Hi All,
My CO 7.2 box is doing a pretty good job on spam filtering, but every once in a while a specific spam comes through to my mailbox.
When I examine the mail it doesn't even get a high score.
So now I try to train spamassassin by moving the spam mails to the spam folder and then afterwards running the sa-learn command, where I point it to the spam folder.
I get no error message; it says it read the correct number of mails (compared to the ones I moved to this folder).
But I still receive these spam mails.
I ran the sa-learn command as root, as my (mail) user and as the amavis user. I pointed bayes_path to the correct (IMO) location, as I did not find this in the local.cf configuration file.
But nothing seems to help.
How do I properly set this up on a CO 7.2 box?
Thanks in advance,
Johan
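An added check, not from this thread, for the situation in the question: sa-learn reports that it read the mails, yet the verdicts do not change. It parses `sa-learn --dump magic` output (the sample below is constructed) taken before and after a training run and tells whether the counts moved in the database the scanner actually reads; the 200-sample floor is SpamAssassin's default bayes_min_spam_num / bayes_min_ham_num. The `dump_magic_as` helper and the user name "amavis" are my assumptions.

```python
import re
import subprocess

# Summary lines of "sa-learn --dump magic": the third column is the count,
# the trailing text names the counter.
MAGIC_RE = re.compile(r"^\S+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (nspam|nham|ntokens)$")


def parse_dump_magic(text):
    """Return {'nspam': n, 'nham': n, 'ntokens': n} from dump-magic output."""
    counts = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line.strip())
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def training_took_effect(before, after, learned, min_num=200):
    """Diagnose one training run; 'learned' is the message count sa-learn printed.
    Returns (ok, reason)."""
    grown = after.get("nspam", 0) - before.get("nspam", 0)
    if learned > 0 and grown == 0:
        return False, "nspam unchanged: sa-learn wrote to a different bayes_path than the scanner reads"
    if after.get("nspam", 0) < min_num or after.get("nham", 0) < min_num:
        return False, "fewer than %d spam or ham samples: BAYES_* rules stay silent" % min_num
    return True, "ok"


def dump_magic_as(user):
    """Run dump magic as the account the scanner (amavisd here) uses, so the
    same database is inspected. Assumes sudo rights to that account (hypothetical)."""
    out = subprocess.run(["sudo", "-u", user, "sa-learn", "--dump", "magic"],
                         capture_output=True, text=True, check=True).stdout
    return parse_dump_magic(out)


# Constructed sample output, before and after learning 12 spam messages.
SAMPLE_BEFORE = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        640          0  non-token data: nspam
0.000          0       1210          0  non-token data: nham
0.000          0      98213          0  non-token data: ntokens
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("640", "652")

if __name__ == "__main__":
    before, after = parse_dump_magic(SAMPLE_BEFORE), parse_dump_magic(SAMPLE_AFTER)
    print(training_took_effect(before, after, learned=12))
```

On a live box, call `dump_magic_as("amavis")` before and after `sudo -u amavis sa-learn --spam <folder>` and feed both results to `training_took_effect`.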
Responses (7)
Accepted Answer
So here is the situation right now.
As I said, I have been playing with a lot of different settings, or rather with the way postfix and spamassassin are configured.
But all without the improvement I hoped for.
So I thought, let's start over again: I brought everything back to the state it was in before, i.e. how it is after a clean install of CO.
Funny thing is that these particular spam mails stopped coming in; I don't see them in my logs anymore. And the regular spam is still stopped.
Accepted Answer
Hi Nick,
I will have a look at this and try some settings, especially the ones regarding RBL lists.
As I already said, a lot of the spam is already blocked. I receive almost none.
The ones that are coming through now are only from this week and affect 2 users on the mail server, one of them being me :-(
Probably one of the reasons that they are hard to identify is that they are in my native language and are pretty well written.
Accepted Answer
I may be slightly wrong because I can't remember what I've done, but one of my headers typically has this in it:
X-Spam-Status: No, score=-0.31 tagged_above=-99 required=5
tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3,
RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
T_KAM_HTML_FONT_INVALID=0.01, URIBL_SBLXBL=2]
and another:
X-Spam-Status: No, score=0.376 tagged_above=-99 required=5
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
RP_MATCHES_RCVD=-0.425, URIBL_SC_SWINOG=0.9] autolearn=no
This is far more than you have. It may be because I've used the thread I linked to change my spamassassin configuration. What I won't have done is annotated the changes I made, because I don't use exactly what was posted. My RBL.cf reads:
## DNS Blocklists
header RCVD_IN_WPBL eval:check_rbl_txt('wpbl-notfirsthop', 'db.wpbl.info')
describe RCVD_IN_WPBL Listed in db.wpbl.info
tflags RCVD_IN_WPBL net
score RCVD_IN_WPBL 1.0
header BL_SPAMCANNIBAL eval:check_rbl('SPAMCANNIBLA-notfirsthop','bl.spamcannibal.org')
describe BL_SPAMCANNIBAL Listed in SpamCannibal
score BL_SPAMCANNIBAL 0.5
header SORBS_SPAM eval:check_rbl('SORBS_SPAM-notfirsthop','spam.dnsbl.sorbs.net')
describe SORBS_SPAM Listed in SORBS-SPAM
score SORBS_SPAM 0.5
header RCVD_IN_SWINOG_SPAM eval:check_rbl('swinog-notfirsthop', 'dnsrbl.swinog.ch.', '127.0.0.3')
describe RCVD_IN_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
tflags RCVD_IN_SWINOG_SPAM net
score RCVD_IN_SWINOG_SPAM 2.5
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-notfirsthop','ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Listed in NIX-SPAM DNSBL (heise.de)
tflags RCVD_IN_NIX_SPAM net
score RCVD_IN_NIX_SPAM 1.0
header RCVD_IN_BRBL eval:check_rbl('brbl-notfirsthop', 'b.barracudacentral.org')
describe RCVD_IN_BRBL received via a relay in b.barracudacentral.org
tflags RCVD_IN_BRBL net
score RCVD_IN_BRBL 2.5
## URI Blocklists
uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
score URIBL_SBLXBL 2.0
uridnsbl URIBL_RBLJP url.rbl.jp TXT
body URLBL_RBLJP eval:check_uridnsbl('URLBL_RBLJP')
describe URLBL_RBLJP Has URI in url.rbl.jp
tflags URLBL_RBLJP net
score URLBL_RBLJP 4.0
urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
tflags URIBL_JP_SURBL net
score URIBL_JP_SURBL 4.0
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0
urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 2.0
urirhsbl URIBL_SC_SWINOG uribl.swinog.ch. A
body URIBL_SC_SWINOG eval:check_uridnsbl('URIBL_SC_SWINOG')
describe URIBL_SC_SWINOG URI's listed in uribl.swinog.ch.
tflags URIBL_SC_SWINOG net
score URIBL_SC_SWINOG 0 0.900 0 1.500
.... and to get one of the whitelisting checks to work I had to install my own DNS resolver (Unbound) and configure spamassassin to use it instead of dnsmasq, but this is a tweak.
Accepted Answer
It does not look like you are running the anti-spam app. That would be a start. Then have a look at this thread. Do not implement all of the first post and definitely do not put the word "permit" after any section. Read the whole thread and note some of the comments. I also would not make the spamassassin changes, at least until you've sorted out main.cf.
Note that even with my configuration (without greylisting) I get the odd spam, and I suspect I am missing e-mails from my electricity/gas supplier, so one of the restrictions may be over-tight, but it is the only thing I know of which may be missing (and it would be his fault due to a mis-configured mail server, but I suffer). I've seen other misconfigurations from places which should know better, and I've had to relax my restrictions because of it. I think I've noted all my differences in the thread.
I did a blacklist check on the sending IP in your mail header but it did not feature on any of them.
Accepted Answer
Hi Nick
Below is what you requested.
I've changed some data like the domain name and mail address, and some other lines, to ******.
As you can see, I also have greylisting, which has always done a very good job.
The thing that bothers me, looking at the header, is that for some reason it's learning this mail as ham and not spam:
X-Spam-Status: No, score=-1.899 tagged_above=-99 required=3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001]
autolearn=ham autolearn_force=no
The output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = *******
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = *******
message_strip_characters = \0
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = something.com
myhostname = mail.something.com
mynetworks = 127.0.0.0/8 [::1]/128, [::1]/128, 192.168.10.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
recipient_delimiter = +
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:/var/spool/postfix/postgrey/socket
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = ******.pem
smtpd_tls_key_file = *******.pem
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf
The relevant part of the maillog:
Oct 28 17:41:48 mail postfix/smtpd[14531]: initializing the server-side TLS engine
Oct 28 17:41:48 mail postfix/smtpd[14531]: connect from static-199-193-244-211.a.awsrdns.net[199.193.244.211]
Oct 28 17:41:48 mail postfix/smtpd[14531]: setting up TLS connection from static-199-193-244-211.a.awsrdns.net[199.193.244.211]
Oct 28 17:41:48 mail postfix/smtpd[14531]: static-199-193-244-211.a.awsrdns.net[199.193.244.211]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Oct 28 17:41:48 mail postfix/smtpd[14531]: SSL_accept:before/accept initialization
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 read client hello A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write server hello A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write certificate A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write key exchange A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write server done A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 flush data
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 read client key exchange A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 read finished A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write change cipher spec A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write finished A
Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 flush data
Oct 28 17:41:49 mail postfix/smtpd[14531]: Anonymous TLS connection established from static-199-193-244-211.a.awsrdns.net[199.193.244.211]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 28 17:41:49 mail postgrey[15936]: action=greylist, reason=new, client_name=static-199-193-244-211.a.awsrdns.net, client_address=199.193.244.211, sender=anouk@780tuners.com, recipient=me@something.com
Oct 28 17:41:49 mail postfix/smtpd[14531]: NOQUEUE: reject: RCPT from static-199-193-244-211.a.awsrdns.net[199.193.244.211]: 450 4.2.0 <me@something.com>: Recipient address rejected: Greylisted for 120 seconds; from=<anouk@780tuners.com> to=<me@something.com> proto=ESMTP helo=<vps755.urljet.com>
Oct 28 17:41:49 mail postfix/smtpd[14531]: disconnect from static-199-193-244-211.a.awsrdns.net[199.193.244.211]
And the header from such a spam mail:
Return-Path: <anouk@780tuners.com>
Received: from localhost (localhost [127.0.0.1])
by mail.me@something.com (Cyrus v2.4.17-Fedora-RPM-2.4.17-8.v7) with LMTPA;
Fri, 28 Oct 2016 19:57:48 +0200
X-Sieve: CMU Sieve 2.4
Received: from localhost (localhost [127.0.0.1])
by mail.me@something.com (Postfix) with ESMTP id 527A33001F8CB
for <me@me@something.com>; Fri, 28 Oct 2016 19:57:48 +0200 (CEST)
X-Virus-Scanned: amavisd-new at something.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-99 required=3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001]
autolearn=ham autolearn_force=no
Received: from mail.something.com ([127.0.0.1])
by localhost (mail.something.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id tlSokkM4ojW2 for <me@something.com>;
Fri, 28 Oct 2016 19:57:45 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by mail.something.com (Postfix) with ESMTP id C452C30278179
for <me@something.com>; Fri, 28 Oct 2016 19:57:45 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.something.com C452C30278179
X-Greylist: delayed 8156 seconds by postgrey-1.34 at mail.something.com; Fri, 28 Oct 2016 19:57:45 CEST
Received: from vps755.urljet.com (static-199-193-244-211.a.awsrdns.net [199.193.244.211])
by mail.something.com (Postfix) with ESMTPS id 85C0A3001F8CB
for <me@something.com>; Fri, 28 Oct 2016 19:57:45 +0200 (CEST)
Received: from forums78 by vps755.urljet.com with local (Exim 4.87)
(envelope-from <anouk@780tuners.com>
id 1c09Hv-0000Gu-3W
for me@something.com; Fri, 28 Oct 2016 19:41:47 +0400
To: me@something.com
Subject: Liefde is dichtbij en wij kunnen je helpen!
Date: Fri, 28 Oct 2016 18:41:47 +0300
From: Anouk <anouk@780tuners.com>
Message-ID: <1009d054b86832a8c215c7eaf68928b9@780tuners.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_1009d054b86832a8c215c7eaf68928b9"
Content-Transfer-Encoding: 8bit
X-OutGoing-Spam-Status: No, score=0.8
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps755.urljet.com
X-AntiAbuse: Original Domain - something.com
X-AntiAbuse: Originator/Caller UID/GID - [512 509] / [47 12]
X-AntiAbuse: Sender Address Domain - 780tuners.com
X-Get-Message-Sender-Via: vps755.urljet.com: authenticated_id: forums78/from_h
X-Authenticated-Sender: vps755.urljet.com: anouk@780tuners.com
--b1_1009d054b86832a8c215c7eaf68928b9
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
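An added check, not from this thread: it parses the folded X-Spam-Status header Johan posted (the sample is reconstructed from it with the sender address replaced) and flags the loop that header shows, where BAYES_00 alone pulls the score below the threshold and autolearn=ham then reinforces that verdict, so the next copy will be scored the same way. Function names are mine.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the header in the post above.
SAMPLE_HEADERS = """\
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-99 required=3
\ttests=[BAYES_00=-1.9, HTML_MESSAGE=0.001]
\tautolearn=ham autolearn_force=no
Subject: Liefde is dichtbij en wij kunnen je helpen!

(body omitted)
"""

STATUS_RE = re.compile(r"(Yes|No), score=(-?[\d.]+)\s+(?:tagged_above=\S+\s+)?required=(-?[\d.]+)")


def parse_spam_status(value):
    """Parse an X-Spam-Status value (folded or not) into its parts."""
    value = " ".join(value.split())  # unfold continuation lines
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: " + value)
    tests = {}
    tm = re.search(r"tests=\[(.*?)\]", value)
    if tm:
        for item in tm.group(1).split(","):
            name, _, score = item.strip().partition("=")
            tests[name] = float(score) if score else 0.0
    al = re.search(r"autolearn=(\w+)", value)
    return {"flag": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests,
            "autolearn": al.group(1) if al else None}


def bayes_feedback_risk(status):
    """True when the message passed only because of a negative BAYES_* score and
    was then auto-learned as ham: the wrong verdict is being fed back into the
    database, so it must be re-learned as spam on that same database."""
    bayes = sum(v for k, v in status["tests"].items() if k.startswith("BAYES_"))
    return (not status["flag"]) and bayes < 0 and status["autolearn"] == "ham"


def check_message(raw):
    status = parse_spam_status(message_from_string(raw)["X-Spam-Status"])
    return status, bayes_feedback_risk(status)
```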
Accepted Answer
I've no idea how to set up the bayesian filter, but can you be more explicit about your spam?
Can you post the output of "postconf -n" and the connection maillog when the spam arrives, and, perhaps the e-mail header?
The main thing I can't filter for is basic e-mails supposedly coming from a known person with a brief message suggesting I click on a link. I've never tried clicking on the link and I don't intend to!