spamc causing Duplicate emails

2014-10-22 Thread LuKreme
I am seeing duplicate emails when saved off into my Maildirs. My normal mail 
application ignores these duplicates, but iOS 8 does not, so I need to figure 
out what's going on.


 1412808979.M904650P22299.mail.covisp.net,S=65189,W=66526:2,S
 1412808979.M904651P22299.mail.covisp.net,S=65197,W=66534:2,S

 $ diff 1412808979.M904651P22299.mail.covisp.net\,S\=65197\,W\=66534\:2\,S 1412808979.M904650P22299.mail.covisp.net\,S\=65189\,W\=66526\:2\,S
7c7
   RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,URIBL_GREY autolearn=unavailable
---
   RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,URIBL_GREY autolearn=ham
9a10,11
   *  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
   *  [URIs: mailchimp.com]
13,14d14
   *  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
   *  [URIs: mailchimp.com]

Does this indicate that it's spamassassin that is somehow creating a duplicate?

There are no 'c' flags in my procmailrc:

$ grep :0 .procmailrc 
:0
:0fw
:0E
:0
:0
:0
:0 hf
:0 fw
:0
:0 
  :0
  :0
  :0
:0
   :0
   :0
   :0

Looking through my mailspool it looks like this started Sep 25, but I last 
updated SA on 30 August.

my local.cf is (no comments)
allow_user_rules 1
rewrite_header Subject (Spam? _SCORE(0)_)
report_safe 1
add_header all Report _REPORT_
report_contact ad...@covisp.net
trusted_networks 75.148.37.66
trusted_networks 75.148.37.67
trusted_networks 75.148.37.68
trusted_networks 75.148.37.69
lock_method flock
required_score 5.0
use_bayes 1
bayes_auto_learn 1
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:bayes:localhost:3306
bayes_sql_username bayesuser
bayes_sql_password 1vJWe4ms0a23EGRpM
bayes_sql_override_username bayesuser
score DKIM_ADSP_CUSTOM_HIGH 10
score DKIM_ADSP_DISCARD 5
score DKIM_ADSP_ALL 3
 ... a bunch of ads overrides ... 
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
score HABEAS_ACCREDITED_COI 0.1
score HABEAS_ACCREDITED_SOI 0.5
score HABEAS_CHECKED 0
score BAYES_99 4.0
score BAYES_95 2.5
score BAYES_80 2
score BAYES_60 1.00
score BAYES_50 0.50
score BAYES_40 -0.50
score BAYES_20 -2.50
score BAYES_05 -3.50
score BAYES_00 -4.00
score USER_IN_DEF_DKIM_WL -0.3
score DKIM_VERIFIED -0.1
score DKIM_SIGNED 0.1
score URIBL_DBL_SPAM 3.1
score DCC_CHECK 2.0
rawbody LOCAL_U_UNESCAPE /[+=(]\s*unescape\s*\(\s*[']%(6[1-9A-F]|7[0-9A])/
describe LOCAL_U_UNESCAPE Suspicious use of JS unescape function
score LOCAL_U_UNESCAPE 2.8
rawbody LOCAL_U_STRCONCAT /[+=(]\s*(['])[a-zA-Z0-9\.]{1,16}\1 ?\+?\1[a-zA-Z0-9\.]{0,16}\1/
describe LOCAL_U_STRCONCAT Suspicious unnecessary string concatenation
score LOCAL_U_STRCONCAT 2.7
rawbody LOCAL_HIDE_FROMCHARCODE /=\s*String\.fromCharCode\b/
describe LOCAL_HIDE_FROMCHARCODE Obfuscated used of JS fromCharCode function
score LOCAL_HIDE_FROMCHARCODE 0.6
rawbody LOCAL_HIDE_URL /[+=(]\s*(['])(?!http)h(\1 ?\+ ?\1)?t(\1 ?\+?\1)?t(\1 ?\+ ?\1)?p(\1 ?\+ ?\1)?(?!:\/\/):(\1 ?\+ ?\1)?\/(\1 ?\+ ?\1)?\//
describe LOCAL_HIDE_URL Obfuscated HTTP link eg. 'ht'+'tp:'+'//'
score LOCAL_HIDE_URL 1.9
rawbody LOCAL_JS_REDIR1 /[Ss][Cc][Rr][Ii][Pp][Tt]\s*(type=[^]+\s*)?\s*(window|self|(var\s+)?([a-z]+)\s*=\s*window\s*;?\s*\4)?\.?(location|\[[']location[']\])(\.href)?\s*[=(]/
describe LOCAL_JS_REDIR1 Code for a JS redirect
score LOCAL_JS_REDIR1 0.5
body LOCAL_FILLER_TEXT /([A-Z][a-z]*(\s[a-z]+){4,6}\.?\s?){18}/
describe LOCAL_FILLER_TEXT Long sequence of 5-7 word sentences with capital only at start
score LOCAL_FILLER_TEXT 1.4
score RP_MATCHES_RCVD -0.1
score RCVD_IN_BRBL_LASTEXT 2.7
score DCC_CHECK 3.0
report BAYES_HT _HAMMYTOKENS(50)_
report BAYES_ST _SPAMMYTOKENS(50)_
... a bunch of blacklist_from ...

spamassassin -D --lint is very long


-- 
ALL WORK AND NO PLAY MAKES BART A DULL BOY ALL WORK AND NO PLAY MAKES
BART A DULL BOY ALL WORK AND NO PLAY MAKES BART A DULL BOY Bart
chalkboard Ep. 1F07



Re: spamc causing Duplicate emails

2014-10-22 Thread John Hardin

On Wed, 22 Oct 2014, LuKreme wrote:

> I am seeing duplicate emails when saved off into my Maildirs. My normal
> mail application ignores these duplicates, but iOS 8 does not, so I need
> to figure out what's going on.
>
> 1412808979.M904650P22299.mail.covisp.net,S=65189,W=66526:2,S
> 1412808979.M904651P22299.mail.covisp.net,S=65197,W=66534:2,S


How separated in time are the two message files?

Do you have any kind of procmail logging turned on?

Are all messages duplicated, or only some?

Is the message addressed to you and also to an alias that also resolves to 
you, or something else that would cause the system to duplicate the 
message upstream of procmail?


> Does this indicate that it's spamassassin that is somehow creating a
> duplicate?


Doubtful. SA only scores and may rewrite the headers a bit. It's vaguely 
possible that the glue is doing it somehow. Is procmail your glue, or 
something else upstream (a milter or some such)?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...in the 2nd amendment the right to arms clause means you have
  the right to choose how many arms you want, and the militia clause
  means that Congress can punish you if the answer is none.
-- David Hardy, 2nd Amendment scholar
---
 874 days since the first successful private support mission to ISS (SpaceX)


Re: spamc causing Duplicate emails

2014-10-22 Thread LuKreme

> On 22 Oct 2014, at 19:38 , John Hardin jhar...@impsec.org wrote:
>
> On Wed, 22 Oct 2014, LuKreme wrote:
>
>> I am seeing duplicate emails when saved off into my Maildirs. My normal mail
>> application ignores these duplicates, but iOS 8 does not, so I need to
>> figure out what's going on.
>>
>> 1412808979.M904650P22299.mail.covisp.net,S=65189,W=66526:2,S
>> 1412808979.M904651P22299.mail.covisp.net,S=65197,W=66534:2,S
>
> How separated in time are the two message files?

They aren't. The first blog is the epoch time stamp, so they are in the same 
second.

> Do you have any kind of procmail logging turned on?

Yes. All I see is that when the message comes in to my procmailrc, it comes in 
twice, so the duplication is happening upstream (which probably means dovecot, 
but it looked like spamc initially, so I posted here first).

> Are all messages duplicated, or only some?

All of them across multiple accounts.

> Is the message addressed to you and also to an alias that also resolves to
> you, or something else that would cause the system to duplicate the message
> upstream of procmail?
>
>> Does this indicate that it's spamassassin that is somehow creating a
>> duplicate?
>
> Doubtful. SA only scores and may rewrite the headers a bit. It's vaguely
> possible that the glue is doing it somehow. Is procmail your glue, or
> something else upstream (a milter or some such)?

The more I look at it, the more it looks like it must be dovecot somehow.

Thanks, the questions help me focus on what is really happening.

-- 
Let the Wookiee win.



Re: spamc causing Duplicate emails

2014-10-22 Thread John Hardin

On Wed, 22 Oct 2014, LuKreme wrote:


> Thanks, the questions help me focus on what is really happening.


Happy to help.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason;
  it also shuts down in sympathy when the servers at Microsoft crash.
---
 874 days since the first successful private support mission to ISS (SpaceX)


Re: spamc causing Duplicate emails

2014-10-22 Thread LuKreme

> On 22 Oct 2014, at 20:39 , John Hardin jhar...@impsec.org wrote:
>
> On Wed, 22 Oct 2014, LuKreme wrote:
>
>> Thanks, the questions help me focus on what is really happening.
>
> Happy to help.

Aha. It was procmail, but it was /usr/local/etc/procmailrc

:0c
/backups/imap.backups

If that FAILS, the duplicate message falls through, and that folder was moved 
but procmailrc was not updated. Doh!


-- 
...but the senator, while insisting he was not intoxicated, could not
explain his nudity.
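
A lint for the failure described in the last message, as an added example that is not part of the thread: it lists `c`-flagged delivering recipes in a procmailrc whose mailbox path no longer exists. It parses only simple recipes and treats a missing path as a heuristic for a delivery that will fail; the sample rc file, the spamc path, the `archive/sa-users` mailbox and the `maildir` parameter are assumptions.

```python
import os
import re

# ":0", optional flags, optional ":" plus local lockfile (":0c", ":0 fw", ":0 c: x.lock")
RECIPE = re.compile(r"^\s*:0\s*([A-Za-z]*)\s*(?::.*)?$")

# Constructed sample; only the ":0c" /backups/imap.backups recipe is from the thread.
SAMPLE_RC = """\
:0fw
| /usr/local/bin/spamc

:0c
/backups/imap.backups

:0 c: archive.lock
* ^List-Id:.*users\\.spamassassin
archive/sa-users
"""

def copy_recipes(rc_text):
    """Yield (line_no, target) for each 'c'-flagged recipe that delivers to a mailbox path."""
    lines = rc_text.splitlines()
    for i, line in enumerate(lines):
        m = RECIPE.match(line)
        if not m or "c" not in m.group(1):
            continue
        j, continued = i + 1, False
        while j < len(lines):
            text = lines[j].strip()
            # Skip conditions ("* ..."), their backslash continuations, comments, blanks.
            if not (continued or not text or text.startswith(("*", "#"))):
                break
            continued = text.endswith("\\")
            j += 1
        # "|" pipes to a program, "!" forwards, "{" opens a nested block: not mailboxes.
        if j < len(lines) and lines[j].strip()[0] not in "|!{":
            yield j + 1, lines[j].strip()

def stale_copy_targets(rc_text, maildir=".", exists=os.path.exists):
    """Return [(line_no, path)] for copy recipes whose mailbox path does not exist."""
    stale = []
    for line_no, target in copy_recipes(rc_text):
        if "$" in target:  # variable expansion is out of scope here
            continue
        # Relative mailbox paths are resolved against the assumed MAILDIR.
        path = target if os.path.isabs(target) else os.path.join(maildir, target)
        if not exists(path):
            stale.append((line_no, path))
    return stale

if __name__ == "__main__":
    for line_no, path in stale_copy_targets(SAMPLE_RC, maildir=os.path.expanduser("~/Mail")):
        print(f"line {line_no}: copy recipe delivers to missing path {path}")
```

Run it against both the per-user `.procmailrc` and the system-wide rc file, since the stale recipe in this thread was in the latter.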