Marked spam

Jernej Porenta jernej.porenta at arnes.si
Mon Oct 13 22:20:52 CEST 2014


Dear ricky,

what are your levels for tagging spam (below are mine):
$sa_tag_level_deflt  = -1.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_tag3_level_deflt = 12; # $sa_tag3_level_deflt = ***BLATANT*SPAM***
$sa_kill_level_deflt = $sa_tag2_level_deflt;  # triggers spam evasive actions

Your spam levels may change through MySQL policy settings if you have 
set them up. Probably you can check this by looking into the policy table of 
your MySQL setup (I don't know your setup, so I am just guessing).

cheers, J.

On 12/10/14 03:03, ricky gutierrez wrote:
> 2014-10-10 23:41 GMT-06:00 Jernej Porenta <jernej.porenta at arnes.si>:
>> Hi Rick,
>>
>> There could be lots of different settings which can cause this.
>> Can you share some logs? Maybe you have some policy which overwrites the
>> final_{spam|virus|banned}_destiny?
>
> other settings
>
> #$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
> #  originating => 1,  # declare that mail was submitted by our smtp client
>    allow_disclaimers => 1,  # enables disclaimer insertion if available
>    # notify administrator of locally originating malware
>    virus_admin_maps => ["virusalert\@$mydomain"],
>    spam_admin_maps  => ["virusalert\@$mydomain"],
>    warnbadhsender   => 1,
>    # forward to a smtpd service providing DKIM signing service
>    forward_method => 'smtp:[127.0.0.1]:10027',
>    # force MTA conversion to 7-bit (e.g. before DKIM signing)
>    smtpd_discard_ehlo_keywords => ['8BITMIME'],
>    bypass_banned_checks_maps => [1],  # allow sending any file names and types
>    terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
>
> };
>
>
>> Do you have spam_lovers_maps set up? Do
>
> No
>
>> you have your policy settings stored in MySQL and if so, what are they?
>
> not that I know, how could I check this?
>
>>
>> cheers, Jernej
>>
>
> log maillog amavisd
>
> Oct 11 01:11:29 ns1 amavis[15818]: (15818-09) LMTP:[127.0.0.1]:10024
> /var/amavis/tmp/amavis-20141010T203759-15818-RuuI9eo3:
> <s471 at emailserverpakistan.com> ->
> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>
> SIZE=3998 BODY=8BITMIME Received: from ns1.domain.org.ni ([127.0.0.1])
> by localhost (ns1.domain.org.ni [127.0.0.1]) (amavisd-new, port 10024)
> with LMTP; Sat, 11 Oct 2014 01:11:29 -0600 (CST)
>
> Oct 11 01:11:29 ns1 amavis[15818]: (15818-09) Checking: o5w5IGxZRG2M
> [107.161.190.204] <s471 at emailserverpakistan.com> ->
> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>
>
> Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p003 1 Content-Type:
> multipart/alternative
>
> Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p001 1/1 Content-Type:
> text/plain, size: 330 B, name:
>
> Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p002 1/2 Content-Type:
> text/html, size: 2257 B, name:
>
> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) spam-tag,
> <s471 at emailserverpakistan.com> ->
> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>, Yes,
> score=13.229 tagged_above=-990 required=5 tests=[BAYES_50=0.8,
> DATE_IN_PAST_03_06=1.592, DEAR_SOMETHING=1.973,
> DKIM_ADSP_CUSTOM_MED=0.001, FH_RELAY_NODNS=1.451, FREEMAIL_FROM=0.001,
> HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MPART_ALT_DIFF=0.79,
> NML_ADSP_CUSTOM_MED=0.9, RAZOR2_CF_RANGE_51_100=0.5,
> RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, RDNS_NONE=0.793,
> URIBL_BLOCKED=0.001] autolearn=disabled
>
> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) FWD from
> <s471 at emailserverpakistan.com> ->
> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>,BODY=7BIT
> 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as
> 4DF0750F0
>
>
> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) Passed SPAMMY
> {RelayedTaggedInbound}, [107.161.190.204]:51770 [198.49.76.82]
> <s471 at emailserverpakistan.com> ->
> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>,
> Message-ID: <8c87a67b9c45e50c33206315c1e27b87 at server471.emailserverpakistan.com>,
> mail_id: o5w5IGxZRG2M, Hits: 13.229, size: 3997, queued_as: 4DF0750F0,
> 1387 ms
>
>
> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) TIMING-SA total 1194 ms
> - parse: 3 (0.2%), extract_message_metadata: 27 (2.3%), poll_dns_idle:
> 142 (11.9%), get_uri_detail_list: 3 (0.3%), tests_pri_-1000: 7 (0.6%),
> tests_pri_-950: 1.14 (0.1%), tests_pri_-900: 1.45 (0.1%),
> tests_pri_-400: 28 (2.3%), check_bayes: 27 (2.2%), tests_pri_0: 992
> (83.1%), check_spf: 54 (4.5%), check_razor2: 167 (14.0%), check_pyzor:
> 199 (16.7%), tests_pri_500: 114 (9.5%), get_report: 1.31 (0.1%)
>
> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) size: 3997, TIMING
> [total 1396 ms] - SMTP greeting: 2 (0%)0, SMTP LHLO: 1 (0%)0, SMTP
> pre-MAIL: 1 (0%)0, sql-connect: 5 (0%)1, lookup_sql: 1 (0%)1,
> lookup_sql: 1 (0%)1, lookup_sql: 1 (0%)1, SMTP pre-DATA-flush: 2
> (0%)1, SMTP DATA: 31 (2%)3, check_init: 0 (0%)3, digest_hdr: 1 (0%)3,
> digest_body_dkim: 0 (0%)3, gen_mail_id: 4 (0%)3, mime_decode: 12
> (1%)4, get-file-type2: 52 (4%)8, decompose_part: 1 (0%)8,
> parts_decode: 0 (0%)8, check_header: 1 (0%)8, AV-scan-1: 13 (1%)9,
> spam-wb-list: 3 (0%)9, SA msg read: 1 (0%)9, SA parse: 4 (0%)10, SA
> check: 1186 (85%)95, lookup_sql: 11 (1%)95, penpals_check: 3 (0%)96,
> decide_mail_destiny: 1 (0%)96, notif-quar: 1 (0%)96, fwd-connect: 33
> (2%)98, fwd-mail-pip: 7 (0%)99, fwd-rcpt-pip: 0 (0%)99,
> fwd-data-chkpnt: 0 (0%)99, write-header: 1 (0%)99, fwd-data-contents:
> 0 (0%)99, fwd-end-chkpnt: 3 (0%)99, prepare-dsn: 1 (0%)99,
> main_log_entry: 6 (0%)99, sql-update: 3 (0%)100, update_snmp: 3
> (0%)100, SMTP pre-response: 0 (0%)100,...
>
> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) ... SMTP response: 1
> (0%)100, unlink-3-files: 0 (0%)100, rundown: 1 (0%)100
>
> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) NOTICE: reconnecting in
> response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL
> server has gone away at (eval 106) line 172.
>
> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) LMTP:[127.0.0.1]:10024
> /var/amavis/tmp/amavis-20141010T203759-15847-DdGNH8Ta:
> <noticias at winkalmail.com> ->
> <ivania at domain.org.ni>,<spam at domain.org.ni> SIZE=44452 BODY=8BITMIME
> Received: from ns1.domain.org.ni ([127.0.0.1]) by localhost
> (ns1.domain.org.ni [127.0.0.1]) (amavisd-new, port 10024) with LMTP;
> Sat, 11 Oct 2014 01:34:52 -0600 (CST)
>
> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) dkim: FAILED
> Author+Sender+MailFrom signature by d=winkalmail.com, From:
> <noticias at winkalmail.com>, a=rsa-sha1, c=relaxed/simple, s=dk1,
> i=@winkalmail.com,
> m.list(ml:http://tk.winkal.com/web/fnbox/lu/OHwkCQer-vSNssG9tXTkgSSo7C3QLzTsOW0vMyuHKkip-oEIDCFOqhvGnJXWp8mg87hW2w0zPVZJPmJLbo_eNwwpeV1nUzXaYp6T0XTUEJ8NqLUyw6d3l5ar2mWek9AcLc39oEFTV4RjybVwsoAjxDhQz1bMGTAumzHtn2Lbp7DhdLGvSj_9XfLkpdVMvLsQpwvL439Ar1do-w-KSJghOiQ.),
> fail (body has been altered)
>
> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) Checking: XbjdOmTZoyKt
> [208.74.29.94] <noticias at winkalmail.com> ->
> <ivania at domain.org.ni>,<spam at domain.org.ni>
>
> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) p001 1 Content-Type:
> text/html, size: 42896 B, name:
>
> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) check_header: 7, Missing
> required header field: "Date"
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) header_edits_for_quar:
> <noticias at winkalmail.com> ->
> <ivania at domain.org.ni>,<spam at domain.org.ni>, Yes, score=6.577 tag=-990
> tag2=5 kill=15 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1,
> HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
> MISSING_DATE=1.36, MISSING_MID=0.497, SPF_HELO_PASS=-0.001,
> SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_REMOTE_IMAGE=0.01,
> URIBL_BLOCKED=0.001] autolearn=disabled
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) local delivery: <> ->
> bad-header-quarantine, mbx=/var/virusmails/badh-XbjdOmTZoyKt
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) spam-tag,
> <noticias at winkalmail.com> ->
> <ivania at domain.org.ni>,<spam at domain.org.ni>, Yes, score=6.577
> tagged_above=-990 required=5 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1,
> HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
> MISSING_DATE=1.36, MISSING_MID=0.497, SPF_HELO_PASS=-0.001,
> SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_REMOTE_IMAGE=0.01,
> URIBL_BLOCKED=0.001] autolearn=disabled
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) FWD from
> <noticias at winkalmail.com> ->
> <ivania at domain.org.ni>,<spam at domain.org.ni>,BODY=8BITMIME 250 2.0.0
> from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BB8B950F0
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) Passed SPAMMY
> {RelayedTaggedInbound,Quarantined}, [208.74.29.94]:63845
> [208.74.29.94] <noticias at winkalmail.com> ->
> <ivania at domain.org.ni>,<spam at domain.org.ni>, quarantine:
> badh-XbjdOmTZoyKt, mail_id: XbjdOmTZoyKt, Hits: 6.577, size: 44434,
> queued_as: BB8B950F0, 1409 ms
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) TIMING-SA total 1094 ms
> - parse: 4 (0.4%), extract_message_metadata: 51 (4.7%), poll_dns_idle:
> 167 (15.3%), get_uri_detail_list: 10 (0.9%), tests_pri_-1000: 18
> (1.6%), tests_pri_-950: 1.12 (0.1%), tests_pri_-900: 1.22 (0.1%),
> tests_pri_-400: 59 (5.4%), check_bayes: 57 (5.2%), tests_pri_0: 934
> (85.4%), check_dkim_adsp: 5 (0.4%), check_spf: 193 (17.7%),
> check_razor2: 236 (21.6%), check_pyzor: 193 (17.7%), tests_pri_500: 6
> (0.6%), get_report: 1.00 (0.1%)
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) size: 44434, TIMING
> [total 1416 ms] - SMTP greeting: 1 (0%)0, SMTP LHLO: 1 (0%)0, SMTP
> pre-MAIL: 1 (0%)0, sql-connect: 3 (0%)0, lookup_sql: 0 (0%)0,
> lookup_sql: 1 (0%)0, SMTP pre-DATA-flush: 1 (0%)1, SMTP DATA: 36
> (3%)3, check_init: 1 (0%)3, digest_hdr: 2 (0%)3, digest_body_dkim: 73
> (5%)8, gen_mail_id: 5 (0%)9, mime_decode: 7 (1%)9, get-file-type1: 56
> (4%)13, parts_decode: 0 (0%)13, check_header: 2 (0%)13, AV-scan-1: 18
> (1%)15, spam-wb-list: 1 (0%)15, SA msg read: 1 (0%)15, SA parse: 6
> (0%)15, SA check: 1084 (77%)92, lookup_sql: 11 (1%)93, penpals_check:
> 2 (0%)93, decide_mail_destiny: 1 (0%)93, notif-quar: 1 (0%)93,
> quar-hdrs: 3 (0%)93, stat-mbx: 2 (0%)93, open-mbx: 0 (0%)93,
> write-header: 0 (0%)93, save-to-local-mailbox: 0 (0%)93, fwd-connect:
> 31 (2%)96, fwd-mail-pip: 6 (0%)96, fwd-rcpt-pip: 0 (0%)96,
> fwd-data-chkpnt: 0 (0%)96, write-header: 1 (0%)96, fwd-data-contents:
> 1 (0%)96, fwd-end-chkpnt: 43 (3%)99, prepare-dsn: 1 (0%)99,
> main_log_entry: 6 (0%)...
>
> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) ...100, sql-update: 2
> (0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 0 (0%)100, SMTP
> response: 1 (0%)100, unlink-2-files: 0 (0%)100, rundown: 1 (0%)100
>
> Oct 11 01:42:43 ns1 amavis[15818]: (15818-10) LMTP:[127.0.0.1]:10024
> /var/amavis/tmp/amavis-20141010T203759-15818-RuuI9eo3:
> <no-reply at netvigator.com> ->
> <martha at domain.org.ni>,<spam at domain.org.ni> SIZE=481267 Received: from
> ns1.domain.org.ni ([127.0.0.1]) by localhost (ns1.domain.org.ni
> [127.0.0.1]) (amavisd-new, port 10024) with LMTP; Sat, 11 Oct 2014
> 01:42:43 -0600 (CST)
>
>
>
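
Added example, not part of the original post or of amavisd: a small Python parser that pulls the effective tag/tag2/kill levels out of log entries like the ones quoted above and compares them with the amavisd.conf defaults, since a logged level that differs from the config points at an override such as the SQL policy lookup mentioned in the reply. The function names, the shortened sample lines and the use of the reply's values as CONF_DEFAULTS are assumptions made for illustration.

```python
import re

# Constructed sample: two entries shortened from the log quoted above
# (recipient and test lists trimmed; scores and levels unchanged).
SAMPLE_LOG = """\
Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) spam-tag, <s471 at emailserverpakistan.com> -> <info at domain.org.ni>, Yes, score=13.229 tagged_above=-990 required=5 tests=[BAYES_50=0.8] autolearn=disabled
Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) header_edits_for_quar: <noticias at winkalmail.com> -> <ivania at domain.org.ni>, Yes, score=6.577 tag=-990 tag2=5 kill=15 tests=[BAYES_99=3.5] autolearn=disabled
"""

# Assumption: stand-in for your own amavisd.conf; these are the
# $sa_*_level_deflt values quoted in the reply above.
CONF_DEFAULTS = {"tag": -1.0, "tag2": 6.31, "kill": 6.31}

# spam-tag lines spell tag/tag2 as tagged_above/required (same values in the log above).
ALIASES = {"tagged_above": "tag", "required": "tag2"}
FIELD = re.compile(r"\b(score|tag2|tag|kill|tagged_above|required)=(-?\d+(?:\.\d+)?)")
REQUEST_ID = re.compile(r"\((\d+-\d+)\)")


def effective_levels(log_text):
    """Map each request id to the score and levels amavisd logged for it."""
    found = {}
    for line in log_text.splitlines():
        req = REQUEST_ID.search(line)
        if not req:
            continue
        head = line.split("tests=[", 1)[0]  # skip per-test scores
        for key, value in FIELD.findall(head):
            found.setdefault(req.group(1), {})[ALIASES.get(key, key)] = float(value)
    return found


def explain(levels, defaults=CONF_DEFAULTS):
    """Return (levels differing from amavisd.conf, why the mail was handled so)."""
    diffs = {k: (defaults[k], levels[k])
             for k in defaults if k in levels and levels[k] != defaults[k]}
    if "kill" not in levels:
        action = "kill level not logged"
    elif levels["score"] >= levels["kill"]:
        action = "at or above kill level"
    elif levels["score"] >= levels["tag2"]:
        action = "tagged only, below kill level"
    else:
        action = "below tag2"
    return diffs, action


if __name__ == "__main__":
    for req_id, levels in effective_levels(SAMPLE_LOG).items():
        print(req_id, levels, *explain(levels))
```

Replace CONF_DEFAULTS with the values from your own amavisd.conf before drawing conclusions from the differences it reports.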


