Hello,

Leonard den Ottolander wrote on Sat 13-07-2013 at 15:34 [+0200]:
> Hello,
>
> Lately I see a lot of mails like these come in unfiltered by
> spamassassin.
>
> System is CentOS 6.4, using amavisd-new-2.8.0-4.el6.noarch from EPEL.
> Amavis configuration is mostly as shipped by Fedora, I can provide
> details if needed, but I think the relevant part here is:
>
> $final_bad_header_destiny = D_BOUNCE;

The default is D_PASS, so did you change it or does Fedora supply amavis
with this setting? If the latter is the case, then a bug report may be
wise. Bouncing after an OK on the SMTP DATA phase will get you
blacklisted sooner or later. I prefer sooner btw ;-)

> Full mail header (edited names and IPs but not the X-Quarantine-ID):
>
> Return-Path: <>
> X-Original-To: [email protected]
> Delivered-To: [email protected]
> Received: from localhost (localhost [127.0.0.1]) by mail.domain.nl
> (Postfix) with ESMTP id D642542 for <[email protected]>; Fri, 14
> Jun 2013 12:51:54 +0200 (CEST)
> X-Quarantine-ID: <Tw0-mNHoul_7>
> X-Virus-Scanned: amavisd-new at domain.nl
> X-Amavis-Alert: BAD HEADER SECTION, Missing required header field:
> "Date"

Nice notification, but a lot of mail generators forget these headers.
You may want to check your quarantine/logs to see if you don't lose any
e-mail from, say, your cable or energy company. This is also the reason
some checks in Postfix are not turned on, as they do not solve a spam
issue but may make some mails "disappear".

> Received: from mail.domain.nl ([127.0.0.1]) by localhost
> (mail.domain.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP id
> Tw0-mNHoul_7 for <[email protected]>; Fri, 14 Jun 2013 12:51:54
> +0200 (CEST)
> X-Greylist: delayed 503 seconds by postgrey-1.34 at host.domain.nl;
> Fri, 14 Jun 2013 12:51:54 CEST
> Received: from remote.host.by (unknown
> [1.1.1.1]) by mail.domain.nl (Postfix) with SMTP id 17C3440 for
> <[email protected]>; Fri, 14 Jun 2013 12:51:53 +0200 (CEST)
> Received: from unknown (HELO localhost)
> ([email protected]@2.2.2.2) by 1.1.1.1 with ESMTPA;

Source routing, haven't seen that one for years. You're willing to
publish the IP?

> Fri, 14 Jun 2013 13:47:38 +0200
> X-Originating-IP: 2.2.2.2
> From: [email protected]
> To: [email protected]
> Subject: It has the Potential to be a Major
> Message-Id: <[email protected]>
> Date: Fri, 14 Jun 2013 12:51:54 +0200 (CEST)
> X-Evolution-Source: pop://user%[email protected]/
> Mime-Version: 1.0
>
>
> If the subject hadn't given it away yet
> $ spamassassin -t mail.txt | tail -21
> identifies the mail as spam:
>
> Content analysis details: (14.1 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 1.1 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
> 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> [Blocked - see <http://www.spamcop.net/bl.shtml?1.1.1.1>]
> 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> [1.1.1.1 listed in zen.spamhaus.org]
> 0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
> 1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
> https://senderscore.org/blacklistlookup/
> [1.1.1.1 listed in bl.score.senderscore.com]
> 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
> [1.1.1.1 listed in bb.barracudacentral.org]
> 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address
> [1.1.1.1 listed in dnsbl.sorbs.net]
> 1.3 RDNS_NONE Delivered to internal network by a host with
> no rDNS
> 3.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP
> addr 1)
>
>
> The missing date header puts the mail in quarantine and the missing
> Return-Path breaks the bouncing so the mail gets sent without having
> been scanned by spamassassin:

Yes and no, the missing return-path is there to break the mail loop that
otherwise could emerge. It is a special case, you may want to read RFC
2822 if I'm not mistaken.

> <cut>
>
> And the mail gets delivered to my mailbox.

You have set up amavis to use your address as an administrator address or
something like it?

> How can I assure that mail that fails to bounce at least gets scanned by
> spamassassin?

Reading your logs, your DKIM setup appears to be broken as it tries to
sign a non-local domain, but doesn't have the right keys, luckily. You may
want to follow the submission port style signing if you mix a receiving
MTA with a sending MTA on the same box.

Hans
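As an added illustration of the two things this thread turns on (a header section missing a mandatory field, and a null envelope sender that leaves a bounce with nowhere to go), here is a small Python check written for this page; it is not amavis code, the sample header is constructed to mirror the one quoted above, and the "fall back to discard when a bounce is impossible" rule is this example's own policy, not a statement of what amavis does.

```python
"""Inspect a raw header section the way a bad-header filter would, then
decide what a configured $final_bad_header_destiny can actually do."""
from email import message_from_string
from email.message import Message

# Fields RFC 5322 section 3.6 requires in every message.
REQUIRED_HEADERS = ("Date", "From")

# Constructed sample, modelled on the quoted header: the originator sent no
# Date field, and the envelope sender is null (Return-Path: <>).
SAMPLE = """Return-Path: <>
X-Original-To: user@example.invalid
Delivered-To: user@example.invalid
Received: from remote.host.invalid (unknown [192.0.2.1])
 by mail.example.invalid (Postfix) with SMTP id 17C3440
 for <user@example.invalid>; Fri, 14 Jun 2013 12:51:53 +0200 (CEST)
From: sender@example.invalid
To: user@example.invalid
Subject: It has the Potential to be a Major
Mime-Version: 1.0

body
"""

def missing_required_headers(msg: Message) -> list:
    """Return the mandatory RFC 5322 fields that are absent from msg."""
    return [h for h in REQUIRED_HEADERS if msg.get(h) is None]

def can_bounce(msg: Message) -> bool:
    """A bounce needs a real envelope sender. '<>' marks a notification
    (RFC 5321 section 4.5.5); bouncing it would only create a mail loop."""
    return (msg.get("Return-Path") or "").strip() not in ("", "<>")

def bad_header_action(msg: Message, destiny: str) -> str:
    """Map the configured destiny to an action that is actually possible.
    Assumption for this example: D_BOUNCE on a null sender becomes D_DISCARD
    rather than silently delivering an unscanned message."""
    if not missing_required_headers(msg):
        return "clean"
    if destiny == "D_BOUNCE" and not can_bounce(msg):
        return "D_DISCARD"
    return destiny

def analyse(raw: str, destiny: str) -> dict:
    """Parse a raw message and report the findings in one place."""
    msg = message_from_string(raw)
    return {"missing": missing_required_headers(msg),
            "can_bounce": can_bounce(msg),
            "action": bad_header_action(msg, destiny)}

if __name__ == "__main__":
    print(analyse(SAMPLE, "D_BOUNCE"))
```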