Spam sneaking in.

Lambert Rots lambert.rots at gmail.com
Wed Aug 28 10:38:50 CEST 2019


On Tue 27 Aug 2019 at 15:09, Matus UHLAR - fantomas <uhlar at fantomas.sk>
wrote:

> On 27.08.19 14:50, Lambert Rots wrote:
> >Time difference between amavisd-new and spamassassin checks is +30
> >minutes.
> >
> >I don't reject spam, spam is set to be discarded:
>
> >$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
>
> so, you don't know of spam that gets discarded, and it's quite possible
> that much of spam is dropped before you can scan it again using
> spamassassin, correct?
>
Well, I know which spam mail gets through ;-)
Looking at the logs I don't see a lot of messages about discards on
amavisd-new but postfix is doing a good job on the blacklist checks
(+90/day mails blocked)


> that way, it's quite possible that spam that sneaks in, is "early recipient
> based", so it would be rejected half hour later.
>
> >~amavis/.spamassassin contains:
> >-rw------- 1 amavis amavis   40960 Aug 27 07:45 bayes_seen
> >-rw------- 1 amavis amavis 1310720 Aug 27 07:45 bayes_toks
> >-rw-r--r-- 1 amavis amavis    1869 Aug 16 13:23 user_prefs
>
> btw, how do you check spam by spamassassin?
> for comparing to amavis scores I use
>
> (cd /tmp; su -s /bin/sh -c 'spamassassin -x' amavis) < file | less
>
I configured postfix to save all email messages (dont_remove = 1) so I can
work with the 'original' email.
I copy a message from the saved directory to /tmp using:
postcat -hb /var/spool/postfix/saved/<ID> > /tmp/<ID>
Then I run spamassassin as user amavis:
su amavis -c 'spamassassin -D -t < /tmp/<ID>'


> >The user_prefs is just a sample file with only commented/blank lines
>
> ...so the results aren't flawed due to amavis' user_prefs.
>
> >$ ls -lh /etc/amavisd/
> >total 88K
> >-rw-r--r-- 1 root root 37K Aug 22 12:22 amavisd.conf
> >-rw-r--r-- 1 root root 37K Jul 19 12:32 amavisd.conf.rpmsave
> >-rw-r--r-- 1 root root  19 Jul  5  2016 sender_scores_sitewide
> >-rw-r--r-- 1 root root  95 Jul 21  2018 whitelist_sender
> >
> >sender_scores_sitewide contains one specific domain with score -5.0 to
> >prevent mail from that domain to be accidentally identified as spam.
> >whitelist_sender contains my logwatch sender to prevent my logwatch
> >reports to be seen as spam.
>
> I put those into SA's local.cf, this way they get the same score when
> checked by SA or by amavis.
>
Good idea, thanks


>
> >> >On Sun 18 Aug 2019 at 11:59, Matus UHLAR - fantomas
> >> ><uhlar at fantomas.sk> wrote:
> >> >> this is also a different issue.  Many sites and webs get into
> >> >> blacklist after the spam starts spreading, so first (early)
> >> >> recipients don't see the mail in blacklist, while late recipients
> >> >> or later checks show blacklists.
>
> >> On 26.08.19 11:22, Lambert Rots wrote:
> >> >Comparing debug logs between Amavisd-new (debug-sa) and spamassassin
> >> >directly shows that blacklist checks score 0 with NXDOMAIN replies when
> >> >the mail arrives the first time where spamassassin scores +3 with
> >> >several hits on blacklist checks.
>
> >On Mon 26 Aug 2019 at 15:50, Matus UHLAR - fantomas
> ><uhlar at fantomas.sk> wrote:
> >> this shows early recipient issue. What's the time difference
> >> between amavis and spamassassin checks?
> >> Are there any differences in rules hit other than blacklists?
>
> >> >I just cannot imagine that all spam I receive is early recipient based,
> >>
> >> do you reject any spam?
> >>
> >> >besides, postfix is already taking care of most blacklist checking.
> >>
> >> postfix does only check blacklists on direct sending machine.  SA does
> >> deep header checks, which is why SA blacklist checks have more hits
> >> than postfix.
> >>
> >> >Most spam mail is coming from the same email domains, share the same
> >> >subject and a lot of other stuff on which amavisd-new should be able to
> >> >identify it as spam. Bayes scores some mail but not all.
> >>
> >> train what you can. bayes training is one of the best antispam tools
> >> available.
> >>
> >> >Spam senders try a lot to bypass anti spam but in my opinion
> >> >amavisd-new should be able to do better than marking less than
> >> >1 percent of spam mail as spam.
> >>
> >> what does ~amavis/.spamassassin contain?
> >> what does /etc/amavis/conf.d/ contain?
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Saving Private Ryan...
> Private Ryan exists. Overwrite? (Y/N)
>
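
Added example, not part of the original message and not code from amavisd-new or SpamAssassin: one way to answer the question raised in the thread, whether the delivery-time scan and the later rescan differ only in blacklist rules (the early-recipient case) or in other rules as well. The function names, the prefix heuristic for blocklist rules and the sample X-Spam-Status values are assumptions constructed for illustration.

```python
import re

# Assumption: rules with these name prefixes depend on DNS blocklist lookups.
NET_PREFIXES = ("RCVD_IN_", "URIBL_")

def rules_hit(status):
    """Parse an X-Spam-Status value into {rule_name: score or None}.

    Accepts the amavisd-new form  tests=[RULE=1.2, OTHER=0.1]
    and the SpamAssassin form     tests=RULE,OTHER  (folded lines allowed).
    """
    flat = re.sub(r",\s+", ",", status)        # undo folding after commas
    m = re.search(r"tests=(\S+)", flat)
    hits = {}
    for item in (m.group(1).strip("[]").split(",") if m else []):
        name, _, score = item.partition("=")
        if name and name != "none":
            hits[name] = float(score) if score else None
    return hits

def compare(first_scan, rescan):
    """Diff the rule sets of the delivery-time scan and a later rescan."""
    first, later = set(rules_hit(first_scan)), set(rules_hit(rescan))
    changed = first ^ later
    late_bl = sorted(r for r in later - first if r.startswith(NET_PREFIXES))
    other = sorted(r for r in changed if not r.startswith(NET_PREFIXES))
    return {
        "late_blocklist_hits": late_bl,
        "other_differences": other,
        # Only blocklist rules appeared later: consistent with early-recipient timing.
        "early_recipient_only": bool(late_bl) and not other,
    }

# Constructed sample headers (not taken from the thread).
AMAVIS_AT_DELIVERY = ("No, score=0.801 tagged_above=-999 required=6.2 "
                      "tests=[BAYES_50=0.8, HTML_MESSAGE=0.001] autolearn=no")
SA_RESCAN = ("Yes, score=6.4 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
             "\tRCVD_IN_SBL,URIBL_BLACK autolearn=no")
SA_RESCAN_BAYES = ("Yes, score=5.1 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
                   "\tURIBL_BLACK autolearn=no")

if __name__ == "__main__":
    print(compare(AMAVIS_AT_DELIVERY, SA_RESCAN))
    print(compare(AMAVIS_AT_DELIVERY, SA_RESCAN_BAYES))
```

A non-empty other_differences list means the two scans disagree on more than blocklist timing, for example because they use different Bayes data or different local scores.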