<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The x-spam-status headers should always be present, spam or not. So what you are saying is that the x-spam-status headers are not present when email goes through normally or when they are run manually?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Can you paste your amavis config here?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Gabriele Bulfon [mailto:gabriele.bulfon@sonicle.com]
<br>
<b>Sent:</b> Tuesday, June 27, 2017 9:03 AM<br>
<b>To:</b> Dino Edwards <dino.edwards@mydirectmail.net>; amavis-users@amavis.org<br>
<b>Subject:</b> [SUSPECTED SPAM]RE: different spamassassin behaviours<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif">The x-spam-status headers in those cases are not present, because the score is too low and the message is considered non-spam.<br>
Is there any way I can force the injection of the x-spam-status header even for low scores? This may help.<br>
<br>
I meant that all the cf files (the rules files) are taken from the same place by spamassassin, both manually and automatically during postfix injection, as I can see from the spam caught.<br>
<br>
And finally, yes, I can find the log lines you mention, where the mail (that manually scores 18.0+) passes as "CLEAN" in amavis and back into postfix.<br>
<br>
I attach an example email, and here is the related log while passing in:<br>
<br>
Jun 27 14:30:15 cloudserver amavis[28190]: [ID 702911 mail.notice] (28190-16) Passed CLEAN, [107.175.149.43] [107.175.149.43] <<a href="mailto:VIVINT.Premier-Provider@tmess.us">VIVINT.Premier-Provider@tmess.us</a>> -> <<a href="mailto:davide.dicosola@eurovetrocap.com">davide.dicosola@eurovetrocap.com</a>>,
Message-ID: <<a href="mailto:037996f410ef6dcfefa9bbb8b98e2681.3964721.19453093@tmess.us_ys9">037996f410ef6dcfefa9bbb8b98e2681.3964721.19453093@tmess.us_ys9</a>>, mail_id: tW7q84X98Ieq, Hits: -0.347, size: 5698, queued_as: 9C78D27B16D, 1781 ms<o:p></o:p></span></p>
<div id="wt-mailcard">
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif">-------------------------------------------------------------------------------------------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.5pt;font-family:"Arial",sans-serif">Sonicle S.r.l. </span></strong><span style="font-size:10.5pt;font-family:"Arial",sans-serif">: <a href="http://www.sonicle.com/" target="_new">http://www.sonicle.com</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.5pt;font-family:"Arial",sans-serif">Music: </span></strong><span style="font-size:10.5pt;font-family:"Arial",sans-serif"><a href="http://www.gabrielebulfon.com/" target="_new">http://www.gabrielebulfon.com</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.5pt;font-family:"Arial",sans-serif">Quantum Mechanics : </span></strong><span style="font-size:10.5pt;font-family:"Arial",sans-serif"><a href="http://www.cdbaby.com/cd/gabrielebulfon" target="_new">http://www.cdbaby.com/cd/gabrielebulfon</a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<br>
<tt>----------------------------------------------------------------------------------</tt><br>
<br>
<tt>From: Dino Edwards <<a href="mailto:dino.edwards@mydirectmail.net">dino.edwards@mydirectmail.net</a>></tt><br>
<tt>To: <a href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a> </tt>
<br>
<tt>Date: 27 June 2017 13.59.37 CEST</tt><br>
<tt>Subject: RE: different spamassassin behaviours</tt></span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif"><o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid navy 1.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><tt><span style="font-size:10.0pt">Can you provide the x-spam-status headers for the same email when run through Postfix normally and then manually so we can see the differences?</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<br>
<tt>Also, I'm a little confused, what do you mean when you say " All the files are taken from /sonicle/etc/mail/spamassassin and /sonicle/share/spamassassin"?</tt><br>
<br>
<tt>Also, in your mail log, do you see lines similar to the ones below? The first one is Amavis passing the message as CLEAN and then re-injecting it back to Postfix on port 10025 for delivery. Your port config may vary.</tt><br>
<br>
<tt>Jun 27 07:55:32 smtp amavis[22662]: (22662-15) Passed CLEAN [198.241.162.22]:12141 [198.241.162.22] <<a href="mailto:noreply@visaprepaidprocessing.com">noreply@visaprepaidprocessing.com</a>> -> <someone@domaintld>, Queue-ID: D19FC40B0A, Message-ID: <<a href="mailto:d5360d$6ue5tu@cportal1.visa.com">d5360d$6ue5tu@cportal1.visa.com</a>>,
mail_id: X1sVYvfQoUFh, Hits: -0.877, size: 2490, queued_as: 250 2.6.0 Message received, dkim_sd=cportal:visaprepaidprocessing.com, 1280 ms</tt><br>
<br>
<br>
<tt>Jun 27 07:55:32 smtp postfix/smtp[22949]: D19FC40B0A: to=<<a href="mailto:someone@domain.tld">someone@domain.tld</a>>, relay=127.0.0.1[127.0.0.1]:10021, delay=2.6, delays=1.3/0/0/1.3, dsn=2.6.0, status=sent (250 2.6.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.6.0 Message received)</tt><br>
<br>
<br>
<br>
<br>
<tt>From: Gabriele Bulfon [<a href="mailto:gbulfon@sonicle.com">mailto:gbulfon@sonicle.com</a>]
</tt><br>
<tt>Sent: Tuesday, June 27, 2017 2:35 AM</tt><br>
<tt>To: Dino Edwards <<a href="mailto:dino.edwards@mydirectmail.net">dino.edwards@mydirectmail.net</a>>;
<a href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a></tt><br>
<tt>Subject: RE: different spamassassin behaviours</tt><br>
<br>
<tt>Hi, thanks for your response.</tt><br>
<br>
<tt>There are a lot of things raising the score manually:</tt><br>
<tt> </tt><br>
<tt>X-Spam-Status: Yes, score=18.1 required=5.0 tests=BAYES_50,CUSTOM_MANY_BL,</tt><br>
<tt>HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSBL_INPS_DE,</tt><br>
<tt>RCVD_IN_HOSTKARMA_BL,RCVD_IN_MSPIKE_H2,RCVD_IN_UCEPROTECT2,</tt><br>
<tt>RCVD_IN_UCEPROTECT3,RCVD_IN_WPBL,SPF_HELO_PASS,TVD_RCVD_SPACE_BRACKET,</tt><br>
<tt>T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_ABUSE_SURBL,URIBL_DBL_SPAM</tt><br>
<tt>autolearn=spam autolearn_force=no version=3.4.1</tt><br>
<br>
<tt>All the files are taken from /sonicle/etc/mail/spamassassin and /sonicle/share/spamassassin, and they look to be read both manually and during postfix run, as many of the mails are caught and contain X-Spam-Status with tags taken from there (sare cf files, kam file, fili_br file etc).</tt><br>
<tt>Also, many of the auto-learnt mails get spammed after being trained.</tt><br>
<tt>The bayes is configured as :</tt><br>
<br>
<tt>use_bayes 1</tt><br>
<tt>bayes_auto_learn 1</tt><br>
<tt>bayes_path /sonicle/var/spamassassin/bayes_db/bayes</tt><br>
<tt>bayes_file_mode 0777</tt><br>
<br>
<tt>and here are the files:</tt><br>
<br>
<tt>sonicle@www:~$ ls -l /sonicle/var/spamassassin/bayes_db</tt><br>
<tt>total 12699</tt><br>
<tt>-rw-rw-rw- 1 snclamav snclamav 25680 Jun 27 08:28 bayes_journal</tt><br>
<tt>-rw-rw-rw- 1 snclamav snclamav 10567680 Jun 27 07:58 bayes_seen</tt><br>
<tt>-rw-rw-rw- 1 snclamav snclamav 5128192 Jun 27 07:58 bayes_toks</tt><br>
<br>
<tt>here are the amavis processes:</tt><br>
<br>
<tt>sonicle@www:~$ ps -ef | grep amavisd</tt><br>
<tt>snclamav 23517 20393 0 07:43:58 ? 0:04 /sonicle/bin/perl -T /sonicle/sbin/amavisd -u snclamav -c /sonicle/etc/amavis/a...</tt><br>
<tt>snclamav 20393 6278 0 May 12 ? 0:49 /sonicle/bin/perl -T /sonicle/sbin/amavisd -u snclamav -c /sonicle/etc/amavis/a...</tt><br>
<tt>snclamav 29614 20393 0 08:28:49 ? 0:00 /sonicle/bin/perl -T /sonicle/sbin/amavisd -u snclamav -c /sonicle/etc/amavis/a...</tt><br>
<br>
<tt>Is there any way I can run amavisd manually exactly as postfix would do during an incoming email?</tt><br>
<tt>I bet I need debugging output, but enabling it live may fill my mail logs, and I would have to wait for some spam to get in.</tt><br>
<br>
<tt>Thanks again,</tt><br>
<tt>Gabriele</tt><br>
<br>
<br>
<br>
<br>
<tt>------------------------------------------------------------------------------------------</tt><br>
<tt>Sonicle S.r.l. : <a href="http://www.sonicle.com">http://www.sonicle.com</a></tt><br>
<tt>Music: <a href="http://www.gabrielebulfon.com">http://www.gabrielebulfon.com</a></tt><br>
<tt>Quantum Mechanics : <a href="http://www.cdbaby.com/cd/gabrielebulfon">http://www.cdbaby.com/cd/gabrielebulfon</a></tt><br>
<br>
<tt>________________________________________</tt><br>
<br>
<br>
<tt>From: Dino Edwards <<a href="mailto:dino.edwards@mydirectmail.net">dino.edwards@mydirectmail.net</a>></tt><br>
<tt>To: <a href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a></tt><br>
<tt>Date: 26 June 2017 19.08.11 CEST</tt><br>
<tt>Subject: RE: different spamassassin behaviours</tt><br>
<br>
<tt>Do you know for a fact that the bayes database is making those scores get higher when you run it in debug? If so, where is your bayes database stored and who is the owner of that path? Do you know for a fact that Amavis calls Spamassassin to scan emails?</tt><br>
<tt> </tt><br>
<tt>----------------</tt><br>
<br>
<tt>Hermes Secure Email Gateway</tt><br>
<tt>Hermes Secure Email Gateway is a Free Open Source (Hermes SEG Community Only) Email Gateway that provides Spam, Virus and Malware protection, full in-transit and at-rest email encryption as well as email archiving. Hermes Secure Email Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, ClamAV, Amavisd-new and CipherMail under one unified web based Web GUI for easy administration and management of your incoming and outgoing email for your organization. It can be deployed to protect your in-house email solution as well as cloud email solutions such as Google Mail and Microsoft Office 365.</tt><br>
<tt> </tt><br>
<tt>Learn More & Download the free open-source appliance at:</tt><br>
<tt><a href="https://www.deeztek.com/hermes-secure-email-gateway/">https://www.deeztek.com/hermes-secure-email-gateway/</a></tt><br>
<tt> </tt><br>
<tt>From: amavis-users [<a href="mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org">mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org</a>] On Behalf Of Gabriele Bulfon</tt><br>
<tt>Sent: Monday, June 26, 2017 11:57 AM</tt><br>
<tt>To: <a href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a></tt><br>
<tt>Subject: different spamassassin behaviours</tt><br>
<tt> </tt><br>
<tt>Hi,</tt><br>
<br>
<tt>I have some installation of amavis+postfix, where I discovered that some spam is coming in with a very low score, but if I run spamassassin in debug mode on the same emails they get a very high score.</tt><br>
<br>
<tt>On my installations, amavisd runs under the "snclamav" user, while the smtp-amavis postfix daemons run under the "snclmail" user.</tt><br>
<tt>I run the bayes learn using the snclamav user, and also run spamassassin debug mode using the same user, that stores the bayes database in a specific path.</tt><br>
<br>
<tt>Any idea what may happen in amavisd spawn spamassassin that does not happen in manual debug mode?</tt><br>
<br>
<tt>Thanks for any help</tt><br>
<br>
<tt>Gabriele</tt><br>
<tt>------------------------------------------------------------------------------------------</tt><br>
<tt>Sonicle S.r.l. : <a href="http://www.sonicle.com">http://www.sonicle.com</a></tt><br>
<tt>Music: <a href="http://www.gabrielebulfon.com">http://www.gabrielebulfon.com</a></tt><br>
<tt>Quantum Mechanics : <a href="http://www.cdbaby.com/cd/gabrielebulfon">http://www.cdbaby.com/cd/gabrielebulfon</a></tt><br>
<br>
<br>
<br>
</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif"><o:p></o:p></span></p>
</blockquote>
</div>
</div>
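<p class="MsoNormal">The comparison requested in the thread, the score amavis logged against the X-Spam-Status of a manual spamassassin run, can be scripted. This is an added example, not code from the thread participants or from the amavis project; the sample log line and header are constructed from the formats quoted above, and treating RCVD_IN_ and URIBL_ rule names as network tests is an assumption.</p>

```python
import re

# amavis result line: verdict category, mail_id and SpamAssassin "Hits" score.
LOG_RE = re.compile(
    r"amavis\[\d+\]: .*?\b(Passed|Blocked) ([A-Z-]+).*?"
    r"mail_id: ([^,\s]+).*?Hits: (-?\d+(?:\.\d+)?|-)")
# X-Spam-Status as written by spamassassin, or by amavis (tagged_above=, tests=[...]).
STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+(?:tagged_above=\S+\s+)?"
    r"required=(-?[\d.]+)\s+tests=\[?(.*?)\]?(?:\s+autolearn=.*)?$", re.I)
# Assumption: these rule-name prefixes mark DNSBL/URIBL lookups (network tests).
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_")

def parse_amavis_line(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    hits = None if m.group(4) == "-" else float(m.group(4))  # "-" = not scanned
    return {"action": m.group(1), "category": m.group(2),
            "mail_id": m.group(3), "hits": hits}

def parse_spam_status(header):
    flat = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # unfold continuation lines
    m = STATUS_RE.match(flat)
    if not m:
        return None
    # amavis writes NAME=score pairs; keep only the rule name.
    tests = [t.strip().split("=")[0] for t in m.group(4).split(",") if t.strip()]
    return {"is_spam": m.group(1).lower() == "yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

def compare(log_line, manual_header, tolerance=1.0):
    log, manual = parse_amavis_line(log_line), parse_spam_status(manual_header)
    if not log or not manual or log["hits"] is None:
        return None
    delta = round(manual["score"] - log["hits"], 3)
    return {"mail_id": log["mail_id"], "delta": delta,
            "diverged": abs(delta) > tolerance,
            "verdict_differs": manual["is_spam"] != log["category"].startswith("SPAM"),
            "network_tests": [t for t in manual["tests"] if t.startswith(NETWORK_PREFIXES)],
            "bayes_tests": [t for t in manual["tests"] if t.startswith("BAYES_")]}

# Constructed samples modelled on the thread (envelope addresses left out).
LOG_LINE = ("Jun 27 14:30:15 mx amavis[28190]: (28190-16) Passed CLEAN, [192.0.2.43], "
            "mail_id: EXAMPLEid01, Hits: -0.347, size: 5698, 1781 ms")
MANUAL_HEADER = ("X-Spam-Status: Yes, score=18.1 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
                 "\tRCVD_IN_WPBL,SPF_HELO_PASS,URIBL_DBL_SPAM\n"
                 "\tautolearn=spam autolearn_force=no version=3.4.1")

if __name__ == "__main__":
    print(compare(LOG_LINE, MANUAL_HEADER))
```

<p class="MsoNormal">When the extra points in the manual run come mostly from network_tests or bayes_tests, compare the network-test settings (for example $sa_local_tests_only in amavisd.conf) and the Bayes path and its owner between the two runs.</p>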
</body>
</html>