From what I can see, spamdyke should be blocking those messages. This could be
a bug, but first I'd suggest carefully checking your whitelists. In almost
every case I've seen like this where a blacklist simply will not work, it turns
out to be a whitelist entry that's overriding it. You mentioned your email
flows through several different servers before it reaches the user's mailbox...
from the message headers, it looks like ms2 is your edge server, is that where
the blacklist entry is set?
If you can login to ms2 at the command line, you could also try running
spamdyke by hand so you can see more verbose output without flooding your logs.
You don't need to stop your mail server for this; it won't interfere with any
normal operations. First, set an environment variable so spamdyke will think
it's getting a connection from a remote server:
export TCPREMOTEIP=94.143.105.188
Next create a very small spamdyke config file (can be anywhere, doesn't have to
be in /etc) with two options:
log-target=stderr
log-level=excessive
Then find the command line spamdyke is started with (in your "run" file) and
run it the same way, but add another "-f" for the new config file AFTER your
real config file. (If you're curious why, it's because config options are
applied in the order they are read. We want to override those two options for
this run, so they need to be read last.) For example, on my server I would run
this:
spamdyke -f /etc/spamdyke.d/spamdyke.conf -f /tmp/testing.conf --
/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
You should see the SMTP greeting banner just like a mail client does (possibly
delayed a few seconds by spamdyke) plus debug messages that would normally go
in the logs. Type in these SMTP commands to imitate a client and test the
blacklist:
EHLO cloudtengroup1.mta.dotmailer.com
MAIL FROM:<bo-3ueb-2dqy-yto27-c0...@tooplemail.com>
RCPT TO:<redac...@redacted.tld>
At that point, you should see either a 250 response if the message is accepted
or a 500 response if it is blocked, plus tons of debugging output from spamdyke
to show what it's thinking. You can type QUIT or ctrl-C to exit.
Hopefully that'll show what's happening. If you can't spot the issue or have
trouble deciphering the output, feel free to email it to me privately and I'll
take a look.
-- Sam Clippinger
On Jul 21, 2016, at 6:39 AM, Faris Raouf via spamdyke-users
<spamdyke-users@spamdyke.org> wrote:
> Dear all,
>
> I'm having a bit of an issue trying to block messages based on the envelope
> sender. Basically it doesn't seem to work at all, so I'm obviously doing
> something wrong.
>
> All the other types of blacklists and whitelists seem to work just fine.
>
> I understand the difference between the "From" and the envelope sender, and
> that TLS can be an issue.
>
> But as far as I'm aware it is the envelope sender that I'm targeting, and in
> this case my qmail installation doesn't support TLS so spamdyke is set to
> handle the TLS and should be able to read the contents of the message.
>
> I'm using SpamDyke 5.01
>
> Please could someone kindly take a quick look at my log/config/header of an
> example email, to see what I'm doing wrong?
>
> In the example below, the envelope sender I'm trying to block has
> (some-reference-or-other)@tooplemail.com as the envelope sender so I'm using
> @tooplemail.com in my blacklist_sender file.
>
>
> *******************
>
> Maillog extract:
>
> Jul 21 10:32:55 ms2 spamd[30006]: spamd: checking message
> <2dqy.87yto274c.20160721093145...@tooplemail.com> for qscand:500
>
> Jul 21 10:32:57 ms2 spamd[30006]: spamd: result: Y 4 -
> BAYES_00,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREE_QUOTE_INS
> TANT,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_1
> 00,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS
> scantime=1.9,size=55241,user=qscand,uid=500,required_score=3.0,rhost=localho
> st,raddr=127.0.0.1,rport=53794,mid=<2DQY.87YTO274C.20160721093145243@tooplem
> ail.com>,bayes=0.000000,autolearn=no
>
> Jul 21 10:32:57 ms2 qmail-scanner-queue.pl: qmail-scanner[25272]:
> Clear:RC:0(94.143.105.188):SA:1(4.3/3.0): 2.092064 55184
> bo-3ueb-2dqy-yto27-c0...@tooplemail.com redac...@redacted.tld
> Why_is_Toople.com_different_to_the_rest?
