Amavis doesn't mark messages as spam

Discussion in 'Help Desk' started by ychaouche, Nov 29, 2017.

  1. ychaouche

    ychaouche Valued Member

    Joined: Mar 22, 2016 | Messages: 15 | Likes Received: 2
    Hello EQ community,

    I received an email for raybans, which was 300% spam (14.0 score, threshold set at 5.0), and it didn't get marked by amavis.

    Here's how amavis is configured :

    Code:
    root@messagerie[10.10.10.19] /etc/amavis/conf.d # removeblanks 50-user
    use strict;
    $myhostname = "mailhost.mytld.";
    $virus_admin = "it_sys\@$mydomain";
    $sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
    $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
    $sa_kill_level_deflt = 999; # triggers spam evasive actions
    $sa_dsn_cutoff_level = 5.0;   # spam level beyond which a DSN is not sent
    $final_spam_destiny       = D_PASS;
    $final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
    1;  # ensure a defined return
    root@messagerie[10.10.10.19] /etc/amavis/conf.d #   
    In particular, this line caught my attention :

    Code:
    $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
    I also have grepped for SPAM to check where amavis rewrites the subject and found this line in 20-debian_defaults :

    Code:
    root@messagerie[10.10.10.19] /etc/amavis/conf.d # grep SPAM *
    ...
    20-debian_defaults:$sa_spam_subject_tag = '***SPAM*** ';
    ...
    root@messagerie[10.10.10.19] /etc/amavis/conf.d # 
    So reading these configuration files, it seems that amavis is supposed to
    1) add 'spam detected' headers ("at that level", I don't know what that means)
    2) add a ***SPAM*** tag in the subject



    Here's my spamassassin

    Code:
    root@messagerie[10.10.10.19] /etc/spamassassin # removeblanks local.cf
    rewrite_header Subject *****SPAM*****
    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
    endif # Mail::SpamAssassin::Plugin::Shortcircuit
    root@messagerie[10.10.10.19] /etc/spamassassin # 
    It also seems, reading from this config file, that spamassassin should add a *****SPAM***** tag in the subject.


    Here are the mail logs :

    Code:
    Nov 28 16:33:14 messagerie postfix/smtpd[42277]: 738D73A80088: client=unknown[101.55.71.90]
    Nov 28 16:33:14 messagerie postfix/cleanup[46611]: 738D73A80088: message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
    Nov 28 16:33:15 messagerie postfix/qmgr[37877]: 738D73A80088: from=<bounce-3308-19491836-3512-248@frdww.com>, size=46200, nrcpt=1 (queue active)
    Nov 28 16:33:16 messagerie postfix/smtpd[42277]: disconnect from unknown[101.55.71.90]
    Nov 28 16:33:16 messagerie postfix/smtpd[46615]: connect from localhost[127.0.0.1]
    Nov 28 16:33:16 messagerie postfix/smtpd[46615]: 6609E3A8008E: client=localhost[127.0.0.1]
    Nov 28 16:33:16 messagerie postfix/cleanup[46611]: 6609E3A8008E: message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
    Nov 28 16:33:16 messagerie postfix/smtpd[46615]: disconnect from localhost[127.0.0.1]
    Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6609E3A8008E: from=<bounce-3308-19491836-3512-248@frdww.com>, size=46717, nrcpt=1 (queue active)
    Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY {RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] <bounce-3308-19491836-3512-248@frdww.com> -> <a.chaouche@mydomain.tld>, Queue-ID: 738D73A80088, Message-ID: <bf680addabf683575f7cc153be8a9094@101.55.71.3>, mail_id: lBrIu_4QeHCa, Hits: 11.386, size: 46197, queued_as: 6609E3A8008E, 736 ms
    Nov 28 16:33:16 messagerie postfix/smtp[46612]: 738D73A80088: to=<a.chaouche@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=1.2/0.01/0/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6609E3A8008E)
    Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 738D73A80088: removed
    Nov 28 16:33:16 messagerie postfix/pickup[45522]: 6AD523A80092: uid=1001 from=<bounce-3308-19491836-3512-248@frdww.com>
    Nov 28 16:33:16 messagerie postfix/cleanup[46611]: 6AD523A80092: message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
    Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6AD523A80092: from=<bounce-3308-19491836-3512-248@frdww.com>, size=47174, nrcpt=1 (queue active)
    Nov 28 16:33:16 messagerie postfix/lmtp[46616]: 6609E3A8008E: to=<a.chaouche@mydomain.tld>, relay=mailhost.tl[dprivate/dovecot-lmtp], delay=0.03, delays=0/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 <a.chaouche@mydomain.tld> uTNQGbyBHVrKtQAArJM0yg Saved)
    Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6609E3A8008E: removed
    
    In particular, we have this line :

    Code:
    Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY {RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] <bounce-3308-19491836-3512-248@frdww.com> -> <a.chaouche@mydomain.tld>, Queue-ID: 738D73A80088, Message-ID: <bf680addabf683575f7cc153be8a9094@101.55.71.3>, mail_id: lBrIu_4QeHCa, Hits: 11.386, size: 46197, queued_as: 6609E3A8008E, 736 ms
    So we know amavis detected that the email was spammy, but didn't rewrite the subject! See this screenshot:

    upload_2017-11-29_10-17-19.png

    Here's what spamc says about the email :

    Code:
    root@messagerie[10.10.10.19] /etc/amavis/conf.d # cat /tmp/spamreport
    14.1/5.0
    Spam detection software, running on the system "messagerie.algerian-radio.dz",
    has identified this incoming email as possible spam.  The original
    message has been attached to this so you can view it or label
    similar future email.  If you have any questions, see
    the administrator of that system for details.
    
    Content preview:  Untitled document SHOP ONLINE AVIATOR WAYFARER CUSTOMIZE PRESCRIPTION
       SUN Back with a hero's welcome, General is the latest iconic style to the
       revived by Ray-Ban. SHOP NOW RAY-BAN CUSTOMER CARE 12 Harbor Park Drive Port
       Washington, NY 11050 [...]
    
    Content analysis details:   (14.1 points, 5.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                                [101.55.71.90 listed in psbl.surriel.com]
     2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                                [URIs: rbwayn.com]
     1.3 URI_HEX                URI: URI hostname has long hexadecimal sequence
     1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.0 HTML_IMAGE_RATIO_06    BODY: HTML has a low ratio of text to image area
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                                background
     1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                                [101.55.71.90 listed in bb.barracudacentral.org]
     1.9 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                                [URIs: frdww.com]
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                                domain
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
     1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                                [URIs: rbwayn.com]
     1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
    
    root@messagerie[10.10.10.19] /etc/amavis/conf.d # 

    Any tips on how to troubleshoot this are appreciated.

    Yassine.
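
An added example (not part of the original thread) that reads the amavis log line above against the posted thresholds. It assumes amavisd applies X-Spam headers and `$sa_spam_subject_tag` only to recipients matching `@local_domains_maps`, and reads the brace tag `RelayedOpenRelay` as meaning no recipient matched; `LINE_RE`, `explain` and the trimmed sample line are constructed for illustration.

```python
import re

# Thresholds copied from the 50-user file shown in the post.
LEVELS = {"tag": -999.0, "tag2": 5.0, "kill": 999.0}

# Constructed sample: the amavis line quoted in the post, some fields trimmed.
SAMPLE = (
    "Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY "
    "{RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] "
    "<bounce-3308-19491836-3512-248@frdww.com> -> <a.chaouche@mydomain.tld>, "
    "Queue-ID: 738D73A80088, mail_id: lBrIu_4QeHCa, Hits: 11.386, size: 46197"
)

LINE_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z0-9-]+)"
    r"(?: \{(?P<tags>[^}]*)\})?.*?Hits: (?P<hits>-?[\d.]+|-)"
)


def explain(line, levels=LEVELS):
    """Return what the thresholds call for and what amavis can apply."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not an amavis Passed/Blocked line
    tags = (m["tags"] or "").split(",")
    # "Hits: -" means the message was not scored at all.
    hits = None if m["hits"] == "-" else float(m["hits"])
    # Assumption: only ...Inbound / ...Internal tags imply a recipient that
    # matched @local_domains_maps; OpenRelay and Outbound do not.
    rcpt_local = any(t.endswith(("Inbound", "Internal")) for t in tags)
    above = {k: hits is not None and hits >= v for k, v in levels.items()}
    return {
        "verdict": m["verdict"],
        "hits": hits,
        "above_tag2": above["tag2"],
        "above_kill": above["kill"],
        "recipient_local": rcpt_local,
        # Header and subject edits are applied per local recipient only.
        "x_spam_headers": above["tag"] and rcpt_local,
        "subject_tag": above["tag2"] and rcpt_local,
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key:16} {value}")
```

For the line in the post this reports a score above tag2 but no local recipient, so the setting to check next is whether the recipient domain is covered by `@local_domains_maps` (`@local_domains_acl` in the Debian conf.d files).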
     


  2. popowich

    popowich EQ Forum Admin Staff Member

    Joined: Aug 12, 2008 | Messages: 9,215 | Likes Received: 137
    Does your spamassassin rewrite any subject lines? I think you're missing this from your local.cf:

    rewrite_subject 1

    Add it on the next line below the rewrite_header line.
     

  3. ychaouche

    ychaouche Valued Member

    Hello popowich,

    This is deprecated in spamassassin 3.X. I am using SpamAssassin version 3.4.0. SubjectRewrite - Spamassassin Wiki

    Besides, that same source also says that the header rewrite is performed at the amavis level.

    Yassine.
     
  4. popowich

    popowich EQ Forum Admin Staff Member

    OK, I don't have my hands on the freeware to test with at the moment. I think you'll get faster help from the amavis mailing list - amavis-users Info Page
     
