Hi

I use log-watch to summarize my postfix and amavis log on a daily basis.  The 
amavis one is never an issue but the postfix one occasionally triggers 
spamassassin and so amavis flags it (never high enough to outright discard it).

For example, this morning..

May 18 06:26:05 mail postfix/qmgr[16337]: 444BDDC6001: from=<[email protected]>, 
size=17897, nrcpt=1 (queue active)
May 18 06:26:05 mail amavisd-new[5033]: (05033-04) ESMTP::10024 
/var/lib/amavis/tmp/amavis-20120518T012220-05033: <[email protected]> -> 
<[email protected]> SIZE=17897 Received: from mail.example.net 
([127.0.0.1]) by amavisd.example.net (mail.example.net [127.0.0.1]) 
(amavisd-new, port 10024) with ESMTP for <[email protected]>; Fri, 18 May 
2012 06:26:05 +0000 (UTC)
May 18 06:26:05 mail amavisd-new[5033]: (05033-04) Checking: 0aob5T07+RH8 
<[email protected]> -> <[email protected]>
May 18 06:26:05 mail amavisd-new[5033]: (05033-04) p001 1 Content-Type: 
text/plain, size: 17194 B, name:
May 18 06:26:08 mail postfix/pickup[9282]: D6EA2C8C038: uid=0 from=<root>
May 18 06:26:08 mail postfix/cleanup[9678]: D6EA2C8C038: 
message-id=<[email protected]>
May 18 06:26:08 mail postfix/qmgr[16337]: D6EA2C8C038: from=<[email protected]>, 
size=37201, nrcpt=1 (queue active)
May 18 06:26:08 mail amavisd-new[5072]: (05072-04) ESMTP::10024 
/var/lib/amavis/tmp/amavis-20120518T041218-05072: <[email protected]> -> 
<[email protected]> SIZE=37201 Received: from mail.example.net 
([127.0.0.1]) by amavisd.example.net (mail.example.net [127.0.0.1]) 
(amavisd-new, port 10024) with 
ESMTP for <[email protected]>; Fri, 18 May 2012 06:26:08 +0000 (UTC)
May 18 06:26:09 mail amavisd-new[5072]: (05072-04) Checking: G0r86MIrPdKg 
<[email protected]> -> <[email protected]>
May 18 06:26:09 mail amavisd-new[5072]: (05072-04) p001 1 Content-Type: 
text/plain, size: 36093 B, name:
May 18 06:26:10 mail amavisd-new[5033]: (05033-04) SPAM-TAG, <[email protected]> 
-> <[email protected]>, Yes, score=5.365 tagged_above=-9999 required=4 
tests=[BAYES_00=-1.9, DRUGS_ERECTILE=1.994, NORMAL_HTTP_TO_IP=0.001, 
NO_RELAYS=-0.001, SPOOF_COM2COM=2.048, SPOOF_COM2OTH=2.723, URI_NOVOWEL=0.5] 
autolearn=no

Now, I see nothing in the mail about erectile drugs, so I'm confused why that 
one is there.  Also the spoofing seems strange.

Both mails are injected with:
cat postfix.logwatch | /usr/sbin/sendmail -t  [email protected]

So, if that were responsible for the spoofing, I'd expect to see it on both.

The spam-tag for the amavis mail for example is:
May 18 06:26:12 mail amavisd-new[5072]: (05072-04) SPAM-TAG, <[email protected]> 
-> <[email protected]>, No, score=-0.777 tagged_above=-9999 required=4 
tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001, NORMAL_HTTP_TO_IP=0.001, 
NO_RELAYS=-0.001, URI_HEX=1.122] autolearn=no

Why is my very boring log-file analysis triggering SA tests for drugs and 
spoofing? :)

Thanks.

Simon