> <2dqy.87yto274c.20160721093145...@tooplemail.com>
> 1469093575.25274-0.ms2.redac...@redacted.tld:3611
> orig-ms2.redacted.tld146909357479725272:55184
> 1469093575.25274-1.ms2.redacted.tld:46150
>
> Jul 21 10:32:57 ms2 spamdyke[25257]: ALLOWED from:
> bo-3ueb-2dqy-yto27-c0...@tooplemail.com to: redac...@redacted.tld origin_ip:
> 94.143.105.188 origin_rdns: cloudtengroup1.mta.dotmailer.com auth: (unknown)
> encryption: TLS reason: 250_ok_1469093577_qp_25272
>
> ******************
>
>
> ******************
> Spamdyke config file:
>
> log-level=verbose
> idle-timeout-secs=60
> greeting-delay-secs=11
> policy-url=http://www.redacted.tld/email.html
>
> graylist-dir=/var/qmail/graylist
> graylist-level=none
> graylist-min-secs=300
> graylist-max-secs=1814400
>
> ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
> sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
> rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
> recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient
>
> ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
> rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
> recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
> sender-whitelist-file=/etc/spamdyke.d/whitelist_sender
>
> tls-certificate-file=/ssl/c1org1516.pem
> tls-level=smtp-no-passthrough
>
> #(Blacklists redacted)
>
> reject-empty-rdns
>
> ******************
>
>
>
> ******************
>
> /etc/spamdyke.d/blacklist_sender contains:
>
> @tooplemail.com
>
> ******************
>
>
>
> ******************
> EXAMPLE EMAIL HEADER
> (Slightly complicated because it goes through two qmail-scanner/spamdyke
> servers,
> ms2.redacted.tld and 147.redacted.tld,
> each with different spamassassin configs (hence the odd subject
> modification!),
> to get to the mailbox)
>
>
> Received: (qmail 25508 invoked by uid 2523); 21 Jul 2016 10:33:11 +0100
> X-Qmail-Scanner-Diagnostics: from ms2.redacted.tld by ip147.redacted.tld
> (envelope-from <bo-3ueb-2dqy-yto27-c0...@tooplemail.com>, uid 2020) with
> qmail-scanner-2.10st
> (clamdscan: 0.99.2/21940. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st.
>
> Clear:RC:0(178.62.199.136):SA:1(3.6/3.0):.
> Processed in 2.510301 secs); 21 Jul 2016 09:33:11 -0000
> X-Spam-Status: Yes, hits=3.6 required=3.0
> X-Spam-Level: +++
> Received: from ms2.redacted.tld (redacted)
> by ip147.redacted.tld with SMTP; 21 Jul 2016 10:33:08 +0100
> Received: (qmail 25293 invoked by uid 500); 21 Jul 2016 09:32:57 -0000
> X-Qmail-Scanner-Diagnostics: from cloudtengroup1.mta.dotmailer.com by
> ms2.redacted.tld (envelope-from <bo-3ueb-2dqy-yto27-c0...@tooplemail.com>,
> uid 496) with qmail-scanner-2.10st
> (clamdscan: 0.99.2/21940. mhr: 1.0. spamassassin: 3.3.2. perlscan: 2.10st.
>
> Clear:RC:0(94.143.105.188):SA:1(4.3/3.0):.
> Processed in 2.094403 secs); 21 Jul 2016 09:32:57 -0000
> X-Qmail-Scanner-MOVED-X-Spam-Status: Yes, hits=4.3 required=3.0
> X-Qmail-Scanner-MOVED-X-Spam-Level: ++++
> Received: from cloudtengroup1.mta.dotmailer.com (94.143.105.188)
> by ms2.redacted.tld with SMTP; 21 Jul 2016 09:32:54 -0000
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim1024;
> d=tooplemail.com;
>
> h=From:To:Subject:MIME-Version:Content-Type:Date:List-Unsubscribe:Reply-To:M
> essage-ID; i=daniel.clem...@tooplemail.com;
> bh=l80qAnWoe07RouX288jDc7eGwnI=;
>
> b=eKFZ6Hdnf2Y6CSyjmyGiZVhZ0sLTRBhdvTW6lTPSBXcSi4sN1cOahISl7yHYH+6e3C5BVWZhZR
> Ac
>
> I8K4/ou8t07mvwjo5l/aHP2GCUZ1+tIw/ApSNwsjep7ZHL2FGV9M/uJKEY+yx/pzIB3QSnJ1cj4v
> RttFGlwSie1pPu7twYA=
> From: "Welcome To Toople.com Newsletter" <daniel.clem...@tooplemail.com>
> To: "redac...@redacted.tld" <redac...@redacted.tld>
> Subject: ****SPAM**** LOW * ****SPAM**** MEDIUM * Why is Toople.com
> different to the rest?
