (Postfix, from userid 500)
    id 944C01436C7; Fri, 21 May 2004 09:35:17 -0400 (EDT)
Received: from 67.97.96.232 by www.postmark.net with HTTP;
    21 May 2004 13:35:17 -0000
Mime-Version: 1.0
From: myacct <[email protected]>
To: [email protected]
Subject: 00.00 -- test message
Date: Fri, 21 May 2004 13:35:17 +0000
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <[email protected]>
X-MailScanner-domain: Tested at domain.com and believed to be clean, Tested at domain.com and believed to be clean
X-Spam-Flag: YES
X-Spam-Report:
X-Spam-Level:
X-Spam-Status: Yes, hits=0.0 required=0.0 tests=none autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server.domain.com
X-MailScanner-Information: Please contact support at domain.com for more information
X-MailScanner-From: [email protected]

(spamassassin at zero for a different test...)

Any suggestions on where to look?

Bill
 

dory36

Thanks to chirpy for figuring this out.

The answer:
I'm running SpamAssassin from cpanel, not from MailScanner.

Essentially this means MailScanner sees the message twice - once on the way in, and again between SpamAssassin and the mailbox.

Quick solution: change Multiple Headers = append to Multiple Headers = replace in the mailscanner config file.

At this point I am not too worried about MailScanner running twice, due to my light server load. But figuring out how to avoid scanning twice goes on the list of things to do once I get the other high priorities taken care of.

Bill
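
Added example, not part of the post above and not MailScanner code: a shell check that reads a delivered message and reports any X-MailScanner header carrying the same stamp more than once, plus how many Received hops the local host added. It assumes appended stamps are comma-separated, as in the headers quoted in this thread; the function names and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Each function reads one message on stdin.
# unfold_headers: print every header on a single line; stop at the blank line.
unfold_headers() {
    awk '
        /^$/     { exit }
        /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }
                 { if (cur != "") print cur; cur = $0 }
        END      { if (cur != "") print cur }'
}

# ms_repeated_stamps: print "<header> <count>" for each X-MailScanner* header
# whose value is one stamp repeated (assumption: stamps are comma-separated).
ms_repeated_stamps() {
    unfold_headers | awk '{
        p = index($0, ":")
        name = substr($0, 1, p - 1)
        val = substr($0, p + 1)
        if (p == 0 || tolower(name) !~ /^x-mailscanner/) next
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        n = split(val, parts, /[ \t]*,[ \t]*/)
        same = (n > 1)
        for (i = 2; i <= n; i++) if (parts[i] != parts[1]) same = 0
        if (same) print name, n
    }'
}

# local_hops HOST: count Received headers written by HOST, one per pass through it.
local_hops() {
    unfold_headers | awk -v h=" by $1 " '
        tolower($0) ~ /^received:/ && index($0, h) { n++ }
        END { print n + 0 }'
}

# Constructed sample, modelled on the headers quoted in the thread.
sample_message() {
    cat <<'EOF'
Received: from test by server.domain.com with local-bsmtp (Exim 4.30)
Received: from [199.227.76.13] (helo=mail.postmark.net)
 by server.domain.com with esmtp (Exim 4.30)
Received: by mail.postmark.net (Postfix, from userid 500)
X-MailScanner-domain: Tested at domain.com and believed to be clean,
 Tested at domain.com and believed to be clean
X-MailScanner-Information: Please contact support at domain.com

body
EOF
}
```

Run as `ms_repeated_stamps < message.eml`; no output means no header carries a repeated stamp.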
 

myrem

Well-Known Member
Jul 14, 2002
93
0
156
dory36 said:
The answer:
I'm running SpamAssassin from cpanel, not from MailScanner.

Essentially this means MailScanner sees the message twice - once on the way in, and again between SpamAssassin and the mailbox.

Quick solution: change Multiple Headers = append to Multiple Headers = replace in the mailscanner config file.
Bill

Since I am running MailScanner with SpamAssassin server-wide, I disabled the SpamAssassin Cpanel option for my members.

Plus: No double load on the server for each message
Minus: Users can't control the Spam disposition at the server level.

It's a small trade-off as most users don't use SpamAssassin on their account and/or they don't know how to properly use it anyway. The server-wide Bayes database (set for db size of 1,000,000 tokens max) seems to be much more effective than individual account Bayes databases, and since I'm running SA with DCC, Pyzor, Razor, and RBLs, very little spam gets through without being flagged (subject modified). And high-scoring spam (>=16), I just have MailScanner discard.
 

dory36

Hmm -- I am tempted to switch. Very few of my users are doing anything other than vanilla SpamAssassin. Only a few are doing any whitelisting, as far as I can tell.

I guess I can handle the few whitelist/blacklist exceptions manually, and just tell people to send me trouble tickets.

Any other implications of dropping the cpanel version and just using the mailscanner version?

Any hints on making the switch clean and simple?

Thanks - Bill
 

chirpy

Bill,

There are a few things to make it smooth:

1. Enable global bayesian filtering:
Make sure that the following lines in /usr/mailscanner/etc/spam.assassin.prefs.conf are set:
Code:
bayes_path                 /var/spool/spamassassin/bayes
bayes_file_mode            0600
Then make sure that the directory mentioned is created and has the correct permissions:
Code:
cd /var/spool
mkdir spamassassin
chmod 750 spamassassin/
chown -R mailnull:mail spamassassin/
This will take some time to populate (depending on the amount of ham/spam you get).

2. Obviously, switch it on in MailScanner.conf, and disable it in WHM > Tweak Settings, and uncheck spamd in WHM > Service Manager. Kill spamd

3. Something that I've discovered is that if you once used SA through cPanel, users may have the cPanel SA configuration files setup. The stuff that cPanel have integrated into Exim doesn't actually check whether you have SA en/disabled in Tweak Settings :rolleyes:. If the user SA files exist, it still tries to scan them using the spamd process which is no longer running and delays email. To get around this you need to remove all the user SA files:
Code:
find /home/ -maxdepth 2 -name '.spam*' -print0 | xargs -0 rm -Rfv
NB: Please be very careful how you type that last command in!

4. Lastly, restart MailScanner and you're away

As an added boost for SpamAssassin I would also recommend using a good set of the SARE rules:
http://www.rulesemporium.com/
I'm finding them very effective at bumping up likely spam scores.

Any problems, my POP3 account is always open ;)
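
Added example, not part of the post above: a dry run for the step 3 cleanup that lists, per account, the `.spam*` entries sitting directly inside each home directory and deletes nothing. The function names are hypothetical; it assumes account homes live one level below the base directory (`/home` by default) and a `find` that supports `-mindepth`/`-maxdepth`.

```shell
#!/bin/sh
# Added example, not from the thread: preview the step 3 cleanup without deleting.

# preview_user_sa_files [BASE]
# Print "<account><TAB><path>" for each .spam* entry directly inside an
# account home under BASE (default /home).
preview_user_sa_files() {
    base=${1:-/home}
    base=${base%/}          # tolerate a trailing slash such as /home/
    # The pattern is quoted so the shell cannot expand .spam* against the
    # current directory before find sees it.
    # -mindepth 2 -maxdepth 2 limits matches to BASE/<account>/.spam*:
    # nothing directly in BASE and nothing deeper inside mail folders.
    find "$base" -mindepth 2 -maxdepth 2 -name '.spam*' -print |
    sort |
    while IFS= read -r path; do
        rel=${path#"$base"/}
        printf '%s\t%s\n' "${rel%%/*}" "$path"
    done
}

# count_user_sa_files [BASE]: number of entries the cleanup would touch.
count_user_sa_files() {
    preview_user_sa_files "$1" | wc -l | tr -d ' '
}
```

Review the listing before running any removal; an unexpected account name or path in the output is the cue to stop.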
 

dory36

Just made the switch, and it SEEMS ok - just waiting for enough spam to show up to test.

One bummer -- cpanel _HITS_ in spamassassin is ##.## so you can rewrite subject lines and then sort a spam mailbox by subject to look at low-scoring for false positives. But MailScanner's implementation doesn't use leading zeros, so a score of 6 will sort after a score of 59.

I have to do some homework to figure out where to move all my rules, as well...

Thanks for the step-by-step!

Bill
 

myrem

dory36 said:
One bummer -- cpanel _HITS_ in spamassassin is ##.## so you can rewrite subject lines and then sort a spam mailbox by subject to look at low-scoring for false positives. But MailScanner's implementation doesn't use leading zeros, so a score of 6 will sort after a score of 59.

Good thought, Bill.
Email the MailScanner team with the enhancement suggestion: mailscanner /at/ ecs.soton.ac.uk
 

chirpy

Actually, you can go part-way and set the following in MailScanner.conf:

Spam Subject Text = {Spam?}
High Scoring Spam Subject Text = {Definitely Spam?}

This way, any spam over your high scoring spam limit (usually 20) will be tagged with the alternative text, making it easier to sort. This is what I do to list one then the other more easily (though these days I just have rules setup to delete high scoring spam ;) )
 

dory36

What syntax can I use in spam.whitelist.rules to allow incoming messages that were sent to a list to which I belong, without enabling each member?

In cpanel/SA, whitelist_to listaddress worked.

In the MS/SA's spam.whitelist.rules, I thought To: listaddress yes would be OK, but MailScanner (properly) looks beyond the purported sender to the "real" sender, which is any of the members of the list.

Thanks - Bill