Mailing List Archive: SpamAssassin: users

Mail not scanned

Index | Next | Previous | View Threaded

lars.ebeling at leopg9

Oct 21, 2009, 8:40 AM

Post #1 of 9 (544 views)
Permalink

Mail not scanned

Why aren't mail from "United Parcel Service" scanned?

The last 24 hours have i got about 20 of them and none scanned.

--
Regards
Lars Ebeling

http://leopg9.no-ip.org
Hobbithobbyist

"I am not young enough to know everything."
-- Oscar Wilde

KPARRIS at ed

Oct 21, 2009, 8:46 AM

Post #2 of 9 (516 views)
Permalink

Re: Mail not scanned [In reply to]

In this situation I believe Spock would say "Insufficient Data" . . .

What o/s are you running? What is your mail handling software? How does that mail handling software interface to SpamAssassin? Are you sure the items were not scanned, or are you simply bothered that they were not marked as spam by the scan? Have you placed a complete sample with all headers on pastebin and given us the link to that so we can evaluate the message?

>>> "Lars Ebeling" <lars.ebeling [at] leopg9> 10/21/09 11:40 AM >>>
Why aren't mail from "United Parcel Service" scanned?

The last 24 hours have i got about 20 of them and none scanned.

--
Regards
Lars Ebeling

http://leopg9.no-ip.org
Hobbithobbyist

"I am not young enough to know everything."
-- Oscar Wilde

Ralf.Hildebrandt at charite

Oct 21, 2009, 8:59 AM

Post #3 of 9 (515 views)
Permalink

Re: Mail not scanned [In reply to]

* Lars Ebeling <lars.ebeling [at] leopg9>:
> Why aren't mail from "United Parcel Service" scanned?

What makes you think so?

> The last 24 hours have i got about 20 of them and none scanned.

Maybe they got scanned and just went through.
Scanned for what, anyway?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt [at] charite | http://www.charite.de

Dan.McDonald at austinenergy

Oct 21, 2009, 9:07 AM

Post #4 of 9 (507 views)
Permalink

Re: Mail not scanned [In reply to]

On Wed, 2009-10-21 at 17:40 +0200, Lars Ebeling wrote:
> Why aren't mail from "United Parcel Service" scanned?
>
> The last 24 hours have i got about 20 of them and none scanned.
>
>

check the size of the messages, see if the embedded images make it
larger than your cutoff...

But a pastebin example would be helpful in any case, plus your
environment. Don't you run HPUX or something like that?

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com

Attachments:

signature.asc (0.19 KB)

lars.ebeling at leopg9

Oct 21, 2009, 9:59 AM

Post #5 of 9 (508 views)
Permalink

Re: Mail not scanned [In reply to]

I am running SA 3.2.5 on HP-UX 11.11. I am using postfix as MTA.

http://pastebin.com/m612529a7

The interface is configured in master.cf

Regards

Lars

----- Original Message -----
From: "Kevin Parris" <KPARRIS [at] ed>
To: <users [at] spamassassin>
Sent: Wednesday, October 21, 2009 5:46 PM
Subject: Re: Mail not scanned

In this situation I believe Spock would say "Insufficient Data" . . .

What o/s are you running? What is your mail handling software? How does
that mail handling software interface to SpamAssassin? Are you sure the
items were not scanned, or are you simply bothered that they were not marked
as spam by the scan? Have you placed a complete sample with all headers on
pastebin and given us the link to that so we can evaluate the message?

>>> "Lars Ebeling" <lars.ebeling [at] leopg9> 10/21/09 11:40 AM >>>
Why aren't mail from "United Parcel Service" scanned?

The last 24 hours have i got about 20 of them and none scanned.

--
Regards
Lars Ebeling

http://leopg9.no-ip.org
Hobbithobbyist

"I am not young enough to know everything."
-- Oscar Wilde

lars.ebeling at leopg9

Oct 21, 2009, 10:16 AM

Post #6 of 9 (511 views)
Permalink

Re: Mail not scanned [In reply to]

From: "Ralf Hildebrandt" <Ralf.Hildebrandt [at] charite>
To: <users [at] spamassassin>
Sent: Wednesday, October 21, 2009 5:59 PM
Subject: Re: Mail not scanned

>* Lars Ebeling <lars.ebeling [at] leopg9>:
>> Why aren't mail from "United Parcel Service" scanned?
>
> What makes you think so?
Since I don't get any :

X-Spam-Virus: No
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on leopg9.no-ip.org
X-Spam-Level:
X-Spam-Status: No, score=-5.6

