Page 1 of 2
"Unknown" Reason in Message Quarantine Report
Posted: 13 Jan 2015 19:54
by ressel
Hello EFA,
My server have begun to show none spam mails in my daily quarantine mail as unknown, this is something that started some time ago, but have not done it all the time.
How do I avoid this when I also want all emails to be stored on the server so that users can restore any deleted mails
- efa_unknown.PNG (168.96 KiB) Viewed 31054 times
Re: "Unknown" Reason in Message Quarantine Report
Posted: 17 Jan 2015 00:16
by shawniverson
What does the spam report look like for one of the unknowns?
Re: "Unknown" Reason in Message Quarantine Report
Posted: 16 Mar 2015 09:11
by ressel
This was fixed in 3.0.0.7 update.
Thank you!
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 08:13
by frank67de
Hi
it seems like this come again in 3.0.0.9. I had this the day after update.
How can I fix this?
Thanks
best regards
Frank
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 09:39
by b19wll
Yes, I updated this to 3.0.0.9 and all my users have bombarded me this morning with their "unkown" questions. So I am guessing its to do with the update.
Thanks
Will
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 11:24
by shawniverson
Mailwatch was updated in this version, may be a regression from that project...
Looking into this...
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 12:52
by shawniverson
Confirmed, checking on fix...
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 12:57
by shawniverson
It appears this is normal...believe it or not, when non-spam is included in the quarantine report.
Recommended fix. You probably don't want non-spam in your reports anyway...
To exclude non-spam from the quarantine report:
/var/www/html/mailscanner/conf.php
Code: Select all
// Hide Non Spam from quarantine reports
define('HIDE_NON_SPAM', true);
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 13:12
by frank67de
Hi
thanks it works perfect now!
best regards
Frank
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 17:26
by dsellens
This is not quite the issue. I am assuming that the Hide-Non-Spam option is designed to hide viruses and other malware from showing up in the quarantine report. The problem we are seeing is that messages that were delivered are showing up after the latest release are showing up in the report and have this unknown label on them. These are not messages that were quarantined in the first place.
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 17:58
by dsellens
Sorry about double posting, but I have looked further at the code. Let me make this clear to everyone. The HIDE-NON-SPAM flag is a valid work-around for the problem. It does solve the symptom of UNKNOWN's showing up in the Quarantine report. But it does not solve the root cause. In fact it has a side-effect of hiding messages that you may not want hidden. Without knowing the exam lineage of the isspam field, I do not know if this is blocking the display of such things as Blacklisted, Policy, and Content besides the obvious blocking of Virus and Infected messages.
Bottom line, these emails have the Quarantine flag set to 1 when they were not quarantined. That is the real problem. This is not a bug in the quarantine report, it is a bug elsewhere in the program where this Quarantine field is being set when the message was not quarantined. In addition, there should never be a message with Quarantine=1 that does not have a valid reason behind it.
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 18:57
by shawniverson
dsellens wrote:Bottom line, these emails have the Quarantine flag set to 1 when they were not quarantined. That is the real problem. This is not a bug in the quarantine report, it is a bug elsewhere in the program where this Quarantine field is being set when the message was not quarantined. In addition, there should never be a message with Quarantine=1 that does not have a valid reason behind it.
Actually, all email can be quarantined, including non-spam, which is the case for many people (including myself), and is the default out of box.
Can you confirm that when non-spam is not quarantined that this is the case? I'll do some testing later but I want to take a closer look at this.
Re: "Unknown" Reason in Message Quarantine Report
Posted: 22 Mar 2016 19:15
by shawniverson
dsellens wrote:But it does not solve the root cause. In fact it has a side-effect of hiding messages that you may not want hidden. Without knowing the exam lineage of the isspam field, I do not know if this is blocking the display of such things as Blacklisted, Policy, and Content besides the obvious blocking of Virus and Infected messages.
That is true, anything that is not explicitly classified as spam will be hidden from view with that setting.
In my case, I am fine with that, because I don't want those other categories showing up in the reports.
I wonder if the sql query in the quarantine_report.php can be improved.
Perhaps a compound OR block? Basically it needs to hit on at least one of these to show up in the report...
Code: Select all
$sql .= "
AND
(
isspam>0
OR
virusinfected>0
OR
nameinfected>0
OR
otherinfected>0
OR
ishighspam>0
OR
issaspam>0
OR
isrblspam>0
OR
spamblacklisted>0
OR
ismcp>0
OR
highmcp>0
OR
issamcp>0
OR
mcpblacklisted>0
)
";
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 10:29
by b19wll
Hi
Yesterday I added the below code and this morning I've still got lots of unknowns in my quarantine reports, am I missing something else?
Also is there a way of triggering the report so I can test if the unknowns have gone, rather than waiting for the morning.
Code: Select all
// Hide Non Spam from quarantine reports
define('HIDE_NON_SPAM', true);
Thanks in advance
Will
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 10:39
by shawniverson
You can run this as many times as you like to test it:
Code: Select all
sudo /usr/local/bin/mailwatch/tools/Cron_jobs/quarantine_report.php
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 10:50
by b19wll
Thanks
The reports just ran again, but still full of unkowns, does it matter where in the conf file i put the additional code?
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 10:53
by shawniverson
Make sure it isn't in there twice. That may cause a problem.
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 11:02
by b19wll
its only in there once at the bottom of the file
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 11:27
by shawniverson
No typos in this file?
In other words, the GUI is loading ok?
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 11:37
by b19wll
no it was a copy and paste and the gui is working fine?
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 11:44
by shawniverson
Is the copy of /usr/local/bin/mailscanner/Cron_jobs/quarantine_report.php up to date on your system?
In other words, does it contain "HIDE_NON_SPAM" in the code?
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 11:53
by b19wll
Just checked and this code is in there
Code: Select all
if (defined('HIDE_NON_SPAM') && HIDE_NON_SPAM === true) {
$sql .= "
AND
isspam>0";
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 11:56
by shawniverson
Interesting.
Do you notice a reduction in "UNKNOWN"s, at least?
We may need to examine one a little closer.
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 12:30
by b19wll
is it possible that I can edit qurantine_report file so it only my emailo address gets the report, rather than all the users getting bomabarded?
Re: "Unknown" Reason in Message Quarantine Report
Posted: 23 Mar 2016 12:31
by shawniverson
Yes, you just need to change the code a little.