It appears the culprit is the auto whitelist (AWL):

Feb 19 01:37:04 linux postfix/smtpd[567]: connect from anna.int.kiev.ua[194.242.60.75]
Feb 19 01:37:05 linux postfix/smtpd[567]: 516D1404B4: client=anna.int.kiev.ua[194.242.60.75]
Feb 19 01:37:06 linux postfix/cleanup[667]: 516D1404B4: message-id=<[EMAIL PROTECTED]>
Feb 19 01:37:06 linux postfix/qmgr[32311]: 516D1404B4: from=<[EMAIL PROTECTED]>, size=6724, nrcpt=1 (queue active)
Feb 19 01:37:06 linux amavis[32325]: (32325-08) process_request: fileno sock=12, STDIN=0, STDOUT=1
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ESMTP::10024 /var/spool/amavis/tmp/amavis-20080219T010829-32325: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]> SIZE=6724 Received: from linux.shaker-net.com ([127.0.0.1]) by localhost (linux.shaker-net.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[EMAIL PROTECTED]>; Tue, 19 Feb 2008 01:37:06 -0800 (PST)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) body hash: 521b19d4698d37a4f109534fb83cbcf3
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Checking: nHrkh2qSatmQ <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Feb 19 01:37:06 linux amavis[32325]: (32325-09) 2822.From: <[EMAIL PROTECTED]>, 2821.Mail_From: <[EMAIL PROTECTED]>
Feb 19 01:37:06 linux amavis[32325]: (32325-09) p001 1 Content-Type: text/html, size: 5950 B, name:
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Checking for banned types and filenames
Feb 19 01:37:06 linux amavis[32325]: (32325-09) collect banned table[0]: [EMAIL PROTECTED], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x8a43c18)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) p.path [EMAIL PROTECTED]: "P=p001,L=1,M=text/html,T=html"
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using ClamAV-clamd: (built-in interface)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using (ClamAV-clamd) on dir: CONTSCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ClamAV-clamd: Connecting to socket /var/lib/clamav/clamd-socket
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ClamAV-clamd: Sending CONTSCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n to UNIX socket /var/lib/clamav/clamd-socket
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ask_av (ClamAV-clamd): /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts CLEAN
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ClamAV-clamd result: clean
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using AVG Anti-Virus: (built-in interface)
Feb 19 01:37:06 linux amavis[32325]: (32325-09) Using (AVG Anti-Virus) on dir: SCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n
Feb 19 01:37:06 linux amavis[32325]: (32325-09) AVG Anti-Virus: Connecting to socket 127.0.0.1:55555
Feb 19 01:37:06 linux amavis[32325]: (32325-09) AVG Anti-Virus: Sending SCAN /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts\n to INET socket 127.0.0.1:55555
Feb 19 01:37:06 linux amavis[32325]: (32325-09) ask_av (AVG Anti-Virus): /var/spool/amavis/tmp/amavis-20080219T010829-32325/parts CLEAN
Feb 19 01:37:06 linux amavis[32325]: (32325-09) AVG Anti-Virus result: clean
Feb 19 01:37:07 linux postfix/smtpd[567]: disconnect from anna.int.kiev.ua[194.242.60.75]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) spam_scan: score=-109.401 autolearn=no tests=[AWL=-135.491,BAYES_80=2,CONTENT_RETURN=2.9,FAKE_MSN=3.9,FREE=1.9,GIF=2.9,HTML_MESSAGE=0.2,MIME_HTML_ONLY=0.9,URIBL_AB_SURBL=1.86,URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501,URIBL_OB_SURBL=1.5,URIBL_SC_SURBL=0.474,URIBL_WS_SURBL=2.9,VIRUS_CLEAN=0.3,WORD_HAS_PIPE=0.9]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) do_notify_and_quar: ccat=Clean (1,0) ("1":Clean, "0":CatchAll) ccat_block=(), q_mth=, qar_mth=
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp creating socket by IO::Socket::INET: 127.0.0.1
Feb 19 01:37:34 linux postfix/smtpd[672]: connect from localhost.shaker-net.com[127.0.0.1]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to greeting: 220 linux.shaker-net.com ESMTP Spamkiller on SuSE Linux 7.3 (i686)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd> EHLO localhost
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to EHLO: 250 linux.shaker-net.com\nPIPELINING\nSIZE 1073741824\nETRN\n8BITMIME
Feb 19 01:37:34 linux amavis[32325]: (32325-09) AUTH not needed, user='', MTA offers ''
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd> MAIL FROM:<[EMAIL PROTECTED]>
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd> RCPT TO:<[EMAIL PROTECTED]>
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd> DATA
Feb 19 01:37:34 linux postfix/smtpd[672]: 6E8F1404B6: client=localhost.shaker-net.com[127.0.0.1]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to MAIL (pip): 250 Ok
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to RCPT (pip) (<[EMAIL PROTECTED]>): 250 2.1.0 Ok, id=32325-09, from MTA([127.0.0.1]:10025): 250 Ok
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp cmd> QUIT
Feb 19 01:37:34 linux postfix/cleanup[667]: 6E8F1404B6: message-id=<[EMAIL PROTECTED]>
Feb 19 01:37:34 linux postfix/smtpd[672]: disconnect from localhost.shaker-net.com[127.0.0.1]
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to data-dot (<[EMAIL PROTECTED]>): 250 Ok: queued as 6E8F1404B6
Feb 19 01:37:34 linux postfix/qmgr[32311]: 6E8F1404B6: from=<[EMAIL PROTECTED]>, size=7176, nrcpt=1 (queue active)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) smtp resp to QUIT: 221 Bye
Feb 19 01:37:34 linux postfix/local[673]: 6E8F1404B6: to=<[EMAIL PROTECTED]>, relay=local, delay=0, status=sent (delivered to maildir)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) FWD via SMTP: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, 250 2.6.0 Ok, id=32325-09, from MTA([127.0.0.1]:10025): 250 Ok: queued as 6E8F1404B6
Feb 19 01:37:34 linux postfix/qmgr[32311]: 6E8F1404B6: removed
Feb 19 01:37:34 linux amavis[32325]: (32325-09) Passed CLEAN, [194.242.60.75] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: nHrkh2qSatmQ, Hits: -109.401, size: 6709, queued_as: 6E8F1404B6, 28328 ms
Feb 19 01:37:34 linux amavis[32325]: (32325-09) TIMING [total 28367 ms] - SMTP greeting: 2 (0%)0, SMTP EHLO: 1 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP pre-DATA-flush: 2 (0%)0, SMTP DATA: 78 (0%)0, check_init: 1 (0%)0, digest_hdr: 0 (0%)0, digest_body: 0 (0%)0, gen_mail_id: 1 (0%)0, mime_decode: 7 (0%)0, get-file-type1: 18 (0%)0, parts_decode: 0 (0%)0, check_header: 1 (0%)0, AV-scan-1: 53 (0%)1, AV-scan-2: 326 (1%)2, spam-wb-list: 2 (0%)2, SA parse: 3 (0%)2, SA check: 27464 (97%)99, update_cache: 7 (0%)99, decide_mail_destiny: 1 (0%)99, fwd-connect: 26 (0%)99, fwd-mail-pip: 3 (0%)99, fwd-rcpt-pip: 0 (0%)99, fwd-data-chkpnt: 0 (0%)99, write-header: 1 (0%)99, fwd-data-contents: 0 (0%)99, fwd-end-chkpnt: 324 (1%)100, prepare-dsn: 1 (0%)100, main_log_entry: 43 (0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 0 (0%)100, SMTP response: 0 (0%)100, unlink-1-files: 0 (0%)100, rundown: 0 (0%)100
Feb 19 01:37:34 linux postfix/smtp[668]: 516D1404B4: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=29, status=sent (250 Ok: queued as 6E8F1404B6)
Feb 19 01:37:34 linux amavis[32325]: (32325-09) load: 8 %, total idle 1605.757 s, busy 139.642 s
Feb 19 01:37:34 linux postfix/qmgr[32311]: 516D1404B4: removed

Thank you,
Chris Shaker

MrC wrote:
> Christopher J Shaker wrote:
>
>> Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN,
>> [121.27.33.247] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,
>> Message-ID: <[EMAIL PROTECTED]>, mail_id:
>> If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms
>>
>>
>> Looks to me like it is getting a '-300' score from some rule that I
>> can't find. The email comes
>> in forged to look as if I had sent it, from '[EMAIL PROTECTED]'.
>> That email address is *not*
>> in the whitelist in /etc/mail/spamassassin/local.cf
>>
>
> When you run the messages through spamassassin only, amavis-specific
> score adjustments will not occur, so the scores will differ.
>
> Increase amavis' $log_level to 3, and look for the tests and scores in
> the log lines:
>
> ... tests=
>
> See which tests and scores are present.
>
> MrC
>
>
>> When I run the leaking email message through spamassassin manually, it
>> comes up with a score
>> of 58.4, quite different from what amavis-new reported above!
>>
>>
>
>
>> Subject: *****SPAM***** February 73% OFF
>> Date: Mon, 18 Feb 2008 15:07:11 -0800 (PST)
>> Message-Id: <[EMAIL PROTECTED]>
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
>>     linux.shaker-net.com
>> X-Spam-Level: **************************************************
>> X-Spam-Status: Yes, hits=58.4 required=5.0 tests=AWL,BAYES_95,FAKE_MSN,GIF,
>>     HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,OFF,PERCENT,
>>     RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE,UNKNOWN,URIBL_AB_SURBL,
>>     URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
>>     URIBL_WS_SURBL,VIRUS_CLEAN autolearn=unavailable version=3.2.4
>>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
>
>
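
The check described in this thread (read the tests= list that amavis logs and see which test drives the score) can be automated; the following is an added example, not part of the original messages or of amavisd-new. It flags messages that fall below the threshold only because of a negative AWL adjustment; the 5.0 threshold is taken from the X-Spam-Status header quoted above, and the second sample log line is constructed.

```python
import re

# Sample input: the first line is the spam_scan entry quoted in the post above;
# the second is a constructed entry for an ordinary clean message.
SAMPLE_LOG = """\
Feb 19 01:37:34 linux amavis[32325]: (32325-09) spam_scan: score=-109.401 autolearn=no tests=[AWL=-135.491,BAYES_80=2,CONTENT_RETURN=2.9,FAKE_MSN=3.9,FREE=1.9,GIF=2.9,HTML_MESSAGE=0.2,MIME_HTML_ONLY=0.9,URIBL_AB_SURBL=1.86,URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501,URIBL_OB_SURBL=1.5,URIBL_SC_SURBL=0.474,URIBL_WS_SURBL=2.9,VIRUS_CLEAN=0.3,WORD_HAS_PIPE=0.9]
Feb 19 02:10:11 linux amavis[32325]: (32325-10) spam_scan: score=-0.9 autolearn=no tests=[AWL=-1.2,HTML_MESSAGE=0.2,VIRUS_CLEAN=0.3,BAYES_00=-0.2]
"""

SPAM_SCAN = re.compile(r"\((?P<id>[\d-]+)\) spam_scan: score=(?P<score>-?[\d.]+)"
                       r".*?tests=\[(?P<tests>[^\]]*)\]")
REQUIRED = 5.0  # assumption: threshold from the quoted header (required=5.0)


def parse_spam_scan(line):
    """Return (amavis id, logged score, {test: score}) or None for other lines."""
    m = SPAM_SCAN.search(line)
    if not m:
        return None
    tests = {}
    for item in m.group("tests").split(","):
        name, _, value = item.partition("=")
        if name and value:  # skip empty or malformed entries
            tests[name] = float(value)
    return m.group("id"), float(m.group("score")), tests


def awl_masked(log_text, required=REQUIRED):
    """List messages that score below `required` only because of AWL."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_spam_scan(line)
        if parsed is None:
            continue
        msg_id, score, tests = parsed
        without_awl = round(score - tests.get("AWL", 0.0), 3)
        if score < required <= without_awl:
            findings.append((msg_id, score, without_awl))
    return findings


if __name__ == "__main__":
    for msg_id, score, without_awl in awl_masked(SAMPLE_LOG):
        print(f"{msg_id}: logged {score}, {without_awl} without AWL")
```

For the entry from the post, the remaining tests sum to 26.09, well above the threshold, so AWL alone accounts for the "Passed CLEAN" result.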