
Jopelepoop
Resolved
0 votes
Hi All,

My CO 7.2 box is doing a pretty good job on spam filtering, but every once in a while, specific spam comes through to my mailbox.
When I examine the mail it doesn't even get a high score.

So now I try to train spamassassin, by moving the spam mails to the spam folder and then afterwards running the sa-learn command, where I point it to the spam folder.
I get no error message; it says it read the correct amount of mails (compared to the ones I sent to this folder).

But still I receive these spam mails.

I ran the sa-learn command as root, as my (mail) user and as the amavis user. I pointed the bayes_path to the correct (imo) location, as I did not find this in the local.cf configuration file.

But nothing seems to help.

How to properly set this up on a CO 7.2 box?

Thanks in advance,
Johan
Friday, October 28 2016, 02:20 PM
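Before looking at configuration, it is worth knowing whether the Bayes database sa-learn was fed can fire at all. The BAYES_* rules stay silent until SpamAssassin has learned at least 200 spam and 200 ham messages (the bayes_min_spam_num and bayes_min_ham_num defaults), and sa-learn run as the wrong user or against the wrong bayes_path silently trains a database amavisd never reads. The following is an added example, not ClearOS or SpamAssassin code: it parses the output of `sa-learn --dump magic` and reports which condition is unmet. The sample output, the `/PLACEHOLDER/...` path and the `amavis` user name are constructed assumptions to be replaced with the values on the box.

```python
"""Added example: check whether a SpamAssassin Bayes database can fire at all.

Parses `sa-learn --dump magic` output and compares the learned message counts
with SpamAssassin's defaults. Not ClearOS code; the sample output below is
constructed, not taken from the thread.
"""
import re
import subprocess

# SpamAssassin defaults (bayes_min_spam_num / bayes_min_ham_num): the BAYES_*
# rules stay silent until at least this many spam AND ham messages are learned.
BAYES_MIN_SPAM_NUM = 200
BAYES_MIN_HAM_NUM = 200

# Constructed sample in the format `sa-learn --dump magic` prints.
SAMPLE_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0         45          0  non-token data: nspam
0.000          0        310          0  non-token data: nham
0.000          0      15822          0  non-token data: ntokens
0.000          0 1477659540          0  non-token data: oldest atime
0.000          0 1478589000          0  non-token data: newest atime
"""

# Third column is the value; the text after "non-token data:" names it.
MAGIC_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s*(.+?)\s*$")


def parse_magic(text):
    """Map each 'non-token data' name (nspam, nham, ntokens, ...) to its value."""
    stats = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line.strip())
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def bayes_readiness(stats, min_spam=BAYES_MIN_SPAM_NUM, min_ham=BAYES_MIN_HAM_NUM):
    """Return (ready, reasons); ready is False while either class is under-trained."""
    reasons = []
    nspam = stats.get("nspam", 0)
    nham = stats.get("nham", 0)
    if nspam < min_spam:
        reasons.append(f"only {nspam} spam learned, need at least {min_spam}")
    if nham < min_ham:
        reasons.append(f"only {nham} ham learned, need at least {min_ham}")
    if "ntokens" in stats and stats["ntokens"] == 0:
        reasons.append("database holds no tokens at all (wrong bayes_path or user?)")
    return (not reasons, reasons)


def dump_magic(dbpath=None, user=None):
    """Run sa-learn on this host. dbpath/user are optional and must match the
    bayes_path and the user that amavisd's SpamAssassin actually runs as."""
    cmd = ["sa-learn", "--dump", "magic"]
    if dbpath:
        cmd += ["--dbpath", dbpath]
    if user:
        cmd += ["--username", user]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Placeholders: replace with the real bayes_path and amavisd user of the box.
    try:
        magic = dump_magic(dbpath="/PLACEHOLDER/bayes_path/bayes", user="amavis")
    except (FileNotFoundError, subprocess.CalledProcessError):
        magic = SAMPLE_MAGIC  # offline: fall back to the constructed sample
    ready, reasons = bayes_readiness(parse_magic(magic))
    print("Bayes ready" if ready else "Bayes NOT ready: " + "; ".join(reasons))
```

Run it as the same user amavisd runs SpamAssassin under, with `--dbpath` pointing at the bayes_path that user's configuration uses; if the counts it reports do not grow after an sa-learn run, the training went into a different database than the one scoring the mail.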
Responses (7)
  • Accepted Answer

    Jopelepoop
    Tuesday, November 08 2016, 09:49 AM - #Permalink
    Resolved
    0 votes
    So here is the situation right now.

    As I said, I have been playing with a lot of different settings, or better said, with the way postfix and spamassassin are configured.
    But all without the improvement I hoped for.

    So I thought let's start over again, brought everything back to the state it was in before and how it is after a clean install of CO.

    Funny thing is that these particular spam mails stopped coming in, I don't see them in my logs anymore. And the regular spam is still stopped.
  • Accepted Answer

    Jopelepoop
    Saturday, October 29 2016, 05:15 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    I will have a look at this and try some settings, especially the ones regarding RBL lists.

    As I already said, a lot of the spam is already blocked. I almost receive none.

    The ones that are coming through now are only from this week and affect 2 users on the mail server, one of them being me :-(
    Probably one of the reasons that they are hard to identify is that they are in my native language and are pretty well written.
  • Accepted Answer

    Saturday, October 29 2016, 07:46 AM - #Permalink
    Resolved
    0 votes
    I may be slightly wrong because I can't remember what I've done, but one of my headers typically has this in it:
    X-Spam-Status: No, score=-0.31 tagged_above=-99 required=5
    tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3,
    RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
    T_KAM_HTML_FONT_INVALID=0.01, URIBL_SBLXBL=2]
    and another:
    X-Spam-Status: No, score=0.376 tagged_above=-99 required=5
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RP_MATCHES_RCVD=-0.425, URIBL_SC_SWINOG=0.9] autolearn=no
    This is far more than you have. It may be because I've used the thread I linked to change my spamassassin configuration. What I won't have done is annotated the changes I made, because I don't use exactly what was posted. My RBL.cf reads:
    ## DNS Blocklists
    header RCVD_IN_WPBL eval:check_rbl_txt('wpbl-notfirsthop', 'db.wpbl.info')
    describe RCVD_IN_WPBL Listed in db.wpbl.info
    tflags RCVD_IN_WPBL net
    score RCVD_IN_WPBL 1.0

    header BL_SPAMCANNIBAL eval:check_rbl('SPAMCANNIBLA-notfirsthop','bl.spamcannibal.org')
    describe BL_SPAMCANNIBAL Listed in SpamCannibal
    score BL_SPAMCANNIBAL 0.5

    header SORBS_SPAM eval:check_rbl ('SORBS_SPAM-notfirsthop','spam.dnsbl.sorbs.net')
    describe SORBS_SPAM Listed in SORBS-SPAM
    score SORBS_SPAM 0.5

    header RCVD_IN_SWINOG_SPAM eval:check_rbl('swinog-notfirsthop', 'dnsrbl.swinog.ch.', '127.0.0.3')
    describe RCVD_IN_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
    tflags RCVD_IN_SWINOG_SPAM net
    score RCVD_IN_SWINOG_SPAM 2.5

    header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-notfirsthop','ix.dnsbl.manitu.net.')
    describe RCVD_IN_NIX_SPAM Listed in NIX-SPAM DNSBL (heise.de)
    tflags RCVD_IN_NIX_SPAM net
    score RCVD_IN_NIX_SPAM 1.0

    header RCVD_IN_BRBL eval:check_rbl('brbl-notfirsthop', 'b.barracudacentral.org')
    describe RCVD_IN_BRBL received via a relay in b.barracudacentral.org
    tflags RCVD_IN_BRBL net
    score RCVD_IN_BRBL 2.5

    ## URI Blocklists

    uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
    body URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
    describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
    score URIBL_SBLXBL 2.0

    uridnsbl URIBL_RBLJP url.rbl.jp TXT
    body URLBL_RBLJP eval:check_uridnsbl('URLBL_RBLJP')
    describe URLBL_RBLJP Has URI in url.rbl.jp
    tflags URLBL_RBLJP net
    score URLBL_RBLJP 4.0

    urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
    body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
    describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
    tflags URIBL_JP_SURBL net
    score URIBL_JP_SURBL 4.0

    urirhssub URIBL_BLACK multi.uribl.com. A 2
    body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
    describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
    tflags URIBL_BLACK net
    score URIBL_BLACK 3.0

    urirhssub URIBL_GREY multi.uribl.com. A 4
    body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
    describe URIBL_GREY Contains an URL listed in the URIBL greylist
    tflags URIBL_GREY net
    score URIBL_GREY 2.0

    urirhsbl URIBL_SC_SWINOG uribl.swinog.ch. A
    body URIBL_SC_SWINOG eval:check_uridnsbl('URIBL_SC_SWINOG')
    describe URIBL_SC_SWINOG URI's listed in uribl.swinog.ch.
    tflags URIBL_SC_SWINOG net
    score URIBL_SC_SWINOG 0 0.900 0 1.500
    .... and to get one of the whitelisting checks to work I had to install my own DNS resolver (Unbound) and configure spamassassin to use it instead of dnsmasq, but this is a tweak.
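Hand-written RBL.cf files like the one above are easy to get subtly wrong: a `body` rule that calls `check_uridnsbl('NAME')` only works when `NAME` is exactly the name given on the matching `uridnsbl`/`urirhssub`/`urirhsbl` line, and a rule without a `score` line silently scores 1.0. The following is an added example, not ClearOS or SpamAssassin code: a small lint that parses rule snippets in this format and reports undeclared URI DNSBL references, declarations no rule uses, missing scores and malformed score lines (the one-value and four-value `score` forms are both accepted). Run over the RBL.cf posted above it reports the `uridnsbl URIBL_RBLJP` / `body URLBL_RBLJP` name mismatch. The sample config and the `example.invalid` zones are constructed.

```python
"""Added example: lint SpamAssassin RBL/URIBL rule snippets.

Not ClearOS or SpamAssassin code. The sample below is constructed in the
style of the RBL.cf posted in this thread, with one deliberate name mismatch.
"""
import re

# Constructed sample: one complete header rule and one URI rule whose body
# line references a different name than its uridnsbl declaration.
SAMPLE_CF = """\
## DNS Blocklists
header RCVD_IN_EXAMPLE_BL eval:check_rbl('examplebl-notfirsthop', 'bl.example.invalid.')
describe RCVD_IN_EXAMPLE_BL Listed in bl.example.invalid (constructed)
tflags RCVD_IN_EXAMPLE_BL net
score RCVD_IN_EXAMPLE_BL 1.0

## URI Blocklists
uridnsbl URIBL_EXAMPLE uri.example.invalid. TXT
body URLBL_EXAMPLE eval:check_uridnsbl('URLBL_EXAMPLE')
describe URLBL_EXAMPLE Has URI in uri.example.invalid (constructed)
tflags URLBL_EXAMPLE net
score URLBL_EXAMPLE 0 0.900 0 1.500
"""

URI_DECL = {"uridnsbl", "urirhsbl", "urirhssub", "urinsrhsbl", "urifullnsrhsbl"}
RULE_TYPES = {"header", "body", "rawbody", "uri", "full", "meta"}
SCORE_RE = re.compile(r"^-?\d+(\.\d+)?$")
URIDNSBL_CALL = re.compile(r"check_uridnsbl\s*\(\s*'([^']+)'")


def parse_rules(text):
    """Return (rules, uri_decls): rules maps a rule name to its type, definition
    and score/describe/tflags lines; uri_decls maps a URI DNSBL name to its zone."""
    rules, uri_decls = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kw, name, rest = parts
        if kw in URI_DECL:
            uri_decls[name] = rest.split()[0]
        elif kw in RULE_TYPES:
            rules.setdefault(name, {}).update(type=kw, definition=rest, line=lineno)
        elif kw == "score":
            rules.setdefault(name, {})["score"] = rest.split()
        elif kw in ("describe", "tflags"):
            rules.setdefault(name, {})[kw] = rest
    return rules, uri_decls


def lint_rules(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    rules, uri_decls = parse_rules(text)
    used_decls = set()
    for name, r in rules.items():
        if "type" not in r:
            findings.append(f"{name}: describe/tflags/score given but no rule definition")
            continue
        if "score" not in r:
            findings.append(f"{name}: no score line (SpamAssassin defaults it to 1.0)")
        elif len(r["score"]) not in (1, 4) or not all(SCORE_RE.match(s) for s in r["score"]):
            findings.append(f"{name}: score must be one value or four numeric values")
        m = URIDNSBL_CALL.search(r["definition"])
        if m:
            if m.group(1) in uri_decls:
                used_decls.add(m.group(1))
            else:
                findings.append(
                    f"{name}: check_uridnsbl('{m.group(1)}') references an undeclared URI DNSBL")
    for decl in uri_decls:
        if decl not in used_decls:
            findings.append(
                f"{decl}: URI DNSBL declared but no rule calls check_uridnsbl('{decl}')")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_CF) or ["no findings"]:
        print(finding)
```

The lint only checks internal consistency; whether a listed zone is still operated, and whether the resolver SpamAssassin uses can query it, is a separate check (`spamassassin -D dns < message` shows the lookups actually made).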
  • Accepted Answer

    Jopelepoop
    Saturday, October 29 2016, 07:29 AM - #Permalink
    Resolved
    0 votes
    Hi,

    Can you be a bit more specific about the part "It does not look like you are running the anti-spam app"?

    I've done a complete set-up of CO with anti-spam; in the webgui it says it's running. Does this mean that it never did from the start?
    Or is the basic install from CO wrong?
  • Accepted Answer

    Friday, October 28 2016, 07:50 PM - #Permalink
    Resolved
    0 votes
    It does not look like you are running the anti-spam app. That would be a start. Then have a look at this thread. Do not implement all of the first post and definitely do not put the word "permit" after any section. Read the whole thread and note some of the comments. I also would not make the spamassassin changes, at least until you've sorted out main.cf.

    Note that even with my configuration (without greylisting) I get the odd spam, and I suspect I am missing e-mails from my electricity/gas supplier so one of the restrictions may be over-tight, but it is the only thing I know of which may be missing (and it would be his fault due to a mis-configured mail server, but I suffer). I've seen other misconfigurations from places which should know better, and I've had to relax my restrictions because of it. I think I've noted all my differences in the thread.

    I did a blacklist check on the sending IP in your mail header but it did not feature on any of them.
  • Accepted Answer

    Jopelepoop
    Friday, October 28 2016, 06:37 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Below your request.

    I've changed some data like domain name and mail address and some other lines with ******

    As you can see, I also have greylisting, which always did a very good job.

    The thing that bothers me, looking at the header, is that for some reason it's learning this mail as ham and not spam.

    X-Spam-Status: No, score=-1.899 tagged_above=-99 required=3
    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001]
    autolearn=ham autolearn_force=no

    The output:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    bounce_queue_lifetime = 6h
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = mailprefilter
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    local_recipient_maps = $alias_maps $virtual_alias_maps
    luser_relay =
    mail_owner = postfix
    mailbox_size_limit = *******
    mailbox_transport = mailpostfilter
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    message_size_limit = *******
    message_strip_characters = \0
    milter_default_action = accept
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = something.com
    myhostname = mail.something.com
    mynetworks = 127.0.0.0/8 [::1]/128, [::1]/128, 192.168.10.0/24
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases.postfix
    non_smtpd_milters = $smtpd_milters
    queue_directory = /var/spool/postfix
    recipient_delimiter = +
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_milters =
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:/var/spool/postfix/postgrey/socket
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = ******.pem
    smtpd_tls_key_file = *******.pem
    smtpd_tls_loglevel = 2
    smtpd_use_tls = yes
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf


    The representing part from the maillog:


    Oct 28 17:41:48 mail postfix/smtpd[14531]: initializing the server-side TLS engine
    Oct 28 17:41:48 mail postfix/smtpd[14531]: connect from static-199-193-244-211.a.awsrdns.net[199.193.244.211]
    Oct 28 17:41:48 mail postfix/smtpd[14531]: setting up TLS connection from static-199-193-244-211.a.awsrdns.net[199.193.244.211]
    Oct 28 17:41:48 mail postfix/smtpd[14531]: static-199-193-244-211.a.awsrdns.net[199.193.244.211]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
    Oct 28 17:41:48 mail postfix/smtpd[14531]: SSL_accept:before/accept initialization
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 read client hello A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write server hello A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write certificate A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write key exchange A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write server done A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 flush data
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 read client key exchange A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 read finished A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write change cipher spec A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 write finished A
    Oct 28 17:41:49 mail postfix/smtpd[14531]: SSL_accept:SSLv3 flush data
    Oct 28 17:41:49 mail postfix/smtpd[14531]: Anonymous TLS connection established from static-199-193-244-211.a.awsrdns.net[199.193.244.211]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Oct 28 17:41:49 mail postgrey[15936]: action=greylist, reason=new, client_name=static-199-193-244-211.a.awsrdns.net, client_address=199.193.244.211, sender=anouk@780tuners.com, recipient=me@something.com
    Oct 28 17:41:49 mail postfix/smtpd[14531]: NOQUEUE: reject: RCPT from static-199-193-244-211.a.awsrdns.net[199.193.244.211]: 450 4.2.0 <me@something.com>: Recipient address rejected: Greylisted for 120 seconds; from=<anouk@780tuners.com> to=<me@something.com> proto=ESMTP helo=<vps755.urljet.com>
    Oct 28 17:41:49 mail postfix/smtpd[14531]: disconnect from static-199-193-244-211.a.awsrdns.net[199.193.244.211]


    And the header from such a spam mail:

    Return-Path: <anouk@780tuners.com>
    Received: from localhost (localhost [127.0.0.1])
    by mail.me@something.com (Cyrus v2.4.17-Fedora-RPM-2.4.17-8.v7) with LMTPA;
    Fri, 28 Oct 2016 19:57:48 +0200
    X-Sieve: CMU Sieve 2.4
    Received: from localhost (localhost [127.0.0.1])
    by mail.me@something.com (Postfix) with ESMTP id 527A33001F8CB
    for <me@me@something.com>; Fri, 28 Oct 2016 19:57:48 +0200 (CEST)
    X-Virus-Scanned: amavisd-new at something.com
    X-Spam-Flag: NO
    X-Spam-Score: -1.899
    X-Spam-Level:
    X-Spam-Status: No, score=-1.899 tagged_above=-99 required=3
    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001]
    autolearn=ham autolearn_force=no
    Received: from mail.something.com ([127.0.0.1])
    by localhost (mail.something.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id tlSokkM4ojW2 for <me@something.com>;
    Fri, 28 Oct 2016 19:57:45 +0200 (CEST)
    Received: from localhost (localhost [127.0.0.1])
    by mail.something.com (Postfix) with ESMTP id C452C30278179
    for <me@something.com>; Fri, 28 Oct 2016 19:57:45 +0200 (CEST)
    DKIM-Filter: OpenDKIM Filter v2.10.3 mail.something.com C452C30278179
    X-Greylist: delayed 8156 seconds by postgrey-1.34 at mail.something.com; Fri, 28 Oct 2016 19:57:45 CEST
    Received: from vps755.urljet.com (static-199-193-244-211.a.awsrdns.net [199.193.244.211])
    by mail.something.com (Postfix) with ESMTPS id 85C0A3001F8CB
    for <me@something.com>; Fri, 28 Oct 2016 19:57:45 +0200 (CEST)
    Received: from forums78 by vps755.urljet.com with local (Exim 4.87)
    (envelope-from <anouk@780tuners.com>;)
    id 1c09Hv-0000Gu-3W
    for me@something.com; Fri, 28 Oct 2016 19:41:47 +0400
    To: me@something.com
    Subject: Liefde is dichtbij en wij kunnen je helpen!
    Date: Fri, 28 Oct 2016 18:41:47 +0300
    From: Anouk <anouk@780tuners.com>
    Message-ID: <1009d054b86832a8c215c7eaf68928b9@780tuners.com>
    X-Priority: 3
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="b1_1009d054b86832a8c215c7eaf68928b9"
    Content-Transfer-Encoding: 8bit
    X-OutGoing-Spam-Status: No, score=0.8
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - vps755.urljet.com
    X-AntiAbuse: Original Domain - something.com
    X-AntiAbuse: Originator/Caller UID/GID - [512 509] / [47 12]
    X-AntiAbuse: Sender Address Domain - 780tuners.com
    X-Get-Message-Sender-Via: vps755.urljet.com: authenticated_id: forums78/from_h
    X-Authenticated-Sender: vps755.urljet.com: anouk@780tuners.com


    --b1_1009d054b86832a8c215c7eaf68928b9
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 8bit
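The header above shows the mechanism behind the "learning as ham" observation: only two tests fired, BAYES_00 supplied almost the whole score, and SpamAssassin's auto-learner, which judges a message on its score with the BAYES_* rules excluded, saw a score below its default ham threshold of 0.1 (bayes_auto_learn_threshold_nonspam) and learned the message as ham. Every such message makes the next one from the same sender look more like ham. The following is an added example, not ClearOS or SpamAssassin code: it parses folded X-Spam-Status headers, separates the Bayes contribution from the rest, and flags messages that were auto-learned as ham with almost no non-Bayes evidence. The two sample headers are constructed, modelled on the ones posted in this thread; the "at most two non-Bayes tests" rule in `triage` is a heuristic chosen for this example.

```python
"""Added example: read X-Spam-Status headers and spot messages auto-learned as
ham on almost no evidence. Not ClearOS or SpamAssassin code; the sample
headers are constructed, modelled on the ones posted in this thread.
"""
import re

# SpamAssassin default bayes_auto_learn_threshold_nonspam: a message is
# auto-learned as ham when its score *excluding* BAYES_* rules is below this.
AUTOLEARN_HAM_THRESHOLD = 0.1
# Heuristic for this example: this few non-Bayes tests counts as thin evidence.
THIN_EVIDENCE_MAX_TESTS = 2

SAMPLE_HEADERS = [
    # Modelled on the header posted above: Bayes alone pushes the score negative.
    "X-Spam-Status: No, score=-1.899 tagged_above=-99 required=3\n"
    "\ttests=[BAYES_00=-1.9, HTML_MESSAGE=0.001]\n"
    "\tautolearn=ham autolearn_force=no",
    # Modelled on a header from a box with network tests (DKIM, DNSWL, URIBL) enabled.
    "X-Spam-Status: No, score=0.376 tagged_above=-99 required=5\n"
    "\ttests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,\n"
    "\tMIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,\n"
    "\tRP_MATCHES_RCVD=-0.425, URIBL_SC_SWINOG=0.9] autolearn=no",
]

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?P<verdict>Yes|No),\s*score=(?P<score>-?[\d.]+)"
    r".*?required=(?P<required>-?[\d.]+)"
    r".*?tests=\[(?P<tests>[^\]]*)\]"
    r"(?:.*?autolearn=(?P<autolearn>\w+))?"
)


def parse_spam_status(raw):
    """Unfold the header (RFC 5322 continuation lines) and pull out its fields."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    m = STATUS_RE.search(unfolded)
    if not m:
        raise ValueError("no X-Spam-Status header found")
    tests = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")
            tests[name] = float(value) if value else 0.0
    return {
        "verdict": m.group("verdict"),
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
        "autolearn": m.group("autolearn") or "unknown",
    }


def non_bayes_score(status):
    """Score contributed by everything except the BAYES_* rules."""
    return round(sum(v for k, v in status["tests"].items() if not k.startswith("BAYES_")), 3)


def triage(status):
    """Flag a header when the message was auto-learned as ham although almost
    nothing besides Bayes had an opinion about it."""
    others = {k: v for k, v in status["tests"].items() if not k.startswith("BAYES_")}
    bayes = {k: v for k, v in status["tests"].items() if k.startswith("BAYES_")}
    other_score = round(sum(others.values()), 3)
    flag = "ok"
    if (status["autolearn"] == "ham" and other_score < AUTOLEARN_HAM_THRESHOLD
            and len(others) <= THIN_EVIDENCE_MAX_TESTS):
        flag = "auto-learned as ham on thin evidence"
    return {
        "verdict": status["verdict"],
        "score": status["score"],
        "non_bayes_score": other_score,
        "bayes_tests": bayes,
        "autolearn": status["autolearn"],
        "flag": flag,
    }


if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        t = triage(parse_spam_status(raw))
        print(f"{t['verdict']:>3} score={t['score']:7.3f} "
              f"without Bayes={t['non_bayes_score']:6.3f} autolearn={t['autolearn']:<7} {t['flag']}")
```

For a message a user knows is spam, the database entry can be reversed with `sa-learn --forget` followed by `sa-learn --spam` on that message, run as the user and against the bayes_path amavisd actually uses; until the database has enough correctly labelled mail, `bayes_auto_learn 0` stops the loop from reinforcing itself, and enabling the network tests discussed elsewhere in this thread gives the auto-learner more than two tests to decide on.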
  • Accepted Answer

    Friday, October 28 2016, 03:02 PM - #Permalink
    Resolved
    0 votes
    I've no idea how to set up the bayesian filter, but can you be more explicit about your spam?

    Can you post the output of "postconf -n" and the connection maillog when the spam arrives, and, perhaps the e-mail header?

    The main thing I can't filter for is basic e-mails supposedly coming from a known person with a brief message suggesting I click on a link. I've never tried clicking on the link and I don't intend to!