R: R: R: R: R: Message quarantined as SPAM

Scappatura Rocco Rocco.Scappatura at infracom.it
Wed Jul 19 13:56:23 CEST 2017


Hello.

Even after the changes made to the amavis configuration, I still notice that some messages have been blocked as SPAM. For example:

Jul 18 12:04:55 zzz amavis[18242]: (18242-14) Blocked SPAM {DiscardedInbound,Quarantined}, [195.245.231.137]:39849 [193.67.127.189] <orderfleet at example.org> -> <iagrossi at example.net>, quarantine: B/spam-BknEtFAN2Yh1.gz, Queue-ID: 31099D5C4B, Message-ID: <OF2B08DA46.86F90238-ON80258161.003760D6 at leaseplancorp.net>, mail_id: BknEtFAN2Yh1, Hits: 7.946, size: 170434, 551 ms

while the score I get while testing the messages is much lower than $sa_tag2_level_deflt (1.9 < 6.31):

Content analysis details:   (1.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [195.245.231.137 listed in list.dnswl.org]
-2.8 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [195.245.231.137 listed in wl.mailspike.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 MISSING_MIME_HB_SEP    BODY: Missing blank line between MIME header and
                            body
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 1.5 BASE64_LENGTH_79_INF   BODY: base64 encoded email part uses line length
                             greater than 79 characters
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 T_REMOTE_IMAGE         Message contains an external image
 2.0 TO_NO_BRKTS_HTML_IMG   To: lacks brackets and HTML and one image

Where is the problem? Why is the message tagged as SPAM and quarantined?

Regards,

RS

> -----Original Message-----
> From: amavis-users [mailto:amavis-users-
> bounces+rocco.scappatura=infracom.it at amavis.org] On behalf of Scappatura
> Rocco
> Sent: Thursday, 29 June 2017 15:32
> To: 'amavis-users at amavis.org' <amavis-users at amavis.org>
> Subject: R: R: R: R: R: Message quarantined as SPAM
> 
> Hello.
> 
> Is it correct what I stated in my email? Could someone take a look below and
> give me an answer to each of my questions?
> 
> Regards,
> 
> RS
> 
> > -----Original Message-----
> > From: amavis-users [mailto:amavis-users-
> > bounces+rocco.scappatura=infracom.it at amavis.org] On behalf of
> > Scappatura Rocco
> > Sent: Wednesday, 28 June 2017 09:34
> > To: 'amavis-users at amavis.org' <amavis-users at amavis.org>
> > Subject: R: R: R: R: R: Message quarantined as SPAM
> >
> > Hello.
> >
> > I easily constructed files:
> >
> > /etc/postfix/relay_domains
> > /etc/postfix/mynetworks.cidr
> >
> > Then I set:
> >
> > @local_domains_acl = (
> >   ".$mydomain" ,
> >   read_hash('/etc/postfix/relay_domains')
> > );
> >
> > @local_domains_maps = @local_domains_acl;
> >
> > In amavis log now I see a different tag ({RelayedInbound}):
> >
> > Jun 28 09:24:05 av8 amavis[21699]: (21699-15) Passed CLEAN
> > {RelayedInbound}, [xxx.yyy.zzz.uuu]:40882 [xxx.yyy.zzz.uuu]
> > <aaa at example.com> -> <bbb at example.org>, Queue-ID: 0C98ED61C4,
> > Message-ID: <8386362.10890651498634643768.JavaMail.www-data at v080>,
> > mail_id: 0g9XxEmqcNPj, Hits: 2.2, size: 9179, queued_as: 7DAA4D61CA,
> > 453 ms
> >
> > Even in the case where neither example.com nor example.org is a local domain.
> >
> > What did the change I made really imply?
> >
> > For @mynetworks, instead, I have not yet set:
> >
> > @mynetworks = @{ read_cidr('/etc/postfix/mynetworks.cidr') };
> >
> > Because at the moment I have:
> >
> > @mynetworks = qw( 127.0.0.0/8);
> >
> > and:
> >
> > $policy_bank{'MYNETS'} = {  # clients in @mynetworks
> >   bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
> >   bypass_banned_checks_maps => [1],  # don't banned-check internal mail
> >   bypass_header_checks_maps => [1],  # don't header-check internal mail
> > };
> >
> > So I fear that the change you suggested to me avoids the SPAM scan
> > for ALL mail departing from my real networks.
> >
> > Is my fear justified?
> >
> > Regards,
> >
> > RS
> >
> >
> > > -----Original Message-----
> > > From: amavis-users [mailto:amavis-users-
> > > bounces+rocco.scappatura=infracom.it at amavis.org] On behalf of
> > > Patrick Ben Koetter
> > > Sent: Tuesday, 27 June 2017 15:37
> > > To: amavis-users at amavis.org
> > > Subject: Re: R: R: R: R: Message quarantined as SPAM
> > >
> > > * Scappatura Rocco <Rocco.Scappatura at infracom.it>:
> > > > Hello.
> > > >
> > > > Maybe it is the line:
> > > >
> > > > 50-user:$spam_quarantine_to         = 'spam-quarantine';
> > > >
> > > > that has enabled quarantine..
> > >
> > > Quite likely this line enables quarantine. In case you want to disable it:
> > >
> > > $spam_quarantine_to = undef;
> > >
> > >
> > > > Moreover, I have the list of 'mynetworks' defined in a mysql DB used by
> > > > postfix, through the following query:
> > > >
> > > > select action from access where inet_aton(ip) & inet_aton(mask) =
> > > > inet_aton('%s') & inet_aton(mask) order by mask DESC limit 0,1;
> > > >
> > > > Similarly, I have the list of local domains defined in a mysql DB used by
> > > > postfix, through the following query:
> > > >
> > > > select domain from domain where domain='%s' and active='1';
> > > >
> > > > How can I safely import these lists into amavis?
> > >
> > > If they change frequently, add a trigger to MySQL that dumps the
> > > results to tables. If they change only once in a while, create a
> > > script that does the same.
> > >
> > > Then import the lists into amavis, using the read_* methods. For example:
> > >
> > > @local_domains_maps = (
> > >     ".$mydomain",
> > >     read_hash('/etc/postfix/relay_domains')
> > > );
> > >
> > > Or for networks:
> > >
> > > @mynetworks = @{ read_cidr('/etc/postfix/mynetworks.cidr') };
> > >
> > > See the RELEASE-NOTES for more information.
> > >
> > > p at rick
> > >
> > >
> > >
> > >
> > >
> > > >
> > > > Regards,
> > > >
> > > > RS
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: amavis-users [mailto:amavis-users-
> > > > > bounces+rocco.scappatura=infracom.it at amavis.org] On behalf of
> > > > > Patrick Ben Koetter
> > > > > Sent: Tuesday, 27 June 2017 15:16
> > > > > To: amavis-users at amavis.org
> > > > > Subject: Re: R: R: R: Message quarantined as SPAM
> > > > >
> > > > > * Scappatura Rocco <Rocco.Scappatura at infracom.it>:
> > > > > > Hello.
> > > > > >
> > > > > > Here is everything you asked for:
> > > > > >
> > > > > > 1) @bypass_spam_checks_maps:
> > > > > >
> > > > > > 15-content_filter_mode:@bypass_spam_checks_maps = (
> > > > > >    \%bypass_spam_checks, \@bypass_spam_checks_acl,
