Hello,
A friend of mine got some spam, and I am attempting to track down why
it was let through. While the mail server apparently is directing
the message through to spam-scanned, Spamassassin doesn't appear to be
modifying the headers. I'm using SA 2.20-1woody, and Exim 3.35-1.
> Received: from webslayer.marinar.com by silhouette.net
> with DomainPOP (MDaemon.PRO.v4.0.2.R)
> for <emartin@???>; Fri, 20 Dec 2002 19:37:54 -0500
> Received: from intrepid.marinar.com by webslayer.marinar.com
> (8.9.3/8.9.3)
> id TAA13299; Fri, 20 Dec 2002 19:37:47 -0500
> From: movieatirywwf@???
> Received: from mail by intrepid.marinar.com with spam-scanned (Exim
3.35
> #1 (Debian))
> id 18PXeE-0002kG-00
> for <erica@???>; Fri, 20 Dec 2002 19:37:47 -0500
> Received: from [12.146.162.241] (helo=mail241.mistlebranch.com)
> by intrepid.marinar.com with smtp (Exim 3.35 #1 (Debian))
> id 18PXeD-0002kA-00
> for <erica@???>; Fri, 20 Dec 2002 19:37:46 -0500
> To: erica@???
> Date: Fri, 20 Dec 2002 19:07:16 -0500
> Message-ID: <1040429236.7667@???>
> Reply-To: <moviegjgbgjik@???>
> Subject: See a Horny Teen Girl Do a horse with a 31 inch C*ck it's
> FREE! -lwceavrc
> Status:
Right now the problem would seem to be with Spamassassin's
configuration, since Exim seems to be doing its job. I got a little
curious, though, and wanted to run Exim in debug mode to simulate this
message. Here is a transscript of that conversation, with annotated
comments:
> Exim version 3.35 debug level 10 uid=0 gid=0
> Berkeley DB: Sleepycat Software: Berkeley DB 2.7.7: (08/20/99)
> Unable to create IPv6 socket to find interface addresses:
> error 97 Address family not supported by protocol
> Trying for an IPv4 socket
> Actual local interface address is 127.0.0.1 (lo)
> Actual local interface address is 64.241.86.5 (eth0)
> Caller is an admin user
> Caller is a trusted user
> user name "root" extracted from gecos field "root"
> originator: uid=0 gid=0 login=root name=root
> sender address = root@???
> sender_fullhost = [12.146.162.241]
> sender_rcvhost = [12.146.162.241]
> host in host_lookup? yes (*)
> looking up host name for 12.146.162.241
> IP address lookup failed
> sender_fullhost = [12.146.162.241]
> sender_rcvhost = [12.146.162.241]
> set_process_info: 24242 handling incoming connection from [12.146.162.241]
> host in host_reject? no (end of list)
> host in host_reject_recipients? no (option unset)
> host in rbl_hosts? yes (*)
> checking RBL domain relays.ordb.org/reject
> DNS lookup of 241.162.146.12.relays.ordb.org (A) gave HOST_NOT_FOUND
> returning DNS_NOMATCH
> RBL lookup for 241.162.146.12.relays.ordb.org failed
> => that means it's not black listed at relays.ordb.org
> host in auth_hosts? no (option unset)
> host in sender_unqualified_hosts? no (option unset)
> host in receiver_unqualified_hosts? no (option unset)
> host in helo_verify? no (option unset)
> host in helo_accept_junk_hosts? no (option unset)
> SMTP>> 220 intrepid.marinar.com ESMTP Exim 3.35 #1 Thu, 26 Dec 2002 15:33:46 -0500
> smtp_setup_msg entered
>
> **** SMTP testing session as if from host 12.146.162.241
> **** Not for real!
>
> 220 intrepid.marinar.com ESMTP Exim 3.35 #1 Thu, 26 Dec 2002 15:33:46 -0500
> SMTP<< helo mail241.mistlebranch.com
> mail241.mistlebranch.com in local_domains? no (end of list)
> sender_fullhost = (mail241.mistlebranch.com) [12.146.162.241]
> sender_rcvhost = [12.146.162.241] (helo=mail241.mistlebranch.com)
> set_process_info: 24242 handling incoming connection from (mail241.mistlebranch.com) [12.146.162.241]
> SMTP>> 250 intrepid.marinar.com Hello mail241.mistlebranch.com [12.146.162.241]
> 250 intrepid.marinar.com Hello mail241.mistlebranch.com [12.146.162.241]
> SMTP<< mail from: movieatirywwf@???
> movieatirywwf@??? in sender_reject? no (option unset)
> movieatirywwf@??? in sender_reject_recipients? no (option unset)
> Unable to create IPv6 socket to find interface addresses:
> error 97 Address family not supported by protocol
> Trying for an IPv4 socket
> Actual local interface address is 127.0.0.1 (lo)
> Actual local interface address is 64.241.86.5 (eth0)
> gatekeeper.marinar.com 64.241.86.66 mx=-1
> ponyexpress.marinar.com 209.176.254.216 mx=-1
> webslayer.marinar.com 64.241.86.36 mx=-1
> local host found for non-MX address
> intrepid.marinar.com 64.241.86.5 mx=-1
> host in sender_verify_hosts? yes (*)
> verifying sender movieatirywwf@???
> >>>>>>>>>>>>>>>>>>>>>>>>
> Verifying movieatirywwf@???
> movieatirywwf@??? in *@intrepid.marinar.com? no (end of list)
> mandic.com.br in local_domains? no (end of list)
> address movieatirywwf@???
> local_part=movieatirywwf domain=mandic.com.br
> domain is not local
> >>>>>>>>>>>>>>>>>>>>>>>>
> routing movieatirywwf@???, domain mandic.com.br
> lookuphost router called for movieatirywwf@???
> dns lookup: route_domain = mandic.com.br
> DNS lookup of mandic.com.br (MX) succeeded
> fully qualified name = mandic.com.br
> host_find_bydns yield = HOST_FOUND (2); returned hosts:
> mx.mandic.com.br 200.225.83.2 0 13
> mx.mandic.com.br 200.225.83.8 0 91
> queued for remote_smtp transport: local_part=movieatirywwf domain=mandic.com.br
> errors_to=NULL
> domain_data=NULL local_part_data=NULL
> routed by lookuphost router:
> deliver to movieatirywwf@???
> transport: remote_smtp
> host mx.mandic.com.br [200.225.83.2] MX=0
> host mx.mandic.com.br [200.225.83.8] MX=0
> host in sender_verify_hosts_callback? no (option unset)
> movieatirywwf@??? verified ok as movieatirywwf@???
> SMTP>> 250 <movieatirywwf@???> is syntactically correct
> 250 <movieatirywwf@???> is syntactically correct
> SMTP<< rcpt to: erica@???
> marinar.com in percent_hack_domains? yes (matched *)
> erica@??? in receiver_verify_addresses? yes (*)
> movieatirywwf@??? in receiver_verify_senders? yes (*)
> host in receiver_verify_hosts? yes (*)
> >>>>>>>>>>>>>>>>>>>>>>>>
> Verifying erica@???
> marinar.com in percent_hack_domains? yes (matched *)
> address erica@???
> local_part=erica domain=marinar.com
> domain is local
> >>>>>>>>>>>>>>>>>>>>>>>>
> directing erica@???
> spamcheck_director director skipped: verify 2 0 0
Skipping this director in the verification stage. What does the
string "verify 2 0 0" mean? Note that this is the last occurance of
the "spamcheck_director"--it doesn't appear to be checked again.
> real_local director skipped: prefix mismatch
> virtual_domainforward director skipped: verify 2 0 0
> virtual_userforward director skipped: verify 2 0 0
> procmail director skipped: verify 2 0 0
> calling virtual_alias director
> df_lookup entered: search type = lsearch
> virtual_alias director: lsearch* key=erica
> file="/etc/exim/aliases/marinar.com"
> search_open: lsearch "/etc/exim/aliases/marinar.com"
> search_find: file="/etc/exim/aliases/marinar.com"
> key="erica" partial=1023
> LRU list:
> 7/etc/exim/aliases/marinar.com
> End
> internal_search_find: file="/etc/exim/aliases/marinar.com"
> type=lsearch key="erica"
> file lookup required for erica
> in /etc/exim/aliases/marinar.com
> lookup failed
> trying to match *
> internal_search_find: file="/etc/exim/aliases/marinar.com"
> type=lsearch key="*"
> file lookup required for *
> in /etc/exim/aliases/marinar.com
> lookup failed
> virtual_alias director declined for erica:
> calling virtual_localuser director
> df_lookup entered: search type = lsearch
> virtual_localuser director: lsearch key=erica
> file="/etc/exim/passwd/marinar.com"
> search_open: lsearch "/etc/exim/passwd/marinar.com"
> search_find: file="/etc/exim/passwd/marinar.com"
> key="erica" partial=-1
> LRU list:
> 7/etc/exim/passwd/marinar.com
> 7/etc/exim/aliases/marinar.com
> End
> internal_search_find: file="/etc/exim/passwd/marinar.com"
> type=lsearch key="erica"
> file lookup required for erica
> in /etc/exim/passwd/marinar.com
> lookup failed
> virtual_localuser director declined for erica:
> calling unknown_to_webslayer director
> unknown_to_webslayer director called for erica@???
> parse_extract_addresses: "erica%marinar.com"@???
> extract item: "erica%marinar.com"@???
> unknown_to_webslayer director generated "erica%marinar.com"@???
> errors_to=NULL transport=NULL
> uid=unset gid=unset home=NULL
> unknown_to_webslayer director succeeded for erica
> webslayer.marinar.com in local_domains? no (end of list)
> address "erica%marinar.com"@???
> local_part="erica%marinar.com" domain=webslayer.marinar.com
> domain is not local
> >>>>>>>>>>>>>>>>>>>>>>>>
> routing "erica%marinar.com"@???, domain webslayer.marinar.com
> lookuphost router called for "erica%marinar.com"@???
> dns lookup: route_domain = webslayer.marinar.com
> DNS lookup of webslayer.marinar.com (MX) gave NO_DATA
> returning DNS_NOMATCH
> DNS lookup of webslayer.marinar.com (A) succeeded
> fully qualified name = webslayer.marinar.com
> webslayer.marinar.com 64.241.86.36 mx=-1 sort=-10
> webslayer.marinar.com in local_domains? no (end of list)
> queued for remote_smtp transport: local_part="erica%marinar.com" domain=webslayer.marinar.com
> errors_to=NULL
> domain_data=NULL local_part_data=NULL
> routed by lookuphost router:
> deliver to "erica%marinar.com"@???
> transport: remote_smtp
> host webslayer.marinar.com [64.241.86.36]
> SMTP>> 250 <erica@???> verified
> 250 <erica@???> verified
> SMTP<< data
> SMTP>> 354 Enter message, ending with "." on a line by itself
> search_tidyup called
> 354 Enter message, ending with "." on a line by itself
> >>Original headers (size=-1):
>
> rewrite_one_header: type=F:
> From: movieatirywwf@???
> movieatirywwf@??? in *@intrepid.marinar.com? no (end of list)
> >>Final headers:
> P Received: from [12.146.162.241] (helo=mail241.mistlebranch.com)
> by intrepid.marinar.com with smtp (Exim 3.35 #1 (Debian))
> id 18Reht-0006J0-00
> for <erica@???>; Thu, 26 Dec 2002 15:34:18 -0500
> I Message-Id: <E18Reht-0006J0-00@???>
> F From: movieatirywwf@???
> B Bcc:
> Date: Thu, 26 Dec 2002 15:34:18 -0500
>
> search_tidyup called
> verifying header address movieatirywwf@???
> same as sender
> LOG: 0 MAIN
> <= movieatirywwf@??? H=(mail241.mistlebranch.com) [12.146.162.241] P=smtp S=202
> SMTP>> 250 OK id=18Reht-0006J0-00
> smtp_setup_msg entered
> 250 OK id=18Reht-0006J0-00
>
> **** SMTP testing: that is not a real message id!
>
> SMTP<< quit
> SMTP>> 221 intrepid.marinar.com closing connection
> search_tidyup called
> 221 intrepid.marinar.com closing connection
Ultimately, the message should be delivered to spam-scanned before it
is routed to the smarthost. That is how the headers are introduced
into the message. My question is, where in the above log is
demonstration of this?
If I run 'exim -d10 -bt erica@???', I get this:
> Exim version 3.35 debug level 10 uid=0 gid=0
> Berkeley DB: Sleepycat Software: Berkeley DB 2.7.7: (08/20/99)
> Unable to create IPv6 socket to find interface addresses:
> error 97 Address family not supported by protocol
> Trying for an IPv4 socket
> Actual local interface address is 127.0.0.1 (lo)
> Actual local interface address is 64.241.86.5 (eth0)
> Caller is an admin user
> Caller is a trusted user
> user name "root" extracted from gecos field "root"
> originator: uid=0 gid=0 login=root name=root
> sender address = root@???
> Address testing: uid=0 gid=0 euid=8 egid=8
> >>>>>>>>>>>>>>>>>>>>>>>>
> Testing erica@???
> marinar.com in percent_hack_domains? yes (matched *)
> address erica@???
> local_part=erica domain=marinar.com
> domain is local
> >>>>>>>>>>>>>>>>>>>>>>>>
> directing erica@???
> calling spamcheck_director director
Notice that spamcheck_director is called, and its file checks are
made. Why don't I see this in the output from running with '-bh'?
