Spam sneaking in.

Lambert Rots lambert.rots at gmail.com
Tue Aug 27 14:50:43 CEST 2019


Time difference between amavisd-new and spamassassin checks is +30 minutes.

I don't reject spam, spam is set to be discarded:

$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
$final_bad_header_destiny = D_BOUNCE;

~amavis/.spamassassin contains:
-rw------- 1 amavis amavis   40960 Aug 27 07:45 bayes_seen
-rw------- 1 amavis amavis 1310720 Aug 27 07:45 bayes_toks
-rw-r--r-- 1 amavis amavis    1869 Aug 16 13:23 user_prefs

The user_prefs is just a sample file with only commented/blank lines.

$ ls -lh /etc/amavisd/
total 88K
-rw-r--r-- 1 root root 37K Aug 22 12:22 amavisd.conf
-rw-r--r-- 1 root root 37K Jul 19 12:32 amavisd.conf.rpmsave
-rw-r--r-- 1 root root  19 Jul  5  2016 sender_scores_sitewide
-rw-r--r-- 1 root root  95 Jul 21  2018 whitelist_sender

sender_scores_sitewide contains one specific domain with score -5.0 to
prevent mail from that domain from being accidentally identified as spam.
whitelist_sender contains my logwatch sender to prevent my logwatch reports
from being seen as spam.

Approximately a month ago I uninstalled both amavisd-new and spamassassin
and reinstalled both packages again to get the most default config
possible. I changed $mydomain as well as the $syslog_facility to get the
debug logs in a separate log.

Best regards,

Lambert



On Mon 26 Aug 2019 at 15:50, Matus UHLAR - fantomas <
uhlar at fantomas.sk> wrote:

> >> On 16.08.19 13:51, Lambert Rots wrote:
> >> >Did you get a solution for the issue about spam sneaking in?  I think I
> >> >have the same issue about spam being scored differently between
> >> >spamassassin and amavisd-new.
>
> >On Sun 18 Aug 2019 at 11:59, Matus UHLAR - fantomas <
> >uhlar at fantomas.sk> wrote:
> >> did you also change the DKIM_VERIFIED score to -3?
> >> If not, you don't have the same issue.
>
> On 26.08.19 11:22, Lambert Rots wrote:
> >Sorry for the delayed response, I was first debugging/fetching logs for a
> >few days...
> >
> >No I did not change the DKIM_VERIFIED score so apparently I have a
> >different issue ;-)
>
> >> >It looks like DNS blacklist checks are not scored as most spam is found
> >> >on blacklists when parsing the mail through spamassassin but debugging
> >> >amavisd-new shows that DNS checks are being performed.
> >>
> >> this is also a different issue.  Many sites and webs get into blacklist
> >> after the spam started spreading, so first (early) recipients don't see
> >> the mail in blacklist, while late recipients or later checks shows
> >> blacklists.
>
> >Comparing debug logs between Amavisd-new (debug-sa) and spamassassin
> >directly shows that blacklist checks score 0 with NXDOMAIN replies when the
> >mail arrives the first time where spamassassin scores +3 with several hits
> >on blacklist checks.
>
> this shows early recipient issue. What's the time difference
> between amavis and spamassassin checks?
> Are there any differences in rules hit than blacklists?
>
> >I just cannot imagine that all spam I receive is early recipient based,
>
> do you reject any spam?
>
> >besides, postfix is already taking care of most blacklist checking.
>
> postfix does only check blacklists on direct sending machine.  SA does deep
> header checks, which is why SA blacklist checks have more hits than
> postfix.
>
> >Most spam mail is coming from the same email domains, share the same
> >subject and a lot of other stuff on which amavisd-new should be able to
> >identify it as spam. Bayes scores some mail but not all.
>
> train what you can. bayes training is one of the best antispam tools
> available.
>
> >Spam senders try a lot to bypass anti spam but in my opinion amavisd-new
> >should be able to do better than marking less than 1 percent of spam mail
> >as spam.
>
> what does ~amavis/.spamassassin contain?
> what does /etc/amavis/conf.d/ contain?
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> If Barbie is so popular, why do you have to buy her friends?
>
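
The difference described in the quoted reply (postfix checking only the directly connecting machine, SpamAssassin doing deep header checks) is illustrated by this added example, which is not part of the original thread and is neither amavisd-new nor SpamAssassin code. It is a simplification that ignores trusted/internal network settings; the zone name dnsbl.example and the sample message are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org (Postfix); Tue, 27 Aug 2019 14:20:00 +0200
Received: from relay.example.com (unknown [203.0.113.45])
\tby mx.example.net (Postfix); Tue, 27 Aug 2019 14:19:58 +0200
Received: from [192.168.1.20] (dsl.example.com [192.0.2.99])
\tby relay.example.com; Tue, 27 Aug 2019 14:19:55 +0200
From: sender@example.com
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 and loopback ranges are never listed on a DNSBL, so skip them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def relay_ips(raw):
    """Return routable IPv4 addresses from Received headers, newest hop first."""
    msg = message_from_string(raw)
    found = []
    for hdr in msg.get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(hdr):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. an octet above 255
            if ip not in found and not any(ip in net for net in NON_ROUTABLE):
                found.append(ip)
    return found

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def lookups(raw, zone="dnsbl.example"):
    """Compare an SMTP-time check (connecting client) with a deep header check."""
    ips = relay_ips(raw)
    return {
        "connecting_client_only": [dnsbl_name(ip, zone) for ip in ips[:1]],
        "all_received_hops": [dnsbl_name(ip, zone) for ip in ips],
    }
```

An NXDOMAIN answer for any of these names means "not listed at the time of the query", so the same name queried 30 minutes later can return a listing.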