"Unknown" Reason in Message Quarantine Report

[ressel]

Hello EFA,

My server have begun to show none spam mails in my daily quarantine mail as unknown, this is something that started some time ago, but have not done it all the time.
How do I avoid this when I also want all emails to be stored on the server so that users can restore any deleted mails

efa_unknown.PNG (168.96 KiB) Viewed 22013 times

[shawniverson]

What does the spam report look like for one of the unknowns?

[ressel]

This was fixed in 3.0.0.7 update.
Thank you!

[frank67de]

Hi

it seems like this come again in 3.0.0.9. I had this the day after update.

How can I fix this?

Thanks
best regards
Frank

[b19wll]

Yes, I updated this to 3.0.0.9 and all my users have bombarded me this morning with their "unkown" questions. So I am guessing its to do with the update.
Thanks

Will

[shawniverson]

Mailwatch was updated in this version, may be a regression from that project...

Looking into this...

[shawniverson]

Confirmed, checking on fix...

[shawniverson]

It appears this is normal...believe it or not, when non-spam is included in the quarantine report.

Recommended fix. You probably don't want non-spam in your reports anyway...

To exclude non-spam from the quarantine report:

/var/www/html/mailscanner/conf.php

Code: Select all

// Hide Non Spam from quarantine reports
define('HIDE_NON_SPAM', true);

[frank67de]

Hi

thanks it works perfect now!

best regards
Frank

[dsellens]

This is not quite the issue. I am assuming that the Hide-Non-Spam option is designed to hide viruses and other malware from showing up in the quarantine report. The problem we are seeing is that messages that were delivered are showing up after the latest release are showing up in the report and have this unknown label on them. These are not messages that were quarantined in the first place.

[dsellens]

Sorry about double posting, but I have looked further at the code. Let me make this clear to everyone. The HIDE-NON-SPAM flag is a valid work-around for the problem. It does solve the symptom of UNKNOWN's showing up in the Quarantine report. But it does not solve the root cause. In fact it has a side-effect of hiding messages that you may not want hidden. Without knowing the exam lineage of the isspam field, I do not know if this is blocking the display of such things as Blacklisted, Policy, and Content besides the obvious blocking of Virus and Infected messages.

Bottom line, these emails have the Quarantine flag set to 1 when they were not quarantined. That is the real problem. This is not a bug in the quarantine report, it is a bug elsewhere in the program where this Quarantine field is being set when the message was not quarantined. In addition, there should never be a message with Quarantine=1 that does not have a valid reason behind it.

[shawniverson]

Bottom line, these emails have the Quarantine flag set to 1 when they were not quarantined. That is the real problem. This is not a bug in the quarantine report, it is a bug elsewhere in the program where this Quarantine field is being set when the message was not quarantined. In addition, there should never be a message with Quarantine=1 that does not have a valid reason behind it.

Actually, all email can be quarantined, including non-spam, which is the case for many people (including myself), and is the default out of box.

Can you confirm that when non-spam is not quarantined that this is the case? I'll do some testing later but I want to take a closer look at this.

[shawniverson]

But it does not solve the root cause. In fact it has a side-effect of hiding messages that you may not want hidden. Without knowing the exam lineage of the isspam field, I do not know if this is blocking the display of such things as Blacklisted, Policy, and Content besides the obvious blocking of Virus and Infected messages.

That is true, anything that is not explicitly classified as spam will be hidden from view with that setting.

In my case, I am fine with that, because I don't want those other categories showing up in the reports.

I wonder if the sql query in the quarantine_report.php can be improved.

Perhaps a compound OR block? Basically it needs to hit on at least one of these to show up in the report...

Code: Select all

  $sql .= "
    AND
      ( 
      isspam>0
      OR 
      virusinfected>0
      OR
      nameinfected>0
      OR
      otherinfected>0
      OR
      ishighspam>0
      OR
      issaspam>0
      OR
      isrblspam>0
      OR
      spamblacklisted>0
      OR
      ismcp>0
      OR
      highmcp>0
      OR
      issamcp>0
      OR
      mcpblacklisted>0
      )
      ";

[b19wll]

Hi
Yesterday I added the below code and this morning I've still got lots of unknowns in my quarantine reports, am I missing something else?

Also is there a way of triggering the report so I can test if the unknowns have gone, rather than waiting for the morning.

Code: Select all

// Hide Non Spam from quarantine reports
define('HIDE_NON_SPAM', true);

Thanks in advance

Will

[shawniverson]

You can run this as many times as you like to test it:

Code: Select all

sudo /usr/local/bin/mailwatch/tools/Cron_jobs/quarantine_report.php

[b19wll]

Thanks

The reports just ran again, but still full of unkowns, does it matter where in the conf file i put the additional code?

[shawniverson]

Make sure it isn't in there twice. That may cause a problem.

[b19wll]

its only in there once at the bottom of the file

[shawniverson]

No typos in this file?

In other words, the GUI is loading ok?

[b19wll]

no it was a copy and paste and the gui is working fine?

[shawniverson]

Is the copy of /usr/local/bin/mailscanner/Cron_jobs/quarantine_report.php up to date on your system?

In other words, does it contain "HIDE_NON_SPAM" in the code?

[b19wll]

Just checked and this code is in there

Code: Select all

 if (defined('HIDE_NON_SPAM') && HIDE_NON_SPAM === true) {
        $sql .= "
    AND
     isspam>0";

[shawniverson]

Interesting.

Do you notice a reduction in "UNKNOWN"s, at least?

We may need to examine one a little closer.

[b19wll]

is it possible that I can edit qurantine_report file so it only my emailo address gets the report, rather than all the users getting bomabarded?

[shawniverson]

Yes, you just need to change the code a little.