Spamassassin

Submitted by azadmin on Tue, 06/26/2012 - 00:48

About 2 weeks ago spamassassin stopped checking email for spam. I've restarted spamassassin Dovcot and procmail. I am now at a loss. Thanks Harold

Status: 
Closed (fixed)

Comments

Submitted by JamieCameron on Tue, 06/26/2012 - 04:24

Is spamassassin still putting headers starting with X-Spam into email messages that you receive on your system? If so, what headers is it adding for messages that look like spam?

Submitted by azadmin on Tue, 06/26/2012 - 09:58

No, Spamassassin is not adding headers to emails.

Submitted by andreychek on Tue, 06/26/2012 - 10:06

Do you see any errors in /var/log/maillog or /var/log/procmail.log relating to SpamAssassin?

Also, is it just one domain you're having problems with, or does it appear to be all the domains on your system?

Submitted by azadmin on Tue, 06/26/2012 - 13:59

Below are the texts from my current maillog and it appears to affect all domains.

Jun 24 12:17:49 muzictalk postfix/qmgr[9383]: E8AA095E0436: from=root@muzictalk.com, size=60005, nrcpt=1 (queue active) Jun 24 12:17:50 muzictalk postfix/qmgr[9383]: 04FF495E0437: from=root@muzictalk.com, size=572, nrcpt=1 (queue active) Jun 24 12:17:50 muzictalk postfix/qmgr[9383]: 07B4E95E043B: from=root@muzictalk.com, size=572, nrcpt=1 (queue active) Jun 24 12:17:52 muzictalk postfix/qmgr[9383]: E46B895E0429: removed Jun 24 12:17:52 muzictalk postfix/qmgr[9383]: E8AA095E0436: removed Jun 24 12:17:54 muzictalk postfix/qmgr[9383]: 04FF495E0437: removed Jun 24 12:17:55 muzictalk postfix/qmgr[9383]: 07B4E95E043B: removed Jun 24 12:19:50 muzictalk postfix/qmgr[9383]: 1186795E0429: from=root@muzictalk.com, size=12765, nrcpt=1 (queue active) Jun 24 12:19:52 muzictalk postfix/qmgr[9383]: 1186795E0429: removed Jun 24 12:20:50 muzictalk postfix/qmgr[9383]: 1578E95E0429: from=root@muzictalk.com, size=60005, nrcpt=1 (queue active) Jun 24 12:20:50 muzictalk postfix/qmgr[9383]: 1A97895E0436: from=root@muzictalk.com, size=60005, nrcpt=1 (queue active) Jun 24 12:20:50 muzictalk postfix/qmgr[9383]: 2D2B795E0437: from=root@muzictalk.com, size=572, nrcpt=1 (queue active) Jun 24 12:20:50 muzictalk postfix/qmgr[9383]: 3018A95E043B: from=root@muzictalk.com, size=572, nrcpt=1 (queue active) Jun 24 12:20:52 muzictalk postfix/qmgr[9383]: 1578E95E0429: removed Jun 24 12:20:53 muzictalk postfix/qmgr[9383]: 1A97895E0436: removed Jun 24 12:20:55 muzictalk postfix/qmgr[9383]: 2D2B795E0437: removed Jun 24 12:20:55 muzictalk postfix/qmgr[9383]: 3018A95E043B: removed Jun 24 12:23:51 muzictalk postfix/qmgr[9383]: F184295E041F: from=root@muzictalk.com, size=571, nrcpt=1 (queue active) Jun 24 12:23:54 muzictalk postfix/qmgr[9383]: F184295E041F: removed Jun 24 12:23:59 muzictalk postfix/master[9381]: terminating on signal 15

Submitted by JamieCameron on Tue, 06/26/2012 - 20:25

I would be interested to see what gets logged to /var/log/procmail.log as well when email arrives..

Submitted by azadmin on Tue, 06/26/2012 - 23:43

From root@muzictalk.com Tue Jun 26 21:28:04 2012 Subject: lfd on muzictalk.com: Excessive resource usage: ms_ssugah (31034) Folder: /root/Maildir/new/1340771286.17594_1.muzictalk.com 651 Time:1340771286 From:root@muzictalk.com To:root@muzictalk.com User:root Size:702 Dest:/root/Maildir/new/1340771286.17594_1.muzictalk.com Mode:None From root@muzictalk.com Tue Jun 26 21:30:11 2012 Subject: lfd on muzictalk.com: Excessive resource usage: chittlin (17798) Folder: /root/Maildir/new/1340771413.17841_1.muzictalk.com 721 Time:1340771413 From:root@muzictalk.com To:root@muzictalk.com User:root Size:772 Dest:/root/Maildir/new/1340771413.17841_1.muzictalk.com Mode:None From root@muzictalk.com Tue Jun 26 21:33:11 2012 Subject: lfd on muzictalk.com: Excessive resource usage: postfix (14688) Folder: /root/Maildir/new/1340771593.18087_1.muzictalk.com 661 Time:1340771594 From:root@muzictalk.com To:root@muzictalk.com User:root Size:712 Dest:/root/Maildir/new/1340771593.18087_1.muzictalk.com Mode:None From root@muzictalk.com Tue Jun 26 21:37:11 2012 Subject: lfd on muzictalk.com: Suspicious process running under user postfix Folder: /root/Maildir/new/1340771833.18264_1.muzictalk.com 12604 Time:1340771834 From:root@muzictalk.com To:root@muzictalk.com User:root Size:12654 Dest:/root/Maildir/new/1340771833.18264_1.muzictalk.com Mode:None

