Hamtrap and spamtrap aliases stopped working

Hello,

Sending mail to the hamtrap and spamtrap aliases to have them automatically added to allowed and banned addresses in Spamassassin was a very useful feature for me. It stopped working a while ago, and since then I've been doing it manually. Now that I've renewed my premium Virtualmin license, I'd like to see if I can get this fixed.

What is the first step in troubleshooting so I can provide the needed information to you to help me?

Thanks, Chris

Status: Active

Comments

Can you explain further what is going wrong? Is email to the spamtrap / hamtrap address bouncing, or does it just not get learned from?

Yes. When I first started using the ham and spam trap aliases, if I sent a misidentified email as an attachment to the addresses, the email address in the attached email would be automatically added to the allowed or denied address list in Spamassassin, depending upon which alias was used. Now, even after repeated emails to these aliases, no addresses are added to the list, so I have to add them manually.

Make sure that on the Virtualmin Configuration page that the "Add senders of spam sent to spamtrap to blacklist?" option (and the one below it) are enabled.

Yes the options are enabled. To be very careful in answering you, here is a link to a screenshot of the spam filtering options set on the Virtualmin configuration page:

http://i.imgur.com/AGM4Oc2.png

OK, let me see if I can reproduce this.

Can you check if email to spamtrap@domain.com is being delivered to files under /var/virtualmin-traps/spam ?

OK. Now I think we are getting somewhere. I have a screenshot in the link. My spam filters are dialed in well, so most of my activity is with hamtrap@domain.com, trying to stop messages going to spam. As you can see, there are recent entries in the file directory, but they are zero byte.

http://i.imgur.com/7Bg44FB.png

Are there any messages in /var/log/maillog that mention that directory? The cause may be that Postfix is unable to write to the directory.

I am most interested in stopping false positives. So I sent an email to the hamtrap alias as an attachment. I then grepped /var/log/maillog for virtualmin and traps with no hits.

What is the next step now?

Is there any mention of it in /var/log/procmail.log ?

I tried grepping for trap and virtualmin in the logs with no hits.

Is there even mention of email to spamtrap@yourdomain.com in /var/log/maillog ? There should at the very least be a message from Postfix when the mail was received.

I used the CyberDuck sFTP client to look at /var/log/. I see a problem. All the mail log logs are zero byte in size. http://i.imgur.com/8ZoDpiF.png

What do you suggest?

Is your system out of disk space on the filesystem that contains /var/log ? If not, try either rebooting or restarting the syslog server (at Webmin -> System -> Bootup and Shutdown).

The system is not out of space. When I check Webmin->System-> Bootup and Shutdown, I now see services for which the status is reported as unknown. I uploaded a screenshot: http://i.imgur.com/e0APCea.png Is that normal? I don't recall seeing unknown status reported previously. When I checked rsyslog, it was showing unknown as well. I restarted it. It now shows up. I am now seeing the maillog grow in size. I'll send some more emails to the aliases and check spamassassin allowed and denied addresses and the directories you listed and report back.

We are making progress. I grepped the maillog for references to virtualmin traps and now have some hits:

[root@ILMHost ~]# grep virtualmin /var/log/maillog
Apr 12 16:48:35 ILMHost postfix/local[31454]: 48BAE4E0006: to=hamtrap-immigrationlawofmt.com@ILMHost.info, orig_to=hamtrap@immigrationlawofmt.com, relay=local, delay=0.46, delays=0.42/0.03/0/0.02, dsn=2.0.0, status=sent (delivered to file: /var/virtualmin-traps/ham/135459902318064)
Apr 12 16:48:55 ILMHost postfix/local[31521]: 516D74E000B: to=hamtrap-immigrationlawofmt.com@ILMHost.info, orig_to=hamtrap@immigrationlawofmt.com, relay=local, delay=0.09, delays=0.05/0.02/0/0.02, dsn=2.0.0, status=sent (delivered to file: /var/virtualmin-traps/ham/135459902318064)
Apr 12 20:08:33 ILMHost postfix/local[14142]: EABBB4E0006: to=hamtrap-immigrationlawofmt.com@ILMHost.info, orig_to=hamtrap@immigrationlawofmt.com, relay=local, delay=2.3, delays=2.2/0.03/0/0.01, dsn=2.0.0, status=sent (delivered to file: /var/virtualmin-traps/ham/135459902318064)
Apr 12 20:08:34 ILMHost postfix/local[14148]: C8C7C4E000B: to=hamtrap-immigrationlawofmt.com@ILMHost.info, orig_to=hamtrap@immigrationlawofmt.com, relay=local, delay=0.8, delays=0.76/0.02/0/0.01, dsn=2.0.0, status=sent (delivered to file: /var/virtualmin-traps/ham/135459902318064)
[root@ILMHost ~]#

Unfortunately, the trap referenced 135459902318064 is still a zero byte file: http://i.imgur.com/qNMjmzK.png

Also, the email address in the emails is not added to allowed addresses in Spamassassin either.

Please advise.

Those files do get periodically truncated when the spam or ham is processed - so make sure you check their sizes immediately after sending email.

OK. I conducted an experiment today that has narrowed the problem. I found a spam email that I received. I forwarded it as an attachment to the spamtrap alias. I saw the size of a file in the virtualmin-trap/spam folder increase in size. Using sftp, I downloaded that file. It was the spam email. I watched the file size for an hour by refreshing my sftp client. After 40 mins it was truncated to zero byte size. I then checked the denied address list in Spamassassin. The spam email address was not added to this list.

What is the next step?

First. See above. In watching the timestamps in the virtualmin-trap directory, it looks like the cron job is running every hour at twenty past that empties the file in these directories.

After sending an email, try running the same cron job manually as root with the --debug flag and post the output here.

How do I figure out which cron job is running that is emptying virtualmin-traps? I've had a look at scheduled cron jobs in Virtualmin, but don't see any candidates. If you tell me which one it is, or give me the code for it, I can run it with the debug flag.

My apologies, the command should be /etc/webmin/virtual-server/spamtrap.pl --debug

Thanks for that. Please see below:

[root@ILMHost ~]# /etc/webmin/virtual-server/spamtrap.pl --debug
immigrationlawofmt.com: processing spam file
immigrationlawofmt.com: 0 messages in /var/virtualmin-traps/spam/135459902318064
immigrationlawofmt.com: processing ham file
immigrationlawofmt.com: 1 messages in /var/virtualmin-traps/ham/135459902318064
immigrationlawofmt.com: id=<014801d2b8f9$90a7f6e0$b1f7e4a0$@com>
immigrationlawofmt.com: user=flann.immiglawofmt what=from
immigrationlawofmt.com: flann.immiglawofmt: Good return path flann@immigrationlawofmt.com
immigrationlawofmt.com: flann.immiglawofmt: Invalid received from ILMM6600PC (unknown [199.167.210.28]) by ILMHost.info (Postfix) with ESMTPA id D40964E0006 for hamtrap@immigrationlawofmt.com; Wed, 19 Apr 2017 04:41:55 -0600 (MDT)
immigrationlawofmt.com: flann.immiglawofmt: subject=[SPAM 5.0] Welcome to your Best of the Web Account
immigrationlawofmt.com: flann.immiglawofmt: OK Learned tokens from 1 message(s) (1 message(s) examined)
immigrationlawofmt.com: ham_trap_white: 1
immigrationlawofmt.com: config: /etc/webmin/virtual-server/spam/135459902318064/virtualmin.cf
immigrationlawofmt.com: sender: service@botw.org
immigrationlawofmt.com: Adding service@botw.org to whitelist_from
blog.immigrationlawofmt.com: spam filtering is not enabled
[root@ILMHost ~]#

After this command is run the address is not added to the allowed address list in Webmin -> Servers -> Spamassassin -> Allowed Addresses.

Should I be looking somewhere else?

Make sure that on the Edit Virtual Server page for this domain that the "Spam Filtering" feature is enabled.

Yes. I can confirm that the "Spam Filtering" box is checked in the enabled features section of edit the virtual server for this domain.

Actually, from the log it looks like the address was added OK.

Does it appear in /etc/webmin/virtual-server/spam/135459902318064/virtualmin.cf ?
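
Added example (not part of the thread and not Virtualmin's own code): a shell check for the question above, which reads saved spamtrap.pl --debug output and confirms that each address it reports adding is really present in the config file named in that same output. The function names check_trap_learned and make_sample and the optional ROOT prefix are hypothetical; the line formats are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not Virtualmin code. Line formats are those in the
# spamtrap.pl --debug output quoted in the thread.

# check_trap_learned DEBUG_FILE [ROOT]
# For every "Adding <addr> to <directive>" line, look for <addr> on a
# <directive> line in the file named by the preceding "config:" line.
# ROOT is a hypothetical path prefix for checking a copy of the tree.
# Prints OK/MISSING per address; returns 1 if any address is missing.
check_trap_learned() {
    awk -v root="${2:-}" '
        $2 == "config:" { cfg = root $3; next }
        $2 == "Adding" && $4 == "to" {
            addr = $3; directive = $5; found = 0
            if (cfg != "") {
                while ((getline line < cfg) > 0) {
                    n = split(line, f)
                    if (f[1] == directive)
                        for (i = 2; i <= n; i++)
                            if (f[i] == addr) found = 1
                }
                close(cfg)
            }
            res = found ? "OK" : "MISSING"
            print res, directive, addr, cfg
            if (!found) bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: debug lines copied from the thread plus a made-up
# virtualmin.cf, written under a temporary directory whose path is printed.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/webmin/virtual-server/spam/135459902318064"
    printf '%s\n' \
      'immigrationlawofmt.com: config: /etc/webmin/virtual-server/spam/135459902318064/virtualmin.cf' \
      'immigrationlawofmt.com: sender: service@botw.org' \
      'immigrationlawofmt.com: Adding service@botw.org to whitelist_from' \
      > "$d/debug.txt"
    printf 'whitelist_from %s\n' "${1:-service@botw.org}" \
      > "$d/etc/webmin/virtual-server/spam/135459902318064/virtualmin.cf"
    echo "$d"
}
```

On the server, save the output of /etc/webmin/virtual-server/spamtrap.pl --debug to a file and pass it as the only argument; a MISSING line means the script reported the address but the file it named does not contain it.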