In the headers

>
>> The last 24 hours have i got about 20 of them and none scanned.
>
> Maybe they got scanned and just went through.
> Scanned for what, anyway?
>
> --
> Ralf Hildebrandt
> Geschäftsbereich IT | Abteilung Netzwerk
> Charité - Universitätsmedizin Berlin
> Campus Benjamin Franklin
> Hindenburgdamm 30 | D-12203 Berlin
> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
> ralf.hildebrandt [at] charite | http://www.charite.de
>
>

jarif at iki

Oct 21, 2009, 11:12 AM

Post #7 of 9 (504 views)
Permalink

Re: Mail not scanned [In reply to]

21.10.2009 18:40, Lars Ebeling kirjoitti:
> Why aren't mail from "United Parcel Service" scanned?
>
> The last 24 hours have i got about 20 of them and none scanned.
>
>

Those are not scanned in *my* system just because they are scanned by
amavisd-new before they will be scanned by SA. As they contain malware,
amavisd quarantines them, and they never get examined by SA.

It all depends on your setup.

--
http://www.iki.fi/jarif/

Q: Minnesotans ask, "Why aren't there more pharmacists from Alabama?"
A: Easy. It's because they can't figure out how to get the little
bottles into the typewriter.

Attachments:

signature.asc (0.25 KB)

dan.mcdonald at austinenergy

Oct 21, 2009, 12:21 PM

Post #8 of 9 (502 views)
Permalink

Re: Mail not scanned [In reply to]

On Wed, 2009-10-21 at 18:59 +0200, Lars Ebeling wrote:
> I am running SA 3.2.5 on HP-UX 11.11. I am using postfix as MTA.
>
> http://pastebin.com/m612529a7
>
> The interface is configured in master.cf

It's 42K, so check that you don't have a size limit.

When I scan it I get:

X-Spam-Report:
* 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?75.209.5.48>]
* 0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
* [75.209.5.48 listed in zen.spamhaus.org]
* 2.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* 2.0 RCVD_IN_BRBL_RELAY RBL: received via a relay rated as poor by
* Barracuda
* [75.209.5.48 listed in b.barracudacentral.org]
* 4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
* IP)
* 3.7 FH_HELO_ALMOST_IP Helo is almost an IP addr.
* 0.0 RELAY_US Relayed through United States
* 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 1.3 RAZOR2_CF_RANGE_E4_100 Razor2 gives engine 4 confidence level of
* 100%
* [cf: 100]
* 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
* above 50%
* [cf: 100]
* 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
* [cf: 100]
* 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
* dynamic-looking rDNS
* 1.5 JM_SOUGHT_3 Body contains frequently-spammed text patterns
* 0.5 BOTNET_OTHER BOTNET_OTHER

And it also is caught by clamav:
$ clamscan lars.vir
lars.vir: Sanesecurity.Malware.8825.UNOFFICIAL FOUND

>
>
> Regards
>
> Lars
>
> ----- Original Message -----
> From: "Kevin Parris" <KPARRIS [at] ed>
> To: <users [at] spamassassin>
> Sent: Wednesday, October 21, 2009 5:46 PM
> Subject: Re: Mail not scanned
>
>
> In this situation I believe Spock would say "Insufficient Data" . . .
>
> What o/s are you running? What is your mail handling software? How does
> that mail handling software interface to SpamAssassin? Are you sure the
> items were not scanned, or are you simply bothered that they were not marked
> as spam by the scan? Have you placed a complete sample with all headers on
> pastebin and given us the link to that so we can evaluate the message?
>
> >>> "Lars Ebeling" <lars.ebeling [at] leopg9> 10/21/09 11:40 AM >>>
> Why aren't mail from "United Parcel Service" scanned?
>
> The last 24 hours have i got about 20 of them and none scanned.
>
>

lars.ebeling at leopg9

Oct 21, 2009, 12:32 PM

Post #9 of 9 (499 views)
Permalink

Re: Mail not scanned [In reply to]

----- Original Message -----
From: "Daniel J McDonald" <dan.mcdonald [at] austinenergy>
To: <users [at] spamassassin>
Sent: Wednesday, October 21, 2009 9:21 PM
Subject: Re: Mail not scanned

> On Wed, 2009-10-21 at 18:59 +0200, Lars Ebeling wrote:
>> I am running SA 3.2.5 on HP-UX 11.11. I am using postfix as MTA.
>>
>> http://pastebin.com/m612529a7
>>
>> The interface is configured in master.cf
>
>
> It's 42K, so check that you don't have a size limit.
>
where is this configured?

regards
Lars

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads