Amavisd spam score low
Will Hall
lists at gnatter.net
Thu Aug 31 09:19:25 CEST 2017
Hi all,
I have a question that has been asked a number of times before, but I
can't find any definitive resolution. Following a recent 3rd party data
breach, my primary email address is now in the hands of spammers and I
am being swamped with the damn stuff, which is coming in under
sa_kill_level_deflt.
But in test mode using spamassassin -t the score is far higher.
A real example is as follows.
Original email:
X-Virus-Scanned: amavisd-new at <mydomain>
X-Spam-Flag: NO
X-Spam-Score: 1.592
X-Spam-Level: *
X-Spam-Status: No, score=1.592 tagged_above=1 required=4
tests=[BAYES_50=0.8,
RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from <myhostname> ([127.0.0.1])
by localhost (<myhostname> [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id WKZ38Oeo8gIw for <myemail>;
Thu, 31 Aug 2017 02:03:42 +0100 (BST)
Received: from taxord.club (unknown [185.80.227.10])
by <myhostname> (Postfix) with ESMTP id 1670E5F53
for <myemail>; Thu, 31 Aug 2017 02:03:42 +0100 (BST)
If I resend this to myself the score is a little higher (looks like
URIBL_ABUSE_SURBL has changed)
X-Spam-Flag: NO
X-Spam-Score: 3.551
X-Spam-Level: ***
X-Spam-Status: No, score=3.551 tagged_above=1 required=4
tests=[ALL_TRUSTED=-1, BAYES_50=0.8, URIBL_ABUSE_SURBL=1.25,
URIBL_BLOCKED=0.001, URIBL_DBL_SPAM=2.5]
autolearn=no autolearn_force=no
But if I use spamassassin -t, I get a score of 10.8
Content analysis details: (10.8 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: taxord.club]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                            for more information.
                            [URIs: taxord.club]
 1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [185.80.227.10 listed in bb.barracudacentral.org]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: taxord.club]
 0.0 TVD_RCVD_SPACE_BRACKET No description available.
 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                            [185.80.227.10 listed in zen.spamhaus.org]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.5 BAYES_60               BODY: Bayes spam probability is 60 to 80%
                            [score: 0.6509]
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
For some reason the bayesian score is different - BAYES_50=0.8 for
amavisd, BAYES_60=1.5 for spamassassin.
I have the bayesian data in mysql, and both amavisd and spamassassin
seem to access this correctly:
amavisd -c /etc/amavisd/amavisd.conf debug-sa 2>&1 | grep bayes
dbg: config: fixed relative path: /var/lib/spamassassin/3.004000/updates_spamassassin_org/23_bayes.cf
dbg: config: using "/var/lib/spamassassin/3.004000/updates_spamassassin_org/23_bayes.cf" for included file
dbg: config: read file /var/lib/spamassassin/3.004000/updates_spamassassin_org/23_bayes.cf
dbg: bayes: learner_new self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x666ea58), bayes_store_module=Mail::SpamAssassin::BayesStore::SQL
dbg: bayes: using username: amavis
dbg: bayes: learner_new: got store=Mail::SpamAssassin::BayesStore::SQL=HASH(0x6a6db08)
dbg: bayes: database connection established
dbg: bayes: found bayes db version 3
dbg: bayes: Using userid: 7

spamassassin -D --lint 2>&1 | grep bayes
dbg: config: fixed relative path: /var/lib/spamassassin/3.004000/updates_spamassassin_org/23_bayes.cf
dbg: config: using "/var/lib/spamassassin/3.004000/updates_spamassassin_org/23_bayes.cf" for included file
dbg: config: read file /var/lib/spamassassin/3.004000/updates_spamassassin_org/23_bayes.cf
dbg: bayes: learner_new self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x3a95d58), bayes_store_module=Mail::SpamAssassin::BayesStore::SQL
dbg: bayes: using username: amavis
dbg: bayes: learner_new: got store=Mail::SpamAssassin::BayesStore::SQL=HASH(0x4224940)
dbg: bayes: database connection established
dbg: bayes: found bayes db version 3
dbg: bayes: Using userid: 7
dbg: bayes: corpus size: nspam = 52984, nham = 737939
dbg: bayes: tok_get_all: token count: 20
dbg: bayes: score = 0.458708402467354
/etc/amavisd/amavisd.conf (slightly edited)
$max_servers = 2;
$daemon_user = 'amavis';
$daemon_group = 'amavis';
$mydomain = '<mydomain>';
$MYHOME = '/var/spool/amavisd';
$TEMPBASE = "$MYHOME/tmp";
$ENV{TMPDIR} = $TEMPBASE;
$QUARANTINEDIR = "/var/spool/amavisd/quarantine";
$db_home = "$MYHOME/db";
$lock_file = "/var/run/amavisd/amavisd.lock";
$pid_file = "/var/run/amavisd/amavisd.pid";
$log_level = 2;
$log_recip_templ = undef;
$do_syslog = 1;
$syslog_facility = 'mail';
$enable_db = 1;
$nanny_details_level = 2;
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
@local_domains_maps = undef;
@mynetworks = qw( 127.0.0.0/8);
$unix_socketname = "/var/run/amavisd/amavisd.sock";
$inet_socket_port = 10024;
@client_ipaddr_policy = ([qw( 0.0.0.0/8 [::] 127.0.0.0/8 [::1] )] =>
'TRUSTED',\@mynetworks => 'MYNETS',);
$policy_bank{'TRUSTED'} = {
bypass_spam_checks_maps => [1],
bypass_banned_checks_maps => [1],
bypass_header_checks_maps => [1],
};
$policy_bank{'MYNETS'} = {
originating => 1,
os_fingerprint_method => undef,
};
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
originating => 1,
allow_disclaimers => 1,
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["spamalert\@$mydomain"],
warnbadhsender => 1,
forward_method => 'smtp:[127.0.0.1]:10027',
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1],
terminate_dsn_on_notify_success => 0,
};
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
$policy_bank{'AM.PDP-SOCK'} = {...};
$sa_tag_level_deflt = 1.0;
$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = 4.5;
$sa_dsn_cutoff_level = 10;
$sa_crediblefrom_dsn_cutoff_level = 18;
$sa_quarantine_cutoff_level = 25;
$penpals_bonus_score = 8;
$penpals_threshold_high = $sa_kill_level_deflt;
$bounce_killer_score = 100;
$sa_mail_body_size_limit = 400*1024;
$sa_local_tests_only = 0;
@lookup_sql_dsn = (
['DBI:mysql:database=postfix;host=127.0.0.1;port=3306', 'postfix',
'<password>']);
$sql_select_policy = 'SELECT "Y" as local FROM domains WHERE virtual=1
AND CONCAT("@",name) IN (%k)';
$virus_admin = "virusalert\@$mydomain";
$spam_admin = "spamalert\@$mydomain";
$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = '';
@addr_extension_virus_maps = ('virus');
@addr_extension_banned_maps = ('banned');
@addr_extension_spam_maps = ('spam');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 3000;
$MIN_EXPANSION_QUOTA = 100*1024;
$MAX_EXPANSION_QUOTA = 500*1024*1024;
$sa_spam_subject_tag = '***Spam*** ';
$defang_virus = 1;
$defang_banned = 1;
$defang_by_ccat{CC_BADH.",3"} = 1;
$defang_by_ccat{CC_BADH.",5"} = 1;
$defang_by_ccat{CC_BADH.",6"} = 1;
$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
$myhostname = '<myhostname>';
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_BOUNCE;
@keep_decoded_original_maps = (new_RE(
$banned_filename_re = new_RE(
@score_sender_maps = ({...});
@decoders = ({...});
@av_scanners = (...);
@av_scanners_backup = (...);
/etc/mail/spamassassin/local.cf
required_hits 4
report_safe 0
rewrite_header Subject [SPAM]
use_bayes 1
use_razor2 1
# trusted_networks 127.0.0.1 (not sure what this should be, the MTA is localhost)
# internal_networks !0/0
# Per-User in MySQL
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:bayesian:localhost
bayes_sql_username amavis
bayes_sql_password <password>
bayes_sql_override_username amavis
Any help in understanding why there is such a score discrepancy would be
highly appreciated.
Thanks
Will
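
Added example (not part of the original post, and not code from amavisd or SpamAssassin): one way to line up the two results quoted above is to parse the tests=[...] list from the amavisd-written X-Spam-Status header and the rule rows from the spamassassin -t report, then list the rules that fired on only one side. The inputs are constructed from the values quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed inputs: the X-Spam-Status value and report rows quoted in the post.
AMAVIS_STATUS = (
    "No, score=1.592 tagged_above=1 required=4 tests=[BAYES_50=0.8, "
    "RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, "
    "URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no"
)
SA_REPORT = """\
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: taxord.club]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
 0.0 TVD_RCVD_SPACE_BRACKET No description available.
 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.5 BAYES_60               BODY: Bayes spam probability is 60 to 80%
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
"""
REPORT_ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

def parse_status(value):
    """{rule: score} from the tests=[...] list of an X-Spam-Status value."""
    m = re.search(r"tests=\[([^\]]*)\]", value)
    rules = {}
    for item in (m.group(1).split(",") if m else []):
        name, _, score = item.strip().partition("=")
        if name:
            rules[name] = float(score) if score else 0.0
    return rules

def parse_report(text):
    """{rule: score} from 'spamassassin -t' rows; continuation lines are skipped."""
    rows = (REPORT_ROW.match(line) for line in text.splitlines())
    return {m.group(2): float(m.group(1)) for m in rows if m}

def compare(amavis, cli):
    """Rules seen by only one side, and the score gap those rules account for."""
    only_amavis = {r: s for r, s in amavis.items() if r not in cli}
    only_cli = {r: s for r, s in cli.items() if r not in amavis}
    gap = round(sum(only_cli.values()) - sum(only_amavis.values()), 3)
    return only_amavis, only_cli, gap

if __name__ == "__main__":
    only_amavis, only_cli, gap = compare(parse_status(AMAVIS_STATUS),
                                         parse_report(SA_REPORT))
    print("only under amavisd:        ", sorted(only_amavis))
    print("only under spamassassin -t:", sorted(only_cli))
    print("score gap from those rules:", gap)
```

On the quoted data, the rules seen only by spamassassin -t include the two relay-IP DNSBL hits (RCVD_IN_SBL_CSS, RCVD_IN_BRBL_LASTEXT) and both scoring URIBL hits, which together account for most of the gap.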