> > > > > > \$bypass_spam_checks_re);
> > > > > >
> > > > > > @spam_tag_level_maps =
> > > > > >         ({
> > > > > > #        'yyy at example.org' => 1.5,
> > > > > >         '.' => 5.0,
> > > > > >         });
> > > > > >
> > > > > > @spam_tag2_level_maps =
> > > > > >         ({
> > > > > > #        ' yyy at example.org ' => 2.0,
> > > > > >         '.' => 6.31,
> > > > > >         });
> > > > > >
> > > > > > @spam_kill_level_maps =
> > > > > >         ({
> > > > > > #        ' yyy at example.org ' => 2.0,
> > > > > >         '.' => 6.31,
> > > > > >         });
> > > > > >
> > > > > > 2) $final_spam_destiny:
> > > > > >
> > > > > > 20-debian_defaults:$final_spam_destiny       = D_DISCARD;
> > > > > > 50-user:$final_spam_destiny       = D_DISCARD;
> > > > > >
> > > > > > 3) $spam_quarantine_method:
> > > > > >
> > > > > > 50-user:#$spam_quarantine_method         = 'sql:';
> > > > >
> > > > >
> > > > > You have disabled quarantine in 50-user, but it is enabled
> > > > > somewhere else. It delivers messages to a file-based quarantine,
> > > > > as your original LOG shows:
> > > > >
> > > > > Jun 22 11:45:48 av8 amavis[22610]: (22610-11) Blocked SPAM
> > > > > {DiscardedOpenRelay,Quarantined}, [xxx.yyy.zzz.uuu]:50412
> > > > > [xxx.yyy.zzz.uuu] <aaa at example.com> -> <bbb at mydomain>,
> > > > > quarantine: z/spam-zRJd9Wo5250M.gz, Queue-ID: 8647AD5DBA, Message-ID:
> > > > > <776AB7C587CC457C95FF35582FC9F0E1 at AutoRPZ.local>, mail_id:
> > > > > zRJd9Wo5250M, Hits: 6.793, size: 77514, 364 ms
> > > > >
> > > > > The message has been saved to $QUARANTINE/z/spam-zRJd9Wo5250M.gz.
> > > > >
> > > > >
> > > > > In order to find out why the message has a different score you
> > > > > need to set @local_domains_maps correctly, or amavis will not
> > > > > add the header to the message.
> > > > >
> > > > > Add these to 50-user, once you have set up @local_domains_maps,
> > > > > and amavis will document the rules SA used and how they scored:
> > > > >
> > > > > $allowed_added_header_fields{lc('X-Spam-Status')} = 1;
> > > > > $allowed_added_header_fields{lc('X-Spam-Report')} = 1;
> > > > >
> > > > > p at rick
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > >
> > > > > > 4) $sa_local_tests_only:
> > > > > >
> > > > > > 20-debian_defaults:$sa_local_tests_only = 0;    # only tests which do not require internet access?
> > > > > > 50-user:$sa_local_tests_only = 1;    # only tests which do not require internet access?
> > > > > >
> > > > > > 5) $sa_tag_level_deflt:
> > > > > > 20-debian_defaults:$sa_tag_level_deflt  = 2.0;  # add spam
> > > > > > info headers if at, or above that level
> > > > > >
> > > > > > 6) $sa_tag2_level_deflt:
> > > > > > 20-debian_defaults:$sa_tag2_level_deflt = 6.31;
> > > > > >
> > > > > > @spam_tag2_level_maps = ({
> > > > > > },
> > > > > > \$sa_tag2_level_deflt,
> > > > > > );
> > > > > >
> > > > > > 7) $sa_dsn_cutoff_level:
> > > > > > 20-debian_defaults:$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
> > > > > >
> > > > > > 8) $sa_crediblefrom_dsn_cutoff_level:
> > > > > >
> > > > > > NOT DEFINED
> > > > > >
> > > > > > Moreover I have set:
> > > > > >
> > > > > > @spam_lovers_maps = ({
> > > > > >   '.example.net'     => 1, # this domain and its subdomains
> > > > > > });
> > > > > >
> > > > > > @spam_kill_level_maps = ({
> > > > > >   '.example.net'     => 9999,
> > > > > > },
> > > > > > \$sa_kill_level_deflt,
> > > > > > );
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > RS
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: amavis-users [mailto:amavis-users-
> > > > > > > bounces+rocco.scappatura=infracom.it at amavis.org] On behalf of
> > > > > > > Patrick Ben Koetter
> > > > > > > Sent: Tuesday, 27 June 2017 14:01
> > > > > > > To: amavis-users at amavis.org
> > > > > > > Subject: Re: R: R: Message quarantined as SPAM
> > > > > > >
> > > > > > > * Scappatura Rocco <Rocco.Scappatura at infracom.it>:
> > > > > > > > Thank you Patrick.
> > > > > > > >
> > > > > > > > What configuration do you need, in particular?
> > > > > > >
> > > > > > > Let's start with this and the LOG that shows the incident you
> > > > > > > need to research:
> > > > > > >
> > > > > > > @bypass_spam_checks_maps
> > > > > > > $final_spam_destiny
> > > > > > > $spam_quarantine_method
> > > > > > > $sa_local_tests_only
> > > > > > > $sa_tag_level_deflt
> > > > > > > $sa_tag2_level_deflt
> > > > > > > $sa_dsn_cutoff_level
> > > > > > > $sa_crediblefrom_dsn_cutoff_level
> > > > > > >
> > > > > > > p at rick
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > [*] sys4 AG
> > > > > > >
> > > > > > > https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße
> > > > > > > 26/MG,80333 München
> > > > > > >
> > > > > > > Registered office: Munich, Munich District Court: HRB 199263
> > > > > > > Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> > > > > > > Chairman of the supervisory board: Florian Kirstein
> > > > > > >
> > > > >
> > > > >
> > >
> > >

