i hope re-asking is ok - i'm still having trouble figuring this out.
On 2014.07.23 10.52, btb wrote:
certain [but not all] messages detected to be spam are being both quarantined and relayed, and generating a notification message. i'm having trouble understanding/figuring out what particular characteristics result in this outcome, and what setting[s] relate to it.

details:

== notification message ==

Return-Path: [email protected]
Received: from msa.example.com (LHLO msa.example.com) (10.3.70.10) by mda.example.com with LMTP; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Received: from localhost (mfa.example.com [10.3.70.9]) by msa.example.com (Postfix) with ESMTP id 3hJJb84pQBzJnJR for <[email protected]>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Content-Type: multipart/mixed; boundary="----------=_1406124884-4231-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
From: "Content-filter at mfa.example.com" <[email protected]>
Date: Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Subject: Spam FROM [173.227.222.9]:14538 <[email protected]>
To: <[email protected]>
Message-ID: <[email protected]>

This is a multi-part message in MIME format...

------------=_1406124884-4231-0
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Content type: Spam
Internal reference code for the message is 04231-08-2/SeHI_Po1JO9s

First upstream SMTP client IP address: [173.227.222.9] mx9.mailzeen.net
According to a 'Received:' trace, the message apparently originated at: [173.227.222.9], mx9.maileen.net mx9.mailzeen.net [173.227.222.9]

Return-Path: <[email protected]>
From: "Magna Publications" <[email protected]>
Subject: Six reasons to attend The Teaching Professor Technology Conference

The message has been quarantined as: S/spam-SeHI_Po1JO9s.gz

The message WILL BE relayed to:
<[email protected]>

Spam scanner report:

------------=_1406124884-4231-0
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 7bit
Content-Description: Message header section

Return-Path: <[email protected]>
Received: from mx9.maileen.net (mx9.mailzeen.net [173.227.222.9]) by mta1.example.com (Postfix) with ESMTP id 3hJJb83WGszJmxp for <[email protected]>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; d=p.magnapubs.com;s=magnapubs; c=relaxed/relaxed; q=dns/txt; t=1406124885; h=date:to:from:subject:content-transfer-encoding:list-unsubscribe:mime-version:content-type:content-length; bh=s+XgjWNhjyLTXD/LSSDtpYypBYk=; b=qzg0jsWumlBXUoSEYZMfHnVGGIUlDWjl6pNQRWWyKQudbFXgQhczg4HWthw+R+PoRgRnGJXgNwCbK9g2uvVnE30sLk58RViciN7CVzgRBohN/Vb8FgS+jvUygCm9AJkOQv+f2H4mIBdHGAzNQsTB3W/peNrRfJMt2NC159S2usI=
X-MailzeenID: magnapubs,148
X-IPRO:BLK, magnapubs, 857779, 119, 148
Date: Wed, 23 Jul 2014 07:02:02 -0500 (CDT)
To: [email protected]
From: "Magna Publications" <[email protected]>
Subject: Six reasons to attend The Teaching Professor Technology Conference
Importance: Normal
Content-Transfer-Encoding: 8bit
List-Unsubscribe: <http://ww1.magnapubs.com/unsub/119/857779X>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="BoUnDaRyCmagnapubsM148D072314T"

------------=_1406124884-4231-0--

== amavis logs ==

Jul 23 10:14:44 mfa amavis[4231]: (04231-08-2) Passed SPAM {RelayedTaggedInbound,Quarantined}, external [173.227.222.9]:14538 [173.227.222.9] <[email protected]> -> <[email protected]>, quarantine: S/spam-SeHI_Po1JO9s.gz, Queue-ID: 3hJJb83WGszJmxp, mail_id: SeHI_Po1JO9s, Hits: -, size: 9196, queued_as: 250 2.1.5 Delivery OK, 187 ms

