I've just realised how hard it can be to establish the "received" 
sequence on a message flagged by SA.  This could probably go to the 
postfix, SA and/or amavis lists but I'll start here.  If I've looked 
through things that would have answered this, I apologise in advance 
and will do penance by writing an FAQ on the topic!

What triggered this was that I got a rather weird spam detection from 
SA this morning.  When I looked at it, it seemed to be a McAfee virus 
report but I think that was a total fake.  There was no nasty payload 
and it was just a short ASCII message. However, the headers and top 
of the body were:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
        by www.psyctc.org (Postfix) with ESMTP
        id F2F61777AB; Fri,  6 Feb 2004 06:14:17 +0000 (GMT)
Received: from www.psyctc.org ([127.0.0.1])
        by localhost (www [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
        id 08132-07; Fri, 6 Feb 2004 06:14:17 +0000 (GMT)
Received: by www.psyctc.org (Postfix, from userid 1012)
        id 34421777A8; Fri,  6 Feb 2004 06:14:17 +0000 (GMT)
Received: from localhost [127.0.0.1] by www
        with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
        Fri, 06 Feb 2004 06:14:17 +0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Notification of PayPal Limited Account Access
Date: 6 Feb 2004 06:11:06 -0000
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=6.2 required=5.0
        tests=BAYES_30,CLICK_BELOW,HTML_70_80,HTML_LINK_CLICK_HERE,
              HTML_TAG_EXISTS_TBODY,HTML_WEB_BUGS,HTTP_CTRL_CHARS_HOST,
              HTTP_ESCAPED_HOST,HTTP_USERNAME_USED,MIME_HTML_ONLY,
              NO_REAL_NAME,USERPASS
        version=2.55
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_402330B9.D706FFA6"
X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at psyctc.org
Status:   
X-PMFLAGS: 570949760 0 1 P8P90219.CNM                       

This is a multi-part message in MIME format.

------------=_402330B9.D706FFA6
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

That really only shows a localhost to local received trail which I 
guess is true for all SA detects (seems to be on my system anyway) as 
they're really new messages from SA to me.

The message was an odd one so I wanted to sort out its route into my 
system.  As far as I can see, the only way I can do that is to turn 
to the postfix mail.log and there I found:

Feb  6 06:14:02 www postfix/smtpd[9136]: connect from mail5.hostingexpress.com[66.96.128.19]
Feb  6 06:14:02 www postfix/smtpd[9136]: A6EB8777A8: client=mail5.hostingexpress.com[66.96.128.19]
Feb  6 06:14:03 www postfix/cleanup[9137]: A6EB8777A8: message-id=<[EMAIL PROTECTED]>
Feb  6 06:14:03 www spamd[24663]: connection from localhost [127.0.0.1] at port 4871
Feb  6 06:14:03 www spamd[9143]: info: setuid to filter succeeded
Feb  6 06:14:04 www spamd[9143]: processing message <[EMAIL PROTECTED]> for filter:1012.
Feb  6 06:14:08 www postfix/smtpd[9136]: disconnect from mail5.hostingexpress.com[66.96.128.19]

Am I right that this suggests (confirms?) a transfer of an incoming 
message from mail5.hostingexpress.com[66.96.128.19] on process 9136 
being passed to amavis/SA on process 9137?  Is the sequential process 
ID the only way of telling this?  If so, is it likely to fail when a 
system is heavily loaded with incoming messages and the sequence then 
be likely not to be sequential in process number?  

Would be very keen to hear some definitive advice or pointers to 
documentation or tools I've overlooked.

Setup is Debian stable up to date behind a firewall, running postfix 
1.1.11, amavis-postfix Debian package (0.3.12pre5.20020310-5?) and 
SA 2.55.

TIA,

Chris

PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
   and Therapeutic Communities; practice, research, 
   teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: [EMAIL PROTECTED]
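An added example, not code from the post or from postfix, amavis or SpamAssassin, of the correlation the question asks about: it groups mail.log lines by the queue id that postfix prints on every line it logs about a message (A6EB8777A8 above, shared by the smtpd and cleanup lines) and ties the spamd "processing message" line in through the message-id that cleanup logged. The log sample is constructed, with placeholder hosts, addresses and message-ids, and interleaves a second message to show that adjacent lines need not belong to the same delivery.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's mail.log excerpt (placeholder hosts/ids).
SAMPLE_LOG = """\
Feb  6 06:14:02 www postfix/smtpd[9136]: A6EB8777A8: client=mx.example.invalid[192.0.2.19]
Feb  6 06:14:03 www postfix/cleanup[9137]: A6EB8777A8: message-id=<one@example.invalid>
Feb  6 06:14:03 www postfix/smtpd[9150]: B7C0D1E2F3: client=relay.example.invalid[198.51.100.7]
Feb  6 06:14:04 www spamd[9143]: processing message <one@example.invalid> for filter:1012.
Feb  6 06:14:04 www postfix/cleanup[9151]: B7C0D1E2F3: message-id=<two@example.invalid>
Feb  6 06:14:08 www postfix/smtpd[9136]: disconnect from mx.example.invalid[192.0.2.19]
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([\w/-]+)\[(\d+)\]: (.*)$")
QUEUE_RE = re.compile(r"^([0-9A-F]{6,}): (.*)$")  # classic short postfix queue id
CLIENT_RE = re.compile(r"client=([^\[\s]+\[[\d.]+\])")
MSGID_RE = re.compile(r"message-id=<([^>]*)>")
SPAMD_RE = re.compile(r"processing message <([^>]*)>")

def parse_line(line):
    """Return (program, pid, text) for a syslog-shaped line, else None."""
    m = LINE_RE.match(line)
    return (m.group(2), int(m.group(3)), m.group(4)) if m else None

def correlate(log_text):
    """Group postfix lines by queue id; tie spamd lines in through the message-id."""
    msgs = defaultdict(lambda: {"client": None, "message_id": None, "pids": set(), "spamd_pid": None})
    qid_for_msgid, spamd_pid_for_msgid = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        program, pid, text = rec
        if program.startswith("postfix/"):
            q = QUEUE_RE.match(text)
            if not q:  # connect/disconnect lines carry no queue id, so skip them
                continue
            qid, rest = q.groups()
            msgs[qid]["pids"].add(pid)  # every postfix daemon that touched this queue id
            if c := CLIENT_RE.search(rest):
                msgs[qid]["client"] = c.group(1)
            if m := MSGID_RE.search(rest):
                msgs[qid]["message_id"] = m.group(1)
                qid_for_msgid[m.group(1)] = qid
        elif program == "spamd" and (s := SPAMD_RE.search(text)):
            spamd_pid_for_msgid[s.group(1)] = pid  # spamd logs the message-id, not the queue id
    for msgid, pid in spamd_pid_for_msgid.items():
        if msgid in qid_for_msgid:
            msgs[qid_for_msgid[msgid]]["spamd_pid"] = pid
    return dict(msgs)
```

Running `correlate` over a real mail.log yields one record per queue id with the connecting client, the message-id and the PIDs involved, which is the trail the Received headers of the SA report do not show.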
