Marked spam

ricky gutierrez xserverlinux at gmail.com
Mon Oct 13 22:52:02 CEST 2014


Hi, something strange: I removed the database to check some emails and the policy, and mail marked as spam is entering users' inboxes.

$sa_tag_level_deflt  = -999.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.9;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam

My local.cf:

# New rbl lists
header   RCVD_IN_PSBL          eval:check_rbl('psbl','psbl.surriel.com.')
describe RCVD_IN_PSBL          Received via a relay in PSBL
tflags   RCVD_IN_PSBL          net
score    RCVD_IN_PSBL          0 1.00 0 1.00

header   RCVD_IN_CBL           eval:check_rbl('cbl','cbl.abuseat.org.')
describe RCVD_IN_CBL           Received via a relay in CBL
tflags   RCVD_IN_CBL           net
score    RCVD_IN_CBL           0 1.00 0 1.00

header   RCVD_IN_TQM           eval:check_rbl('tqm','dnsbl.tqmcube.com.')
describe RCVD_IN_TQM           Received via relay in TQM
tflags   RCVD_IN_TQM           net
score    RCVD_IN_TQM           0 1.00 0 1.00
#***
header LOCAL_SALESFORCE_FROM From =~ /salesforce\.com/i
score  LOCAL_SALESFORCE_FROM 0.5


required_score      5.0
report_safe         0
rewrite_header Subject ***SPAM***
#razor_timeout      8
skip_rbl_checks     0
use_bayes           1
bayes_auto_learn    0
bayes_auto_expire   0
spf_timeout         5

I hope some amavisd expert can help me.

Regards,

2014-10-13 14:20 GMT-06:00 Jernej Porenta <jernej.porenta at arnes.si>:
> Dear ricky,
>
> what are your levels for tagging spam (below are mine):
> $sa_tag_level_deflt  = -1.0;  # add spam info headers if at, or above that level
> $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
> $sa_tag3_level_deflt = 12; # $sa_tag3_level_deflt = ***BLATANT*SPAM***
> $sa_kill_level_deflt = $sa_tag2_level_deflt;  # triggers spam evasive actions
>
> Your spam levels may change through MySQL policy settings if you have set
> them up. Probably you can check this by looking into policy table of your
> MySQL setup (I don't know your set up, so I am just guessing).
>
> cheers, J.
>
>
> On 12/10/14 03:03, ricky gutierrez wrote:
>>
>> 2014-10-10 23:41 GMT-06:00 Jernej Porenta <jernej.porenta at arnes.si>:
>>>
>>> Hi Rick,
>>>
>>> There could be lots of different settings which can cause this.
>>> Can you share some logs? Maybe you have some policy which overwrites the
>>> final_{spam|virus|banned}_destiny?
>>
>>
>> other settings
>>
>> #$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
>> #  originating => 1,  # declare that mail was submitted by our smtp client
>>    allow_disclaimers => 1,  # enables disclaimer insertion if available
>>    # notify administrator of locally originating malware
>>    virus_admin_maps => ["virusalert\@$mydomain"],
>>    spam_admin_maps  => ["virusalert\@$mydomain"],
>>    warnbadhsender   => 1,
>>    # forward to a smtpd service providing DKIM signing service
>>    forward_method => 'smtp:[127.0.0.1]:10027',
>>    # force MTA conversion to 7-bit (e.g. before DKIM signing)
>>    smtpd_discard_ehlo_keywords => ['8BITMIME'],
>>    bypass_banned_checks_maps => [1],  # allow sending any file names and types
>>    terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
>>
>> };
>>
>>
>>> Do you have spam_lovers_maps set up? Do
>>
>>
>> No
>>
>>> you have your policy settings stored in MySQL and if so, what are they?
>>
>>
>> not that I know, how could I check this?
>>
>>>
>>> cheers, Jernej
>>>
>>
>> log maillog amavisd
>>
>> Oct 11 01:11:29 ns1 amavis[15818]: (15818-09) LMTP:[127.0.0.1]:10024
>> /var/amavis/tmp/amavis-20141010T203759-15818-RuuI9eo3:
>> <s471 at emailserverpakistan.com> ->
>> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>
>> SIZE=3998 BODY=8BITMIME Received: from ns1.domain.org.ni ([127.0.0.1])
>> by localhost (ns1.domain.org.ni [127.0.0.1]) (amavisd-new, port 10024)
>> with LMTP; Sat, 11 Oct 2014 01:11:29 -0600 (CST)
>>
>> Oct 11 01:11:29 ns1 amavis[15818]: (15818-09) Checking: o5w5IGxZRG2M
>> [107.161.190.204] <s471 at emailserverpakistan.com> ->
>> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>
>>
>> Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p003 1 Content-Type:
>> multipart/alternative
>>
>> Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p001 1/1 Content-Type:
>> text/plain, size: 330 B, name:
>>
>> Oct 11 01:11:30 ns1 amavis[15818]: (15818-09) p002 1/2 Content-Type:
>> text/html, size: 2257 B, name:
>>
>> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) spam-tag,
>> <s471 at emailserverpakistan.com> ->
>> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>, Yes,
>> score=13.229 tagged_above=-990 required=5 tests=[BAYES_50=0.8,
>> DATE_IN_PAST_03_06=1.592, DEAR_SOMETHING=1.973,
>> DKIM_ADSP_CUSTOM_MED=0.001, FH_RELAY_NODNS=1.451, FREEMAIL_FROM=0.001,
>> HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MPART_ALT_DIFF=0.79,
>> NML_ADSP_CUSTOM_MED=0.9, RAZOR2_CF_RANGE_51_100=0.5,
>> RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, RDNS_NONE=0.793,
>> URIBL_BLOCKED=0.001] autolearn=disabled
>>
>> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) FWD from
>> <s471 at emailserverpakistan.com> ->
>> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>,BODY=7BIT
>> 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as
>> 4DF0750F0
>>
>>
>> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) Passed SPAMMY
>> {RelayedTaggedInbound}, [107.161.190.204]:51770 [198.49.76.82]
>> <s471 at emailserverpakistan.com> ->
>> <info at domain.org.ni>,<ivania at domain.org.ni>,<spam at domain.org.ni>,
>> Message-ID:
>> <8c87a67b9c45e50c33206315c1e27b87 at server471.emailserverpakistan.com>,
>> mail_id: o5w5IGxZRG2M, Hits: 13.229, size: 3997, queued_as: 4DF0750F0,
>> 1387 ms
>>
>>
>> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) TIMING-SA total 1194 ms
>> - parse: 3 (0.2%), extract_message_metadata: 27 (2.3%), poll_dns_idle:
>> 142 (11.9%), get_uri_detail_list: 3 (0.3%), tests_pri_-1000: 7 (0.6%),
>> tests_pri_-950: 1.14 (0.1%), tests_pri_-900: 1.45 (0.1%),
>> tests_pri_-400: 28 (2.3%), check_bayes: 27 (2.2%), tests_pri_0: 992
>> (83.1%), check_spf: 54 (4.5%), check_razor2: 167 (14.0%), check_pyzor:
>> 199 (16.7%), tests_pri_500: 114 (9.5%), get_report: 1.31 (0.1%)
>>
>> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) size: 3997, TIMING
>> [total 1396 ms] - SMTP greeting: 2 (0%)0, SMTP LHLO: 1 (0%)0, SMTP
>> pre-MAIL: 1 (0%)0, sql-connect: 5 (0%)1, lookup_sql: 1 (0%)1,
>> lookup_sql: 1 (0%)1, lookup_sql: 1 (0%)1, SMTP pre-DATA-flush: 2
>> (0%)1, SMTP DATA: 31 (2%)3, check_init: 0 (0%)3, digest_hdr: 1 (0%)3,
>> digest_body_dkim: 0 (0%)3, gen_mail_id: 4 (0%)3, mime_decode: 12
>> (1%)4, get-file-type2: 52 (4%)8, decompose_part: 1 (0%)8,
>> parts_decode: 0 (0%)8, check_header: 1 (0%)8, AV-scan-1: 13 (1%)9,
>> spam-wb-list: 3 (0%)9, SA msg read: 1 (0%)9, SA parse: 4 (0%)10, SA
>> check: 1186 (85%)95, lookup_sql: 11 (1%)95, penpals_check: 3 (0%)96,
>> decide_mail_destiny: 1 (0%)96, notif-quar: 1 (0%)96, fwd-connect: 33
>> (2%)98, fwd-mail-pip: 7 (0%)99, fwd-rcpt-pip: 0 (0%)99,
>> fwd-data-chkpnt: 0 (0%)99, write-header: 1 (0%)99, fwd-data-contents:
>> 0 (0%)99, fwd-end-chkpnt: 3 (0%)99, prepare-dsn: 1 (0%)99,
>> main_log_entry: 6 (0%)99, sql-update: 3 (0%)100, update_snmp: 3
>> (0%)100, SMTP pre-response: 0 (0%)100,...
>>
>> Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) ... SMTP response: 1
>> (0%)100, unlink-3-files: 0 (0%)100, rundown: 1 (0%)100
>>
>> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) NOTICE: reconnecting in
>> response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL
>> server has gone away at (eval 106) line 172.
>>
>> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) LMTP:[127.0.0.1]:10024
>> /var/amavis/tmp/amavis-20141010T203759-15847-DdGNH8Ta:
>> <noticias at winkalmail.com> ->
>> <ivania at domain.org.ni>,<spam at domain.org.ni> SIZE=44452 BODY=8BITMIME
>> Received: from ns1.domain.org.ni ([127.0.0.1]) by localhost
>> (ns1.domain.org.ni [127.0.0.1]) (amavisd-new, port 10024) with LMTP;
>> Sat, 11 Oct 2014 01:34:52 -0600 (CST)
>>
>> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) dkim: FAILED
>> Author+Sender+MailFrom signature by d=winkalmail.com, From:
>> <noticias at winkalmail.com>, a=rsa-sha1, c=relaxed/simple, s=dk1,
>> i=@winkalmail.com,
>>
>> m.list(ml:http://tk.winkal.com/web/fnbox/lu/OHwkCQer-vSNssG9tXTkgSSo7C3QLzTsOW0vMyuHKkip-oEIDCFOqhvGnJXWp8mg87hW2w0zPVZJPmJLbo_eNwwpeV1nUzXaYp6T0XTUEJ8NqLUyw6d3l5ar2mWek9AcLc39oEFTV4RjybVwsoAjxDhQz1bMGTAumzHtn2Lbp7DhdLGvSj_9XfLkpdVMvLsQpwvL439Ar1do-w-KSJghOiQ.),
>> fail (body has been altered)
>>
>> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) Checking: XbjdOmTZoyKt
>> [208.74.29.94] <noticias at winkalmail.com> ->
>> <ivania at domain.org.ni>,<spam at domain.org.ni>
>>
>> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) p001 1 Content-Type:
>> text/html, size: 42896 B, name:
>>
>> Oct 11 01:34:52 ns1 amavis[15847]: (15847-09) check_header: 7, Missing
>> required header field: "Date"
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) header_edits_for_quar:
>> <noticias at winkalmail.com> ->
>> <ivania at domain.org.ni>,<spam at domain.org.ni>, Yes, score=6.577 tag=-990
>> tag2=5 kill=15 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1,
>> HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
>> MISSING_DATE=1.36, MISSING_MID=0.497, SPF_HELO_PASS=-0.001,
>> SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_REMOTE_IMAGE=0.01,
>> URIBL_BLOCKED=0.001] autolearn=disabled
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) local delivery: <> ->
>> bad-header-quarantine, mbx=/var/virusmails/badh-XbjdOmTZoyKt
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) spam-tag,
>> <noticias at winkalmail.com> ->
>> <ivania at domain.org.ni>,<spam at domain.org.ni>, Yes, score=6.577
>> tagged_above=-990 required=5 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1,
>> HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
>> MISSING_DATE=1.36, MISSING_MID=0.497, SPF_HELO_PASS=-0.001,
>> SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_REMOTE_IMAGE=0.01,
>> URIBL_BLOCKED=0.001] autolearn=disabled
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) FWD from <noticias at winkalmail.com> ->
>> <ivania at domain.org.ni>,<spam at domain.org.ni>,BODY=8BITMIME 250 2.0.0
>> from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BB8B950F0
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) Passed SPAMMY
>> {RelayedTaggedInbound,Quarantined}, [208.74.29.94]:63845
>> [208.74.29.94] <noticias at winkalmail.com> ->
>> <ivania at domain.org.ni>,<spam at domain.org.ni>, quarantine:
>> badh-XbjdOmTZoyKt, mail_id: XbjdOmTZoyKt, Hits: 6.577, size: 44434,
>> queued_as: BB8B950F0, 1409 ms
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) TIMING-SA total 1094 ms
>> - parse: 4 (0.4%), extract_message_metadata: 51 (4.7%), poll_dns_idle:
>> 167 (15.3%), get_uri_detail_list: 10 (0.9%), tests_pri_-1000: 18
>> (1.6%), tests_pri_-950: 1.12 (0.1%), tests_pri_-900: 1.22 (0.1%),
>> tests_pri_-400: 59 (5.4%), check_bayes: 57 (5.2%), tests_pri_0: 934
>> (85.4%), check_dkim_adsp: 5 (0.4%), check_spf: 193 (17.7%),
>> check_razor2: 236 (21.6%), check_pyzor: 193 (17.7%), tests_pri_500: 6
>> (0.6%), get_report: 1.00 (0.1%)
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) size: 44434, TIMING
>> [total 1416 ms] - SMTP greeting: 1 (0%)0, SMTP LHLO: 1 (0%)0, SMTP
>> pre-MAIL: 1 (0%)0, sql-connect: 3 (0%)0, lookup_sql: 0 (0%)0,
>> lookup_sql: 1 (0%)0, SMTP pre-DATA-flush: 1 (0%)1, SMTP DATA: 36
>> (3%)3, check_init: 1 (0%)3, digest_hdr: 2 (0%)3, digest_body_dkim: 73
>> (5%)8, gen_mail_id: 5 (0%)9, mime_decode: 7 (1%)9, get-file-type1: 56
>> (4%)13, parts_decode: 0 (0%)13, check_header: 2 (0%)13, AV-scan-1: 18
>> (1%)15, spam-wb-list: 1 (0%)15, SA msg read: 1 (0%)15, SA parse: 6
>> (0%)15, SA check: 1084 (77%)92, lookup_sql: 11 (1%)93, penpals_check:
>> 2 (0%)93, decide_mail_destiny: 1 (0%)93, notif-quar: 1 (0%)93,
>> quar-hdrs: 3 (0%)93, stat-mbx: 2 (0%)93, open-mbx: 0 (0%)93,
>> write-header: 0 (0%)93, save-to-local-mailbox: 0 (0%)93, fwd-connect:
>> 31 (2%)96, fwd-mail-pip: 6 (0%)96, fwd-rcpt-pip: 0 (0%)96,
>> fwd-data-chkpnt: 0 (0%)96, write-header: 1 (0%)96, fwd-data-contents:
>> 1 (0%)96, fwd-end-chkpnt: 43 (3%)99, prepare-dsn: 1 (0%)99,
>> main_log_entry: 6 (0%)...
>>
>> Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) ...100, sql-update: 2
>> (0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 0 (0%)100, SMTP
>> response: 1 (0%)100, unlink-2-files: 0 (0%)100, rundown: 1 (0%)100
>>
>> Oct 11 01:42:43 ns1 amavis[15818]: (15818-10) LMTP:[127.0.0.1]:10024
>> /var/amavis/tmp/amavis-20141010T203759-15818-RuuI9eo3:
>> <no-reply at netvigator.com> ->
>> <martha at domain.org.ni>,<spam at domain.org.ni> SIZE=481267 Received: from
>> ns1.domain.org.ni ([127.0.0.1]) by localhost (ns1.domain.org.ni
>> [127.0.0.1]) (amavisd-new, port 10024) with LMTP; Sat, 11 Oct 2014
>> 01:42:43 -0600 (CST)
>>
>>
>>
>



-- 
rickygm

http://gnuforever.homelinux.com
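The quoted log excerpts already contain the answer to Jernej's question about overridden levels, and the check below makes it mechanical. It is an added example written for this thread, not code from the original post or from amavisd-new. It parses amavisd's "header_edits_for_quar" and "Passed/Blocked" log lines and reports the kill level that was actually applied per task. SAMPLE_LOG is a constructed, condensed copy of the lines quoted above (tests= lists shortened, the archive's " at " written as "@"); CONFIGURED_KILL_LEVEL is the 5.9 from the quoted amavisd.conf. Note that $sa_kill_level_deflt is only a default: a per-recipient spam_kill_level from the SQL policy table (reached through @lookup_sql_dsn) or a policy bank setting overrides it.

```python
"""Recover the kill level amavisd really applied from its log lines.

Added example for this thread; not part of amavisd-new.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The kill level from the amavisd.conf fragment quoted in this thread.
CONFIGURED_KILL_LEVEL = 5.9

# Constructed sample: condensed from the log lines quoted in this thread
# (tests= lists shortened, " at " written as "@").
SAMPLE_LOG = """\
Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) spam-tag, <s471@emailserverpakistan.com> -> <info@domain.org.ni>, Yes, score=13.229 tagged_above=-990 required=5 tests=[BAYES_50=0.8,DEAR_SOMETHING=1.973] autolearn=disabled
Oct 11 01:11:31 ns1 amavis[15818]: (15818-09) Passed SPAMMY {RelayedTaggedInbound}, [107.161.190.204]:51770 [198.49.76.82] <s471@emailserverpakistan.com> -> <info@domain.org.ni>, mail_id: o5w5IGxZRG2M, Hits: 13.229, size: 3997, queued_as: 4DF0750F0, 1387 ms
Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) header_edits_for_quar: <noticias@winkalmail.com> -> <ivania@domain.org.ni>, Yes, score=6.577 tag=-990 tag2=5 kill=15 tests=[BAYES_99=3.5,MISSING_DATE=1.36] autolearn=disabled
Oct 11 01:34:53 ns1 amavis[15847]: (15847-09) Passed SPAMMY {RelayedTaggedInbound,Quarantined}, [208.74.29.94]:63845 [208.74.29.94] <noticias@winkalmail.com> -> <ivania@domain.org.ni>, quarantine: badh-XbjdOmTZoyKt, mail_id: XbjdOmTZoyKt, Hits: 6.577, size: 44434, queued_as: BB8B950F0, 1409 ms
"""

# "(pid-seq)" task id that ties the lines of one message together.
TASK_RE = re.compile(r"\((?P<task>\d+-\d+)\)\s+(?P<body>.*)$")
# Per-recipient levels as logged by header_edits_for_quar: "tag=... tag2=... kill=...".
KILL_RE = re.compile(r"\bkill=(?P<kill>-?\d+(?:\.\d+)?)")
# Final verdict line. Lines with "Hits: -" (SA not run) do not match and are skipped.
VERDICT_RE = re.compile(
    r"(?P<action>Passed|Blocked) (?P<cc>[A-Z-]+) \{(?P<flags>[^}]*)\}"
    r".*?\bHits: (?P<hits>-?\d+(?:\.\d+)?)"
    r"(?:.*?\bqueued_as: (?P<queue>\w+))?"
)


@dataclass
class Verdict:
    task: str
    action: str                      # Passed / Blocked
    category: str                    # SPAMMY: tag2 <= Hits < kill; SPAM: Hits >= kill
    hits: float
    effective_kill: Optional[float]  # kill= from header_edits_for_quar, when logged
    queued_as: Optional[str]         # MTA queue id when the message was handed on


def parse_amavis_log(text: str) -> List[Verdict]:
    """Pair each task's logged kill level with its final verdict line."""
    kill_by_task = {}
    verdicts = []
    for line in text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue
        task, body = m.group("task"), m.group("body")
        km = KILL_RE.search(body)
        if km:
            kill_by_task[task] = float(km.group("kill"))
        vm = VERDICT_RE.search(body)
        if vm:
            verdicts.append(Verdict(
                task=task,
                action=vm.group("action"),
                category=vm.group("cc"),
                hits=float(vm.group("hits")),
                effective_kill=kill_by_task.get(task),
                queued_as=vm.group("queue"),
            ))
    return verdicts


def delivered_above_kill(verdicts, kill_level=CONFIGURED_KILL_LEVEL):
    """Messages handed to the MTA although they scored at/above the kill level
    you believe is configured: each one proves a different level was in force."""
    return [v for v in verdicts if v.action == "Passed" and v.hits >= kill_level]


def kill_level_lower_bound(verdicts):
    """'Passed SPAMMY' is only logged while Hits < kill, so the highest SPAMMY
    score is a strict lower bound on the kill level amavisd actually used."""
    spammy = [v.hits for v in verdicts if v.category == "SPAMMY"]
    return max(spammy) if spammy else None


if __name__ == "__main__":
    vs = parse_amavis_log(SAMPLE_LOG)
    for v in delivered_above_kill(vs):
        print(f"{v.task}: Passed {v.category} with Hits {v.hits} >= "
              f"{CONFIGURED_KILL_LEVEL} (logged kill={v.effective_kill}), "
              f"queued as {v.queued_as}")
    print("effective kill level must be above", kill_level_lower_bound(vs))
```

Run against the sample, both messages come out as delivered above 5.9: the first was logged "Passed SPAMMY" at Hits 13.229, which is only possible if the kill level in force was above 13.229, and the second's header_edits_for_quar line states kill=15 outright. So the 5.9 in amavisd.conf is not what is being applied; with @lookup_sql_dsn configured, the place to look is the spam_kill_level (and spam_tag2_level) column of the policy row that the recipient's users entry points to.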

