Why isn't spamassassin using my local.cf rules for some spam email?

#1 Mon, 02/04/2019 - 06:26
amityweb

I started receiving loads more spam a few weeks ago. Something changed somewhere because it went from occasional to loads in one instant and has not stopped.

Spamassassin is running on the server.

I have updated the server with yum, so assume that should update it all.

So I added the following rules to my /etc/mail/spamassassin/local.cf file, but as you can see in the mail headers below, the rules are not working on all emails, because the IP address 89.34.26.114 IS on a lot of the blacklists which I am adding into my rules. So it looks like spamassassin is not filtering them by default anyway, and then my rules are not working either.

On the other hand I can see some spam in my spam folder which does have the rules below in the header, so it may be working for some but not others. The ones I receive below are forwarders, so sent to me at one domain, then forwarded to my new domain.

Anyone know why?

/etc/mail/spamassassin/local.cf file

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 0
rewrite_header subject [SPAM2]
add_header all Report _REPORT_

# CUSTOM SCORES OVERRIDES
score RCVD_IN_BRBL_LASTEXT 4
score URIBL_DBL_SPAM 5
score URIBL_DBL_ABUSE_SPAM 4
score URI_WP_HACKED 4
score URIBL_ABUSE_SURBL 4

header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org :(
tflags RCVD_IN_BARRACUDACEN net
score RCVD_IN_BARRACUDACEN 4.0

header RCVD_IN_SBLSPAMHAUS eval:check_rbl('sblspamhaus-lastexternal', 'sbl.spamhaus.org.')
describe RCVD_IN_SBLSPAMHAUS Relay is listed in sbl.spamhaus.org :(
tflags RCVD_IN_SBLSPAMHAUS net
score RCVD_IN_SBLSPAMHAUS 4.0

header RCVD_IN_ZENSPAMHAUS eval:check_rbl('zenspamhaus-lastexternal', 'zen.spamhaus.org.')
describe RCVD_IN_ZENSPAMHAUS Relay is listed in zen.spamhaus.org :(
tflags RCVD_IN_ZENSPAMHAUS net
score RCVD_IN_ZENSPAMHAUS 4.0

header RCVD_IN_BL_SPAMCOP_NET  eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net :(
tflags RCVD_IN_BL_SPAMCOP_NET net
score RCVD_IN_BL_SPAMCOP_NET 4.0

header RCVD_IN_RBL_DNS eval:check_rbl_txt('dnsrbl','dnsrbl.org.')
describe RCVD_IN_RBL_DNS Entries listed in dnsrbl.org RBL :(
tflags RCVD_IN_RBL_DNS net
score RCVD_IN_RBL_DNS 4.0


header RCVD_IN_ANONMAILS eval:check_rbl('anonmails-lastexternal', 'spam.dnsbl.anonmails.de.')
describe RCVD_IN_ANONMAILS Relay is listed in spam.dnsbl.anonmails.de :(
tflags RCVD_IN_ANONMAILS net
score RCVD_IN_ANONMAILS 4.0

header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL :(
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 4.0

header RCVD_IN_WPBL eval:check_rbl('wpbl-lastexternal','db.wpbl.info.','127.0.0.2')
describe RCVD_IN_WPBL Listed in db.wpbl.info :(
tflags RCVD_IN_WPBL net
score RCVD_IN_WPBL 4.0

Message Headers:

Return-Path: <14318-20883-391829-3821-me=mydomain.co.uk@mail.acraforfre.xyz>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
mail.mydomain.co.uk
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_BLOCKED
autolearn=no version=3.3.1
X-Original-To: me@mydomain.co.uk
Delivered-To: me.mydomain@mail.mydomain.co.uk
Received: by mail.mydomain.co.uk (Postfix)
id 225DC4831; Mon,  4 Feb 2019 11:51:16 +0000 (GMT)
Delivered-To: me.mydomain@mail.mydomain.co.uk
Received: from gamma.acraforfre.xyz (unknown [89.34.26.114])
by mail.mydomain.co.uk (Postfix) with ESMTP id 96F5E4865
for <me@mydomain.co.uk>; Mon,  4 Feb 2019 11:51:13 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=acraforfre.xyz;
h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; i=GiftIdeas@acraforfre.xyz;
bh=KVleqPcsaSlhinYuooQHuyYOsRA=;
b=dc7B8R49U0qqHislu776kEpYX25nYscA1D+XYOiN7j5VMTZY0lNSwWigfpzGc2dekmj+VnO1Y5Qn
   lHjybseo4myH0XzZDobSbJFcvURY8MjUukWZGP7FiJQSEbowYE8Lw1S+1dzl8lt7z6NPwr6+3W3V
   lgIGl4fahLEBband5Yw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=acraforfre.xyz;
b=YBK/0y98mNfOg8bp62AjsDcBpjTUDwxYPmYRTlYgMYdwzRkewhckflZfnYoXQU6VH4qhAAyezkAk
   NjTRgouzVV6OaQuVTS0c2V8ejphHa86qgulW7Kd4qX21tP80z8JDgdkDR7WwlWy9XGvE7aODRUZk
   w9FiqxoplLE/HmCA8PA=;
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="f373de478e17074275dc84bc628d208c_5193_5fa95"
Date: Mon, 4 Feb 2019 12:50:30 +0100
From: "Gift Ideas" <GiftIdeas@acraforfre.xyz>
Reply-To: "Gift Ideas" <GiftIdeas@acraforfre.xyz>
Subject: Personalized Frames, Canvas Art, Teddy Bears, Cards and More
To: <me@mydomain.co.uk>
Message-ID: <1q9jeoen88zhr2sp-kc8zupkgtt3qac7s-5193-5fa95@acraforfre.xyz>

Here are the headers in another message I received that have the checks in:

X-Spam-Level: *********
X-Spam-Report:
*  4.0 RCVD_IN_WPBL RBL: Listed in db.wpbl.info
*      [173.232.227.166 listed in db.wpbl.info]
*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
*      See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
*      for more information.
*      [URIs: specifitethos.icu]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  4.0 RCVD_IN_RBL_DNS RBL: Entries listed in dnsrbl.org RBL
*      [DNSRBL Active Listing -- For More Details Visit:]
*      [<https://dnsrbl.org/lookup.cgi?ip=173.232.227.166>]
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*      domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
*  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

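A diagnostic helper for the question above, added here and not taken from the original post or from Virtualmin: it unfolds the quoted headers, finds the last external relay the way a `-lastexternal` RBL rule does, builds the DNSBL query name for it, and lists which of the thread's custom rules are absent from X-Spam-Status. The sample headers are constructed from the ones quoted above; the trusted_networks prefixes in TRUSTED are an assumption.

```python
import re

# Constructed sample modelled on the headers quoted in the thread: the
# relay 89.34.26.114 is the one the user's RBL rules should have queried.
SAMPLE = """\
X-Spam-Status: No, score=3.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
\tDKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_BLOCKED
\tautolearn=no version=3.3.1
Received: by mail.mydomain.co.uk (Postfix)
\tid 225DC4831; Mon,  4 Feb 2019 11:51:16 +0000 (GMT)
Received: from gamma.acraforfre.xyz (unknown [89.34.26.114])
\tby mail.mydomain.co.uk (Postfix) with ESMTP id 96F5E4865
\tfor <me@mydomain.co.uk>; Mon,  4 Feb 2019 11:51:13 +0000 (GMT)
"""
# Rule names from the thread's local.cf; TRUSTED is an assumed trusted_networks.
CUSTOM_RULES = {"RCVD_IN_ZENSPAMHAUS", "RCVD_IN_BARRACUDACEN",
                "RCVD_IN_PSBL", "RCVD_IN_WPBL", "RCVD_IN_RBL_DNS"}
TRUSTED = ("127.", "10.", "192.168.")

def unfold(raw):
    """Join RFC 5322 continuation lines so each header occupies one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def last_external_ip(headers):
    """Walk Received: newest-first; the first hop whose 'from' IP is outside
    trusted_networks is what a '-lastexternal' RBL rule queries. Hops with
    no bracketed IP (local re-injection by a forwarder) are skipped."""
    for h in headers:
        m = re.search(r"^Received: from \S+ \((?:\S+ )?\[(\d+(?:\.\d+){3})\]\)", h)
        if m and not m.group(1).startswith(TRUSTED):
            return m.group(1)
    return None

def dnsbl_query(ip, zone):
    """Name SpamAssassin resolves for check_rbl: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")

def spam_status(headers):
    """Parse X-Spam-Status into (is_spam, score, set of tests that fired)."""
    line = next(h for h in headers if h.startswith("X-Spam-Status:"))
    flag, score, tests = re.search(
        r"(Yes|No), score=([\d.]+) .*?tests=(.*?)\s+autolearn=", line).groups()
    return flag == "Yes", float(score), set(re.sub(r"\s", "", tests).split(","))

def missing_custom_hits(raw):
    """Custom rules absent from tests=; a non-empty result on a relay you know
    is listed means the rule never ran (not loaded, or DNS lookups blocked)."""
    return sorted(CUSTOM_RULES - spam_status(unfold(raw))[2])
```

Run it over the raw headers of a message from the inbox and one from the junk folder: if the inbox copy has no external relay (only a local re-injection hop) or lacks every custom rule, the problem is in the path that message took, not in local.cf itself.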
Tue, 02/05/2019 - 03:25
amityweb

I have just noticed the spamassassin version in the header: SpamAssassin 3.3.1 (2010-03-16)

Could it be due to a really, really old version? I often do yum updates on the server, so why would it not be updated and be so old?

It is a CentOS 6 server, could it be it's just not receiving updates any more?

I can't just upgrade or move to CentOS 7; it's a mail server with hundreds of email accounts, and I would imagine it being a large job with disruption to move all the accounts.

Mon, 02/11/2019 - 03:49
amityweb

Just curious if anyone can help as I am getting loads of spam through from senders on blacklists, but the headers are not including the checks or the score. Yet I do have other mail coming in also which does have the checks and score and so is put into my junk.

Could it be to do with forwarding? I have two email addresses as follows:

laurence@myolddomain.co.uk which then forwards to laurence@mynewdomain.co.uk

The forwarding for myolddomain is created within that user's Usermin account, rather than by the server admin. This is because the spam check works when it's created in the user account, but if the admin creates it, it skips it.

So I just wondered if it's related.

An email that failed all my custom rules and so was classed as spam had this:

Delivered-To: laurence.mynewdomain@mail.mymailerver.co.uk
Delivered-To: laurence.myolddomain@mail.mymailerver.co.uk
X-Original-To: laurence@myolddomain.co.uk

But an email that did not use my custom checks had this:

X-Original-To: laurence@myolddomain.co.uk

Sun, 09/29/2019 - 07:13
amityweb

Is it because this means the URIBL is blocked: URIBL_BLOCKED

So when I get blocked by the lookup spam gets through? I get spam in batches you see.

Update: I have subscribed to the commercial URIBL feed but it made no difference. The emails I get don't have links in the domain on the URIBL database yet, so I don't think this check is important. But the links are on other blacklists and the checks are not being called.

Tue, 10/01/2019 - 07:58
amityweb

If I run spamassassin from the command line it works.

So this works:

echo -e "Subject: test\n\nhttp://tonpool.icu\n\n" | spamassassin -D 2>&1

But I am getting emails from this domain and with links in this domain, and this domain is on blacklists and is on URIBL which I am using its commercial list for.

*** Email Received Headers ***

To: Laurence Cope <laurence@mydomain.co.uk>
Mime-Version: 1.0
X-Spam-Level: *
Content-Type: multipart/alternative; boundary="------------82330258210166310002005"
X-Spam-Status: No, score=1.3 required=5.0 tests=HTML_MESSAGE,RDNS_NONE, SPF_HELO_PASS,T_REMOTE_IMAGE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.mydomain.co.uk
Return-Path: <laurence.mydomain@mail.mydomain.co.uk>
X-Original-To: laurence@myotherdomain.co.uk
X-Original-To: laurence@mydomain.co.uk
<KClISmfwcXdGlv-H9kJbKXOAdHAMVdf2TMkroTxzkas.9lzqYGErrZ9KTHgzpS79c9slyCJFNhfOL4xcqczuRcCt2Mu8YMwFgDWTLpn8SqV3@tonpool.icu>
Received: by mail.mydomain.co.uk (Postfix, from userid 503) id 81F414352; Tue,  1 Oct 2019 13:11:12 +0100 (BST)
Received: from tonpool.icu (unknown [193.35.155.17]) by mail.mydomain.co.uk (Postfix) with ESMTP id B97654352 for <laurence@mydomain.co.uk>; Tue,  1 Oct 2019 13:11:11 +0100 (BST)
Delivered-To: laurence.myotherdomain@mail.mydomain.co.uk
Delivered-To: laurence.mydomain@mail.mydomain.co.uk

*** Command Line Headers ***

X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
mail.mydomain.co.uk
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.2 required=5.0 tests=BODY_SINGLE_URI,MISSING_DATE,
MISSING_FROM,MISSING_HEADERS,MISSING_MID,NO_HEADERS_MESSAGE,NO_RECEIVED,
NO_RELAYS,TVD_SPACE_RATIO,URIBL_DBL_SPAM autolearn=no version=3.3.1
X-Spam-Report:
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
*  1.2 MISSING_HEADERS Missing To: header
*  5.0 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
*      blocklist
*      [URIs: tonpool.icu]
*  0.1 MISSING_MID Missing Message-Id: header
*  1.0 MISSING_FROM Missing From: header
* -0.0 NO_RECEIVED Informational: message has no Received headers
*  0.0 TVD_SPACE_RATIO TVD_SPACE_RATIO
*  1.4 MISSING_DATE Missing Date: header
*  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
*      headers
*  2.5 BODY_SINGLE_URI Message body is only a URI
Subject: [SPAM2] test
X-Spam-Prev-Subject: test

http://tonpool.icu

Tue, 10/01/2019 - 08:03
amityweb

In Email Settings the program is "spamc". I have changed it to "spamassassin" to see if that makes it work, seeing as the command line spamassassin works.

Fri, 10/04/2019 - 03:34
amityweb

That change did not help; I am still getting emails sent to me which are either bypassing local.cf OR bypassing other checks. The command line mentioned above always catches the spam, yet in my Inbox are emails that have not had the same checks as the command line and contain blacklisted domains!

Fri, 10/04/2019 - 08:26
noisemarine

I'm not sure what is wrong with your set up, but to get some relief for now you could try using header_checks (or even body_checks).

Add something like the following to /etc/postfix/header_checks. Be careful with your regexps in there as they can catch more than you might expect. There's plenty of examples online.

/tonpool.icu/ DISCARD Not this jerk again.

This drops the message. Use REJECT and more appropriate text if you want the sender to know you aren't interested.

Add this to /etc/postfix/main.cf. I usually put it just above the rest of my checks so it gets looked at first. You may want to use it later as a last resort. Up to you.

header_checks = regexp:/etc/postfix/header_checks

Don't forget to restart postfix.
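An added illustration of the "regexps can catch more than you might expect" caveat, not part of noisemarine's reply: a small Python model of how Postfix applies a regexp: header_checks table (case-insensitive, first matching rule wins, every header line is tested), run against constructed header lines. The table and the two sample messages are constructed for the example; the second sample shows the unanchored /tonpool\.icu/ rule also discarding a legitimate reply whose Subject merely mentions the domain.

```python
import re

# Constructed header_checks table in the format used in the reply above.
HEADER_CHECKS = r"""
/tonpool\.icu/ DISCARD Not this jerk again.
/^Subject: .*personalized frames/ REJECT Unwanted bulk mail
"""

# Constructed header lines: one spam message and one legitimate reply
# that happens to name the spammer's domain in its Subject.
SPAM = ['From: "Gift Ideas" <news@tonpool.icu>',
        "Subject: Personalized Frames and More"]
LEGIT = ["From: Alice <alice@example.org>",
         "Subject: Re: tonpool.icu is spamming us"]

def parse_table(text):
    """Parse '/regexp/ ACTION [text]' lines the way Postfix regexp: tables
    are read: case-insensitive by default, kept in file order because the
    first matching rule wins; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S+)(?:\s+(.*))?$", line)
        pattern, action, msg = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action, msg or ""))
    return rules

def check_headers(headers, rules):
    """Return (action, text, matching header) for the first rule that hits
    any header line, or None. Because every header is tested, an
    unanchored domain pattern fires on a Subject: that quotes the domain
    just as readily as on the spammer's From: line."""
    for h in headers:
        for rx, action, msg in rules:
            if rx.search(h):
                return action, msg, h
    return None
```

The real table can be exercised the same way with `postmap -q "Subject: Re: tonpool.icu is spamming us" regexp:/etc/postfix/header_checks`, which prints the action a given header line would trigger; anchoring the pattern to the header you mean (for example `/^From: .*@tonpool\.icu/`) narrows it to the sender.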

Mon, 10/07/2019 - 05:09
amityweb

Thank you, but it's not feasible to add every spam domain into my own server files, and therefore become a blacklist database myself, and then spam would get through first before I put it in there. It would be a full time job adding every sender to our own file.

I would ideally like Virtualmin fixed so it uses local.cf because the domains are already in spam databases, and spamassassin from the command line checks that and marks them as spam.

But spamassassin when running normally on incoming mail does not seem to be doing it, it seems to be doing something totally different because spam headers are added, just not the same ones as the command line.

Think I will have to report it as a bug, seeing as there is no reply from the Virtualmin team here.

Thanks

Tue, 10/08/2019 - 02:37
noisemarine

Is it possible an update or admin activities have broken a path somewhere and that particular local.cf isn't being read? For example, /etc/mail/spamassassin is a symlink to /etc/spamassassin on my debian systems which tends to indicate that /etc/spamassassin/local.cf is the real file.

Grasping at straws here - sorry if it isn't helping.

Tue, 10/08/2019 - 12:37
Dibs

I had something similar - tons of spam arriving. Some getting marked as spam but a great deal more getting thru. I chose to alter postfix to deal with spam and RBL's rather than SpamAssassin.

I implemented a number of things mentioned in the following webpage - https://www.linuxbabe.com/mail-server/block-email-spam-postfix and they made a huge difference. Tip 6 gives the changes necessary to check against RBL's.

I appreciate they aren't SA related but they did cut down spam for me. And the resulting backscatter. I checked the mail logs and the rejections due to being on RBL's were there.

HIH

Thu, 11/14/2019 - 06:19
amityweb

I would just like to keep this thread alive as it's not resolved. I added an issue here: https://www.virtualmin.com/node/67412

It seems to work most times, as I have changed the rewrite_header subject to [SPAM2] and I am getting spam caught with subject [SPAM2] so local.cf must be working sometimes.

But occasionally it's not used, it's skipped? I have the same spam email in junk with subject [SPAM2] as I often get in my inbox not marked as spam (but then it is marked as spam when using command line spamassassin).

Also, when I do get spam, it's in batches; many come in at the same time. I wonder if a service like spamassassin could be stopping, spam gets through, then it starts up again? Can't see any messages in the logs relating to spam about any service failing though, so I don't think it's that.
