How to unquarantine items in /var/virusmails (move to a users mail folder)

Until now I have had all my virusmails quarantined in /var/virusmails.
I now need to get some of these e-mails "visible" (e.g. available from Mail.app) again.

I tried to:
1. copy a file "spam-1de9446ae8e71ba79b483f78a136c405-20081222-164346-16621-05.gz"
from /var/virusmail
to a newly created (from Mail.app) folder inside my mailaccount

2. unzipped it

3. renamed it to "1."

4. chown cyrusimap 1.

5. rebuild the index in that specific folder (with SirAdmin)

But I cannot get the mail visible.

How can I get these mails to be accessible from my Mail.app?


I have now changed what happens to the spam and have the virusmails redirected to a specific "spam" account so that I can search this folder in case I am missing an e-mail that I think has been marked as spam.



Why do I need to find mails inside /var/virusmails?

Well, I created a PayPal account but never got my confirmation mail, and apparently the quality of PayPal's mails is bad, since I have used the fine guide from Pterobyte using the tips in Frontline defense and currently have the cut off level = 5 and PayPal is getting hits around 7…

I do not want to whitelist this often forged domain, so I need to get hold of the mails (my first task) and then later move them to my "notjunk" folder that SA is watching to get better Bayesian rules…


Mac OS X Server = 10.4.11

iMac 24" and a lot more, Mac OS X (10.5.5)

Posted on Dec 23, 2008 1:31 AM


Dec 23, 2008 4:02 AM in response to Thomas von Eyben

Which version of amavisd/SpamAssassin are you running? Legit PayPal messages should not score high. Check headers to see which tests triggered.

There is a utility called amavisd-release which can be used to release mail from quarantine. Unfortunately it does not come with OS X Server. You need to download the amavisd-new source corresponding to the version you have installed and fetch it from there.
Once this is done, simply issue "amavisd-release quarantinenumber". You may need to adjust your amavisd.conf settings depending on your configuration. For more info see here: http://www.ijs.si/software/amavisd/amavisd-new-docs.html

HTH,
Alex

P.S. The Frontline Spam Defense tutorial only adjusts Postfix settings. It has nothing to do with amavisd/spamassassin and related scoring.

Dec 25, 2008 4:22 AM in response to pterobyte

Thanks for the feedback, it is really helpful!

The server will be upgraded (well reinstalled) from 10.4.11 to 10.5 over X-mas.
Currently it is running amavisd-new-2.2.0 (20041102)

server:~ admin$ amavisd --version
WARN: running under user '501' (UID=501), the config file specifies $daemon_user='clamav' (UID=82)
amavisd-new-2.2.0 (20041102): Unknown argument. Usage:
/usr/bin/amavisd [-u user] [-g group] [-c config-file] ( [start] | stop | reload | debug | debug-sa | foreground )

I don't like the error message regarding which user is running the process, but since I am migrating I will not think a lot about it 🙂

Here are the headers from the two spam-flagged mails.
I can also see that the headers contain DKIM information that looks valid, so I do not think that the mails are forged.
I also like to see that the "SARE_LEGIT_PAYPAL" rule has been triggered 🙂


A: (From: "service@intl.paypal.com" <service@intl.paypal.com>)
X-Spam-Status: Yes, hits=7.586 tag=-999 tag2=5 kill=5 tests=AWL, BAYES_50,
HTML_80_90, HTML_BACKHAIR_4, HTML_BADTAG_00_10, HTML_MESSAGE,
HTML_TAG_BALANCE_HEAD, J_BACKHAIR_25, J_BACKHAIR_47, J_BACKHAIR_55,
J_CHICKENPOX_54, MIME_BOUND_NEXTPART, SARE_LEGIT_PAYPAL, SARE_OBFU_TEENS
X-Spam-Level: *****

B: (From: "service@intl.paypal.com" <service@intl.paypal.com>)
X-Spam-Status: Yes, hits=6.932 tag=-999 tag2=5 kill=5 tests=AWL, BAYES_60,
HTML_70_80, HTML_BACKHAIR_2, HTML_BADTAG_20_30, HTML_MESSAGE,
HTML_TAG_BALANCE_HEAD, J_CHICKENPOX_54, MIME_BOUND_NEXTPART,
SARE_LEGIT_PAYPAL, SARE_OBFU_TEENS
X-Spam-Level: ****

I have now downloaded the correct package (http://www.ijs.si/software/amavisd/amavisd-new-2.2.0.tar.gz) and cannot see amavisd-release as part of the package.

Downloading 2.3.0 I can see that the script is part of THAT package, so does this mean that the script will not function unless the installed version of amavisd-new is >= 2.3.0?

P.S.: I wonder why Apple does not provide so many of the open source tools that are - otherwise - part of the packages. I found that they also did NOT include a useful ssh script, "ssh-copy-id". One should think that either you include ALL or NOTHING…
BR TvE

Dec 26, 2008 1:04 AM in response to Thomas von Eyben

WARN: running under user '501' (UID=501), the config file specifies $daemon_user='clamav' (UID=82)
amavisd-new-2.2.0 (20041102)


This is normal since you ran the command as admin and not as user clamav.


Other than that, I would think some of the rules you added (probably in /etc/mail/spamassassin) are a bit too aggressive.

I would not use scripts from versions that do not match. Since you say you will be migrating soon, I would simply whitelist the affected addresses for time being.

Dec 26, 2008 2:54 AM in response to pterobyte

I have not (AFAIK) added any rules myself, so I should be using the std. rules as delivered by Apple (and amavis).

The only thing I would like to do now (but might have to wait until after I migrate) is to get the 3 or 4 spam mails from /var/virusmail visible from an IMAP connection (e.g. from Mail.app).

Is there an easy way to hand feed the mails in to an existing folder and somehow recreate the index/cache/header files so that cyrus will "see" and serve these messages to IMAP clients?

Dec 29, 2008 1:15 AM in response to Thomas von Eyben

SARE_OBFU_TEENS, SARE_LEGIT_PAYPAL, J_CHICKENPOX_54 are not standard. Check /etc/mail/spamassassin for extra rules.


You cannot simply move the quarantined files into a cyrus mailbox. This will not work.


If you have no compatible amavisd-release and it is only a few messages, just open the quarantined messages in a text editor and extract the information you need.
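The "open the quarantined file and extract what you need" step can be done with a small script instead of a text editor. The helper below is an added example, not code from this thread or from amavisd-new; it decompresses a quarantine file as amavisd stores it (spam-*.gz), reads the X-Spam-Status header, and reports the score, the kill threshold and which of the triggered tests come from the add-on rule sets named in this thread (SARE, backhair, chickenpox). The message bytes and the ADDON_PREFIXES list are constructed for the example.

```python
import gzip
import io
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample: a minimal message carrying the X-Spam-Status header from
# post A above; body and X-Spam-Level are placeholders, not the real mail.
SAMPLE_MESSAGE = b"""From: "service@intl.paypal.com" <service@intl.paypal.com>
To: someone@example.com
Subject: Confirm your account
X-Spam-Status: Yes, hits=7.586 tag=-999 tag2=5 kill=5 tests=AWL, BAYES_50,
\tHTML_80_90, HTML_BACKHAIR_4, HTML_BADTAG_00_10, HTML_MESSAGE,
\tHTML_TAG_BALANCE_HEAD, J_BACKHAIR_25, J_BACKHAIR_47, J_BACKHAIR_55,
\tJ_CHICKENPOX_54, MIME_BOUND_NEXTPART, SARE_LEGIT_PAYPAL, SARE_OBFU_TEENS
X-Spam-Level: *******

(body placeholder)
"""

# Assumed prefixes of the add-on rule sets discussed in this thread; anything
# else is treated as a stock SpamAssassin rule.
ADDON_PREFIXES = ("SARE_", "J_BACKHAIR_", "HTML_BACKHAIR_", "J_CHICKENPOX_")


def gzip_bytes(raw):
    """Compress a message the way amavisd stores quarantined mail (spam-*.gz)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(raw)
    return buf.getvalue()


def parse_quarantined(gz_bytes):
    """Decompress a quarantine file and pull score, kill level and the list of
    triggered tests out of its (folded) X-Spam-Status header."""
    msg = message_from_bytes(gzip.decompress(gz_bytes), policy=default)
    # policy=default removes the header line breaks; squash the leftover tabs.
    status = " ".join(msg.get("X-Spam-Status", "").split())
    hits = float(re.search(r"hits=(-?[\d.]+)", status).group(1))
    kill = float(re.search(r"kill=(-?[\d.]+)", status).group(1))
    raw_tests = re.search(r"tests=(.*)$", status).group(1)
    tests = [t.strip() for t in raw_tests.split(",") if t.strip()]
    addon = [t for t in tests if t.startswith(ADDON_PREFIXES)]
    return {"from": str(msg["From"]), "hits": hits, "kill": kill,
            "over_kill": hits >= kill, "tests": tests, "addon_tests": addon}


if __name__ == "__main__":
    print(parse_quarantined(gzip_bytes(SAMPLE_MESSAGE)))
```

For a real quarantine file, pass `open(path, "rb").read()` to `parse_quarantined` instead of the constructed sample.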

Dec 29, 2008 2:14 AM in response to pterobyte

OK - I'll just copy/paste the actual text for now!

Hmm - then I must have added these rules before I began to make detailed configuration notes for the server (another good reason to migrate to 10.5 😉)

server:/etc/mail/spamassassin admin$ ls -l
total 1248
-rw-r--r-- 1 root wheel 53868 Nov 2 2006 70_sare_adult.cf
-rw-r--r-- 1 root wheel 45933 Dec 27 2005 70_sare_genlsubj0.cf
-rw-r--r-- 1 root wheel 123362 Nov 2 2006 70_sare_header0.cf
-rw-r--r-- 1 root wheel 28066 Jun 4 2006 70_sare_html0.cf
-rw-r--r-- 1 root wheel 51886 Oct 1 2005 70_sare_obfu0.cf
-rw-r--r-- 1 root wheel 12739 Dec 27 2005 70_sare_oem.cf
-rw-r--r-- 1 root wheel 20301 Jul 25 2006 70_sare_spoof.cf
-rw-r--r-- 1 root wheel 59515 Oct 18 2006 70_sare_stocks.cf
-rw-r--r-- 1 root wheel 25124 Nov 12 2005 70_sare_unsub.cf
-rw-r--r-- 1 root wheel 15481 May 16 2006 72_sare_redirect_post3.0.0.cf
-rw-r--r-- 1 root wheel 22393 Jun 2 2005 backhair.cf
-rw-r--r-- 1 root wheel 109810 Jun 22 2005 bogus-virus-warnings.cf
-rw-r--r-- 1 root wheel 23155 Jun 2 2005 chickenpox.cf
-rw-r--r-- 1 root wheel 935 Feb 14 2008 init.pre
-rwxr-xr-x 1 root wheel 1311 Feb 14 2008 learn_junkmail
-rw-r--r-- 1 root wheel 670 Feb 14 2008 local.cf
-rw-r--r-- 1 root wheel 670 Mar 22 2006 local.cf-TvE
-rw-r--r-- 1 root wheel 3880 Jun 2 2005 weeds.cf
