Hello,
I run an exim4 mailserver on a Debian 8 system.
I use a .forward file for mail filtering, in particular I use spamassassin for filtering SPAM:
I added a header line
  warn condition = ${if < {$message_size}{130K}}
       spam = Debian-exim:true
       add_header = X-Spam-Score: $spam_score ($spam_bar)
       add_header = X-Spam-Report: $spam_report
e.g.
X-Spam-Score: 9.5 (+++++++++)
X-Spam-Report: Spam detection software, running on the system
"netcup.bokomoko.de", has identified this incoming email as possible spam. The
original message has been attached to this so you can view it or label similar future
email. If you have any questions, see the administrator of that system for details.
Content preview: It looks absolutely amazing here! We Have a New Pick Coming Soon.
It is now: .25 Company: Envoy Group Corp Trading Date: Dec, 11th Target Price: .80
Sym: E N V_V It Headed for Exponential Growth! Time To Get Back On Track In A Huge
Way! [...]
Content analysis details: (9.5 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.3 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 0.9 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [190.141.172.75 listed in zen.spamhaus.org]
 0.1 MISSING_MID            Missing Message-Id: header
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 1.4 MISSING_DATE           Missing Date: header
 1.0 FSL_HELO_BARE_IP_2     No description available.
Then my .forward file starts with
if error_message then finish endif
if $h_X-Spam-Score: CONTAINS "++++++" then save Maildir/.SPAM/
finish
elif $h_from: contains
The message with the header lines above did not make it into the SPAM directory,
instead the mainlog shows that it is stored in my standard inbox:
2015-12-11 17:32:05 1a7Qbz-0002FV-RR <= <> H=(190.141.172.75) [190.141.172.75] P=smtp S=2022
2015-12-11 17:32:05 1a7Qbz-0002FV-RR => rd <metzingen@???> R=local_user T=maildir_home
What makes the issue even more weird is that it seems only one email address of a
user on that system is affected. I.e. the user has many email aliases via /etc/aliases
and one of them shows the broken behavior.
I do not expect that there is any expert out there who could explain right away what is
going wrong, but does anybody know how to debug such an issue? Can I log which
.forward rule did apply?
Thanks
Rainer
--
Rainer Dorsch
http://bokomoko.de/
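
Added example, not part of the original post: in an Exim mainlog, "<= <>" marks an empty envelope sender, which is the condition the filter's error_message test checks, so this sketch pairs arrival and delivery lines by message id and reports which of the two filter rules shown above would be reached first. It assumes each log entry sits on one line; the second message and the helper names are constructed for illustration.

```python
import re

# Constructed sample: the first two entries are the mainlog lines from the
# post (unwrapped); the second message is made up for contrast.
SAMPLE_LOG = """\
2015-12-11 17:32:05 1a7Qbz-0002FV-RR <= <> H=(190.141.172.75) [190.141.172.75] P=smtp S=2022
2015-12-11 17:32:05 1a7Qbz-0002FV-RR => rd <metzingen@???> R=local_user T=maildir_home
2015-12-11 17:40:00 1a7Qxx-0000AB-CD <= sender@example.org H=mx.example.org [192.0.2.10] P=esmtp S=1500
2015-12-11 17:40:00 1a7Qxx-0000AB-CD => /home/rd/Maildir/.SPAM/ <rd@example.net> R=userforward T=address_directory
"""

LINE = re.compile(r"^\S+ \S+ (?P<id>\w{6}-\w{6}-\w{2}) (?P<dir><=|=>) (?P<rest>.*)$")


def first_rule_reached(sender, spam_score_header):
    """Model the first two rules of the .forward filter, in file order."""
    if sender in ("", "<>"):
        # error_message is true for an empty envelope sender (a bounce)
        return "error_message: finish"
    if "++++++" in spam_score_header:
        return "save Maildir/.SPAM/"
    return "later rules"


def trace_deliveries(log_text):
    """Pair each '=>' delivery with the envelope sender of its '<=' arrival."""
    senders, report = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["dir"] == "<=":
            senders[m["id"]] = m["rest"].split()[0]
            continue
        router = re.search(r"\bR=(\S+)", m["rest"])
        transport = re.search(r"\bT=(\S+)", m["rest"])
        report.append({
            "id": m["id"],
            "sender": senders.get(m["id"], "?"),
            "router": router.group(1) if router else None,
            "transport": transport.group(1) if transport else None,
        })
    return report


if __name__ == "__main__":
    for d in trace_deliveries(SAMPLE_LOG):
        rule = first_rule_reached(d["sender"], "9.5 (+++++++++)")
        print(d["id"], d["sender"], d["router"], d["transport"], "->", rule)
```

Exim's filter test mode (exim -bf) runs a filter file against a saved message and prints the actions it would take.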