One of my users just received some spam that made it past amavisd/SpamAssassin. The message was your average text-formatted "mortgage" spam.
This message has been blocked by amavisd/SpamAssassin in the past, so I did some checking and found the envelope sender on this message was different. The envelope sender's address contains a space; the original message has an envelope sender of:

MAIL FROM: <"[EMAIL PROTECTED] ">

When this message passes through my setup, the amavisd log shows that the sender is white-listed. I have checked my white-list file and also deleted the /var/amavisd/.spamassassin/auto-whitelist.db file and the message is always passed with the same result. If I remove the space from the envelope sender making it:

MAIL FROM: <"[EMAIL PROTECTED]">

then amavisd/SpamAssassin correctly identifies and quarantines the message. I would appreciate any ideas on how to fix this.

I am running the following software versions:

OpenBSD 3.6
Postfix 2.10
amavisd-new-2.2.0 (20041102)
Spamassassin 3.0.1

Here are the relevant log entries:

---------------- Begin Original Message --------------------
Feb 7 16:13:00 mta1 postfix/smtpd[3729]: connect from localhost[127.0.0.1]
Feb 7 16:13:00 mta1 postfix/smtpd[3729]: NOQUEUE: client=localhost[127.0.0.1]
Feb 7 16:13:00 mta1 amavis[32152]: (32152-02) ESMTP::10024 /var/amavisd/tmp/amavis-20060207T160942-32152: <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]> Received: BODY=8BITMIME from mta1.markmansdiamonds.com ([127.0.0.1]) by localhost (mta1.markmansdiamonds.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 32152-02 for <[EMAIL PROTECTED]>; Tue, 7 Feb 2006 16:13:00 -0500 (EST)
Feb 7 16:13:00 mta1 amavis[32152]: (32152-02) Checking: [127.0.0.1] <"[EMAIL PROTECTED] "> -> <[EMAIL PROTECTED]>
Feb 7 16:13:00 mta1 amavis[32152]: (32152-02) p001 1 Content-Type: text/html, size: 622 B, name:
Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) wbl: whitelisted sender <[EMAIL PROTECTED] >
Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) SPAM-TAG, <"[EMAIL PROTECTED] "> -> <[EMAIL PROTECTED]>, No, hits=x tagged_above=-50 required=3.75 WHITELISTED
Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) FWD via SMTP: [127.0.0.1]:10025 <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]>
Feb 7 16:13:01 mta1 postfix/smtpd[19530]: connect from localhost[127.0.0.1]
Feb 7 16:13:01 mta1 postfix/smtpd[19530]: 1E0EE91EF1: client=localhost[127.0.0.1]
Feb 7 16:13:01 mta1 postfix/cleanup[30349]: 1E0EE91EF1: message-id=<[EMAIL PROTECTED]>
Feb 7 16:13:01 mta1 postfix/qmgr[3198]: 1E0EE91EF1: from=<[EMAIL PROTECTED]>, size=2460, nrcpt=1 (queue active)
Feb 7 16:13:01 mta1 postfix/smtpd[19530]: disconnect from localhost[127.0.0.1]
Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) Passed, <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: -
Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) Passed CLEAN, <[EMAIL PROTECTED] > -> <[EMAIL PROTECTED]>, Hits: -, tag=-50, tag2=3.75, kill=3.75, L/Y/0/0
Feb 7 16:13:01 mta1 amavis[32152]: (32152-02) TIMING [total 471 ms] - SMTP EHLO: 6 (1%), SMTP pre-MAIL: 2 (0%), SMTP pre-DATA-flush: 10 (2%), SMTP DATA: 1 (0%), body_hash: 1 (0%), mime_decode: 41 (9%), get-file-type1: 31 (7%), decompose_part: 3 (1%), parts_decode: 0 (0%), AV-scan-1: 18 (4%), spam-wb-list: 5 (1%), update_cache: 1 (0%), fwd-connect: 50 (11%), fwd-xforward: 1 (0%), fwd-mail-from: 4 (1%), fwd-rcpt-to: 46 (10%), write-header: 9 (2%), fwd-data: 1 (0%), fwd-data-end: 195 (41%), fwd-rundown: 5 (1%), main_log_entry: 30 (6%), update_snmp: 0 (0%), unlink-1-files: 7 (1%), rundown: 1 (0%)
Feb 7 16:13:01 mta1 postfix/cleanup[30349]: 61B4B91EF2: message-id=<[EMAIL PROTECTED]>
---------------- End Original Message --------------------

---------------- Begin Modified Message --------------------
Feb 7 16:14:45 mta1 postfix/smtpd[32575]: connect from localhost[127.0.0.1]
Feb 7 16:14:45 mta1 postfix/smtpd[32575]: NOQUEUE: client=localhost[127.0.0.1]
Feb 7 16:14:45 mta1 amavis[928]: (00928-02) ESMTP::10024 /var/amavisd/tmp/amavis-20060207T160948-00928: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]> Received: BODY=8BITMIME from mta1.markmansdiamonds.com ([127.0.0.1]) by localhost (mta1.markmansdiamonds.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00928-02 for <[EMAIL PROTECTED]>; Tue, 7 Feb 2006 16:14:45 -0500 (EST)
Feb 7 16:14:45 mta1 amavis[928]: (00928-02) Checking: [127.0.0.1] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Feb 7 16:14:45 mta1 amavis[928]: (00928-02) p001 1 Content-Type: text/html, size: 622 B, name:
Feb 7 16:14:48 mta1 amavis[928]: (00928-02) SEND via BSMTP: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, file /var/amavisd/quarantine/spam-f5d923c4438a27b7f9569b1853564b55-20060207-161445-00928-02.bsmtp
Feb 7 16:14:48 mta1 amavis[928]: (00928-02) SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, hits=10.566 tag=-50 tag2=3.75 kill=3.75 tests=BAYES_99, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY, NO_OBLIGATION, RCVD_IN_XBL, quarantine /var/amavisd/quarantine/spam-f5d923c4438a27b7f9569b1853564b55-20060207-161445-00928-02.bsmtp ([EMAIL PROTECTED])
Feb 7 16:14:48 mta1 amavis[928]: (00928-02) Not-Delivered, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine /var/amavisd/quarantine/spam-f5d923c4438a27b7f9569b1853564b55-20060207-161445-00928-02.bsmtp, Message-ID: <[EMAIL PROTECTED]>, Hits: 10.566
Feb 7 16:14:48 mta1 amavis[928]: (00928-02) Blocked SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Hits: 10.566, tag=-50, tag2=3.75, kill=3.75, L/Y/Y/Y
Feb 7 16:14:48 mta1 amavis[928]: (00928-02) TIMING [total 3136 ms] - SMTP EHLO: 6 (0%), SMTP pre-MAIL: 2 (0%), SMTP pre-DATA-flush: 10 (0%), SMTP DATA: 1 (0%), body_hash: 1 (0%), mime_decode: 44 (1%), get-file-type1: 30 (1%), decompose_part: 3 (0%), parts_decode: 0 (0%), AV-scan-1: 19 (1%), spam-wb-list: 4 (0%), SA msg read: 1 (0%), SA parse: 6 (0%), SA check: 2958 (94%), update_cache: 3 (0%), write-header: 16 (0%), fwd-bsmtp: 3 (0%), post-do_spam: 3 (0%), main_log_entry: 23 (1%), update_snmp: 0 (0%), unlink-1-files: 3 (0%), rundown: 1 (0%)
Feb 7 16:14:48 mta1 postfix/smtpd[32575]: disconnect from localhost[127.0.0.1]
---------------- End Modified Message --------------------

Thank You

Les Ault
Systems Administrator
Markman's Diamonds and Fine Jewelry
[EMAIL PROTECTED]
P: 865-558-8429 x3104
F: 865-584-2919
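An added example, not part of the original post: a log check for the symptom described above, reporting amavisd sessions in which a sender was whitelisted while the envelope address contained whitespace or a double quote, together with the final verdict. The sample lines are constructed (hostname, ids and addresses are made up) and only modeled on the log format quoted in the post.

```python
import re

# Constructed sample, modeled on the amavisd-new log format quoted in the post.
# Hostname, process ids, amavis ids and addresses are made up.
SAMPLE_LOG = """\
Feb  7 16:13:01 mx1 amavis[1001]: (01001-02) wbl: whitelisted sender <bulk@example.net >
Feb  7 16:13:01 mx1 amavis[1001]: (01001-02) Passed CLEAN, <bulk@example.net > -> <user@example.com>, Hits: -, tag=-50, tag2=3.75, kill=3.75, L/Y/0/0
Feb  7 16:14:48 mx1 amavis[1002]: (01002-02) Blocked SPAM, <bulk@example.net> -> <user@example.com>, Hits: 10.566, tag=-50, tag2=3.75, kill=3.75, L/Y/Y/Y
Feb  7 16:20:10 mx1 amavis[1002]: (01002-03) wbl: whitelisted sender <partner@example.org>
Feb  7 16:20:10 mx1 amavis[1002]: (01002-03) Passed CLEAN, <partner@example.org> -> <user@example.com>, Hits: -, tag=-50, tag2=3.75, kill=3.75, L/Y/0/0
"""

ENTRY = re.compile(r"amavis\[\d+\]: \((?P<id>[\d-]+)\) (?P<msg>.*)$")
WBL = re.compile(r"wbl: whitelisted sender <(?P<sender>[^>]*)>")
VERDICT = re.compile(r"(?P<verdict>(?:Passed|Blocked) [A-Z-]+),")
ODD_CHARS = re.compile(r'[\s"]')  # whitespace or quoting inside the address


def suspicious_whitelist_hits(log_text):
    """Return (amavis_id, sender, verdict) for each whitelisted sender whose
    envelope address contains whitespace or a double quote."""
    sessions = {}  # amavis id -> {"sender": ..., "verdict": ...}
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # not an amavis line (e.g. postfix)
        info = sessions.setdefault(entry["id"], {})
        msg = entry["msg"]
        wbl = WBL.match(msg)
        if wbl:
            info["sender"] = wbl["sender"]
        verdict = VERDICT.match(msg)
        if verdict:
            info["verdict"] = verdict["verdict"]
    return [
        (amavis_id, info["sender"], info.get("verdict", "unknown"))
        for amavis_id, info in sessions.items()
        if "sender" in info and ODD_CHARS.search(info["sender"])
    ]


if __name__ == "__main__":
    for amavis_id, sender, verdict in suspicious_whitelist_hits(SAMPLE_LOG):
        print(f"{amavis_id}: whitelisted sender {sender!r} -> {verdict}")
```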
