[exim] Outlook confuses EXIM + SA

Author: Peter Velan
Date:  
To: Exim Users Mailing List
Subject: [exim] Outlook confuses EXIM + SA
Hi,

Our exim 4.50 is confused by a mail coming in from an authenticated
client. It's autogenerated by business software which uses Outlook as a
frontend.

I thought my exim configuration inhibits handover to SA for messages
coming from authenticated users. But this big mail doesn't accept my
rules and is scanned by SA. Worse, the client that sent this odd stuff
yesterday has now bombarded exim with ten identical mails (14 MB in size)
and every one is scanned by SA! I had to block the user completely.

What puzzles me: Why is this kind of mail scanned by SA? Where is
my configuration error?

Thanks for any helpful advice
Peter

-------------------- details --------------------

Relevant (I hope so) parts of my config:

----8<----
> acl_smtp_rcpt = acl_check_rcpt
> acl_smtp_data = acl_check_content
> spamd_address = 127.0.0.1 783
>
> begin acl
>
> acl_check_rcpt:
>
>   warn
>     set acl_c9 = sa-eval-yes
>
>   accept
>     hosts = :
>     set acl_c9 = sa-eval-no
>   accept
>     local_parts = abuse:postmaster
>     domains = +local_domains
>     set acl_c9 = sa-eval-no
>   accept
>     authenticated = *
>     set acl_c9 = sa-eval-no
>   accept
>     domains = +local_domains
>     endpass
>     verify = recipient
>   deny
>     message = no relay
>
> acl_check_content:
>
>   # throw it to SA, but only if flag acl_c9 says yes
>   # spam is evaluated later in appr. router
>
>   warn
>     message = X-Spam-Score: $spam_score ($spam_bar)
>     spam = vmail:true
>     condition = ${if eq {$acl_c9}{sa-eval-yes} {yes}{no} }
>
>   # finally accept all the rest
>
>   accept

---->8----


Mail with header (size approx. 11 MB):

----8<----
> Received: from [217.2.120.33] (helo=eschwege)
>      by vaubox.mydomain.tld with esmtpa (Exim 4.50)
>      id 1DGcDz-00067r-A0
>      for oktarget@???; Wed, 30 Mar 2005 14:41:55 +0200
> From: "oksource" <oksource@???>
> To: <oktarget@???>
> Subject: Fax Gemm
> Date: Wed, 30 Mar 2005 14:23:27 +0200
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> Thread-Index: AcU1IkPfBseWvOIpTf2ETmIrbqkYrA==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441

>
> ...
>
> begin 666 Fax DAK Gemm.pdf
> M)5!$1BTQ+C0-)>+CS],-"CD@,"!O8FH-/#P@#2],:6YE87)I>F5D(#$@#2]/
> ..............
> M92 Y#2])1%L\.6$Y-F$S930X8S4R,#4Q-F4R8C0V.#1F-&(P.3$U-F,^/#5F
> M,F5C9&8S.#,R96,W8C9D,F1C.64P.6,S8C<X8C<Y/ET-/CX-<W1A<G1X<F5F
> +#3$W,PTE)45/1@T`
> `
> end

---->8----

Though I configured exim/SA not to throw mails from an authenticated
client to SA, the message is scanned by SA:

----8<----
> Mar 30 14:37:15 vaubox spamd[10810]: connection from localhost [127.0.0.1] at port 37205
> Mar 30 14:37:15 vaubox spamd[10810]: info: setuid to vmail succeeded
> Mar 30 14:37:17 vaubox spamd[10810]: checking message (unknown) for vmail:99.
> Mar 30 14:41:54 vaubox spamd[10810]: identified spam (6.5/5.0) for vmail:99 in 279.5 seconds, 11491028 bytes.
> Mar 30 14:41:54 vaubox spamd[10810]: result: Y 6 - AWL,DISGUISE_PORN,DRUGS_MUSCLE, ... scantime=279.5,size=11491028,mid=(unknown),autolearn=disabled

---->8----

SA chews 280 seconds on this monster and gives 6.5 points - message is
placed via spam-router/spam-transport into quarantine-folder:

----8<----
> 2005-03-30 14:41:55 +0200 1DGcDz-00067r-A0 <= oksource@??? H=(eschwege) [217.2.120.33] P=esmtpa A=fixed_login:oksource@??? S=11491028 from <oksource@???> for oktarget@???
> 2005-03-30 14:41:56 +0200 1DGcDz-00067r-A0 => oktarget <oktarget@???> F=<oksource@???> P=<oksource@???> R=rr_spam T=tt_spam S=11491155 DT=1s
> 2005-03-30 14:41:56 +0200 1DGcDz-00067r-A0 Completed QT=18m49s

---->8----
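
An added illustration, not part of the original post: Exim evaluates the conditions of an ACL statement in the order they are written, so in the posted `acl_check_content` the `spam` condition hands the message to spamd before the `acl_c9` test is reached. The reordered statement below tests the flag first; the size test and its 500k limit are assumptions added for the example, not values from the post.

```exim
# Added example, not the poster's configuration.

acl_check_content:

  # As posted: "spam" comes first, so spamd is contacted for every
  # message. The acl_c9 test that follows only decides whether the
  # X-Spam-Score header is added, not whether the scan happens.
  #
  #   warn
  #     message   = X-Spam-Score: $spam_score ($spam_bar)
  #     spam      = vmail:true
  #     condition = ${if eq {$acl_c9}{sa-eval-yes} {yes}{no} }

  # Reordered: cheap tests first. If either condition fails, the
  # statement is abandoned and "spam" is never evaluated, so spamd
  # is not called and $spam_score stays unset for the later router.
  warn
    message   = X-Spam-Score: $spam_score ($spam_bar)
    condition = ${if eq {$acl_c9}{sa-eval-yes} {yes}{no} }
    # Assumption: skip scanning above a size limit (500k is a
    # constructed value) so one huge message cannot tie up spamd.
    condition = ${if < {$message_size}{500k} {yes}{no} }
    spam      = vmail:true

  # finally accept all the rest
  accept
```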