Marked spam

ricky gutierrez xserverlinux at gmail.com
Sun Oct 12 03:03:07 CEST 2014


2014-10-10 23:41 GMT-06:00 Jernej Porenta <jernej.porenta at arnes.si>:
> Hi Rick,
>
> There could be lots of different settings which can cause this.
> Can you share some logs? Maybe you have some policy which overwrites the
> final_{spam|virus|banned}_destiny?

other settings

#$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
#  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option

};


>Do you have spam_lovers_maps set up? Do

No

> you have your policy settings stored in MySQL and if so, what are they?

Not that I know of. How could I check this?

>
> cheers, Jernej
>

log maillog amavisd

Oct 11 01:11:29 ns1 amavis[15818]: (15818-09) LMTP:[127.0.0.1]:10024
/var/amavis/tmp/amavis-20141010T203759-15818-RuuI9eo3:
<s471 at emailserverpakistan.com> ->
<info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>
SIZE=3998 BODY=8BITMIME Received: from ns1.domain.org.ni ([127.0.0.1])
by localhost (ns1.domain.org.ni [127.0.0.1]) (amavisd-new, port 10024)
with LMTP; Sat, 11 Oct 2014 01:11:29 -0600 (CST)

Oct 11 01:11:29 ns1 amavis[15818]: (15818-09) Checking: o5w5IGxZRG2M
[107.161.190.204] <s471 at emailserverpakistan.com> ->
<info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>

Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p003 1 Content-Type:
multipart/alternative

Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p001 1/1 Content-Type:
text/plain, size: 330 B, name:

Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p002 1/2 Content-Type:
text/html, size: 2257 B, name:

Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) spam-tag,
<s471 at emailserverpakistan.com> ->
<info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>, Yes,
score=13.229 tagged_above=-990 required=5 tests=[BAYES_50=0.8,
DATE_IN_PAST_03_06=1.592, DEAR_SOMETHING=1.973,
DKIM_ADSP_CUSTOM_MED=0.001, FH_RELAY_NODNS=1.451, FREEMAIL_FROM=0.001,
HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MPART_ALT_DIFF=0.79,
NML_ADSP_CUSTOM_MED=0.9, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, RDNS_NONE=0.793,
URIBL_BLOCKED=0.001] autolearn=disabled

Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) FWD from
<s471 at emailserverpakistan.com> ->
<info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>,BODY=7BIT
250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as
4DF0750F0


Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) Passed SPAMMY
{RelayedTaggedInbound}, [107.161.190.204]:51770 [198.49.76.82]
<s471 at emailserverpakistan.com> ->
<info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>,
Message-ID: <8c87a67b9c45e50c33206315c1e27b87 at server471.emailserverpakistan.com>,
mail_id: o5w5IGxZRG2M, Hits: 13.229, size: 3997, queued_as: 4DF0750F0,
1387 ms


Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) TIMING-SA total 1194 ms
- parse: 3 (0.2%), extract_message_metadata: 27 (2.3%), poll_dns_idle:
142 (11.9%), get_uri_detail_list: 3 (0.3%), tests_pri_-1000: 7 (0.6%),
tests_pri_-950: 1.14 (0.1%), tests_pri_-900: 1.45 (0.1%),
tests_pri_-400: 28 (2.3%), check_bayes: 27 (2.2%), tests_pri_0: 992
(83.1%), check_spf: 54 (4.5%), check_razor2: 167 (14.0%), check_pyzor:
199 (16.7%), tests_pri_500: 114 (9.5%), get_report: 1.31 (0.1%)

Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) size: 3997, TIMING
[total 1396 ms] - SMTP greeting: 2 (0%)0, SMTP LHLO: 1 (0%)0, SMTP
pre-MAIL: 1 (0%)0, sql-connect: 5 (0%)1, lookup_sql: 1 (0%)1,
lookup_sql: 1 (0%)1, lookup_sql: 1 (0%)1, SMTP pre-DATA-flush: 2
(0%)1, SMTP DATA: 31 (2%)3, check_init: 0 (0%)3, digest_hdr: 1 (0%)3,
digest_body_dkim: 0 (0%)3, gen_mail_id: 4 (0%)3, mime_decode: 12
(1%)4, get-file-type2: 52 (4%)8, decompose_part: 1 (0%)8,
parts_decode: 0 (0%)8, check_header: 1 (0%)8, AV-scan-1: 13 (1%)9,
spam-wb-list: 3 (0%)9, SA msg read: 1 (0%)9, SA parse: 4 (0%)10, SA
check: 1186 (85%)95, lookup_sql: 11 (1%)95, penpals_check: 3 (0%)96,
decide_mail_destiny: 1 (0%)96, notif-quar: 1 (0%)96, fwd-connect: 33
(2%)98, fwd-mail-pip: 7 (0%)99, fwd-rcpt-pip: 0 (0%)99,
fwd-data-chkpnt: 0 (0%)99, write-header: 1 (0%)99, fwd-data-contents:
0 (0%)99, fwd-end-chkpnt: 3 (0%)99, prepare-dsn: 1 (0%)99,
main_log_entry: 6 (0%)99, sql-update: 3 (0%)100, update_snmp: 3
(0%)100, SMTP pre-response: 0 (0%)100,...

Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) ... SMTP response: 1
(0%)100, unlink-3-files: 0 (0%)100, rundown: 1 (0%)100

Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) NOTICE: reconnecting in
response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL
server has gone away at (eval 106) line 172.

Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) LMTP:[127.0.0.1]:10024
/var/amavis/tmp/amavis-20141010T203759-15847-DdGNH8Ta:
<noticias at winkalmail.com> ->
<ivania at domain.org.ni>,<spam at domain.org.ni> SIZE=44452 BODY=8BITMIME
Received: from ns1.domain.org.ni ([127.0.0.1]) by localhost
(ns1.domain.org.ni [127.0.0.1]) (amavisd-new, port 10024) with LMTP;
Sat, 11 Oct 2014 01:34:52 -0600 (CST)

Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) dkim: FAILED
Author+Sender+MailFrom signature by d=winkalmail.com, From:
<noticias at winkalmail.com>, a=rsa-sha1, c=relaxed/simple, s=dk1,
i=@winkalmail.com,
m.list(ml:http://tk.winkal.com/web/fnbox/lu/OHwkCQer-vSNssG9tXTkgSSo7C3QLzTsOW0vMyuHKkip-oEIDCFOqhvGnJXWp8mg87hW2w0zPVZJPmJLbo_eNwwpeV1nUzXaYp6T0XTUEJ8NqLUyw6d3l5ar2mWek9AcLc39oEFTV4RjybVwsoAjxDhQz1bMGTAumzHtn2Lbp7DhdLGvSj_9XfLkpdVMvLsQpwvL439Ar1do-w-KSJghOiQ.),
fail (body has been altered)

Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) Checking: XbjdOmTZoyKt
[208.74.29.94] <noticias at winkalmail.com> ->
<ivania at domain.org.ni>,<spam at domain.org.ni>

Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) p001 1 Content-Type:
text/html, size: 42896 B, name:

Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) check_header: 7, Missing
required header field: "Date"

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) header_edits_for_quar:
<noticias at winkalmail.com> ->
<ivania at domain.org.ni>,<spam at domain.org.ni>, Yes, score=6.577 tag=-990
tag2=5 kill=15 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1,
HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
MISSING_DATE=1.36, MISSING_MID=0.497, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_REMOTE_IMAGE=0.01,
URIBL_BLOCKED=0.001] autolearn=disabled

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) local delivery: <> ->
bad-header-quarantine, mbx=/var/virusmails/badh-XbjdOmTZoyKt

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) spam-tag,
<noticias at winkalmail.com> ->
<ivania at domain.org.ni>,<spam at domain.org.ni>, Yes, score=6.577
tagged_above=-990 required=5 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1,
HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
MISSING_DATE=1.36, MISSING_MID=0.497, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_REMOTE_IMAGE=0.01,
URIBL_BLOCKED=0.001] autolearn=disabled

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) FWD from
<noticias at winkalmail.com> ->
<ivania at domain.org.ni>,<spam at domain.org.ni>,BODY=8BITMIME 250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BB8B950F0

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) Passed SPAMMY
{RelayedTaggedInbound,Quarantined}, [208.74.29.94]:63845
[208.74.29.94] <noticias at winkalmail.com> ->
<ivania at domain.org.ni>,<spam at domain.org.ni>, quarantine:
badh-XbjdOmTZoyKt, mail_id: XbjdOmTZoyKt, Hits: 6.577, size: 44434,
queued_as: BB8B950F0, 1409 ms

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) TIMING-SA total 1094 ms
- parse: 4 (0.4%), extract_message_metadata: 51 (4.7%), poll_dns_idle:
167 (15.3%), get_uri_detail_list: 10 (0.9%), tests_pri_-1000: 18
(1.6%), tests_pri_-950: 1.12 (0.1%), tests_pri_-900: 1.22 (0.1%),
tests_pri_-400: 59 (5.4%), check_bayes: 57 (5.2%), tests_pri_0: 934
(85.4%), check_dkim_adsp: 5 (0.4%), check_spf: 193 (17.7%),
check_razor2: 236 (21.6%), check_pyzor: 193 (17.7%), tests_pri_500: 6
(0.6%), get_report: 1.00 (0.1%)

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) size: 44434, TIMING
[total 1416 ms] - SMTP greeting: 1 (0%)0, SMTP LHLO: 1 (0%)0, SMTP
pre-MAIL: 1 (0%)0, sql-connect: 3 (0%)0, lookup_sql: 0 (0%)0,
lookup_sql: 1 (0%)0, SMTP pre-DATA-flush: 1 (0%)1, SMTP DATA: 36
(3%)3, check_init: 1 (0%)3, digest_hdr: 2 (0%)3, digest_body_dkim: 73
(5%)8, gen_mail_id: 5 (0%)9, mime_decode: 7 (1%)9, get-file-type1: 56
(4%)13, parts_decode: 0 (0%)13, check_header: 2 (0%)13, AV-scan-1: 18
(1%)15, spam-wb-list: 1 (0%)15, SA msg read: 1 (0%)15, SA parse: 6
(0%)15, SA check: 1084 (77%)92, lookup_sql: 11 (1%)93, penpals_check:
2 (0%)93, decide_mail_destiny: 1 (0%)93, notif-quar: 1 (0%)93,
quar-hdrs: 3 (0%)93, stat-mbx: 2 (0%)93, open-mbx: 0 (0%)93,
write-header: 0 (0%)93, save-to-local-mailbox: 0 (0%)93, fwd-connect:
31 (2%)96, fwd-mail-pip: 6 (0%)96, fwd-rcpt-pip: 0 (0%)96,
fwd-data-chkpnt: 0 (0%)96, write-header: 1 (0%)96, fwd-data-contents:
1 (0%)96, fwd-end-chkpnt: 43 (3%)99, prepare-dsn: 1 (0%)99,
main_log_entry: 6 (0%)...

Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) ...100, sql-update: 2
(0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 0 (0%)100, SMTP
response: 1 (0%)100, unlink-2-files: 0 (0%)100, rundown: 1 (0%)100

Oct 11 01:42:43 ns1 amavis[15818]: (15818-10) LMTP:[127.0.0.1]:10024
/var/amavis/tmp/amavis-20141010T203759-15818-RuuI9eo3:
<no-reply at netvigator.com> ->
<martha at domain.org.ni>,<spam at domain.org.ni> SIZE=481267 Received: from
ns1.domain.org.ni ([127.0.0.1]) by localhost (ns1.domain.org.ni
[127.0.0.1]) (amavisd-new, port 10024) with LMTP; Sat, 11 Oct 2014
01:42:43 -0600 (CST)



-- 
rickygm

http://gnuforever.homelinux.com


More information about the amavis-users mailing list
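
An added example, not part of the original post and not amavisd-new code, for triaging a log excerpt like the one above: it pairs each `Passed SPAMMY` entry with the `tag2=`/`kill=` levels logged for the same task and reports whether the score was below the kill level. The sample lines are condensed from the excerpt (recipient lists and test lists shortened); the function name, regexes and verdict strings are assumptions made for illustration.

```python
import re

# Constructed sample: three entries condensed from the excerpt above, one per line.
SAMPLE_LOG = """\
Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) Passed SPAMMY {RelayedTaggedInbound}, [107.161.190.204]:51770 [198.49.76.82] <s471 at emailserverpakistan.com> -> <info at domain.org.ni>, mail_id: o5w5IGxZRG2M, Hits: 13.229, size: 3997, queued_as: 4DF0750F0, 1387 ms
Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) header_edits_for_quar: <noticias at winkalmail.com> -> <ivania at domain.org.ni>, Yes, score=6.577 tag=-990 tag2=5 kill=15 tests=[BAYES_99=3.5]
Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) Passed SPAMMY {RelayedTaggedInbound,Quarantined}, [208.74.29.94]:63845 [208.74.29.94] <noticias at winkalmail.com> -> <ivania at domain.org.ni>, quarantine: badh-XbjdOmTZoyKt, mail_id: XbjdOmTZoyKt, Hits: 6.577, size: 44434, queued_as: BB8B950F0, 1409 ms
"""

ENTRY = re.compile(r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<body>.*)")
LEVELS = re.compile(r"tag2=(?P<tag2>-?[\d.]+) kill=(?P<kill>-?[\d.]+)")
PASSED = re.compile(
    r"Passed SPAMMY \{(?P<cats>[^}]*)\}.*?"
    r"mail_id: (?P<mail_id>\S+?), Hits: (?P<hits>-?[\d.]+)")


def triage(log_text):
    """Return one finding per 'Passed SPAMMY' entry, with the kill level if logged."""
    levels = {}    # task id, e.g. "15847-09" -> (tag2, kill) logged for that task
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        task, body = m["task"], m["body"]
        lv = LEVELS.search(body)
        if lv:
            levels[task] = (float(lv["tag2"]), float(lv["kill"]))
        p = PASSED.search(body)
        if not p:
            continue
        hits = float(p["hits"])
        tag2, kill = levels.get(task, (None, None))
        if kill is None:
            verdict = "kill_unknown"        # no tag2=/kill= line seen for this task
        elif hits < kill:
            verdict = "below_kill"          # tagged and delivered, not treated as SPAM
        else:
            verdict = "at_or_above_kill"    # passed despite reaching the kill level
        findings.append({"task": task, "mail_id": p["mail_id"], "hits": hits,
                         "tag2": tag2, "kill": kill, "verdict": verdict,
                         "categories": p["cats"].split(",")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `below_kill` verdict means the message scored between the tag2 and kill levels, which amavisd-new logs as SPAMMY and delivers with spam headers; only scores at or above the kill level are subject to `final_spam_destiny`.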