Possible problem with SpamAssassin and DCCifd

Kevin W. Gagel gagel@cnc.bc.ca
Fri Oct 15 18:29:14 UTC 2004


This is cross-posted to the DCC list and SA developers list. It takes a bit of
explaining so bear with me.

DCCIFD is reporting “missing message body” errors. In order to track this
down I searched the mail log for the same date and time that dccifd reports
them in the log and found the correlating entries.  Mail flows into my gateway
through postfix. Postfix launches a bash script I created. The script I made
saves the message to a file then uses spamc to check the message against
spamd. Spamc/d are the C-compiled alternatives to the Perl spamassassin.
SpamAssassin and spamd and spamc are for the purposes of this document the
same thing. Anyway, after matching a number of these entry combinations I
found that each of them had two things in common. The message id was found to
be invalid and the message headers were missing. These are noted in the
spamassassin test results as seen below.

DCCIFD is reporting a “missing message body” when in fact it seems that
it’s the header that is missing. I believe that the “missing message
body” error is erroneous and should state “missing headers” instead.

SpamAssassin is reporting a “Permission denied” error when in fact it’s
trying to read the headers in a message that is missing them. So I believe
that the “Permission denied” error is erroneous and should state
“missing headers” instead.

In any case the message is in fact being processed correctly at all stages. If
the message is scored at 10 or higher then it's deleted correctly and if it
scores 5 or higher it's tagged. At no time was I able to find a message with a
missing body.
 
The “Permission denied” line below traces back to the Dns.pm code that is
checking the headers of the mail message. The code does an if check and upon
failing to find headers it executes the following:
Line 698 reads: dbg("failed read header");

Supporting log entries:

/var/log/messages
Oct 14 01:30:47 avas dccifd[26936]: missing message body

/var/log/mail
Oct 14 01:30:47 avas spamd[16267]: connection from localhost [127.0.0.1] at
port 42038
Oct 14 01:30:47 avas spamd[16267]: processing message <?C[20> for
spamfilter:501.
Oct 14 01:30:47 avas spamd[16267]: DCCifd -> check skipped: Permission denied
Died at /usr/local/lib/perl5/site_perl/5.8.4/Mail/SpamAssassin/Dns.pm line
698.
Oct 14 01:30:48 avas spamd[16267]: identified spam (21.0/5.0) for
spamfilter:501 in 1.2 seconds, 390 bytes.
Oct 14 01:30:48 avas spamd[16267]: result: Y 21 -
AWL,BAYES_99,DNS_FROM_AHBL_RHSBL,INVALID_MSGID,MISSING_HEADERS,MISSING_SUBJECT
,NO_REAL_NAME,RCVD_IN_XBL,RCVD_NUMERIC_HELO
scantime=1.2,size=390,mid=<?C[20>,bayes=0.999511923376872458,autolearn=no
Oct 14 01:30:48 avas postfix/SPAMC[26938]: DISCARDING SPAM.

/var/log/messages
Oct 14 03:11:29 avas dccifd[31504]: missing message body

/var/log/mail
Oct 14 03:11:29 avas spamd[16535]: DCCifd -> check skipped: Permission denied
Died at /usr/local/lib/perl5/site_perl/5.8.4/Mail/SpamAssassin/Dns.pm line
698.
Oct 14 03:11:29 avas spamd[16535]: identified spam (8.7/5.0) for
spamfilter:501 in 3.0 seconds, 461 bytes.
Oct 14 03:11:29 avas spamd[16535]: result: Y  8 -
BAYES_95,INVALID_MSGID,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,RCVD_BY_IP
,RCVD_DOUBLE_IP_SPAM
scantime=3.0,size=461,mid=<?O[20>,bayes=0.96354278224830079,autolearn=no

/var/log/messages
Oct 14 06:55:03 avas dccifd[10894]: missing message body

/var/log/mail
Oct 14 06:55:03 avas spamd[5377]: connection from localhost [127.0.0.1] at
port 43475
Oct 14 06:55:03 avas spamd[5377]: processing message <?I> for spamfilter:501.
Oct 14 06:55:03 avas spamd[5377]: DCCifd -> check skipped: Permission denied
Died at /usr/local/lib/perl5/site_perl/5.8.4/Mail/SpamAssassin/Dns.pm line
698.
Oct 14 06:55:04 avas spamd[5377]: identified spam (9.0/5.0) for spamfilter:501
in 1.2 seconds, 311 bytes.
Oct 14 06:55:04 avas spamd[5377]: result: Y  8 -
BAYES_60,FORGED_YAHOO_RCVD,INVALID_MSGID,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME
,RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO
scantime=1.2,size=311,mid=<?I>,bayes=0.709654615569724961,autolearn=no

/var/log/messages
Oct 14 07:31:12 avas dccifd[13072]: missing message body

/var/log/mail
Oct 14 07:31:12 avas spamd[5377]: connection from localhost [127.0.0.1] at
port 43698
Oct 14 07:31:12 avas spamd[5377]: processing message <?4[8> for
spamfilter:501.
Oct 14 07:31:13 avas spamd[5377]: DCCifd -> check skipped: Permission denied
Died at /usr/local/lib/perl5/site_perl/5.8.4/Mail/SpamAssassin/Dns.pm line
698.
Oct 14 07:31:14 avas spamd[5377]: identified spam (6.8/5.0) for spamfilter:501
in 1.3 seconds, 564 bytes.
Oct 14 07:31:14 avas spamd[5377]: result: Y  6 -
BAYES_40,FROM_STARTS_WITH_NUMS,INVALID_MSGID,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME
,RCVD_HELO_IP_MISMATCH,RCVD_IN_RFC_IPWHOIS,RCVD_NUMERIC_HELO
scantime=1.3,size=564,mid=<?4[8>,bayes=0.305460830887101821,autolearn=no




====================
Kevin W. Gagel
Network Administrator
(250) 561-5848 local 448
(250) 562-2131 local 448

--------------------------------------------------------------
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
--------------------------------------------------------------
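
The timestamp correlation described in the post, as an added example that is not part of the original message: it pairs each dccifd "missing message body" entry with the spamd worker that skipped the DCC check at the same moment and reports which SpamAssassin tests every such message hit. The sample lines are adapted from the excerpts above (unwrapped and trimmed, plus one constructed clean result); the 5-second window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample lines adapted from the post's excerpts (unwrapped, test lists trimmed);
# the final "clean" result line is constructed.
MESSAGES_LOG = """\
Oct 14 01:30:47 avas dccifd[26936]: missing message body
Oct 14 03:11:29 avas dccifd[31504]: missing message body
"""
MAIL_LOG = """\
Oct 14 01:30:47 avas spamd[16267]: DCCifd -> check skipped: Permission denied
Oct 14 01:30:48 avas spamd[16267]: result: Y 21 - AWL,BAYES_99,INVALID_MSGID,MISSING_HEADERS,MISSING_SUBJECT scantime=1.2,size=390
Oct 14 03:11:29 avas spamd[16535]: DCCifd -> check skipped: Permission denied
Oct 14 03:11:29 avas spamd[16535]: result: Y  8 - BAYES_95,INVALID_MSGID,MISSING_HEADERS,MISSING_SUBJECT scantime=3.0,size=461
Oct 14 04:00:00 avas spamd[16535]: result: . 0 - BAYES_00 scantime=0.4,size=2048
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[(\d+)\]: (.*)$")

def parse(log, year=2004):
    """Yield (timestamp, daemon, pid, text); syslog omits the year, so it is assumed."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def correlate(messages_log, mail_log, window=timedelta(seconds=5)):
    """Map each dccifd 'missing message body' time to the SA tests hit nearby."""
    mail = list(parse(mail_log))
    out = {}
    for ts, daemon, _, text in parse(messages_log):
        if daemon != "dccifd" or "missing message body" not in text:
            continue
        # spamd workers that skipped the DCC check at about the same moment
        pids = {p for t, d, p, x in mail
                if d == "spamd" and "check skipped" in x and abs(t - ts) <= window}
        for t, d, p, x in mail:
            m = re.match(r"result: \S+ +\S+ - (\S+)", x)
            if m and p in pids and timedelta(0) <= t - ts <= window:
                out[ts] = set(m.group(1).split(","))
    return out

def common_tests(hits):
    """Tests present in every correlated message."""
    return set.intersection(*hits.values()) if hits else set()

if __name__ == "__main__":
    print(sorted(common_tests(correlate(MESSAGES_LOG, MAIL_LOG))))
```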



