Spam sneaking in.

Bob D bob at inter-control.com
Thu Aug 1 22:01:46 CEST 2019


On 7/31/19 12:36 PM, Matus UHLAR - fantomas wrote:
> On 31.07.19 11:47, Bob D wrote:
>> I have an Ubuntu 18.04 server running Postfix, Clamav, Spamassassin, 
>> Dovecot with virtual hosts/emails.
>> I have spam sneaking in here and it is annoying. They all mostly come 
>> from the same IP. When I ban the IP, after a few hours, it just comes 
>> from another IP.
>> This garbage is obviously spam, no doubt. When I test any of the 
>> mails via the command-line, it always scores high.
>> The last one I checked scored 23.8 as spam using either:
>> $ su spamassassin -c "spamassassin -D < testmail"
>> $ su amavis -c " spamassassin -D < testmail"
>> This one showed .6 in the X-Header as it came in as shown here:
>> -------------------------------------------------------------------------------------------------------------------------------- 
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
>>         MyServer1-2.mydomain.com
>> X-Spam-Level:
>> X-Spam-Status: No, score=0.6 required=4.0 tests=BAYES_99,BAYES_999,DKIM_SIGNED,
>>         DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_MESSAGE,
>>         T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no
>>         version=3.4.2
>
> strange, BAYES_99+BAYES_999 scores 3.7
> DKIM_VALID,DKIM_VALID_AU and DKIM_VERIFIED subtract only 0.3 points
>
> try setting sa_tag_level_deflt to 'undef' and you can see scores of those
> rules...
>
Well, I changed the sa_tag_level_deflt to 'undef', it was at '-9999'.
A few got in and there appears to be no difference in the headers.
Here is one:
----------------------------------------------------------------------------------------------

X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	myserver.mydomain.com
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=4.0 tests=BAYES_99,BAYES_999,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_FONT_LOW_CONTRAST,
	HTML_MESSAGE,KAM_SHORT,URIBL_BLACK autolearn=no autolearn_force=no
	version=3.4.2
Received: from arena.catherinepoolerink.com (arena.catherinepoolerink.com [65.181.122.153])
	by myserver.com (Postfix) with ESMTP id 23E2860B3A
	for<emailuser at domain.org>; Thu,  1 Aug 2019 09:32:08 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=a4ier; d=catherinepoolerink.com;
  h=From:MIME-Version:Message-ID:Reply-To:Subject:To:Content-Type:Date;
  i=henry at catherinepoolerink.com;

----------------------------------------------------------------------------------------------
When I ran the mail via:
$ su amavis -c "spamassassin -D < mailtest"
I get:
--------------------------
Content analysis details:   (18.0 points, 4.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                             blocklist
                             [URIs: catherinepoolerink.com]
  1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL
                             blocklist
                             [URIs: catherinepoolerink.com]
  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                             [URIs: catherinepoolerink.com]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                             identical to background
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  5.0 KAM_VERY_BLACK_DBL     Email that hits both URIBL Black and Spamhaus
                              DBL
  0.8 FSL_BULK_SIG           Bulk signature with no Unsubscribe
  0.0 KAM_SHORT              Use of a URL Shortener for very short URL
  0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
-------------------------------------
Again, clearly spam according to Spamhaus and others.
Something is wrong; not sure what.