Submitted by andreychek on Tue, 06/26/2012 - 23:51

Although the subjects of those emails looks a little odd, I don't see any actual errors in the procmail logs that suggests that SpamAssassin is throwing errors or having communication problems.

Can you verify that in Edit Virtual Server -> Enabled Features, that the "Spam Filtering" feature is still enabled for that domain?

Also, if you look in Email Messages -> Spam and Virus Scanning, what is "SpamAssassin client program" set to? Thanks!

Submitted by azadmin on Wed, 06/27/2012 - 01:19

Spam filtering is enabled spamassassin (Standalone program) is checked

Submitted by JamieCameron on Wed, 06/27/2012 - 07:58

Could you also post the contents of your /etc/procmailrc file?

Submitted by azadmin on Wed, 06/27/2012 - 16:03

Hmmm, I do not have that file. Where else could it be? /etc/alaises.db is in group smmsp and not root

Submitted by andreychek on Wed, 06/27/2012 - 16:32

Ah, that's a bit unusual... that file should definitely exist.

What is the output of this command:

rpm -qa | grep procmail

Submitted by azadmin on Wed, 06/27/2012 - 16:40

login as: XXXX XXXX@XXXX's password: -sh-3.2$ su Password: [root@XXXX]# rpm -qa | grep procmail procmail-3.22-17.1.el5.centos procmail-wrapper-1.0-1.vm

Submitted by andreychek on Wed, 06/27/2012 - 17:15

Okay, it looks like procmail is installed, it's just the config that's missing.

What you can do is create the file "/etc/procmailrc", and in it, place the following:

LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl $LOGNAME
EXITCODE=$?
:0
* ?/usr/bin/test "$EXITCODE" = "73"
/dev/null
EXITCODE=0
:0
* ?/usr/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
ORGMAIL=$HOME/Maildir/
DEFAULT=$HOME/Maildir/
DROPPRIVS=yes

Submitted by azadmin on Wed, 06/27/2012 - 22:00

I added the /etc/procmailrc file with the contents you suggested.

I waited and my da-book domain got an email that was once tagged as spam:

(subject line) Pharmacy Store : Viagra + Cialis !

Submitted by azadmin on Thu, 06/28/2012 - 14:46

spamassassin is still not checking for Spam. Any more suggestions? Thanks

Submitted by azadmin on Fri, 06/29/2012 - 09:18

Can someone login to my server and see if they can correct my spamassassin issue? Thanks Azadmin

Submitted by andreychek on Fri, 06/29/2012 - 10:52

Hmm, I oddly didn't receive notifications for your last few updates... but yeah, we can log in to take a look.

We would need an example email address that we can use for sending test emails.

Then, you can either enable Remote Support using the Virtualmin Support Module, or you can send an email containing your root login details to eric@virtualmin.com.

Submitted by azadmin on Fri, 06/29/2012 - 12:18

Hmm, I used the remote support module once before but, I can't seem to find it now. Where is it? Thanks

Submitted by andreychek on Sat, 06/30/2012 - 10:58

I did get your email, thanks!

Do you happen to have an email address that I can use for sending tests to?

I don't want to flood a legitimate user with a bunch of test mails :-)

Thanks!

Submitted by azadmin on Mon, 07/02/2012 - 13:29

Are there any updates on the Spamassassin Issue? Thanks Azadmin

Submitted by JamieCameron on Mon, 07/02/2012 - 19:33

I'm looking into this now ..

Submitted by JamieCameron on Mon, 07/02/2012 - 19:44

Ok, this should be fixed now. The cause of the problem was that the mail directory /var/mail was a file on your system, which triggered odd behavior in procmail. Once I replaced that with an empty directory, everything started working.

Submitted by azadmin on Tue, 07/03/2012 - 01:17

Thank You, Thank You I can't see why anyone would want to use cPanel or any other "Brand X" system to manager their server (smile) You guys are just great

Submitted by Issues on Tue, 07/17/2012 - 01:46

Automatically closed -- issue fixed for 2 weeks with no activity.