== headers from the actual message ==

Return-Path: [email protected]
Received: from mfa.example.com (LHLO localhost) (10.3.70.9) by mda.example.com with LMTP; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
X-Quarantine-ID: <SeHI_Po1JO9s>
X-Virus-Scanned: amavisd-new at example.com
X-Spam-Flag: YES
X-Spam-Score: 64
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=x required=5 BLACKLISTED tests=[] autolearn=unavailable
Authentication-Results: mfa.example.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=p.magnapubs.com
Received: from mta1.example.com ([10.3.70.5]) by localhost (mfa.example.com [10.3.70.9]) (amavisd-new, port 11024) with LMTP id SeHI_Po1JO9s for <[email protected]>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
Received: from mx9.maileen.net (mx9.mailzeen.net [173.227.222.9]) by mta1.example.com (Postfix) with ESMTP id 3hJJb83WGszJmxp for <[email protected]>; Wed, 23 Jul 2014 10:14:44 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; d=p.magnapubs.com;s=magnapubs; c=relaxed/relaxed; q=dns/txt; t=1406124885; h=date:to:from:subject:content-transfer-encoding:list-unsubscribe:mime-version:content-type:content-length; bh=s+XgjWNhjyLTXD/LSSDtpYypBYk=; b=qzg0jsWumlBXUoSEYZMfHnVGGIUlDWjl6pNQRWWyKQudbFXgQhczg4HWthw+R+PoRgRnGJXgNwCbK9g2uvVnE30sLk58RViciN7CVzgRBohN/Vb8FgS+jvUygCm9AJkOQv+f2H4mIBdHGAzNQsTB3W/peNrRfJMt2NC159S2usI=
X-MailzeenID: magnapubs,148
X-IPRO:BLK, magnapubs, 857779, 119, 148
Date: Wed, 23 Jul 2014 07:02:02 -0500 (CDT)
To: [email protected]
From: "Magna Publications" <[email protected]>
Subject: ***SPAM*** Six reasons to attend The Teaching Professor Technology Conference
Importance: Normal
Content-Transfer-Encoding: 8bit
List-Unsubscribe: <http://ww1.magnapubs.com/unsub/119/857779X>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="BoUnDaRyCmagnapubsM148D072314T"

== some hopefully relevant bits from the amavis config ==

$mydomain = 'example.com';
$myhostname = "mfa.$mydomain";

my $mda_host = "mda.$mydomain";
my $msa_host = "msa.$mydomain";

my $external_port = '11024';
my $internal_port = '11026';
my $mda_lmtp_port = '7025';
my $internal_reinject_port = '11027';
my $p0f_analyzer_port = '10032';

my($default_recipient) = "postmaster\@$mydomain";
my($default_sender) = "amavis\@$mydomain";

$inet_socket_port = undef;
@listen_sockets=(":$external_port", ":$internal_port");

$forward_method = "lmtp:[$mda_host]:$mda_lmtp_port";
$notify_method = "smtp:[$msa_host]:$internal_reinject_port";
$requeue_method = "lmtp:[localhost]:$external_port";

$enable_dkim_verification = 1;

$sa_tag_level_deflt = undef;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 100;
$sa_dsn_cutoff_level = 10;

$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;

$virus_admin = $default_recipient;
$spam_admin = $default_recipient;

$warnbannedsender = undef;
$warnbadhsender = undef;

$mailfrom_notify_admin = $default_sender;
$mailfrom_notify_spamadmin = $default_sender;
$mailfrom_notify_recip = $default_sender;
$mailfrom_to_quarantine = $default_sender;

$interface_policy{$external_port} = 'external';
$policy_bank{'external'} = {
  os_fingerprint_method => "p0f:*:$p0f_analyzer_port",
};

$interface_policy{$internal_port} = 'internal';
$policy_bank{'internal'} = {
  inet_acl => [ '127.0.0.0/8', '[::1]', '10.3.70.10/32', '10.3.70.11/32', '10.68.0.0/16' ],
  forward_method => "smtp:[$msa_host]:$internal_reinject_port",
  requeue_method => "lmtp:[localhost]:$internal_port",
  final_spam_destiny => D_DISCARD,
  final_bad_header_destiny => D_DISCARD,
};

thanks
-ben
