Debugging .forward

Rainer Dorsch ml at bokomoko.de
Fri Dec 11 17:20:51 UTC 2015


Hello,

I run an exim4 mailserver on a Debian 8 system.

I use a .forward file for mail filtering, in particular I use spamassassin for filtering SPAM:

I added a header line

  warn  condition = ${if < {$message_size}{130K}}
        spam = Debian-exim:true
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report

e.g.

X-Spam-Score: 9.5 (+++++++++) 
X-Spam-Report: Spam detection software, running on the system 
"netcup.bokomoko.de", has identified this incoming email as possible spam.  The 
original message has been attached to this so you can view it or label similar future 
email.  If you have any questions, see the administrator of that system for details. 
Content preview:  It looks absolutely amazing here! We Have a New Pick Coming Soon. 
It is now: .25 Company: Envoy Group Corp Trading Date: Dec, 11th Target Price: .80 
Sym: E N V_V It Headed for Exponential Growth! Time To Get Back On Track In A Huge 
Way! [...] Content analysis details:   (9.5 points, 5.0 required) pts rule 
name              description ---- ---------------------- 
-------------------------------------------------- 1.3 RCVD_ILLEGAL_IP        Received: contains 
illegal IP address 0.9 RCVD_NUMERIC_HELO      Received: contains an IP address used 
for HELO 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL 
[190.141.172.75 listed in zen.spamhaus.org] 0.1 MISSING_MID            Missing 
Message-Id: header 1.3 RDNS_NONE              Delivered to internal network by a host 
with no rDNS 1.4 MISSING_DATE           Missing Date: header 1.0 
FSL_HELO_BARE_IP_2     No description available. 


Then my .forward file starts with

if error_message then finish endif

if $h_X-Spam-Score: CONTAINS "++++++" then save Maildir/.SPAM/
  finish
elif $h_from: contains


The message with the header lines above did not make it into the SPAM directory, 
instead the mainlog shows that it is stored in my standard inbox:

2015-12-11 17:32:05 1a7Qbz-0002FV-RR <= <> H=(190.141.172.75) 
[190.141.172.75] P=smtp S=2022
2015-12-11 17:32:05 1a7Qbz-0002FV-RR => rd <metzingen at bokomoko.de> 
R=local_user T=maildir_home

What makes the issue even more weird is that it seems only one email address of a 
user on that system is affected. I.e. the user has many email aliases via /etc/aliases 
and one of them shows the broken behavior.

I do not expect that there is any expert out there who could explain right away what is 
going wrong, but does anybody know how to debug such an issue? Can I log which 
.forward rule applied?

Thanks
Rainer

-- 
Rainer Dorsch
http://bokomoko.de/
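
One way to start debugging from the main log, as an added example that is not part of the original post: Exim's filter condition `error_message` is true when the envelope sender is empty, which the main log records as `<= <>`, so this Python code lists messages received with a null sender together with the router and transport that delivered them. The function names are hypothetical, and the sample input is the two log entries quoted above, embedded as constructed input.

```python
import re

# Constructed sample: the two mainlog entries quoted in the post, with the
# mail archive's line wrapping and address obfuscation preserved.
SAMPLE_LOG = """\
2015-12-11 17:32:05 1a7Qbz-0002FV-RR <= <> H=(190.141.172.75)
[190.141.172.75] P=smtp S=2022
2015-12-11 17:32:05 1a7Qbz-0002FV-RR => rd <metzingen at bokomoko.de>
R=local_user T=maildir_home
"""

ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
EVENT = re.compile(r"^\S+ \S+ (?P<id>\S+) (?P<dir><=|=>|->) (?P<rest>.*)$")


def join_wrapped(text):
    """Re-join wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def null_sender_deliveries(text):
    """Return (msgid, router, transport) for deliveries of messages received with sender <>."""
    bounces, hits = set(), []
    for entry in join_wrapped(text):
        m = EVENT.match(entry)
        if not m:
            continue
        if m["dir"] == "<=":
            if m["rest"].split()[:1] == ["<>"]:
                bounces.add(m["id"])  # empty envelope sender: error_message is true
        elif m["id"] in bounces:
            fields = dict(f.split("=", 1) for f in m["rest"].split() if "=" in f)
            hits.append((m["id"], fields.get("R"), fields.get("T")))
    return hits


if __name__ == "__main__":
    for msgid, router, transport in null_sender_deliveries(SAMPLE_LOG):
        print(f"{msgid}: null sender, delivered by R={router} T={transport}")
```

A filter that reaches `finish` without a `save`, `deliver` or `pipe` leaves the message to normal delivery, so each hit is a candidate for having stopped at the `error_message` guard. Exim's `-bf` option runs a filter file in test mode against a message on standard input and reports the actions it would take.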