Relayed outbound spam checking

Dusan Obradovic dusan at euracks.net
Fri Jul 27 01:14:09 CEST 2018 

> On Jul 25, 2018, at 12:50, Simon Wilson <simon at simonandkate.net> wrote:
> 
> Quoting Simon Wilson <simon at simonandkate.net>:
> 
>> Hi list, wondering if I can get some help with the below.
>> 
>> I have run a small Postfix mail server for many years, with amavisd and spamassassin. We have about 10 users, 95% of the time using only Horde Webmail as the interface to send mail.
>> 
>> The server is set to only allow mail send through port 587, and only for authenticated users. This auth is generally only through the Horde server on the same subnet, but I do have a requirement for port 587 to be externally accessible for direct (non-Horde) submission.
>> 
>> I had outbound mail not spam scanning, but got stung when one of our users had their email/password on a cracked list, and the server spent 24 hours relaying authenticated email that was spam. Ouch.
>> 
>> Immediate fix was to change the user's password, stopped the problem, but I want to prevent similar happening again. I enabled spam scanning on outbound (commented out bypass_spam_checks_maps   => [1] in the policy ban), with Amavisd set to kill level 6.2... BUT one of my users is in Ecuador, on the end of a dodgy internet connection with a dodgy ISP, and his outbound email starting getting dropped, as coming through Horde shows the path from the web client in use, and SA scanning was penalising based on his location:
>> 
>> Content analysis details:   (8.5 points, 6.2 required)
>> 
>> pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> 3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>>                            [190.131.127.84 listed in zen.spamhaus.org]
>> 1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
>>                            [190.131.127.84 listed in bb.barracudacentral.org]
>> 0.0 HTML_MESSAGE           BODY: HTML included in message
>> 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>>                            [score: 0.4956]
>> 1.0 RDNS_DYNAMIC           Delivered to internal network by host with
>>                            dynamic-looking rDNS
>> 2.0 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
>>                            1)
>> 
>> I have set kill level to 10 to let his through but that is obviously not helping with the original issue... and with it set to 10 kill level I do not get notified.
>> 
>> I want to be notified for ONE policy bank, if a user sends a SPAMMY mail (say hits from 2.5 to 10) but let the mail through; but kill_level 10 for SPAM. That way I can let email from Ecuador client through, but still be notified if anyone else starts sending mail above 2.5 (none of the rest of my outgoing is ever above 2.5).
>> 
>> Policy bank that applies is currently:
>> 
>> $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
>>  originating => 1,  # declare that mail was submitted by our smtp client
>>  allow_disclaimers => 1,  # enables disclaimer insertion if available
>>  # notify administrator of locally originating malware
>>  virus_admin_maps => ["virusalert\@$mydomain"],
>>  spam_admin_maps  => ["spamalert\@$mydomain"],
>>  warnbadhsender   => 1,
>>  spam_kill_level_maps => [10],
>>  # bypass_spam_checks_maps   => [1],  # don't spam-check this mail
>>  # forward to a smtpd service providing DKIM signing service
>>  forward_method => 'smtp:[127.0.0.1]:10025',
>>  # force MTA conversion to 7-bit (e.g. before DKIM signing)
>>  smtpd_discard_ehlo_keywords => ['8BITMIME'],
>>  bypass_banned_checks_maps => [1],  # allow sending any file names and types
>>  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
>> };
>> 
>> Any advice or suggestions would be appreciated.
>> 
>> 
>> -- 
>> Simon Wilson
>> M: 0400 12 11 16
> 
> So my query seems to have been too complex.
> 
> Let's simplify:
> 
> Default non-policy-bank setup is:
> 
> $sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
> $sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 1000;  # triggers spam evasive actions (e.g. blocks mail)
> 
> So always add headers; call it spam above 6.2; but let it through for imapd and sieve to deal with.
> 
> How do I configure a *policy bank* that applies to sasl-authenticated port-587-submitted outbound mail only to:
> 1. spam scan
> 2. if it hits above 2.5, let it out, but notify admin of spammy outbound
> 3. if it hits above 10, discard it, notify admin of spam outbound
> 
> Alternately any other recommendations to catch email accounts where password has been compromised so sasl_auth is passed, to prevent submission port abuse.
> 
> Thanks
> Simon.
> 
> -- 
> Simon Wilson
> M: 0400 12 11 16
> 

Ideally, Spamassassin should skip rbl tests (RCVD_IN_*) for authenticated submission so you can lower spam_kill_level_maps score with originating policy.

https://wiki.apache.org/spamassassin/TrustPath
https://wiki.apache.org/spamassassin/DynablockIssues

More information about the amavis-users mailing list