<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1512036758898_96668">
<article id="yui_3_16_0_ym19_1_1512036758898_96669">
<blockquote id="yui_3_16_0_ym19_1_1512036758898_96670">Dear list,<br id="yui_3_16_0_ym19_1_1512036758898_96671">
<br id="yui_3_16_0_ym19_1_1512036758898_96672">
I received an email for raybans, which was 300% spam (14.0 score, threshold set at 5.0), and it didn't get marked by amavis.<br id="yui_3_16_0_ym19_1_1512036758898_96673">
<br id="yui_3_16_0_ym19_1_1512036758898_96674">
Here's how amavis is configured : <br id="yui_3_16_0_ym19_1_1512036758898_96675">
<br id="yui_3_16_0_ym19_1_1512036758898_96676">
<div id="yui_3_16_0_ym19_1_1512036758898_96677">
<div id="yui_3_16_0_ym19_1_1512036758898_96678"><br></div>
<pre id="yui_3_16_0_ym19_1_1512036758898_96679">root@messagerie[10.10.10.19] /etc/amavis/conf.d # removeblanks 50-user
use strict;
$myhostname = "mailhost.mytld.";
$virus_admin = "it_sys\@$mydomain";
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 999; # triggers spam evasive actions
$sa_dsn_cutoff_level = 5.0; # spam level beyond which a DSN is not sent
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
1; # ensure a defined return
root@messagerie[10.10.10.19] /etc/amavis/conf.d # </pre>
</div>In particular, this line caught my attention : <br id="yui_3_16_0_ym19_1_1512036758898_96680">
<br id="yui_3_16_0_ym19_1_1512036758898_96681">
<div id="yui_3_16_0_ym19_1_1512036758898_96682">
<div id="yui_3_16_0_ym19_1_1512036758898_96683"><br></div>
<pre id="yui_3_16_0_ym19_1_1512036758898_96684">$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level</pre>
</div>I also have grepped for SPAM to check where amavis rewrites the subject and found this line in 20-debian_defaults : <div id="yui_3_16_0_ym19_1_1512036758898_96687"><pre id="yui_3_16_0_ym19_1_1512036758898_96689">root@messagerie[10.10.10.19] /etc/amavis/conf.d # grep SPAM *
...
20-debian_defaults:$sa_spam_subject_tag = '***SPAM*** ';
...
root@messagerie[10.10.10.19] /etc/amavis/conf.d # </pre>
</div>So, reading these configuration files, it seems that amavis is supposed to <br id="yui_3_16_0_ym19_1_1512036758898_96690">
1) add "spam detected" headers ("at that level", I don't know what that means)<br id="yui_3_16_0_ym19_1_1512036758898_96691">
2) add a ***SPAM*** tag in the subject<br id="yui_3_16_0_ym19_1_1512036758898_96692">
<br id="yui_3_16_0_ym19_1_1512036758898_96693">
<br id="yui_3_16_0_ym19_1_1512036758898_96694">
<br id="yui_3_16_0_ym19_1_1512036758898_96695">
Here's my spamassassin<div id="yui_3_16_0_ym19_1_1512036758898_96698"><pre id="yui_3_16_0_ym19_1_1512036758898_96700">root@messagerie[10.10.10.19] /etc/spamassassin # removeblanks local.cf
rewrite_header Subject *****SPAM*****
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit
root@messagerie[10.10.10.19] /etc/spamassassin # </pre>
</div>It also seems, reading from this config file, that spamassassin should add a *****SPAM***** tag in the subject.<br id="yui_3_16_0_ym19_1_1512036758898_96701">
<br id="yui_3_16_0_ym19_1_1512036758898_96702">
<br id="yui_3_16_0_ym19_1_1512036758898_96703">
Here are the mail logs : <div id="yui_3_16_0_ym19_1_1512036758898_96706"><pre id="yui_3_16_0_ym19_1_1512036758898_96708">Nov 28 16:33:14 messagerie postfix/smtpd[42277]: 738D73A80088: client=unknown[101.55.71.90]
Nov 28 16:33:14 messagerie postfix/cleanup[46611]: 738D73A80088: message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
Nov 28 16:33:15 messagerie postfix/qmgr[37877]: 738D73A80088: from=<bounce-3308-19491836-3512-248@frdww.com>, size=46200, nrcpt=1 (queue active)
Nov 28 16:33:16 messagerie postfix/smtpd[42277]: disconnect from unknown[101.55.71.90]
Nov 28 16:33:16 messagerie postfix/smtpd[46615]: connect from localhost[127.0.0.1]
Nov 28 16:33:16 messagerie postfix/smtpd[46615]: 6609E3A8008E: client=localhost[127.0.0.1]
Nov 28 16:33:16 messagerie postfix/cleanup[46611]: 6609E3A8008E: message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
Nov 28 16:33:16 messagerie postfix/smtpd[46615]: disconnect from localhost[127.0.0.1]
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6609E3A8008E: from=<bounce-3308-19491836-3512-248@frdww.com>, size=46717, nrcpt=1 (queue active)
Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY {RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] <bounce-3308-19491836-3512-248@frdww.com> -> <a.chaouche@mydomain.tld>, Queue-ID: 738D73A80088, Message-ID: <bf680addabf683575f7cc153be8a9094@101.55.71.3>, mail_id: lBrIu_4QeHCa, Hits: 11.386, size: 46197, queued_as: 6609E3A8008E, 736 ms
Nov 28 16:33:16 messagerie postfix/smtp[46612]: 738D73A80088: to=<a.chaouche@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=1.2/0.01/0/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6609E3A8008E)
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 738D73A80088: removed
Nov 28 16:33:16 messagerie postfix/pickup[45522]: 6AD523A80092: uid=1001 from=<bounce-3308-19491836-3512-248@frdww.com>
Nov 28 16:33:16 messagerie postfix/cleanup[46611]: 6AD523A80092: message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6AD523A80092: from=<bounce-3308-19491836-3512-248@frdww.com>, size=47174, nrcpt=1 (queue active)
Nov 28 16:33:16 messagerie postfix/lmtp[46616]: 6609E3A8008E: to=<a.chaouche@mydomain.tld>, relay=mailhost.tl[dprivate/dovecot-lmtp], delay=0.03, delays=0/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 <a.chaouche@mydomain.tld> uTNQGbyBHVrKtQAArJM0yg Saved)
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6609E3A8008E: removed
</pre>
</div>In particular, we have this line :<br id="yui_3_16_0_ym19_1_1512036758898_96709">
<br id="yui_3_16_0_ym19_1_1512036758898_96710">
<div id="yui_3_16_0_ym19_1_1512036758898_96711">
<div id="yui_3_16_0_ym19_1_1512036758898_96712"><br></div>
<pre id="yui_3_16_0_ym19_1_1512036758898_96713">Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY {RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] <bounce-3308-19491836-3512-248@frdww.com> -> <a.chaouche@mydomain.tld>, Queue-ID: 738D73A80088, Message-ID: <bf680addabf683575f7cc153be8a9094@101.55.71.3>, mail_id: lBrIu_4QeHCa, Hits: 11.386, size: 46197, queued_as: 6609E3A8008E, 736 ms</pre>
</div>So we know amavis detected that the email was spammy, but didn't rewrite the subject! Here are the headers:<br id="yui_3_16_0_ym19_1_1512036758898_96715">
<br id="yui_3_16_0_ym19_1_1512036758898_96717">
<div dir="ltr" id="yui_3_16_0_ym19_1_1512036758898_103620">Return-Path: <bounce-3308-19491836-3512-248@frdww.com><br id="yui_3_16_0_ym19_1_1512036758898_103577">Delivered-To: <a.chaouche@mydomain.tld><br id="yui_3_16_0_ym19_1_1512036758898_103578">Received: from messagerie.mydomain.tld<br id="yui_3_16_0_ym19_1_1512036758898_103579"> by messagerie.mydomain.tld (Dovecot) with LMTP id uTNQGbyBHVrKtQAArJM0yg<br id="yui_3_16_0_ym19_1_1512036758898_103580"> for <a.chaouche@mydomain.tld>; Tue, 28 Nov 2017 16:33:16 +0100<br id="yui_3_16_0_ym19_1_1512036758898_103581">Received: from localhost (localhost [127.0.0.1])<br id="yui_3_16_0_ym19_1_1512036758898_103582"> by messagerie.mydomain.tld (Postfix) with ESMTP id 6609E3A8008E<br id="yui_3_16_0_ym19_1_1512036758898_103583"> for <a.chaouche@mydomain.tld>; Tue, 28 Nov 2017 16:33:16 +0100 (CET)<br id="yui_3_16_0_ym19_1_1512036758898_103584">X-Virus-Scanned: Debian amavisd-new at messagerie.mydomain.tld<br id="yui_3_16_0_ym19_1_1512036758898_103585">Received: from messagerie.mydomain.tld ([127.0.0.1])<br id="yui_3_16_0_ym19_1_1512036758898_103586"> by localhost (messagerie.mydomain.tld. 
[127.0.0.1]) (amavisd-new, port 10024)<br id="yui_3_16_0_ym19_1_1512036758898_103587"> with ESMTP id lBrIu_4QeHCa for <a.chaouche@mydomain.tld>;<br id="yui_3_16_0_ym19_1_1512036758898_103588"> Tue, 28 Nov 2017 16:33:15 +0100 (CET)<br id="yui_3_16_0_ym19_1_1512036758898_103589">Received: from 9.frdww.com (unknown [101.55.71.90])<br id="yui_3_16_0_ym19_1_1512036758898_103590"> by messagerie.mydomain.tld (Postfix) with ESMTP id 738D73A80088<br id="yui_3_16_0_ym19_1_1512036758898_103591"> for <a.chaouche@mydomain.tld>; Tue, 28 Nov 2017 16:33:14 +0100 (CET)<br id="yui_3_16_0_ym19_1_1512036758898_103592">DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=frdww; d=frdww.com;<br id="yui_3_16_0_ym19_1_1512036758898_103593"> h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Transfer-Encoding:Content-Type; i=hello@frdww.com;<br id="yui_3_16_0_ym19_1_1512036758898_103594"> bh=SQsVo8OmiXaSIiVx4P9ctCKthwM=;<br id="yui_3_16_0_ym19_1_1512036758898_103595"> b=EqbkxLTMUduPOzVBULrkN48h5yST8A3MkVUuI+u1XQh+gyFszmY2GKS4a6b2kNzTbqVvU/OAdfM0<br id="yui_3_16_0_ym19_1_1512036758898_103596"> 85J8m/+N0h/AwGnp2W2bXQ5QPoJGrYk/npL98xfx2FWxETrd+9l/NankuuI4pdW3CWshSVNv3q1+<br id="yui_3_16_0_ym19_1_1512036758898_103597"> yqNN1S1bHfq1aQjiBx4=<br id="yui_3_16_0_ym19_1_1512036758898_103598">DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=frdww; d=frdww.com;<br id="yui_3_16_0_ym19_1_1512036758898_103599"> b=HIA8xB9FoklljU9NDxZjwSZRCVNiBSWnpvt3yH75Am9K82UMiWEEbEb/XtPYz3FncjOxSrXAKwVl<br id="yui_3_16_0_ym19_1_1512036758898_103600"> HRSy6qqPtm+Y+UYeVRS9mwgR7zL/j48IX6zNhBL1RbtKMzMzdPND5HzSCuugoBhrHuqBOG8hPBps<br id="yui_3_16_0_ym19_1_1512036758898_103601"> cgic2UZJJ/pgPaMFXCQ=;<br id="yui_3_16_0_ym19_1_1512036758898_103602">Received: by 9.frdww.com id h3nove0e97c0 for <a.chaouche@mydomain.tld>; Tue, 28 Nov 2017 09:32:31 -0500 (envelope-from <bounce-3308-19491836-3512-248@frdww.com>)<br id="yui_3_16_0_ym19_1_1512036758898_103603">Date: Tue, 28 Nov 2017 09:32:31 -0500<br 
id="yui_3_16_0_ym19_1_1512036758898_103604">To: "a.chaouche@mydomain.tld" <a.chaouche@mydomain.tld><br id="yui_3_16_0_ym19_1_1512036758898_103605">From: Ray Ban <hello@frdww.com><br id="yui_3_16_0_ym19_1_1512036758898_103606">Reply-to: Ray Ban <hello@frdww.com><br id="yui_3_16_0_ym19_1_1512036758898_103607">Subject: [Black Friday] Ray Ban Sunglasses 2017 New Styles. 89% Off All Sales.<br id="yui_3_16_0_ym19_1_1512036758898_103608">Message-ID: <bf680addabf683575f7cc153be8a9094@101.55.71.3><br id="yui_3_16_0_ym19_1_1512036758898_103609">X-Priority: 3<br id="yui_3_16_0_ym19_1_1512036758898_103610">X-Mailer: frdww.com<br id="yui_3_16_0_ym19_1_1512036758898_103611">X-Complaints-To: helen@frdww.com<br id="yui_3_16_0_ym19_1_1512036758898_103612">List-Unsubscribe: <http://rb3.frdww.com/oem/u.php?p=s8/rs/22hw/s9/s8/rs><br id="yui_3_16_0_ym19_1_1512036758898_103613">X-MessageID: MTZ8fHx8OTU1NDh8fHx8YS5jaGFvdWNoZUBhbGdlcmlhbi1yYWRpby5kenx8fHwxN3x8fHwxfHx8fDA%3D<br id="yui_3_16_0_ym19_1_1512036758898_103614">X-Report-Abuse: <http://rb3.frdww.com/oem/report_abuse.php?mid=MTZ8fHx8OTU1NDh8fHx8YS5jaGFvdWNoZUBhbGdlcmlhbi1yYWRpby5kenx8fHwxN3x8fHwxfHx8fDA%3D><br id="yui_3_16_0_ym19_1_1512036758898_103615">X-frdww.com: frdww.com<br id="yui_3_16_0_ym19_1_1512036758898_103616">MIME-Version: 1.0<br id="yui_3_16_0_ym19_1_1512036758898_103617">Content-Transfer-Encoding: quoted-printable<br id="yui_3_16_0_ym19_1_1512036758898_103618">Content-Type: text/html; charset="utf-8"<br id="yui_3_16_0_ym19_1_1512036758898_103619"><br></div><div><br></div><div><br></div>
Here's what spamc says about the email :<div id="yui_3_16_0_ym19_1_1512036758898_96721"><pre id="yui_3_16_0_ym19_1_1512036758898_96723">root@messagerie[10.10.10.19] /etc/amavis/conf.d # cat /tmp/spamreport
14.1/5.0
Spam detection software, running on the system "messagerie.algerian-radio.dz",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Untitled document SHOP ONLINE AVIATOR WAYFARER CUSTOMIZE PRESCRIPTION
SUN Back with a hero's welcome, General is the latest iconic style to the
revived by Ray-Ban. SHOP NOW RAY-BAN CUSTOMER CARE 12 Harbor Park Drive Port
Washington, NY 11050 [...]
Content analysis details: (14.1 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
[101.55.71.90 listed in psbl.surriel.com]
2.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
[URIs: rbwayn.com]
1.3 URI_HEX URI: URI hostname has long hexadecimal sequence
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_IMAGE_RATIO_06 BODY: HTML has a low ratio of text to image area
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
background
1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[101.55.71.90 listed in bb.barracudacentral.org]
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
[URIs: frdww.com]
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: rbwayn.com]
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
root@messagerie[10.10.10.19] /etc/amavis/conf.d # </pre>
</div><br id="yui_3_16_0_ym19_1_1512036758898_96724">
Any tips on how to troubleshoot this are appreciated.<br id="yui_3_16_0_ym19_1_1512036758898_96725">
<br id="yui_3_16_0_ym19_1_1512036758898_96726">
Yassine.
<div id="yui_3_16_0_ym19_1_1512036758898_96727"> </div>
</blockquote>
</article>
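<div>The comparison the post makes by hand (score in the amavis log line against the configured levels, then a look at the delivered headers), as an added example that is not part of the original post: it parses the amavis result line and lists which spam marks are absent from the delivered copy. The X-Spam-* header names are the ones amavisd-new normally writes and are an assumption here, as are the function names; the log line and headers are abridged from the post.</div>
<pre>
```python
import re
from email.parser import HeaderParser

# Values copied from 50-user and 20-debian_defaults in the post.
TAG_LEVEL, TAG2_LEVEL = -999.0, 5.0
SUBJECT_TAG = "***SPAM*** "

AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \([\w-]+\) (?P<action>Passed|Blocked) (?P<category>[A-Z0-9-]+)"
    r".*?Queue-ID: (?P<queue_id>\w+),.*?Hits: (?P<hits>-?[\d.]+),"
    r"(?:.*?queued_as: (?P<queued_as>\w+))?")

def parse_amavis(line):
    """Extract action, category, score and queue IDs from an amavis result line."""
    m = AMAVIS_RE.search(line)
    if m is None:
        return None
    return {**m.groupdict(), "hits": float(m["hits"])}

def expected_marks(hits):
    """Marks a passed message should carry at this score (assumed header names)."""
    marks = ["X-Spam-Score", "X-Spam-Status"] if hits >= TAG_LEVEL else []
    if hits >= TAG2_LEVEL:
        marks += ["X-Spam-Flag: YES", "Subject tag"]
    return marks

def missing_marks(log_line, raw_headers):
    """List the expected marks that are absent from the delivered headers."""
    rec = parse_amavis(log_line)
    if rec is None or rec["action"] != "Passed":
        return []
    hdrs = HeaderParser().parsestr(raw_headers)
    present = {h for h in ("X-Spam-Score", "X-Spam-Status") if h in hdrs}
    if (hdrs.get("X-Spam-Flag") or "").strip().upper().startswith("YES"):
        present.add("X-Spam-Flag: YES")
    if (hdrs.get("Subject") or "").startswith(SUBJECT_TAG):
        present.add("Subject tag")
    return [m for m in expected_marks(rec["hits"]) if m not in present]

# Sample input: the amavis line and two headers from the post, abridged.
LOG = ("Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY "
       "{RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90], "
       "Queue-ID: 738D73A80088, mail_id: lBrIu_4QeHCa, Hits: 11.386, "
       "size: 46197, queued_as: 6609E3A8008E, 736 ms")
HEADERS = ("X-Virus-Scanned: Debian amavisd-new at messagerie.mydomain.tld\n"
           "Subject: [Black Friday] Ray Ban Sunglasses 2017 New Styles.\n")

if __name__ == "__main__":
    print(missing_marks(LOG, HEADERS))
```
</pre>
<div>On the headers posted above it reports all four marks missing, not only the subject tag.</div>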
</div>
<div id="yui_3_16_0_ym19_1_1512036758898_103629"><br></div></div></body></html>