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="87YTO274C:20160721093145243"
> X-Mailer: dmDroid
> Date: Thu, 21 Jul 2016 10:31:45 +0100
> X-CampaignID: GIKG
> X-dmid: 3UEB-2DQY-YTO27
> Feedback-ID: 3UEB:2DQY:20160721:DDGESP
> List-Unsubscribe: <http://tooplemail.com/3UEB-2DQY-87YTO274C/uauto.aspx>
> Bounces-to: bo-3ueb-2dqy-yto27-c0...@tooplemail.com
> Return-Path: bo-3ueb-2dqy-yto27-c0...@tooplemail.com
> Reply-To: "Welcome To Toople.com Newsletter"
> <re-3ueb-2dqy-yto27-c0...@tooplemail.com>
> Message-ID: <2dqy.87yto274c.20160721093145...@tooplemail.com>
>
> **************
>
>
> **************
> Config test (run as root, but should be valid enough):
>
> # /usr/local/bin/spamdyke --config-test -f /etc/spamdyke.d/spamdyke.conf
> /var/qmail/bin/qmail-smtpd
> spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG (C)2015 Sam Clippinger, samc (at)
> silence (dot) org
> http://www.spamdyke.org/
>
> Use --help for an option summary, --more-help for option details or see
> README.html for complete documentation.
>
> Testing configuration...
> WARNING: Running tests as superuser root(0), group root(0). These test
> results may not be valid if the mail server runs as another user.
> SUCCESS: spamdyke binary (/usr/local/bin/spamdyke) is not owned by root
> and/or is not marked setuid.
> INFO: Running command to test capabilities: /var/qmail/bin/qmail-smtpd
> SUCCESS: /var/qmail/bin/qmail-smtpd does not appear to offer TLS support.
> spamdyke will offer, intercept and decrypt TLS traffic.
> SUCCESS: /var/qmail/bin/qmail-smtpd appears to offer SMTP AUTH support.
> spamdyke will observe any authentication and trust its response.
> INFO(config-dir): Testing configuration directory: /etc/spamdyke.d/configdir
> SUCCESS(config-dir): Configuration directory tests succeeded:
> /etc/spamdyke.d/configdir
> INFO(config-dir): Testing configuration directory:
> /etc/spamdyke.d/individuals
> SUCCESS(config-dir): Configuration directory tests succeeded:
> /etc/spamdyke.d/individuals
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(config-file): Opened for reading: /etc/spamdyke.d/spamdyke.conf
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(dns-resolv-conf): Opened for reading: /etc/resolv.conf
> ERROR(graylist-level): The "graylist-level" option is "none" but other
> graylist options were given. They will all be ignored.
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(ip-blacklist-file): Opened for reading: /etc/spamdyke.d/blacklist_ip
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(ip-whitelist-file): Opened for reading: /etc/spamdyke.d/whitelist_ip
> SUCCESS(qmail-rcpthosts-file): Opened for reading:
> /var/qmail/control/rcpthosts
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(rdns-blacklist-file): Opened for reading:
> /etc/spamdyke.d/blacklist_rdns
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(rdns-whitelist-file): Opened for reading:
> /etc/spamdyke.d/whitelist_rdns
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(recipient-blacklist-file): Opened for reading:
> /etc/spamdyke.d/blacklist_recipient
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(recipient-whitelist-file): Opened for reading:
> /etc/spamdyke.d/whitelist_recipient
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(sender-blacklist-file): Opened for reading:
> /etc/spamdyke.d/blacklist_sender
> INFO(config_test_file_read): Testing file read: config_test.c
> SUCCESS(sender-whitelist-file): Opened for reading:
> /etc/spamdyke.d/whitelist_sender
> INFO(tls-certificate-file): Testing TLS by initializing SSL/TLS library with
> certificate and key
> SUCCESS(tls-certificate-file): Opened for reading: /ssl/c1org1516.pem
> SUCCESS(tls-certificate-file): Certificate and key loaded; SSL/TLS library
> successfully initialized
> ERROR: Tests complete. Errors detected.
>
>
> ***********************
>
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
