Interpreting SA/amavis/postfix headers and logs: difficult to trace
I've just realised how hard it can be to establish the "received"
sequence on a message flagged by SA. This could probably go to the
postfix, SA and/or amavis lists but I'll start here. If I've looked
through things that would have answered this, I apologise in advance
and will do penance by writing an FAQ on the topic!

What triggered this was that I got a rather weird spam detection from
SA this morning. When I looked at it, it seemed to be a McAfee virus
report but I think that was a total fake. There was no nasty payload
and it was just a short ASCII message. However, the headers and top
of the body were:

Return-Path: <service@paypal.com>
Delivered-To: chris@psyctc.org
Received: from localhost (localhost [127.0.0.1])
by www.psyctc.org (Postfix) with ESMTP
id F2F61777AB; Fri, 6 Feb 2004 06:14:17 +0000 (GMT)
Received: from www.psyctc.org ([127.0.0.1])
by localhost (www [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 08132-07; Fri, 6 Feb 2004 06:14:17 +0000 (GMT)
Received: by www.psyctc.org (Postfix, from userid 1012)
id 34421777A8; Fri, 6 Feb 2004 06:14:17 +0000 (GMT)
Received: from localhost [127.0.0.1] by www
with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
Fri, 06 Feb 2004 06:14:17 +0000
From: service@paypal.com
To: chris@psyctc.org
Subject: Notification of PayPal Limited Account Access
Date: 6 Feb 2004 06:11:06 -0000
Message-Id: <20040206061106.29880.qmail@www36.networkshosting.com>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=6.2 required=5.0
tests=BAYES_30,CLICK_BELOW,HTML_70_80,HTML_LINK_CLICK_HERE,
HTML_TAG_EXISTS_TBODY,HTML_WEB_BUGS,HTTP_CTRL_CHARS_HOST,
HTTP_ESCAPED_HOST,HTTP_USERNAME_USED,MIME_HTML_ONLY,
NO_REAL_NAME,USERPASS
version=2.55
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_402330B9.D706FFA6"
X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at psyctc.org
Status:
X-PMFLAGS: 570949760 0 1 P8P90219.CNM

This is a multi-part message in MIME format.

------------=_402330B9.D706FFA6
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

That really only shows a localhost to local received trail which I
guess is true for all SA detects (seems to be on my system anyway) as
they're really new messages from SA to me.

The message was an odd one so I wanted to sort out its route into my
system. As far as I can see, the only way I can do that is to turn
to the postfix mail.log and there I found:

Feb 6 06:14:02 www postfix/smtpd[9136]: connect from mail5.hostingexpress.com[66.96.128.19]
Feb 6 06:14:02 www postfix/smtpd[9136]: A6EB8777A8: client=mail5.hostingexpress.com[66.96.128.19]
Feb 6 06:14:03 www postfix/cleanup[9137]: A6EB8777A8: message-id=<20040206061106.29880.qmail@www36.networkshosting.com>
Feb 6 06:14:03 www spamd[24663]: connection from localhost [127.0.0.1] at port 4871
Feb 6 06:14:03 www spamd[9143]: info: setuid to filter succeeded
Feb 6 06:14:04 www spamd[9143]: processing message <20040206061106.29880.qmail@www36.networkshosting.com> for filter:1012.
Feb 6 06:14:08 www postfix/smtpd[9136]: disconnect from mail5.hostingexpress.com[66.96.128.19]

Am I right that this suggests (confirms?) a transfer of an incoming
message from mail5.hostingexpress.com[66.96.128.19] on process 9136
being passed to amavis/SA on process 9137? Is the sequential process
ID the only way of telling this? If so, is it likely to fail when a
system is heavily loaded with incoming messages and the sequence then
be likely not to be sequential in process number?

I would be very keen to hear some definitive advice or pointers to
documentation or tools I've overlooked.

Setup is Debian stable, up to date, behind a firewall, running postfix
1.1.11, the amavis-postfix Debian package (0.3.12pre5.20020310-5?) and
SA 2.55.

TIA,

Chris

PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@psyctc.org
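The question above is really about how to tie the all-localhost Received trail back to the real sending client. The following is an added worked example, not code from the original post or from the postfix, amavisd-new or SpamAssassin projects. It parses the Received headers and the mail.log lines quoted in the post (embedded here as constructed sample input; the header continuation lines are re-indented as they would be in the raw message) and correlates the log entries by the postfix queue ID and the Message-ID, which are the fields postfix and spamd actually log for a message, rather than by adjacent process numbers. The `LOCAL` set, the hop field names and the `trace_message` output layout are this example's own conventions.

```python
import re

# Constructed sample: the headers from the post, with folded lines indented as in a raw message.
HEADERS = """\
Return-Path: <service@paypal.com>
Delivered-To: chris@psyctc.org
Received: from localhost (localhost [127.0.0.1])
    by www.psyctc.org (Postfix) with ESMTP
    id F2F61777AB; Fri, 6 Feb 2004 06:14:17 +0000 (GMT)
Received: from www.psyctc.org ([127.0.0.1])
    by localhost (www [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
    id 08132-07; Fri, 6 Feb 2004 06:14:17 +0000 (GMT)
Received: by www.psyctc.org (Postfix, from userid 1012)
    id 34421777A8; Fri, 6 Feb 2004 06:14:17 +0000 (GMT)
Received: from localhost [127.0.0.1] by www
    with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
    Fri, 06 Feb 2004 06:14:17 +0000
Message-Id: <20040206061106.29880.qmail@www36.networkshosting.com>
"""

# Constructed sample: the mail.log lines from the post, verbatim.
LOG_LINES = """\
Feb 6 06:14:02 www postfix/smtpd[9136]: connect from mail5.hostingexpress.com[66.96.128.19]
Feb 6 06:14:02 www postfix/smtpd[9136]: A6EB8777A8: client=mail5.hostingexpress.com[66.96.128.19]
Feb 6 06:14:03 www postfix/cleanup[9137]: A6EB8777A8: message-id=<20040206061106.29880.qmail@www36.networkshosting.com>
Feb 6 06:14:03 www spamd[24663]: connection from localhost [127.0.0.1] at port 4871
Feb 6 06:14:03 www spamd[9143]: info: setuid to filter succeeded
Feb 6 06:14:04 www spamd[9143]: processing message <20040206061106.29880.qmail@www36.networkshosting.com> for filter:1012.
Feb 6 06:14:08 www postfix/smtpd[9136]: disconnect from mail5.hostingexpress.com[66.96.128.19]
"""

MESSAGE_ID = '<20040206061106.29880.qmail@www36.networkshosting.com>'

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                     r'(?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
QUEUE_RE = re.compile(r'^(?P<qid>[0-9A-F]{6,}): ')   # postfix prefixes per-message lines with the queue ID
MSGID_RE = re.compile(r'<[^>]+>')


def unfold(text):
    """Join RFC 822 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in text.splitlines():
        if line[:1] in (' ', '\t') and lines:
            lines[-1] += ' ' + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(header_text):
    """Return Received hops oldest first. Each hop records the from-clause and the by/with/id tokens."""
    hops = []
    for line in unfold(header_text):
        if not line.lower().startswith('received:'):
            continue
        value = line.split(':', 1)[1].strip()
        m = re.match(r'^from\s+(.*?)\s+by\s', value)
        hop = {'from_clause': m.group(1) if m else None}
        for key in ('by', 'with', 'id'):
            m = re.search(r'(?:^|\s)%s\s+([^\s;]+)' % key, value)
            hop[key] = m.group(1) if m else None
        hops.append(hop)
    return hops[::-1]   # each MTA prepends its header, so reversing gives chronological order


def all_local(hops):
    """True when no hop names a remote client: every from-clause is loopback or absent (local pickup)."""
    return all(h['from_clause'] is None or '127.0.0.1' in h['from_clause'] for h in hops)


def parse_log(text):
    """Split syslog lines into fields and pull out the postfix queue ID and any Message-ID."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e['pid'] = int(e['pid'])
        q = QUEUE_RE.match(e['msg'])
        e['qid'] = q.group('qid') if q else None
        mid = MSGID_RE.search(e['msg'])
        e['msgid'] = mid.group(0) if mid else None
        entries.append(e)
    return entries


def trace_message(entries, message_id):
    """Recover the path of one message: cleanup ties Message-ID to queue ID, queue ID ties back to smtpd's client=."""
    trace = {'message_id': message_id, 'queue_id': None, 'client': None, 'pids': {}, 'timeline': []}
    for e in entries:
        if e['prog'] == 'postfix/cleanup' and e['msgid'] == message_id:
            trace['queue_id'] = e['qid']
    for e in entries:
        if (trace['queue_id'] and e['qid'] == trace['queue_id']) or e['msgid'] == message_id:
            trace['timeline'].append((e['ts'], e['prog'], e['pid'], e['msg']))
            trace['pids'][e['prog']] = e['pid']   # PIDs are recorded, but never used as the join key
            m = re.search(r'client=(\S+)', e['msg'])
            if m:
                trace['client'] = m.group(1)
    return trace


if __name__ == '__main__':
    hops = received_hops(HEADERS)
    print('Received trail all local:', all_local(hops))
    t = trace_message(parse_log(LOG_LINES), MESSAGE_ID)
    print('queue id', t['queue_id'], 'from client', t['client'], 'via', t['pids'])
    for ts, prog, pid, msg in t['timeline']:
        print(ts, prog, pid, msg)
```

Running this prints the all-local verdict for the four Received headers, then the three log lines that genuinely belong to the message, joined through queue ID A6EB8777A8 and the Message-ID. The spamd parent line (pid 24663, "connection from localhost") is correctly left out: it carries neither key, which is exactly why neighbouring PIDs on a busy server are not a reliable link.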
Re: Interpreting SA/amavis/postfix headers and logs: difficult to trace
On 6 Feb 2004 at 12:28, Duncan Hill wrote:

> I'd say you've got a setting somewhere to trim all headers but the
> local machine headers. Postfix always stamps where it got the mail
> from.

Yes, that's my feeling too but I can't think where and assume it's in
SA or amavis but if a setting is there, then I'm looking straight
through it. Anyone else point me onward?

TIA,

Chris
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@psyctc.org