Amavis new rejecting local mail as UCE

I was away overseas for a week and set up mail forwarding
(vis my desktop's 
email client) from one address to another on the same (my)
mail server.

Unfortunately a mail loop developed which resulted in over
4,000 near 
identical messages being sent through the SMTP server, and
growing, before I 
stopped it.

The mail server now rejects all mail from the email address
which these 
forwards came from.

it isn't the message content because an identical message
(with a different 
from address) gets through.

In this case both the sending and receiving address are on
the same mail 
server.

I've emptied the Amavis MySQL tables with no success. What
can do I do please?

--------------------------------
The notification message is as follows:

A message from <michaelnetworkstuff.co.nz> to:
-> EMAIL DELETED

was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is
02271-01/BOtn6tyqfuLO

The message carried your return address, so it was either a
genuine mail
from you, or a sender address was faked and your e-mail
address abused
by third party, in which case we apologize for undesired
notification.

We do try to minimize backscatter for more prominent cases
of UBE and
for infected mail, but for less obvious cases of UBE some
balance
between losing genuine mail and sending undesired
backscatter is sought,
and there can be some collateral damage on both sides.

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

At 06:06 AM 11/5/2007, Michael Hallager wrote:
>I was away overseas for a week and set up mail
forwarding (vis my desktop's
>email client) from one address to another on the same
(my) mail server.
>
>Unfortunately a mail loop developed which resulted in
over 4,000 near
>identical messages being sent through the SMTP server,
and growing, before I
>stopped it.
>
>The mail server now rejects all mail from the email
address which these
>forwards came from.
>
>it isn't the message content because an identical
message (with a different
>from address) gets through.
>
>In this case both the sending and receiving address are
on the same mail
>server.
>
>I've emptied the Amavis MySQL tables with no success.
What can do I do please?

You need to check your logs to see why the message is marked
as 
spam.  Running amavisd at log level 2 or higher ($log_level
= 2; in 
amavisd.conf) will likely give you enough information to see
why the 
message is rejected.  Here's some wild guesses you can track
down:

- SpamAssassin Auto WhiteList "AWL" or bayes
features can 
automatically learn mail as spam.
You can try temporarily disabling AWL and bayes by adding
the 
following to your spamassassin
/etc/mail/spamassassin/local.cf
use_bayes 0
use_auto_whitelist 0
see http://wiki.apache.org/spamassassin/BasicConfiguration


- amavisd-new white/black lists?   This isn't an automated
feature, 
but something you set in amavisd.conf or associated SQL 
tables.  White/black list action is noted in the log.

>--------------------------------
>The notification message is as follows:

The notification message isn't particularly helpful in
tracking down 
problems.  This is by design; some anonymous sender doesn't
need 
details of your mail policy.  You need to search your logs
for more 
complete information.

-- 
Noel Jones 


------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

> You need to check your logs to see why the message is
marked as
> spam.  Running amavisd at log level 2 or higher
($log_level = 2; in
> amavisd.conf) will likely give you enough information
to see why the
> message is rejected.  Here's some wild guesses you can
track down:

Will try.

> - SpamAssassin Auto WhiteList "AWL" or bayes
features can
> automatically learn mail as spam.
> You can try temporarily disabling AWL and bayes by
adding the
> following to your spamassassin
/etc/mail/spamassassin/local.cf
> use_bayes 0
> use_auto_whitelist 0
> see http://wiki.apache.org/spamassassin/BasicConfiguration


Where does it store this information? I think if I can
delete the state and 
start again, this will fix the problem whereas setting it
not to use the 
above will degrade the performance.

> - amavisd-new white/black lists?   This isn't an
automated feature,
> but something you set in amavisd.conf or associated
SQL
> tables.  White/black list action is noted in the log.

I am not using this at present.

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

At 04:53 PM 11/5/2007, Michael Hallager wrote:

> > You need to check your logs to see why the message
is marked as
> > spam.  Running amavisd at log level 2 or higher
($log_level = 2; in
> > amavisd.conf) will likely give you enough
information to see why the
> > message is rejected.  Here's some wild guesses you
can track down:
>
>Will try.
>
> > - SpamAssassin Auto WhiteList "AWL" or
bayes features can
> > automatically learn mail as spam.
> > You can try temporarily disabling AWL and bayes by
adding the
> > following to your spamassassin
/etc/mail/spamassassin/local.cf
> > use_bayes 0
> > use_auto_whitelist 0
> > see http://wiki.apache.org/spamassassin/BasicConfiguration

>
>Where does it store this information? I think if I can
delete the state and
>start again, this will fix the problem whereas setting
it not to use the
>above will degrade the performance.

If you didn't set SA to use *SQL for these tables, they are
stored in 
the SA global config directory, usually 
/etc/mail/spamassassin, as 
auto-whitelist* and bayes*.  Stop amavisd-new and anything
else that 
uses SpamAssassin (such as if you configured spamd to run
for some 
reason), and then just remove those files.

But if you don't check the logs to see if this is really the
problem, 
you're just shooting in the dark.

