Re[2]: [qmailtoaster] spam wild turkey chase
Greetings, Quinn.

December 1, 2006, 5:24:10, you wrote:

> Thanks Jake
>
> That's a pretty good way to do it. That is, until the sender is from aol.com or [name other really big network] and you get a message from their network every few seconds. Oh well, if that's the best we can do.
>
> Q
>
> On Thu, 30 Nov 2006 20:32:42 -0500, Jake Vickers wrote:
>> Now you can see that they both came in at 19:51:36. That's the only way I know of to correlate the two. Hope that helps some.

This might be more helpful:

# cd /var/log/qmail
# cat ./smtp/* ./spamd/* | tai64nlocal | sort | less

This will mix the logs from qmail-smtpd and spamd and sort them, so the lines appear in the order they were on the timeline.

--
Best Regards,
Alexey Loukianov mailto:[EMAIL PROTECTED]
Software Development Department, Lavtech Corp
http://mnogo.ru, http://lavtech.ru

- QmailToaster hosted by: VR Hosted http://www.vr.org
- To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
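An added example, not part of any message in this thread: the merged, time-sorted stream produced by the command above can be paired automatically by matching each simscan verdict to the closest preceding spamd verdict that carries the same score. The function name `correlate`, the 2-second window and the sample lines (modelled on the log shapes quoted in this thread, with made-up addresses, Message-IDs and a made-up rejected message) are assumptions.

```shell
#!/bin/sh
# Added example: pair simscan verdicts with spamd verdicts by time AND score.
# stdin: time-sorted output of  cat ./smtp/* ./spamd/* | tai64nlocal | sort
# $1: max gap in seconds (default 2, an assumed tolerance; tune per server).
# Limitation: a pair that straddles midnight is not matched.
correlate() {
  awk -v window="${1:-2}" '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    # spamd child [pid] starts on a message: remember its Message-ID.
    / spamd: processing message / { mid[$3] = $8; next }
    # spamd verdict: queue date, time, score, pid and Message-ID.
    / spamd: (clean message|identified spam) \(/ {
      s = $0; sub(/^.*spamd: [a-z ]+\(/, "", s); sub(/\/.*$/, "", s)
      n++; sdate[n] = $1; stime[n] = secs($2); sscore[n] = s + 0
      spid[n] = $3; smid[n] = mid[$3]; next
    }
    # simscan verdict: look back for unused spamd verdicts with the same score.
    / simscan:\[[0-9]+\]:/ {
      v = $0; sub(/^.*simscan:\[[0-9]+\]:/, "", v)
      verdict = v; sub(/ \(.*$/, "", verdict)
      s = v; sub(/^[^(]*\(/, "", s); sub(/\/.*$/, "", s)
      t = secs($2); best = 0; cand = 0
      for (k = n; k >= 1; k--) {
        if (sdate[k] != $1 || t - stime[k] > window) break
        if (used[k] || sscore[k] != s + 0) continue
        cand++; if (!best) best = k   # newest match = smallest time gap
      }
      if (best) used[best] = 1
      printf "%s %s|%s|%s|%s|%s|candidates=%d\n", $1, $2, verdict, s,
        (best ? spid[best] : "-"), (best ? smid[best] : "-"), cand
    }'
}

# Constructed sample: addresses, Message-IDs and the rejected message are made up.
sample_log() {
  cat <<'EOF'
2006-11-30 19:51:36.482990500 [26724] info: spamd: processing message <a1@example.invalid> for clamav:89
2006-11-30 19:51:36.900000000 [26731] info: spamd: processing message <b2@example.invalid> for clamav:89
2006-11-30 19:51:37.592527500 [26724] info: spamd: clean message (2.1/5.0) for clamav:89 in 1.1 seconds, 4684 bytes.
2006-11-30 19:51:37.600534500 simscan:[19405]:CLEAN (2.10/10.00):1.3202s:Great Gifts (sale):192.0.2.10:a@example.invalid:x@example.invalid
2006-11-30 19:51:38.100000000 [26731] info: spamd: identified spam (19.0/5.0) for clamav:89 in 1.2 seconds, 9120 bytes.
2006-11-30 19:51:38.110000000 simscan:[19411]:SPAM REJECT (19.00/10.00):1.4100s:Photos:192.0.2.20:b@example.invalid:x@example.invalid
EOF
}

# candidates > 1 means time and score alone did not single out one message.
sample_log | correlate 2
```

Each output line gives the simscan timestamp, verdict and score, then the spamd child pid and Message-ID it was paired with; grep the spamd log for that pid to read the full `result:` line with the rule names.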
[qmailtoaster] spam wild turkey chase
Hi y'all

I got a pickle for ya: How can messages be connected between the smtp and spamd logs?

I have someone unable to send mail to our server because simscan/spamassassin is blocking them with a "554 Your email is considered spam (19.00 spam-hits)" message. I can find her messages coming in the smtp log with the simscan error that indicates the blocked message. But how can I find which message this relates to in the spamd log? I can't see any info that correlates, not a message ID, process ID, or anything. Spamassassin logs a MID like [EMAIL PROTECTED] but that doesn't show up in the smtp log. The sender address isn't logged. The recipient address receives a lot of spam, so it is pretty hard to wade through.

Any ideas?

Another question (probably better to ask the simscan list): would it be possible to return the full Spamassassin X-Spam-Report output with the 554 error? That would make this a lot easier, and possibly allow the message sender to correct *their* problem (gz, can you believe it? Attaching .gif images to an email??? What were they thinking!? ;-) Well, I guess it would be bad to give too many details to the *real* spammers!

Thanks fellas,
Quinn

Strangecode :: Internet Consultancy
http://www.strangecode.com/
+1 530 624 4410
Re: [qmailtoaster] spam wild turkey chase
Quinn Comendant wrote:

> Hi y'all
>
> I got a pickle for ya: How can messages be connected between the smtp and spamd logs?
>
> I have someone unable to send mail to our server because simscan/spamassassin is blocking them with a "554 Your email is considered spam (19.00 spam-hits)" message. I can find her messages coming in the smtp log with the simscan error that indicates the blocked message. But how can I find which message this relates to in the spamd log? I can't see any info that correlates, not a message ID, process ID, or anything. Spamassassin logs a MID like [EMAIL PROTECTED] but that doesn't show up in the smtp log. The sender address isn't logged. The recipient address receives a lot of spam, so it is pretty hard to wade through.
>
> Any ideas?
>
> Another question (probably better to ask the simscan list): would it be possible to return the full Spamassassin X-Spam-Report output with the 554 error? That would make this a lot easier, and possibly allow the message sender to correct *their* problem (gz, can you believe it? Attaching .gif images to an email??? What were they thinking!? ;-) Well, I guess it would be bad to give too many details to the *real* spammers!

Sort of, and it's not the easiest thing to make sense of. Here's the tail of my spamd current log, piped through tai64nlocal:

2006-11-30 19:51:36.471267500 [26724] info: spamd: connection from localhost.localdomain [127.0.0.1] at port 54938
2006-11-30 19:51:36.482990500 [26724] info: spamd: processing message [EMAIL PROTECTED] for clamav:89
2006-11-30 19:51:37.592527500 [26724] info: spamd: clean message (2.1/5.0) for clamav:89 in 1.1 seconds, 4684 bytes.
2006-11-30 19:51:37.592531500 [26724] info: spamd: result: . 2 - AWL,BAYES_50,HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_BOUND_NEXTPART scantime=1.1,size=4684,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54938,mid=[EMAIL PROTECTED],bayes=0.467931767082011,autolearn=no

Notice that it's from lakeshorelearning.com.

Now here's how *I* find the messages:

[EMAIL PROTECTED] spamd]# cat ../smtp/current | tai64nlocal | grep lakeshorelearning.com
2006-11-30 19:51:36.226835500 CHKUSER accepted sender: from [EMAIL PROTECTED]:: remote llmis.com:unknown:216.34.194.117 rcpt : sender accepted
2006-11-30 19:51:36.249829500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote llmis.com:unknown:216.34.194.117 rcpt [EMAIL PROTECTED] : found existing recipient
2006-11-30 19:51:37.600534500 simscan:[19405]:CLEAN (2.10/10.00):1.3202s:Great Gifts at Great Prices!:216.34.194.117:[EMAIL PROTECTED]:[EMAIL PROTECTED]

Now you can see that they both came in at 19:51:36. That's the only way I know of to correlate the two. Hope that helps some.
Re: [qmailtoaster] spam wild turkey chase
Thanks Jake

That's a pretty good way to do it. That is, until the sender is from aol.com or [name other really big network] and you get a message from their network every few seconds. Oh well, if that's the best we can do.

Q

On Thu, 30 Nov 2006 20:32:42 -0500, Jake Vickers wrote:
> Now you can see that they both came in at 19:51:36. That's the only way I know of to correlate the two. Hope that helps some.