Discussion:
Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
Jason Granat
2004-03-17 01:28:54 UTC
Help!

Watching /var/log/maillog I see every time a message comes to
***@mydomain.com with relay 127.0.0.1 there is an error: 'reject=451
4.7.1 Please try again later' and MIMEDeFang times out. What causes
this and how do I fix it?

Thanks,

Jason
Paul
2004-03-17 03:05:44 UTC
Post by Jason Granat
Watching /var/log/maillog I see every time a message comes to
4.7.1 Please try again later' and MIMEDeFang times out. What causes
this and how do I fix it?
Check your maillog (/var/log/maillog in my case on FreeBSD). I get them now and then, mostly it means MD has crashed. Stopping it and sendmail, waiting a minute and restarting them generally solves the problem. Not quite sure what causes the crash, but it's not very often on my box. Generally seems to happen when some ^#%#% tries to deliver a spam that may have very screwed up headers. Haven't been able to intercept one of those though...

Hope this helps


Paul
Jason Granat
2004-03-17 05:32:30 UTC
Unfortunately it's happening every few minutes...
Post by Paul
Post by Jason Granat
Watching /var/log/maillog I see every time a message comes to
4.7.1 Please try again later' and MIMEDeFang times out. What causes
this and how do I fix it?
Check your maillog (/var/log/maillog in my case on FreeBSD). I get them now and then, mostly it means MD has crashed. Stopping it and sendmail, waiting a minute and restarting them generally solves the problem. Not quite sure what causes the crash, but it's not very often on my box. Generally seems to happen when some ^#%#% tries to deliver a spam that may have very screwed up headers. Haven't been able to intercept one of those though...
Hope this helps
Paul
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Stephen Smoogen
2004-03-17 16:01:27 UTC
Post by Jason Granat
Unfortunately it's happening every few minutes...
What version of mimedefang are you running? I am seeing this quite a bit
with 2.40, but haven't yet with 2.41 (not a long run though). I have also
not seen it with 2.35 which is what I am still running in production.
Post by Jason Granat
Post by Paul
Post by Jason Granat
Watching /var/log/maillog I see every time a message comes to
4.7.1 Please try again later' and MIMEDeFang times out. What causes
this and how do I fix it?
Check your maillog (/var/log/maillog in my case on FreeBSD). I get them now and then, mostly it means MD has crashed. Stopping it and sendmail, waiting a minute and restarting them generally solves the problem. Not quite sure what causes the crash, but it's not very often on my box. Generally seems to happen when some ^#%#% tries to deliver a spam that may have very screwed up headers. Haven't been able to intercept one of those though...
Hope this helps
Paul
--
Stephen John Smoogen ***@lanl.gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --
Jason Granat
2004-03-17 17:17:29 UTC
I am using 2.40. Should I upgrade to 2.41 or fall back to 2.35?

Jason
Post by Stephen Smoogen
What version of mimedefang are you running? I am seeing this quite a bit
with 2.40, but haven't yet with 2.41 (not a long run though). I have also
not seen it with 2.35 which is what I am still running in production.
Stephen Smoogen
2004-03-17 17:32:21 UTC
Post by Jason Granat
I am using 2.40. Should I upgrade to 2.41 or fall back to 2.35?
I would try 2.41 and see if the problem still occurs. If it does, I
would look at turning on more debugging to help David figure out
what/where/why it is happening. If you cannot get it to work within 24
hours, fall back to 2.38 or so.
Post by Jason Granat
Jason
Post by Stephen Smoogen
What version of mimedefang are you running? I am seeing this quite a bit
with 2.40, but haven't yet with 2.41 (not a long run though). I have also
not seen it with 2.35 which is what I am still running in production.
--
Stephen John Smoogen ***@lanl.gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --
Jason Granat
2004-03-17 18:05:04 UTC
One thing I noticed. Small root messages get through fine. It looks
like it's only erroring on large messages. The culprit messages are
~17M. I know there was a place for setting max mail message size, but I
can't remember or find where. Can someone point me in the right direction?

Thanks,

Jason
Post by Stephen Smoogen
Post by Jason Granat
I am using 2.40. Should I upgrade to 2.41 or fall back to 2.35?
I would try 2.41 and see if the problem still occurs. If it does, I
would look at turning on more debugging to help David figure out
what/where/why it is happening. If you cannot get it to work within 24
hours, fall back to 2.38 or so.
Post by Jason Granat
Jason
Post by Stephen Smoogen
What version of mimedefang are you running? I am seeing this quite a bit
with 2.40, but haven't yet with 2.41 (not a long run though). I have also
not seen it with 2.35 which is what I am still running in production.
Chris Myers
2004-03-17 18:51:58 UTC
----- Original Message -----
From: "Jason Granat" <***@akota.com>
To: <***@lists.roaringpenguin.com>
Sent: Wednesday, March 17, 2004 11:04 AM
Subject: Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please
try again later'
Post by Jason Granat
One thing I noticed. Small root messages get through fine. It looks
like it's only erroring on large messages. The culprit messages are
~17M. I know there was a place for setting max mail message size, but I
can't remember or find where. Can someone point me in the right direction?
Is there any chance that you're running SpamAssassin on those large
messages? That could cause the problems you're seeing.

***

You can set the maximum mail message size in the sendmail configuration
file.

The variable you need to define is confMAX_MESSAGE_SIZE.

confMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of
messages that will be accepted (in bytes).

The exact line you would put in your sendmail.mc file is:

define(`confMAX_MESSAGE_SIZE', `10000000')dnl

How you turn your .mc file into a .cf file is system dependent. I leave
that as an exercise for the reader.

Chris Myers
Networks By Design
Kris Deugau
2004-03-17 19:36:45 UTC
Post by Jason Granat
One thing I noticed. Small root messages get through fine. It looks
like it's only erroring on large messages. The culprit messages are
~17M. I know there was a place for setting max mail message size,
but I can't remember or find where. Can someone point me in the
right direction?
For a 10M limit, add:

define(`confMAX_MESSAGE_SIZE',`10485760')dnl

to your sendmail.mc

-kgd
--
"Sendmail administration is not black magic. There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
- Unknown
Jason Granat
2004-03-17 19:53:54 UTC
Thanks!
Post by Kris Deugau
Post by Jason Granat
One thing I noticed. Small root messages get through fine. It looks
like it's only erroring on large messages. The culprit messages are
~17M. I know there was a place for setting max mail message size,
but I can't remember or find where. Can someone point me in the
right direction?
define(`confMAX_MESSAGE_SIZE',`10485760')dnl
to your sendmail.mc
-kgd
David F. Skoll
2004-03-17 18:15:07 UTC
Post by Stephen Smoogen
I would try 2.41 and see if the problem still occurs. If it does, I
would look at turning on more debugging to help David figure out
what/where/why it is happening. If you cannot get it to work within 24
hours, fall back to 2.38 or so.
The C code has changed very little from 2.39 - 2.41. There is not enough
info to determine the problem; it could be load, or it could be a filter
problem.

Regards,

David.
Jason Granat
2004-03-17 18:24:57 UTC
I have found that it appears to only happen when processing a large
message. I had 2 messages in /var/spool/clientmqueue ~17M each. These
were killing the milter. After clearing those out the system was able
to process root messages from localhost no problem. I thought there
was a place to set max message size, but for the life of me I can't find
where... Any help?
Post by David F. Skoll
Post by Stephen Smoogen
I would try 2.41 and see if the problem still occurs. If it does, I
would look at turning on more debugging to help David figure out
what/where/why it is happening. If you cannot get it to work within 24
hours, fall back to 2.38 or so.
The C code has changed very little from 2.39 - 2.41. There is not enough
info to determine the problem; it could be load, or it could be a filter
problem.
Regards,
David.
Michael Sims
2004-03-17 16:02:56 UTC
Post by Jason Granat
Watching /var/log/maillog I see every time a message comes to
'reject=451
4.7.1 Please try again later' and MIMEDeFang times out. What
causes this and how do I fix it?
Can you post a link to your current mimedefang-filter?

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___________________________________________
Jason Granat
2004-03-17 19:53:02 UTC
Here it is Michael.

# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
# Suggested minimum-protection filter for Microsoft Windows clients, plus
# SpamAssassin checks if SpamAssassin is installed.
#
# Copyright (C) 2002 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id: suggested-minimum-filter-for-windows-clients,v 1.79 2004/03/04 01:23:11 dfs Exp $
#***********************************************************************

#***********************************************************************
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be 'defang-***@mydomain.com'
#***********************************************************************
$AdminAddress = '***@mydomain.com';
$AdminName = "MIMEDefang Admin";

#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# '***@mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = '***@mydomain.com';

#***********************************************************************
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part. If the message
# has no text or html part, then a separate MIME part is still used.
#***********************************************************************
$AddWarningsInline = 0;

#***********************************************************************
# To enable syslogging of virus and spam activity, add the following
# to the filter:
# md_graphdefang_log_enable();
# You may optionally provide a syslogging facility by passing an
# argument such as: md_graphdefang_log_enable('local4'); If you do this, be
# sure to setup the new syslog facility (probably in /etc/syslog.conf).
# An optional second argument causes a line of output to be produced
# for each recipient (if it is 1), or only a single summary line
# for all recipients (if it is 0.) The default is 1.
# Comment this line out to disable logging.
#***********************************************************************
md_graphdefang_log_enable('mail', 1);

#***********************************************************************
# Uncomment this to block messages with more than 50 parts. This will
# *NOT* work unless you're using Roaring Penguin's patched version
# of MIME tools, version MIME-tools-5.411a-RP-Patched-02 or later.
#
# WARNING: DO NOT SET THIS VARIABLE unless you're using at least
# MIME-tools-5.411a-RP-Patched-02; otherwise, your filter will fail.
#***********************************************************************
# $MaxMIMEParts = 50;

#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************

# Set the next one if your mail client cannot handle nested multipart
# messages. DO NOT set this lightly; it will cause action_add_part to
# work rather strangely. Leave it at zero, even for MS Outlook, unless
# you have serious problems.
$Stupidity{"flatten"} = 0;

# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 0;

# The next lines force SpamAssassin modules to be loaded and rules
# to be compiled immediately. This may improve performance on busy
# mail servers. Comment the lines out if you don't like them.
if ($Features{"SpamAssassin"}) {
spam_assassin_init()->compile_now(1) if defined(spam_assassin_init());

# If you want to use auto-whitelisting:
# if (defined($SASpamTester)) {
# use Mail::SpamAssassin::DBBasedAddrList;
# my $awl = Mail::SpamAssassin::DBBasedAddrList->new();
# $SASpamTester->set_persistent_address_list_factory($awl) if defined($awl);
# }
}

# This procedure returns true for entities with bad filenames.
sub filter_bad_filename ($) {
my($entity) = @_;
my($bad_exts, $re);

# Bad extensions
$bad_exts =
'(ade|adp|app|asd|asf|asx|bas|chm|cmd|com|cpl|crt|dll|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|prg|reg|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';

# Do not allow:
# - CLSIDs {foobarbaz}
# - bad extensions (possibly with trailing dots) at end
$re = '\.' . $bad_exts . '\.*$';

return 1 if (re_match($entity, $re));

# Look inside ZIP files
if (re_match($entity, '\.zip$') and
$Features{"Archive::Zip"}) {
my $bh = $entity->bodyhandle();
if (defined($bh)) {
my $path = $bh->path();
if (defined($path)) {
return re_match_in_zip_directory($path, $re);
}
}
}
return 0;
}

#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin () {
# ALWAYS drop messages with suspicious chars in headers
if ($SuspiciousCharsInHeaders) {
md_graphdefang_log('suspicious_chars');
# action_quarantine_entire_message("Message quarantined because of suspicious characters in headers");
# Do NOT allow message to reach recipient(s)
return action_discard();
}

# Scan for viruses if any virus-scanners are installed
my($code, $category, $action) = message_contains_virus();

# Lower level of paranoia - only looks for actual viruses
$FoundVirus = ($category eq "virus");

# Higher level of paranoia - takes care of "suspicious" objects
# $FoundVirus = ($action eq "quarantine");

if ($FoundVirus) {
md_graphdefang_log('virus', $VirusName, $RelayAddr);
md_syslog('warning', "Discarding because of virus $VirusName");
return action_discard();
}

if ($action eq "tempfail") {
action_tempfail("Problem running virus-scanner");
md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
}
}

#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# There are many action_*() routines which can decide the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter ($$$$) {
my($entity, $fname, $ext, $type) = @_;

return if message_rejected(); # Avoid unnecessary work

# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted here");
return action_discard();
}

# Discard nasty attachments
if (lc($ext) eq ".bat" || lc($ext) eq ".exe" || lc($ext) eq ".pif"
|| lc($ext) eq ".scr") {
action_bounce("Message rejected due to unsafe attachment. Please resend without attachment.");
}

if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}

# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
md_graphdefang_log('non_multipart');
return action_drop_with_warning("A non-multipart attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}
# Clean up HTML if Anomy::HTMLCleaner is installed.
if ($Features{"HTMLCleaner"}) {
if ($type eq "text/html") {
return anomy_clean_html($entity);
}
}

return action_accept();
}

#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such as message/rfc822.
# You cannot replace the body (because multipart parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart ($$$$) {
my($entity, $fname, $ext, $type) = @_;

return if message_rejected(); # Avoid unnecessary work

if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
return action_drop_with_warning("An attachment of type $type, named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}

# eml is bad if it's not message/rfc822
if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
md_graphdefang_log('non_rfc822',$fname);
return action_drop_with_warning("A non-message/rfc822 attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}

# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted here");
return;
}

return action_accept();
}


#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning ($$) {
my($oldfname, $fname) = @_;
return
"An attachment named '$oldfname' was converted to '$fname'.\n" .
"To recover the file, right-click on the attachment and Save As\n" .
"'$oldfname'\n";
}

# If SpamAssassin found SPAM, append report. We do it as a separate
# attachment of type text/plain
sub filter_end ($) {
my($entity) = @_;

# If you want quarantine reports, uncomment next line
# send_quarantine_notifications();

# IMPORTANT NOTE: YOU MUST CALL send_quarantine_notifications() AFTER
# ANY PARTS HAVE BEEN QUARANTINED. SO IF YOU MODIFY THIS FILTER TO
# QUARANTINE SPAM, REWORK THE LOGIC TO CALL send_quarantine_notifications()
# AT THE END!!!

# No sense doing any extra work
return if message_rejected();

# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"}) {
if (-s "./INPUTMSG" < 100*1024) {
# Only scan messages smaller than 100kB. Larger messages
# are extremely unlikely to be spam, and SpamAssassin is
# dreadfully slow on very large messages.
my($hits, $req, $names, $report) = spam_assassin_check();
my($score);
if ($hits < 40) {
$score = "*" x int($hits);
} else {
$score = "*" x 40;
}
# We add a header which looks like this:
# X-Spam-Score: 6.8 (******) NAME_OF_TEST,NAME_OF_TEST
# The number of asterisks in parens is the integer part
# of the spam score clamped to a maximum of 40.
# MUA filters can easily be written to trigger on a
# minimum number of asterisks...
if ($hits >= $req) {
action_change_header("X-Spam-Score", "$hits ($score) $names");
md_graphdefang_log('spam', $hits, $RelayAddr);

# If you find the SA report useful, add it, I guess...
action_add_part($entity, "text/plain", "-suggest",
"$report\n",
"SpamAssassinReport.txt", "inline");
} else {
# Delete any existing X-Spam-Score header?
action_delete_header("X-Spam-Score");
}
}
}

# Do Spam Header and Redirect
if (spam_assassin_is_spam()) {
# Change Subject: header
action_change_header("Subject", "*****SPAM***** $Subject");
}

if (spam_assassin_is_spam()) {
# Add a header with original recipients, just for info
action_add_header("X-Orig-Rcpts", join(", ", @Recipients));

# Remove original recipients
foreach $recip (@Recipients) {
delete_recipient($recip);
}

# Send to spam address
add_recipient('***@mydomain.com');
}


# I HATE HTML MAIL! If there's a multipart/alternative with both
# text/plain and text/html parts, nuke the text/html. Thanks for
# wasting our disk space and bandwidth...

# If you want to strip out HTML parts if there is a corresponding
# plain-text part, uncomment the next line.
# remove_redundant_html_parts($entity);

md_graphdefang_log('mail_in');

# Deal with malformed MIME.
# Some viruses produce malformed MIME messages that are misinterpreted
# by mail clients. They also might slip under the radar of MIMEDefang.
# If you are worried about this, you should canonicalize all
# e-mail by uncommenting the action_rebuild() line. This will
# force _all_ messages to be reconstructed as valid MIME. It will
# increase the load on your server, and might break messages produced
# by marginal software. Your call.

# action_rebuild();
}

# DO NOT delete the next line, or Perl will complain.
1;
Post by Michael Sims
Post by Jason Granat
Watching /var/log/maillog I see every time a message comes to
'reject=451
4.7.1 Please try again later' and MIMEDeFang times out. What
causes this and how do I fix it?
Can you post a link to your current mimedefang-filter?
___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___________________________________________
John Mason
2004-03-17 18:25:14 UTC
-----Original Message-----
Sent: Wednesday, March 17, 2004 12:05 PM
Subject: Re: [Mimedefang]Localhost Messages Cause 'reject=451
4.7.1 Please try again later'
One thing I noticed. Small root messages get through fine. It looks
like it's only erroring on large messages. The culprit messages are
~17M. I know there was a place for setting max mail message
size, but I
can't remember or find where. Can someone point me in the
right direction?
Thanks,
Jason
Are they getting scanned by antivirus, or a zip being opened and scanned?


John
Jason Granat
2004-03-17 18:37:26 UTC
No AV installed yet. Not a zip, just plain text (from a long cron job).
Post by John Mason
-----Original Message-----
Sent: Wednesday, March 17, 2004 12:05 PM
Subject: Re: [Mimedefang]Localhost Messages Cause 'reject=451
4.7.1 Please try again later'
One thing I noticed. Small root messages get through fine. It looks
like it's only erroring on large messages. The culprit messages are
~17M. I know there was a place for setting max mail message
size, but I
can't remember or find where. Can someone point me in the
right direction?
Thanks,
Jason
Are they getting scanned by antivirus, or a zip being opened and scanned?
John
Michael Sims
2004-03-17 20:24:36 UTC
Post by Jason Granat
Here it is Michael.
# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"}) {
if (-s "./INPUTMSG" < 100*1024) {
[snip]
Post by Jason Granat
}
}
# Do Spam Header and Redirect
if (spam_assassin_is_spam()) {
# Change Subject: header
action_change_header("Subject", "*****SPAM***** $Subject");
}
if (spam_assassin_is_spam()) {
[snip]

You have the standard size check on INPUTMSG, but then you are later calling
spam_assassin_is_spam() outside of that check. That sub calls
spam_assassin_check() internally, and you are calling it on ALL messages
that make it to filter_end() without being rejected for some other reason.
This means that you are running SpamAssassin on your 17MB messages, which
could easily cause the slave to time out. Additionally, I don't believe that
spam_assassin_check() does any kind of caching of its results, so when you
call spam_assassin_is_spam() twice, you are scanning the message twice,
which needless to say isn't very efficient. (Someone correct me if I'm wrong
about that.)

It would be better to move all of the code you have to change headers and
add recipients inside the original block that runs the spam assassin check,
so that you only run the check once, and you avoid running it at all on
messages that are over 100k.

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___________________________________________
Jason Granat
2004-03-17 20:51:17 UTC
Michael,

Ok. So as this is very deep for me, how can I quit calling SpamAssassin
the second time, yet be able to rewrite the headers? Should I do the
rewrite in sub defang_warning after INPUTMSG?

Thanks a ton!

Jason
Michael Sims
2004-03-17 21:19:19 UTC
Post by Jason Granat
Michael,
Ok. So as this is very deep for me, how can I quit calling
SpamAssassin the second time, yet be able to rewrite the headers?
Should I do the rewrite in sub defang_warning after INPUTMSG?
No, just change filter_end. Take all of these lines:

------------------------------------------------------------------
action_change_header("Subject", "*****SPAM***** $Subject");
action_add_header("X-Orig-Rcpts", join(", ", @Recipients));
foreach $recip (@Recipients) {
    delete_recipient($recip);
}
add_recipient('spambucket at mydomain.com');
------------------------------------------------------------------

And put them inside the ($hits >= $req) block, so it looks like this:

------------------------------------------------------------------
if ($hits >= $req) {
    action_change_header("X-Spam-Score", "$hits ($score) $names");
    md_graphdefang_log('spam', $hits, $RelayAddr);

    # Change Subject: header
    action_change_header("Subject", "*****SPAM***** $Subject");

    # Add a header with original recipients, just for info
    action_add_header("X-Orig-Rcpts", join(", ", @Recipients));

    # Remove original recipients
    foreach $recip (@Recipients) {
        delete_recipient($recip);
    }

    # Send to spam address
    add_recipient('spambucket at mydomain.com');

    # If you find the SA report useful, add it, I guess...
    action_add_part($entity, "text/plain", "-suggest",
                    "$report\n", "SpamAssassinReport.txt", "inline");
} else {
    # Delete any existing X-Spam-Score header?
    action_delete_header("X-Spam-Score");
}
------------------------------------------------------------------

Then delete the two blocks you have that check spam_assassin_is_spam(). It
looks to me that it will do exactly what you were doing, except that it will
only call SpamAssassin once, and it won't call it at all on messages larger
than 100k...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___________________________________________
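
Added example (not part of the original thread, and not MIMEDefang or sendmail code): a small maillog check that groups sendmail lines by queue id and shows whether the 'reject=451 4.7.1' tempfails track message size, using the filter's 100*1024 byte SpamAssassin cut-off as the boundary. The log lines are constructed in sendmail's syslog style, the function names are made up here, and it assumes the from= line carrying size= is logged under the same queue id as the Milter reject line.

```python
import re

# SpamAssassin cut-off used in the filter quoted in the thread: 100*1024 bytes.
SA_CUTOFF = 100 * 1024

# Constructed sample lines (hosts, queue ids and sizes are made up).
SAMPLE_LOG = """\
Mar 17 01:20:01 mx sendmail[2101]: i2H1K1aa002101: from=<root@mx.example.com>, size=17825792, class=0, nrcpts=1, relay=localhost [127.0.0.1]
Mar 17 01:25:02 mx sendmail[2101]: i2H1K1aa002101: Milter (mimedefang): timeout before data read
Mar 17 01:25:02 mx sendmail[2101]: i2H1K1aa002101: Milter: data, reject=451 4.7.1 Please try again later
Mar 17 01:26:10 mx sendmail[2140]: i2H1QAbb002140: from=<root@mx.example.com>, size=2048, class=0, nrcpts=1, relay=localhost [127.0.0.1]
Mar 17 01:26:11 mx sendmail[2141]: i2H1QAbb002140: to=<admin@example.com>, delay=00:00:01, mailer=local, stat=Sent
Mar 17 01:40:01 mx sendmail[2190]: i2H1e1cc002190: from=<root@mx.example.com>, size=17825800, class=0, nrcpts=1, relay=localhost [127.0.0.1]
Mar 17 01:45:03 mx sendmail[2190]: i2H1e1cc002190: Milter: data, reject=451 4.7.1 Please try again later
Mar 17 01:50:00 mx sendmail[2200]: i2H1o0dd002200: from=<user@example.net>, size=51200, class=0, nrcpts=1, relay=mail.example.net [192.0.2.10]
Mar 17 01:50:01 mx sendmail[2201]: i2H1o0dd002200: to=<admin@example.com>, delay=00:00:01, mailer=local, stat=Sent
Mar 17 01:55:00 mx sendmail[2210]: i2H1t0ee002210: Milter: data, reject=451 4.7.1 Please try again later
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
SIZE_RE = re.compile(r"\bsize=(\d+)")
RELAY_RE = re.compile(r"\brelay=(.+?)(?:,|$)")
TIMEOUT_RE = re.compile(r"Milter \(([^)]+)\): timeout")


def parse_maillog(text):
    """Group sendmail lines by queue id; record size, relay and milter outcome."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a sendmail line with a queue id
        rec = records.setdefault(
            m["qid"],
            {"size": None, "relay": None, "tempfail": False, "timeout": None},
        )
        rest = m["rest"]
        if rest.startswith("from="):
            # Envelope line: carries the message size and the submitting relay.
            size = SIZE_RE.search(rest)
            relay = RELAY_RE.search(rest)
            rec["size"] = int(size.group(1)) if size else None
            rec["relay"] = relay.group(1).strip() if relay else None
        elif "reject=451 4.7.1" in rest:
            rec["tempfail"] = True
        t = TIMEOUT_RE.search(rest)
        if t:
            rec["timeout"] = t.group(1)  # name of the milter that timed out
    return records


def tempfails_by_size(records, cutoff=SA_CUTOFF):
    """Return {bucket: (tempfailed, total)} for messages below/at-or-above cutoff."""
    out = {"small": [0, 0], "large": [0, 0], "unknown": [0, 0]}
    for rec in records.values():
        if rec["size"] is None:
            bucket = "unknown"  # reject line seen without a from= line
        else:
            bucket = "large" if rec["size"] >= cutoff else "small"
        out[bucket][1] += 1
        out[bucket][0] += rec["tempfail"]
    return {k: tuple(v) for k, v in out.items()}


def suspects(records):
    """Tempfailed messages, largest first; unknown sizes sort last."""
    hits = [
        (qid, r["size"], r["relay"], r["timeout"])
        for qid, r in records.items()
        if r["tempfail"]
    ]
    return sorted(hits, key=lambda h: -(h[1] or 0))


if __name__ == "__main__":
    recs = parse_maillog(SAMPLE_LOG)
    for bucket, (failed, total) in tempfails_by_size(recs).items():
        print(f"{bucket:8s} tempfailed {failed} of {total}")
    for qid, size, relay, timeout in suspects(recs):
        print(qid, size, relay, f"timeout in {timeout}" if timeout else "")
```

Running it over the log again after changing filter_end shows whether messages over the cut-off still tempfail.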
