spamassassin-users October 2010 archive
Main Archive Page > Month Archives  > spamassassin-users archives
spamassassin-users: Re: Mails received with same message id ever

Re: Mails received with same message id every 15 - 20 seconds

From: Dominic Benson <dominic_at_nospam>
Date: Tue Oct 26 2010 - 12:06:20 GMT
To: "users@spamassassin.apache.org" <users@spamassassin.apache.org>

Hi,

On 26/10/10 12:40, Sharma, Ashish wrote:
> Hi,
>
> I have SpamAssassin integrated on my postfix mail server via 'Amavisd-new'.
>
> The problem that I am facing is that I am receiving same email every 15 second from same sender with same message-ID on my production mail servers, following are my postfix logs:
>
> "Oct 25 01:11:02 g2t0433g postfix/smtpd[6497]: connect from webmail.warwick.net[204.255.24.104]
> Oct 25 01:11:02 g2t0433g postfix/smtpd[6497]: 2EAAF23004C: client=webmail.warwick.net[204.255.24.104]
> Oct 25 01:11:02 g2t0433g postfix/cleanup[6579]: 2EAAF23004C: message-id=<CE130ED7-D498-4461-B076-E3B8AB55B462@warwick.net>
> Oct 25 01:11:02 g2t0433g opendkim[17677]: (unknown-jobid): webmail.warwick.net [204.255.24.104] not internal
> Oct 25 01:11:02 g2t0433g opendkim[17677]: (unknown-jobid): not authenticated
> Oct 25 01:11:02 g2t0433g opendkim[17677]: (unknown-jobid): no signing domain match for `warwick.net'
> Oct 25 01:11:02 g2t0433g opendkim[17677]: (unknown-jobid): no signing subdomain match for `warwick.net'
> Oct 25 01:11:02 g2t0433g postfix/qmgr[17833]: 2EAAF23004C: from=<peterm@warwick.net>, size=1987, nrcpt=1 (queue active)
> Oct 25 01:11:02 g2t0433g postfix/smtpd[6497]: disconnect from webmail.warwick.net[204.255.24.104]
> Oct 25 01:11:03 g2t0433g amavis[6492]: (06492-09) Passed CLEAN, [204.255.24.104] [204.255.24.104]<peterm@warwick.net> -> <775eejom36ebi@xxx.com>, Message-ID:<CE130ED7-D498-4461-B076-E3B8AB55B462@warwick.net>, mail_id: rJ8M8oQHBzWt, Hits: 1.104, size: 2234, queued_as: 250 Ok, 946 ms
> Oct 25 01:11:03 g2t0433g postfix/lmtp[6585]: 2EAAF23004C: to=<775eejom36ebi@xxx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=0.6/0/0.01/0.95, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=06492-09, from MTA([127.0.0.1]:10030): 250 Ok)
> Oct 25 01:11:03 g2t0433g postfix/qmgr[17833]: 2EAAF23004C: removed"
>

What happens to the message next? It's been passed to Amavis (and
accepted) and so removed from the queue, but what happens when Amavis
hands it back/on to the next MTA?

I don't know if you've redacted the domain, but should you be accepting
delivery of a message for that recipient at all? It doesn't *look* like
a real destination.
> How to determine that such mail is genuine or SPAM?
>
> Is there any rule on spamassassin that I can set that will discard such mails?
>
> Right now I have added 'peterm@warwick.net' in my postfix 'main.cf' restriction list as follows:
>
> smtpd_recipient_restrictions =
> check_sender_access hash:/etc/postfix/senderRestrictionList,
>
How is this file set up? Is it unintentionally allowing some senders to
bypass reject_unauth_destination (see
http://www.postfix.org/SMTPD_ACCESS_README.html) - I would have expected
a permit_mynetworks in there - alternatively are your relay domains set
correctly? You could also consider reject_unverified_recipient.
> reject_unauth_destination,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client bl.spamcop.net
> permit
>
> Is it the right approach?
>
> Please help
>
> Thanks in advance
> Ashish Sharma
>
Regards,

Dominic