Tracking Down Rejected Email


Tracking Down Rejected Email

Carlwill
It appears the previous administrator has a dump load of header_checks and I feel this is blocking some legit email and I am unable to receive a quote from a vendor I am working with. I get the following message:

May  8 10:43:53 mail amavis[5526]: (05526-17) Passed CLEAN, LOCAL [10.1.1.204] [10.1.1.204] <[hidden email]> -> <[hidden email]>, Message-ID: <[hidden email]>, mail_id: iJlE9bc6lx2c, Hits: -, size: 785, queued_as: AD1AF15C071, 141 ms
May  8 10:52:23 mail postfix/cleanup[9085]: 46AC415C06D: reject: header Message-ID: <[hidden email]> from mailout.cdw.com[12.32.90.134]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mailout.cdw.com>: Message content rejected
May  8 15:32:20 mail postfix/cleanup[22356]: 05BAE15C080: reject: header Message-ID: <[hidden email]> from mailout.cdw.com[12.32.90.134]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mailout.cdw.com>: Message content rejected

I don't know what he is using in the header or could it be something in the body / attachment if it indicates "Message content rejected"? I would like to see how I can narrow down what is causing the reject on /etc/postfix/header_checks and remove that entry. I don't want to completely remove everything from header_checks because some of them may (or may not) be doing a legit job of blocking junk.

Thanks for any help!

Re: Tracking Down Rejected Email

Victor Duchovni
On Fri, May 23, 2008 at 11:35:07AM -0400, Carlos Williams wrote:

> May  8 15:32:20 mail postfix/cleanup[22356]: 05BAE15C080: reject: header
> Message-ID: <[hidden email]> from
> mailout.cdw.com[12.32.90.134]; from=<[hidden email]> to=<
> [hidden email]> proto=ESMTP helo=<mailout.cdw.com>: Message content
> rejected

Without a doubt there are rules to reject Letter "S", Letter "E", Letter
"X" or ditto with "change" after it.

> I don't want to completely
> remove everything from header_checks because some of them may (or may not)
> be doing a legit job of blocking junk.

Actually, I would ditch a poorly constructed header check file completely.
Implement zen.spamhaus.org (paying attention to query volume and perhaps
subscribe to a data feed) and a content filter (amavisd-new with SA?).
These should be much more effective and less error-prone than header
checks (which are best used sparingly just for blocking unsafe attachments
and the like).

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Tracking Down Rejected Email

Carlwill
On Fri, May 23, 2008 at 11:46 AM, Victor Duchovni <[hidden email]> wrote:
> On Fri, May 23, 2008 at 11:35:07AM -0400, Carlos Williams wrote:
>
> > May  8 15:32:20 mail postfix/cleanup[22356]: 05BAE15C080: reject: header
> > Message-ID: <[hidden email]> from
> > mailout.cdw.com[12.32.90.134]; from=<[hidden email]> to=<
> > [hidden email]> proto=ESMTP helo=<mailout.cdw.com>: Message content
> > rejected
>
> Without a doubt there are rules to reject Letter "S", Letter "E", Letter
> "X" or ditto with "change" after it.
>
> > I don't want to completely
> > remove everything from header_checks because some of them may (or may not)
> > be doing a legit job of blocking junk.
>
> Actually, I would ditch a poorly constructed header check file completely.
> Implement zen.spamhaus.org (paying attention to query volume and perhaps
> subscribe to a data feed) and a content filter (amavisd-new with SA?).
> These should be much more effective and less error-prone than header
> checks (which are best used sparingly just for blocking unsafe attachments
> and the like).

If I do comment out every entry in my header_checks file, is there a safe template I can use to avoid any false positive rejects on header_checks?
I did a search in my logs and the big ones I see being filtered are "mortgage" and "sex".

Here are my logs:

May 22 15:08:45 mail postfix/cleanup[31382]: EC4F815C03B: reject: header thread-index: Aci8Pz0SexBNp7H8Tg+dLzhf4fTNVQ== from unknown[10.1.10.60]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<vwoodward>: Message content rejected
May 22 15:22:09 mail postfix/cleanup[8913]: C053915C03B: reject: header From: "Mortgage Help" <[hidden email]> from terracottagreen.com[66.180.221.124]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<terracottagreen.com>: Message content rejected
May 22 19:22:21 mail postfix/cleanup[9022]: 4B0EA15C03B: reject: header From: "Mortgage Help" <[hidden email]> from terracottagreen.com[66.180.221.124]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<terracottagreen.com>: Message content rejected
May 23 02:10:40 mail postfix/cleanup[19824]: 89FC115C048: reject: header Subject: Ban on Sex for Soldiers in Afghanistan Lifted ... Sort Of  from ncmail1.blackbaud.com[216.235.200.122]; from=<SRS0=88a4afe7e7ea7ecd062daa4059d82e1153323997=710=miltnews.com=[hidden email]> to=<[hidden email]> proto=ESMTP helo=<ncmail1.blackbaud.com>: Message content rejected
May 23 08:18:44 mail postfix/cleanup[24566]: 3EF0F15C02F: reject: header Subject: FW: Sex With A Cowboy from mail.ttiinc.com[12.5.162.114]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<mail.ttiinc.com>: Message content rejected
May 23 08:31:24 mail postfix/cleanup[25803]: DDB7D15C02F: reject: header Subject: Final Notice re: Delinquent Mortgage Payment from ssl.nokiewebproduction.com[64.187.126.171]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<ssl.nokiewebproduction.com>: Message content rejected
May 23 08:58:16 mail postfix/cleanup[28711]: 8879115C02F: reject: header From: "Mortgage Help" <[hidden email]> from wisteriahazel.com[66.180.222.77]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<wisteriahazel.com>: Message content rejected
May 23 11:52:10 mail postfix/cleanup[19640]: 009D115C042: reject: header Received: from lewes.staff.uscs.susx.ac.uk ([139.184.134.43]:63407)??by sivits.uscs.susx.ac.uk with esmtpsa (TLSv1:AES256-SHA:256)??(Exim 4.64) (envelope-from <[hidden email]>) id K1BVZ3-000AV0-FF? from ds049.xs4all.nl[194.109.142.194]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<tad.clamav.net>: Message content rejected

Obviously the last one seems to be a false positive from clamav-users mailing list.

I just don't want to wipe the entire file since I don't know what it's doing and then have spam slip through the cracks. I already use spamhaus in my main.cf but I don't have spamassassin enabled. Just clamav, amavisd-new, & RBL's in main.cf.

Thanks for any pointers in the right direction!

Re: Tracking Down Rejected Email

mouss-2
Carlos Williams wrote:
> [snip]
>
> If I do comment out every entry in my header_checks file, is there a safe
> template I can use to avoid any false positive rejects on header_checks?
>  

if you remove all header and body checks, there will be no FP because of
header and body checks :)


> I did a search in my logs and the big ones I see being filtered are
> "mortgage" and "sex".
>  

The latter matches: essex, sussex, MSexchange, RossExelman, ... etc.

keyword blocking is generally unsafe. It is also not very effective
since spammers obfuscate words (5ex, "s e x", "s3x", ... etc).

As suggested by Viktor, better use a content filter instead.

> Here are my logs:
> [snip]
> May 23 11:52:10 mail postfix/cleanup[19640]: 009D115C042: reject: header
> Received: from lewes.staff.uscs.susx.ac.uk ([139.184.134.43]:63407)??by
> sivits.uscs.susx.ac.uk with esmtpsa (TLSv1:AES256-SHA:256)??(Exim 4.64)
> (envelope-from <[hidden email]>) id K1BVZ3-000AV0-FF? from
> ds049.xs4all.nl[194.109.142.194]; from=<
> [hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<tad.clamav.net>: Message content rejected
>
> Obviously the last one seems to be a false positive from clamav-users
> mailing list.
>  

sussex.ac.uk matches the keyword...



> I just don't want to wipe the entire file since I don't know what it's doing
> and then have spam slip through the cracks.

If you don't know what it does, then you'd better remove it. Then when
spam slips, check if there is a safe rule to block it. Otherwise, let
your content filter do its job.

>  I already use spamhaus in my
> main.cf but I don't have spamassassin enabled. Just clamav, amavisd-new, &
> RBL's in main.cf.
>
> Thanks for any pointers in the right direction!
>
>  
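As an added example (not code from the thread or from Postfix itself), the following script does what the original post asks for: it replays cleanup(8) reject lines from the mail log against a header_checks file and reports which rule fired, following pcre_table(5) semantics (first match wins, case-insensitive by default, flags toggle the defaults) with Python's re standing in for PCRE. The header_checks contents are a constructed assumption, since the poster never showed the file; two log lines are taken from the thread and the Received: line is constructed so that the sussex.ac.uk false positive mouss describes is visible.

```python
import re

# Constructed header_checks in Postfix pcre_table(5) syntax; the poster's real
# file is not in the thread, so these only mimic the implied keyword rules.
HEADER_CHECKS = r"""
/mortgage/                                              REJECT
/sex/                                                   REJECT
# the kind of rule header_checks is actually good for: executable attachments
/^Content-(Disposition|Type):.*name=.*\.(exe|scr|pif)/  REJECT unsafe attachment
"""
# Two reject lines quoted from the thread, plus a constructed Received: line
# in the same format (the real envelope-from was hidden in the posted log).
SAMPLE_LOG = [
    'May 23 08:18:44 mail postfix/cleanup[24566]: 3EF0F15C02F: reject: header Subject: FW: Sex With A Cowboy from mail.ttiinc.com[12.5.162.114]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<mail.ttiinc.com>: Message content rejected',
    'May 22 15:22:09 mail postfix/cleanup[8913]: C053915C03B: reject: header From: "Mortgage Help" <[hidden email]> from terracottagreen.com[66.180.221.124]; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<terracottagreen.com>: Message content rejected',
    'May 23 11:52:10 mail postfix/cleanup[19640]: 009D115C042: reject: header Received: from lewes.staff.uscs.susx.ac.uk by sivits.uscs.susx.ac.uk with esmtpsa (envelope-from <someone@sussex.ac.uk>) from ds049.xs4all.nl[194.109.142.194]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<tad.clamav.net>: Message content rejected',
]

RULE_RE = re.compile(r'^(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s+(\S+)\s*(.*)$')
FLAG_BITS = {'i': re.I, 'm': re.M, 's': re.S, 'x': re.X}

def parse_header_checks(text):
    """Return [(negated, regex, action, text)] per rule (if/endif not handled).
    pcre_table(5) flags toggle the defaults: '/sex/i' is the case-SENSITIVE form."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line) if line and not line.startswith('#') else None
        if not m:
            continue
        negated, pattern, flagstr, action, action_text = m.groups()
        flags = re.I  # Postfix default: case-insensitive
        for f in flagstr:
            flags ^= FLAG_BITS.get(f, 0)
        rules.append((negated == '!', re.compile(pattern, flags), action, action_text))
    return rules

# The rejected "Name: value" header may itself contain " from " (Received:
# lines do), so anchor on the trailing client "host[ip]; from=<" instead.
LOG_RE = re.compile(r'reject: header (?P<header>.*) from \S+\[[^\]]+\]; from=<')

def rejected_header(logline):
    m = LOG_RE.search(logline)
    return m.group('header') if m else None

def first_matching_rule(header, rules):
    """Postfix acts on the first rule that fires; return (index, pattern, action)."""
    for i, (negated, rx, action, _) in enumerate(rules):
        if bool(rx.search(header)) != negated:
            return (i, rx.pattern, action)
    return None
```

Run it over the real header_checks and a day of `reject: header` lines and each rule that only ever fires on legitimate traffic, like /sex/ on the Received: line above, is a candidate for removal.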


Re: Tracking Down Rejected Email

Noel Jones-2
> Carlos Williams wrote:
>
>>  I already use spamhaus in my
>> main.cf but I don't have spamassassin enabled. Just clamav,
>> amavisd-new, &
>> RBL's in main.cf.
>>

Since you're already using amavisd-new and clamav, I suggest
also using the Sanesecurity add-on signatures for phish and
scam mail.  Can't say enough good stuff about them...
http://www.sanesecurity.com/clamav/usage.htm

--
Noel Jones