need help interpreting message_log

Hello. I need to find out why a particular message was quarantined. I got the following snippet from the message_log.

2010-02-18T10:43:38 q=o1I2harw009087 f=<luke@rebels.com> t=<vader@evilempire.com> h=RDNS_SUSP_MSGID h=MSGID_SPAM_5 h=HTML_70_90 h=BODY_SIZE_5000_5999 h=BODY_SIZE_7000_LESS h=INVALID_MSGID_NO_FQDN h=RDNS_NXDOMAIN h=RDNS_SUSP h=RDNS_SUSP_GENERIC h=__BOUNCE_CHALLENGE_SUBJ h=__BOUNCE_NDR_SUBJ_EXEMPT h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__HAS_HTML h=__HAS_MSGID h=__HAS_X_MAILER h=__HTML_FONT_BLUE h=__MIME_HTML h=__MIME_VERSION h=__OUTLOOK_MSGID_1 h=__OUTLOOK_MUA h=__OUTLOOK_MUA_1 h=__SANE_MSGID h=__STYLE_RATWARE h=__STYLE_RATWARE_2 h=__TAG_EXISTS_HTML h=__TO_MALFORMED_2 h=__USER_AGENT_MS_GENERIC Size=7853 fur=0.0.0.0 vs p=0.825 pmx_action=quarantine,-,-,vader@evilempire.com,vader@evilempire.com r=[111.11.11.11] tm=0.81 a=d/eom

I don't know how to interpret this. Can someone help me with this? Or if you point me to some documentation, that would be great too. Thank you.

- Pierre

  • The first thing I see is that pmx is 82.5% sure (positive) the message is spam. p=0.825

    The other thing is all of the h=Some_Value are the reasons why it's at 82%. The h stands for hit, as in it matched a SPAM rule and each time it matched, the internal counter for pmx tallied this up to a number past the threshold in your policy. The policy then quarantined the message. Check out page 212 of the admin reference to see what each entry in the log file means.

    From the appendix:

    ``spam score
    The spam score is the score assigned to a message by the anti-spam engine that indicates the relative likelihood that the message is spam.
    Anti-spam rules consist of a test definition and a "weight". If the test matches the message, the corresponding weight is added to the message's total spam score. Generally, multiple rules must be triggered by a message in order to result in a spam score high enough for an action to be taken. SophosLabs constantly analyzes emerging spam techniques and updates the ES4000 and PureMessage anti-spam rule sets accordingly.''

    You may also want to review the troubleshooting steps starting on page 217.

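    The log line above is just space-separated key=value fields, with the h= field repeated once per rule hit, so it is easy to pull apart mechanically when you have many such lines to look through. The following is an added example (not PureMessage's own code and not from either poster): it parses the line from the question into its fields, separates the hits into the rule names that are assumed here to carry a weight and the names starting with "__" (treated here as sub-rules; that naming convention is an assumption, not something this thread states), and tallies which rules show up on quarantined messages. The second log line in the sample is constructed for the tally and is not a real entry.

```python
"""Parse PureMessage message_log lines like the one in the question.

Added example, not PureMessage's own code. Field names (q, f, t, h, p,
pmx_action, r, tm, Size) are taken from the log line on the page; treating
rule names that start with "__" as non-scoring sub-rules is an assumption
about the naming convention, not something the thread states.
"""
from collections import Counter

# First line: the real entry from the question.
# Second line: constructed for this example, not a real log entry.
SAMPLE_LOG = """\
2010-02-18T10:43:38 q=o1I2harw009087 f=<luke@rebels.com> t=<vader@evilempire.com> h=RDNS_SUSP_MSGID h=MSGID_SPAM_5 h=HTML_70_90 h=BODY_SIZE_5000_5999 h=BODY_SIZE_7000_LESS h=INVALID_MSGID_NO_FQDN h=RDNS_NXDOMAIN h=RDNS_SUSP h=RDNS_SUSP_GENERIC h=__BOUNCE_CHALLENGE_SUBJ h=__BOUNCE_NDR_SUBJ_EXEMPT h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__HAS_HTML h=__HAS_MSGID h=__HAS_X_MAILER h=__HTML_FONT_BLUE h=__MIME_HTML h=__MIME_VERSION h=__OUTLOOK_MSGID_1 h=__OUTLOOK_MUA h=__OUTLOOK_MUA_1 h=__SANE_MSGID h=__STYLE_RATWARE h=__STYLE_RATWARE_2 h=__TAG_EXISTS_HTML h=__TO_MALFORMED_2 h=__USER_AGENT_MS_GENERIC Size=7853 fur=0.0.0.0 vs p=0.825 pmx_action=quarantine,-,-,vader@evilempire.com,vader@evilempire.com r=[111.11.11.11] tm=0.81 a=d/eom
2010-02-18T10:45:02 q=CONSTRUCTED0001 f=<alice@example.com> t=<bob@example.com> h=__HAS_MSGID h=__MIME_VERSION Size=1200 fur=0.0.0.0 p=0.020 pmx_action=deliver,-,-,bob@example.com,bob@example.com r=[192.0.2.10] tm=0.12 a=d/eom
"""


def parse_message_log_line(line):
    """Return a dict of the key=value fields; repeated h= fields collect in 'hits'."""
    tokens = line.split()
    rec = {"timestamp": tokens[0], "hits": [], "flags": []}
    for tok in tokens[1:]:
        if "=" not in tok:
            rec["flags"].append(tok)  # bare tokens such as "vs"
            continue
        key, value = tok.split("=", 1)
        if key == "h":
            rec["hits"].append(value)
        else:
            rec[key] = value
    # Normalise the fields an admin actually reasons about.
    rec["sender"] = rec.pop("f", "").strip("<>")
    rec["recipient"] = rec.pop("t", "").strip("<>")
    rec["relay_ip"] = rec.pop("r", "").strip("[]")
    rec["spam_probability"] = float(rec["p"]) if "p" in rec else None
    rec["size"] = int(rec["Size"]) if "Size" in rec else None
    if "pmx_action" in rec:
        # "quarantine,-,-,recipient,recipient": the action comes first.
        parts = rec["pmx_action"].split(",")
        rec["action"] = parts[0]
        rec["action_details"] = parts[1:]
    return rec


def split_hits(hits):
    """Separate weighted rule names from '__' sub-rules (naming assumption)."""
    scoring = [h for h in hits if not h.startswith("__")]
    subrules = [h for h in hits if h.startswith("__")]
    return scoring, subrules


def tally_quarantine_rules(log_text):
    """Count how often each weighted rule fired on quarantined messages."""
    counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_message_log_line(line)
        if rec.get("action") == "quarantine":
            scoring, _ = split_hits(rec["hits"])
            counter.update(scoring)
    return counter


if __name__ == "__main__":
    first = parse_message_log_line(SAMPLE_LOG.splitlines()[0])
    scoring, subrules = split_hits(first["hits"])
    print(first["q"], first["action"], "p=%.3f" % first["spam_probability"])
    print("weighted rules:", ", ".join(scoring))
    print("sub-rules:", len(subrules))
    print("quarantine rule tally:", tally_quarantine_rules(SAMPLE_LOG))
```

    Run over a real message_log, the tally shows which weighted rules recur across quarantined mail, which is the quickest way to tell a one-off false positive from a rule that is systematically catching a legitimate sender.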
  • Hello PierreE,

    Since the message is quarantined, you can run a command line utility on the quarantined message to find out more information.

    Locate the physical message in your quarantine:

    It will reside on the server that quarantined it, in /opt/pmx/var/qdir/cur/[0-9]

    You can find the ID for it either in the Manager interface or creative grep'ing.

    Once you have located the file, as the pmx user:

    $ pmx-spam scan -v <FILENAME>

    This will give you the most detailed verbose output about which rules caused the message to be quarantined.

    You can send this output in to support, or put it up here and I can discuss what the rules mean and what may have caused it.

    Off the top, I see you hit RDNS_SUSP_MSGID

    If I go into the Manager, Policy -> Anti-Spam Rules -> Search for RDNS_SUSP_MSGID:

    Message contains a ratware message-id pattern and arrived via a host with suspicious rDNS.

    So message heuristics have determined the message-id looks spamish, and the sending MTA was most likely from an IP range that is dynamic, and should not be sending mail.

    This is a very quick look, and the steps above will show in more depth why this message was quarantined.

    Hope this helps!

  • Thanks a lot, guys. Your posts were very helpful.

    I have a problem with the pmx commands though. When I enter in the command "pmx-spam scan -v 17505749" I get:

    -bash: pmx-spam: command not found

    I get this with other pmx commands too. I'm logged in as root, then did a 'su pmx'.

  • Hi,

    Look in your pmx home dir. There is a file called .pmx_sh_vars that you need to source after you su to the pmx user:

    pmx@somehostname ~ $ . .pmx_sh_vars (if you use the csh there is one called .pmx_csh_vars)

    Look closely because there is a period followed by the .pmx_sh_vars file. This is not a typo and it's how the shell reads that file.

    To make this happen automagically on log in, you could add the . .pmx_sh_vars line to your .bashrc and then call your .bashrc from .bash_profile

    Erric

  • Instead of:

    # su  pmx

    Do:

    # su - pmx

    Using the dash will make sure you get the pmx user's environment.

    If that doesn't work:

    $ /opt/pmx/bin/pmx-spam scan ...