-- 
Noel Jones 


------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On 11/5/07, Michael Hallager wrote:
>
> > You need to check your logs to see why the message
is marked as
> > spam.  Running amavisd at log level 2 or higher
($log_level = 2; in
> > amavisd.conf) will likely give you enough
information to see why the
> > message is rejected.  Here's some wild guesses you
can track down:
>
> Will try.
>
> > - SpamAssassin Auto WhiteList "AWL" or
bayes features can
> > automatically learn mail as spam.
> > You can try temporarily disabling AWL and bayes by
adding the
> > following to your spamassassin
/etc/mail/spamassassin/local.cf
> > use_bayes 0
> > use_auto_whitelist 0
> > see http://wiki.apache.org/spamassassin/BasicConfiguration

>
> Where does it store this information? I think if I can
delete the state and
> start again, this will fix the problem whereas setting
it not to use the
> above will degrade the performance.
>

Since your amavis home directory is /var/amavis, what does
this say?

ls -l /var/amavis/.spamassassin

If you are using the default settings, the bayes and auto
whitelist
databases will be stored there. If you are using SQL, then
they will
be stored in the SQL database specified by your settings in
local.cf.
There are way to surgically remove items, rather than taking
off and
nuking them from outer space.

To remove an address from auto-whitelist:
spamassassin --remove-addr-from-whitelist=userexample.com
and to relearn messages marked as spam sa ham:
sa-learn --ham <copy_of_my_message.txt

man sa-learn
man spamassassin-run

It would be better to see what SA rules actually hit
however. Setting
$log_level at 2, sending a message from you through and
looking in the
mail log noting what SA rules hit (as Noel mentioned) would
be a
better approach.

-- 
Gary V

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

It isn't the message text because sent from any other 'from'
email address it 
gets through and all messages from that one email address
are stopped.

It can't be a rules based thing either because it was
working fine until this 
problem and as I said, sent from another 'from' address an
identical message 
gets through.

I really don't have time for a surgical job because this is
a production 
server.

What do I need to do to clean it out?


> Since your amavis home directory is /var/amavis, what
does this say?
>
> ls -l /var/amavis/.spamassassin
>
> If you are using the default settings, the bayes and
auto whitelist
> databases will be stored there. If you are using SQL,
then they will
> be stored in the SQL database specified by your
settings in local.cf.
> There are way to surgically remove items, rather than
taking off and
> nuking them from outer space.
>
> To remove an address from auto-whitelist:
> spamassassin --remove-addr-from-whitelist=userexample.com
> and to relearn messages marked as spam sa ham:
> sa-learn --ham <copy_of_my_message.txt
>
> man sa-learn
> man spamassassin-run
>
> It would be better to see what SA rules actually hit
however. Setting
> $log_level at 2, sending a message from you through and
looking in the
> mail log noting what SA rules hit (as Noel mentioned)
would be a
> better approach.



------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On 11/5/07, Michael Hallager <michaelnetworkstuff.co.nz> wrote:
> It isn't the message text because sent from any other
'from' email address it
> gets through and all messages from that one email
address are stopped.
>
> It can't be a rules based thing either because it was
working fine until this
> problem and as I said, sent from another 'from' address
an identical message
> gets through.
>
> I really don't have time for a surgical job because
this is a production
> server.
>

Even more reason to do surgery as opposed to doing something
that may
affect every recipient.

> What do I need to do to clean it out?
>
>

I asked, what does this say?

ls -l /var/amavis/.spamassassin

If there are bayes and auto-whitelist files like this:

-rw------- 1 amavis amavis 12288 2007-08-18 11:35
auto-whitelist
-rw------- 1 amavis amavis 12288 2007-08-18 11:35
bayes_seen
-rw------- 1 amavis amavis 12288 2007-08-18 11:35
bayes_toks
-rw-r--r-- 1 amavis amavis  1487 2007-08-18 11:42
user_prefs

Check if the date is current (an indication the files are
being
updated), then you can delete them. SpamAssassin will create
new ones
as needed. As Noel said, good idea to stop amavisd-new,
delete these
files, then start amavisd-new.

-- 
Gary V

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

> Where does it store this information?

In the .spamassassin subdirectory of the home directory of
the user
running spamassassin.

-- 
Gary V

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On 11/5/07, Gary V wrote:
> > Where does it store this information?
>
> In the .spamassassin subdirectory of the home directory
of the user
> running spamassassin.
>

By default, that is. It can be configured to be somewhere
else, and
named something else. It can also be stored in an SQL
database.

-- 
Gary V

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/

On Tue, 06 Nov 2007 15:02:02 Gary V wrote:
> > Where does it store this information?
>
> In the .spamassassin subdirectory of the home directory
of the user
> running spamassassin.

I've tried 'cleaning it all out' with no success.

I'm really unsure at this point what is going on.

All I know is that my email from one account to another on
the box is being 
scored at 6+ and rejected.

Michael.

------------------------------------------------------------
-------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and
a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amav
is.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/ho
wto/