Spamd not called for certain emails

snowweb

Verified User
Joined
Aug 31, 2007
Messages
144
Location
Antipolo City, Rizal, Philippines (a British Natio
Exim.conf and spamassassin seem to be working together exceptionally well and managing to enable us to eliminate 95% of the spam.

However, in the last couple of days I have been noticing an annoying one which seems to be slipping through the net. The odd thing is that according to the headers of the message delivered, spamd is not being called at all for this particular breed of spam.

This is only affecting one type of spam that always seems to say the same thing and always seems to come with a virus in a zip file.

It's also odd that clamav isn't stopping it either, since it updates automatically every four hours.

Here are the headers:

Return-path: <banacha55@royalkoas.com>
Envelope-to: user@host.co.uk
Delivery-date: Fri, 24 Jul 2009 11:12:38 +0800
Received: from [190.144.0.42] (helo=CWXNQKBTZ)
    by s1.snowweb.info with esmtp (Exim 4.67)
    (envelope-from <banacha55@royalkoas.com>)
    id 1MUBD2-0002wE-2i
    for user@host.co.uk; Fri, 24 Jul 2009 11:12:38 +0800
Received: from 190.144.0.42 by red3.redtong.com; Thu, 23 Jul 2009 22:24:55 -0500
Message-ID: <000d01ca0c0e$50804720$6400a8c0@banacha55>
From: <user@host.co.uk>
To: user@host.co.uk
Subject: You have received an eCard
Date: Thu, 23 Jul 2009 22:24:55 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01CA0C0E.50804720"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

I'm using SpamBlocker.exim.conf.2.1.1-release 05-Jun-2007 and DA 1.3.3.7

My SPF record is "v=spf1 a mx ip4:216.108.227.20 ?all"

I could change the SPF record to -all if this is caused by the server not checking mail that it thinks is local? If I do that though, it doesn't solve it for my customers' domains unless they are all changed (and some of them probably can't accept that).

My other thought is that maybe exim.conf is mis-identifying it as local mail and therefore not invoking spamd? Could I just override that so that spamd checks it regardless? If so, how?

Last of all, I'm wondering what's happened to clamav! Don't know where to start looking to see if it is running and why it didn't catch this.

Sorry this is so long. Any help would be appreciated.

Thanks.

pete
 

snowweb

Solved

It turns out that in exim.conf, there was a 100K limit on messages which would be parsed by SpamAssassin. I've increased this limit to 300K which I reckon should solve the problem.

Still wondering why clamav never picked it up though (and also why clamav isn't adding any headers)?

Does anyone have any ideas on this?

pete
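
Added example, not part of the original posts and not taken from SpamBlocker's exim.conf: a Python check that classifies a delivered message as scanned, skipped by the size limit, or unscanned for another reason. It assumes SpamAssassin marks scanned mail with the usual X-Spam-* headers, that Exim reads "100K" as 100 x 1024 bytes, and that the raw message length approximates Exim's $message_size; the sample messages are constructed.

```python
import email
import re

# Headers SpamAssassin normally adds; if none is present the message was not scanned.
SPAM_HEADERS = ("X-Spam-Status", "X-Spam-Checker-Version", "X-Spam-Level")

def exim_size(value):
    """Convert an Exim-style size such as '100K' or '2M' to bytes (K = 1024)."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", value.strip())
    if not m:
        raise ValueError(f"not an Exim size: {value!r}")
    mult = {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]
    return int(m.group(1)) * mult

def audit(raw, limit="100K"):
    """Classify one delivered message (raw bytes) against the scan size limit."""
    msg = email.message_from_bytes(raw)
    scanned = any(msg.get(h) is not None for h in SPAM_HEADERS)
    size = len(raw)  # assumption: close enough to Exim's $message_size
    if scanned:
        verdict = "scanned"
    elif size >= exim_size(limit):
        verdict = "skipped-size"            # too large for the scan condition
    else:
        verdict = "unscanned-within-limit"  # size does not explain it; check routing
    return {"subject": msg.get("Subject", ""), "size": size, "verdict": verdict}

def sample(subject, payload_len, spam_header=False):
    """Constructed message; the payload stands in for an encoded zip attachment."""
    head = f"From: <user@host.co.uk>\r\nTo: user@host.co.uk\r\nSubject: {subject}\r\n"
    if spam_header:
        head += "X-Spam-Status: No, score=0.1\r\n"
    return (head + "\r\n").encode() + b"A" * payload_len

if __name__ == "__main__":
    ecard = sample("You have received an eCard", 120 * 1024)
    for raw, limit in ((ecard, "100K"), (ecard, "300K"),
                       (sample("small, scanned", 200, True), "100K")):
        print(limit, audit(raw, limit))
```

Any message at or above the configured limit still bypasses SpamAssassin, so a run of `skipped-size` verdicts over a mailbox shows how much mail a given limit leaves unscanned.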
 