Hi All,

I've tried posting this question to the exim-users list but received no replies 
at all.  Sorry for the duplicate posting but I'm hoping that perhaps someone 
here might be able to help.  Currently this issue is stopping us deploying as 
we don't have any ideas as to why this might have happened or how to make sure 
that it doesn't re-occur.

First of all, I'm sorry if this issue has already been addressed but a large 
amount of searching didn't find anything.

I've recently installed a new machine to act as a hub for the institution and 
have been hit by something that I just can't explain.  I thought I'd post here 
to see if anyone has experienced this or has any ideas.  After staring at it 
for nearly three days, I'm still no further on to understanding what happened.

We're using SpamAssassin 3.2.3 and Exim 4.68 and have had a large number of 
messages reported as clean by SpamAssassin but tagged as spam by Exim.
I have a solid example of a message with the additional spam headers that I can 
track down in the SpamAssassin logs to a "clean message" response.

Here's the relevant snippet of ACL from the configuration:

  # Put headers in all messages (no matter if spam or not)
  warn  spam       = nobody:true
        add_header = X-Spam-Score: $spam_score ($spam_bar)

  warn  spam       = nobody:true
        add_header = X-Spam-Report: $spam_report

  # Add X-Spam-Flag and a *SPAM* marker in the Subject header when message is over threshold
  warn  spam       = nobody
        add_header = X-ISS-Subject: *ISS-Detected SPAM* $h_Subject
  warn  spam       = nobody
        add_header = X-ISS-Detected-SPAM: YES

  # Reject spam at high scores - value is an INTEGER!!!!
  deny  message     = This message scored $spam_score spam points.
        log_message = exceeded spam threshold with $spam_score points.
        spam        = nobody:true
        condition   = ${if >{$spam_score_int}{250}{1}{0}}

We're using the system filter to rewrite the subject line to the contents of 
the X-ISS-Subject header if it's set.

This is all well and good and seemed to work fine when we did assorted testing; 
however, we then started to see messages that were matching rules three and four 
above even when SpamAssassin logs them as clean.  The affected messages all 
have the X-Spam-Score header set to
"X-Spam-Score: ()" but the report header is fine.

I then noticed that messages being rejected by rule five had the same problem, 
the X-Spam-Score header was effectively blank, but rule five shows the spam 
score in the log message.

Here's a sample of a rejected header (with addresses removed and report
trimmed):

2007-11-26 00:00:21 1IwROY-00065M-1Y H=(sloanled.com) [88.238.64.178] F=<[EMAIL PROTECTED]> rejected after DATA: exceeded spam threshold with 27.6 points.
Envelope-from: <[EMAIL PROTECTED]>
Envelope-to: <[EMAIL PROTECTED]>
P Received: from [88.238.64.178] (helo=sloanled.com)
        by whobblebury.lancs.ac.uk with smtp (Exim 4.68)
        (envelope-from <[EMAIL PROTECTED]>)
        id 1IwROY-00065M-1Y
        for [EMAIL PROTECTED]; Mon, 26 Nov 2007 00:00:15 +0000
* Return-Path: <[EMAIL PROTECTED]>
P Received: from 161.58.18.5 (HELO mail-fwd.sbc-webhosting.com)
     by lancaster.ac.uk with esmtp (XPYOHBGAWDO JFZGWY)
     id NFeim9-s06iU2-iG
     for [EMAIL PROTECTED]; Mon, 26 Nov 2007 02:00:20 +0200
I Message-ID: <[EMAIL PROTECTED]>
F From: "Gay D. Mcnally" <[EMAIL PROTECTED]>
T To: "A Person" <[EMAIL PROTECTED]>
  Subject: Witness a miracle of pen!s enlargement with your own eyes!
  Date: Mon, 26 Nov 2007 02:00:20 +0200
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
        boundary="----=_NextPart_16863_4249_01C82FD0.194A4560"
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
  X-Spam-Score:  ()
  X-Spam-Report: Spam detection software, running on the system
        "whobblebury.lancs.ac.uk", has processed this message.
        The results are shown below.
        Content analysis details:   (27.6 points, 4.5 required)
        pts rule name              description
        ---- ---------------------- --------------------------------------------------
        3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
        [score: 1.0000]
  X-ISS-Subject: *ISS-Detected SPAM* Witness a miracle of pen!s enlargement with your own eyes!
  X-ISS-Detected-SPAM: YES

As you can see, the very first line of the log states "exceeded spam threshold 
with 27.6 points" so how can the X-Spam-Score be blank in rule one but not when 
the same variable is used in the log line of rule five?

I've checked over my ACL lines several times now and other than the redundancy 
of specifying rules one and two and then three and four as separate calls to 
the spam check, I can't see anything obviously wrong.

I'm unable to duplicate the problem on demand and I haven't been able to 
replicate it since we pulled the machine from service on Monday afternoon.

At this point I'm happy to hear any suggestions!

Thanks in advance, Ian.
--
Ian Norton
Postmaster & Systems Support
University of Lancaster

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details 
at http://www.exim.org/ ##
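
Added example, not part of the original post: a small triage script that finds header dumps showing the symptom described above, where `X-Spam-Score` is blank or `X-ISS-Detected-SPAM` disagrees with the points in `X-Spam-Report`. The dump layout (one flag character, a space, then the header) is assumed from the sample in the post; the function names and the sample input are constructed for illustration.

```python
import re

# Header start as in the rejected-header dump above: a one-character flag
# (P, F, T, I, * or space), a space, then "Name: value". Assumed layout.
HEADER_START = re.compile(r"^[A-Za-z* ] ([A-Za-z0-9-]+):[ \t]*(.*)$")
POINTS = re.compile(r"\((-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")

def parse_headers(dump):
    """Return {name: value}, folding continuation lines into the previous header."""
    headers, current = {}, None
    for line in dump.splitlines():
        m = HEADER_START.match(line)
        if m:
            current = m.group(1)
            headers[current] = m.group(2).strip()
        elif current and line.strip():
            headers[current] += " " + line.strip()
    return headers

def audit(dump):
    """List inconsistencies between the Exim-added headers and the report."""
    h = parse_headers(dump)
    m = POINTS.search(h.get("X-Spam-Report", ""))
    if m is None:
        return ["no-report"]
    points, required = float(m.group(1)), float(m.group(2))
    findings = []
    if not re.search(r"\d", h.get("X-Spam-Score", "")):
        findings.append("blank-score")        # the "X-Spam-Score: ()" symptom
    flagged = h.get("X-ISS-Detected-SPAM", "").upper() == "YES"
    if flagged and points < required:
        findings.append("tagged-but-clean")   # tagged although below threshold
    if not flagged and points >= required:
        findings.append("spam-but-untagged")
    return findings

# Constructed sample: a message SpamAssassin scored as clean but that was tagged.
CLEAN_TAGGED = """\
P Received: from [192.0.2.10] (helo=mail.example)
        by hub.example with smtp (Exim 4.68)
  Subject: constructed sample
  X-Spam-Score:  ()
  X-Spam-Report: Spam detection software has processed this message.
        Content analysis details:   (1.2 points, 4.5 required)
  X-ISS-Detected-SPAM: YES
"""

if __name__ == "__main__":
    print(audit(CLEAN_TAGGED))
```
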