> search_open: lsearch "/etc/exim/sa_to_whitelist"
> search_find: file="/etc/exim/sa_to_whitelist"
> key="erica@???" partial=3071
> LRU list:
> 7/etc/exim/sa_to_whitelist
> End
> internal_search_find: file="/etc/exim/sa_to_whitelist"
> type=lsearch key="erica@???"
> file lookup required for erica@???
> in /etc/exim/sa_to_whitelist
> lookup failed
> trying default match *@marinar.com
> internal_search_find: file="/etc/exim/sa_to_whitelist"
> type=lsearch key="*@marinar.com"
> file lookup required for *@marinar.com
> in /etc/exim/sa_to_whitelist
> lookup failed
> trying to match *
> internal_search_find: file="/etc/exim/sa_to_whitelist"
> type=lsearch key="*"
> file lookup required for *
> in /etc/exim/sa_to_whitelist
> lookup failed
> search_open: lsearch "/etc/exim/sa_from_domains_whitelist"
> search_find: file="/etc/exim/sa_from_domains_whitelist"
> key="root@???" partial=3071
> LRU list:
> 7/etc/exim/sa_from_domains_whitelist
> 7/etc/exim/sa_to_whitelist
> End
> internal_search_find: file="/etc/exim/sa_from_domains_whitelist"
> type=lsearch key="root@???"
> file lookup required for root@???
> in /etc/exim/sa_from_domains_whitelist
> lookup failed
> trying default match *@intrepid.marinar.com
> internal_search_find: file="/etc/exim/sa_from_domains_whitelist"
> type=lsearch key="*@intrepid.marinar.com"
> file lookup required for *@intrepid.marinar.com
> in /etc/exim/sa_from_domains_whitelist
> lookup failed
> trying to match *
> internal_search_find: file="/etc/exim/sa_from_domains_whitelist"
> type=lsearch key="*"
> file lookup required for *
> in /etc/exim/sa_from_domains_whitelist
> lookup failed
> search_open: lsearch "/etc/exim/sa_from_hosts_whitelist"
> search_find: file="/etc/exim/sa_from_hosts_whitelist"
> key="" partial=-1
> LRU list:
> 7/etc/exim/sa_from_hosts_whitelist
> 7/etc/exim/sa_from_domains_whitelist
> 7/etc/exim/sa_to_whitelist
> End
> internal_search_find: file="/etc/exim/sa_from_hosts_whitelist"
> type=lsearch key=""
> search_open: lsearch "/etc/exim/access/mailservers"
> search_find: file="/etc/exim/access/mailservers"
> key="" partial=-1
> LRU list:
> 7/etc/exim/access/mailservers
> 7/etc/exim/sa_from_hosts_whitelist
> 7/etc/exim/sa_from_domains_whitelist
> 7/etc/exim/sa_to_whitelist
> End
> internal_search_find: file="/etc/exim/access/mailservers"
> type=lsearch key=""
> spamcheck_director director called for erica@???
> queued for spamcheck transport: local_part=erica domain=marinar.com
> errors_to=NULL
> domain_data=NULL local_part_data=NULL
> spamcheck_director director succeeded for erica
> search_tidyup called
> erica@???
> deliver to erica in domain marinar.com
> director = spamcheck_director, transport = spamcheck
Here is the contents of the spamcheck transport:
> spamcheck:
> driver = pipe
> command = /usr/sbin/exim -oMr spam-scanned -bS
> transport_filter = /usr/bin/spamc
> bsmtp = all
> home_directory = "/tmp"
> current_directory = "/tmp"
> # must use a privileged user to set $received_protocol on the way
> # back in!
> user = mail
> group = mail
> return_path_add = false
> log_output = true
> envelope_to_add = true
> return_fail_output = true
> prefix =
> suffix =
>
> end
Here is the contents of spamcheck_director:
> spamcheck_director:
>
> no_verify
>
> condition = "${if and { \
> {!def:h_X-Spam-Flag:} \
> {!eq {$received_protocol}{spam-scanned}} \
> {!eq {$received_protocol}{local}} \
> {!eq {${lookup {$local_part@$domain} lsearch*@ \
> {/etc/exim/sa_to_whitelist}{1}{0}}}{1} \
> } \
> {!eq {${lookup {$sender_address} lsearch*@ \
> {/etc/exim/sa_from_domains_whitelist}{1}{0}}}{1}\ } \
> {!eq {${lookup {$sender_host_address} lsearch \
> {/etc/exim/sa_from_hosts_whitelist}{1}{0}}}{1} \
> } \
> {!eq {${lookup {$sender_host_address} lsearch \
> {/etc/exim/access/mailservers}{1}{0}}}{1} \
> } \
> } {1}{0} }"
>
> driver = smartuser
> transport = spamcheck
thanks for any input,
hank
