Re: Emails from gmail.com bypassing Spamassassin scoring

2022-02-08 Thread Bill Cole
On 2022-02-07 at 13:43:31 UTC-0500 (Mon, 07 Feb 2022 13:43:31 -0500) Chad is rumored to have said:

> I have been getting numerous emails lately from various gmail.com accounts.
> They are spam or phishing emails and today I got one that had a subject of
> RECEIPT 5454 and only a JPG image of an invoice. There was no content in
> the email.
>
> It bypassed Spamassassin scoring.  Do you know why or what setting I need
> to set so EVERY email goes through Spamassassin scoring procedures?
>
> My email server is: mercury2022.mercuryemail.net
[...]
> Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172])
>     by mercury2022.mercuryemail.net (Postfix) with ESMTPS id A5F7E8043D4A
>     for ; Mon,  7 Feb 2022 10:44:18 -0500 (EST)

OK, so we know that your mail server is running Postfix but not how you've 
integrated SpamAssassin. There are many possibilities, with 2 independent 
attributes:


1. Interface to Postfix:
  a. content_filter setting to pipe mail to a bespoke script (maybe 
distro-provided)
  b. milter (amavis, spamass-milter, mimedefang, etc.)
  c. SMTP Proxy (usually amavis)
  d. FILTER action in an access map to a bespoke script.
  e. NONE: Integrated with a downstream delivery agent (e.g. Dovecot LMTP) or 
MUA.

2. Interface to SA:
  a. Load Mail::SpamAssassin Perl modules and use them directly
  b. Use a spamc binary built from the SA distribution to contact a local spamd 
instance
  c. Use a spamc binary built from the SA distribution to contact a remote 
spamd instance
  d. Use a custom implementation of the spamc protocol to contact a local spamd 
instance
  e. Use a custom implementation of the spamc protocol to contact a remote 
spamd instance
  f. Run the spamassassin script and handle its output.

So, yeah: 30 possible combinations. It is hard to say what is broken without 
knowing how you have SA working when it works. This sort of problem is never 
technically in SpamAssassin itself, as SpamAssassin itself doesn't include any 
software that could act as a gatekeeper.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread Chad
Thank you for responding.
You were correct: it was the size limit that bypassed the scanning.

I created a spamc.conf in the spam assassin folder with the “-s option” and 
increased the scanning size to avoid bypassing on smaller attachments.  




On Feb 7, 2022, at 5:24 PM, David B Funk  wrote:

How big was the message? (attached images can be pretty big).

Depending on the "glue" you use to connect your mail MTA to SA, it may have 
some kind of size restriction.

For example, the 'spamc' client has a 'max-size' parameter (which defaults to 
500KB). Any message larger than that size will not be passed to SA (IE it will 
skip scanning).

Does your MTA log the SA processing? Can you see any logged errors associated 
with that particular message?

On Mon, 7 Feb 2022, Chad wrote:

> All of the other emails that were sent before and after this particular email 
> have the X-Spam-Status and X-spam-Report scoring,
> 
> So Spamassassin was running correctly.
> 
> 
> 
> -Original Message-
> From: Marc 
> Date: Monday, February 7, 2022 at 1:49 PM
> To: Chad , "users@spamassassin.apache.org" 
> 
> Subject: RE: Emails from gmail.com bypassing Spamassassin scoring
> 
>> I have been getting numerous emails lately from various gmail.com
>> accounts.  They are spam or phishing emails and today I got one that
>> had a subject of RECEIPT 5454 and only a JPG image of an invoice.
>> There was no content in the email.
>> 
>> 
>> 
>> It bypassed Spamassassin scoring.  Do you know why or what setting I
>> need to set so EVERY email goes through Spamassassin scoring procedures?
>> 
>> 
> 
> I do not see X-Spam headers[1], so your spamassassin was not working?
> 
> 
> [1]
> X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
>     TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
>     version=3.4.6
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
>     4422b522-8a2b-4864-9498-4f2d06aca485
> 

-- 
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{



Re: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread David B Funk

How big was the message? (attached images can be pretty big).

Depending on the "glue" you use to connect your mail MTA to SA, it may have some 
kind of size restriction.


For example, the 'spamc' client has a 'max-size' parameter (which defaults to 
500KB). Any message larger than that size will not be passed to SA (IE it will 
skip scanning).


Does your MTA log the SA processing? Can you see any logged errors associated 
with that particular message?


On Mon, 7 Feb 2022, Chad wrote:


> All of the other emails that were sent before and after this particular email
> have the X-Spam-Status and X-spam-Report scoring,
>
> So Spamassassin was running correctly.
>
> -Original Message-
> From: Marc
> Date: Monday, February 7, 2022 at 1:49 PM
> To: Chad , "users@spamassassin.apache.org"
> Subject: RE: Emails from gmail.com bypassing Spamassassin scoring
>
>> I have been getting numerous emails lately from various gmail.com
>> accounts.  They are spam or phishing emails and today I got one that
>> had a subject of RECEIPT 5454 and only a JPG image of an invoice.
>> There was no content in the email.
>>
>> It bypassed Spamassassin scoring.  Do you know why or what setting I
>> need to set so EVERY email goes through Spamassassin scoring procedures?
>
> I do not see X-Spam headers[1], so your spamassassin was not working?
>
> [1]
> X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
>     TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
>     version=3.4.6
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
>     4422b522-8a2b-4864-9498-4f2d06aca485



--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
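
The size-limit bypass discussed in this thread can be audited after the fact by finding delivered messages that carry no X-Spam-Status header and comparing their size with the spamc limit. The following is an added example, not code from any poster or from the SpamAssassin project; the function names are hypothetical, the sample messages are constructed, and "500KB" is assumed to mean 500 * 1024 bytes.

```python
"""Flag delivered mail that skipped SpamAssassin, and say whether size explains it."""
from email import message_from_bytes

# Assumption: the thread's "500KB" spamc max-size default is 500 * 1024 bytes.
SPAMC_DEFAULT_MAX_SIZE = 500 * 1024


def audit(raw: bytes, max_size: int = SPAMC_DEFAULT_MAX_SIZE) -> str:
    """Classify one raw message (hypothetical helper, not an SA API)."""
    msg = message_from_bytes(raw)
    if msg.get("X-Spam-Status") is not None:
        return "scanned"
    # The stored copy is slightly larger than what the glue saw (delivery
    # headers are added later), so treat sizes near the limit with care.
    if len(raw) > max_size:
        return "skipped-oversize"   # consistent with a size-limit bypass
    return "unscanned-other"        # e.g. filter unreachable and MTA failed open


def report(messages, max_size: int = SPAMC_DEFAULT_MAX_SIZE):
    """Return (subject, size_in_bytes, verdict) for every unscanned message."""
    findings = []
    for raw in messages:
        verdict = audit(raw, max_size)
        if verdict != "scanned":
            subject = message_from_bytes(raw).get("Subject", "")
            findings.append((subject, len(raw), verdict))
    return findings


def make_sample(subject: str, body_bytes: int, scanned: bool) -> bytes:
    """Build a constructed test message; the body stands in for an attachment."""
    headers = ["From: sender@example.com", "To: user@example.net",
               f"Subject: {subject}"]
    if scanned:
        headers.append("X-Spam-Status: No, score=-0.4 required=3.0")
    body = "\r\n".join(["A" * 76] * (body_bytes // 78 + 1))
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


# Constructed samples: a normal scanned mail, a large image-only mail with no
# SA headers, and a small mail with no SA headers.
SAMPLES = [
    make_sample("weekly report", 2_000, scanned=True),
    make_sample("RECEIPT 5454", 600 * 1024, scanned=False),
    make_sample("hello", 2_000, scanned=False),
]

if __name__ == "__main__":
    for subject, size, verdict in report(SAMPLES):
        print(f"{size:>8} bytes  {verdict:<17} {subject}")
```

After raising the limit with spamc's -s option, pass the new value as max_size; anything still reported as unscanned points at a cause other than size.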

RE: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread Marc
> 
> All of the other emails that were sent before and after this particular
> email have the X-Spam-Status and X-spam-Report scoring,
> 
> So Spamassassin was running correctly.
> 

So something went wrong with this one. It should have headers, maybe some 
communication problem. I have configured the MTA to process the messages anyway 
if spamd is not available. You can also configure to bounce the message with a 
'Temporary unable to process'.



Re: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread Chad


smime.p7m
Description: S/MIME encrypted message


RE: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread Marc
> I have been getting numerous emails lately from various gmail.com
> accounts.  They are spam or phishing emails and today I got one that
> had a subject of RECEIPT 5454 and only a JPG image of an invoice.
> There was no content in the email.
> 
> 
> 
> It bypassed Spamassassin scoring.  Do you know why or what setting I
> need to set so EVERY email goes through Spamassassin scoring procedures?
> 
> 

I do not see X-Spam headers[1], so your spamassassin was not working?


[1]
X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
    TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
    version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
    4422b522-8a2b-4864-9498-4f2d06aca485


Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread Chad


smime.p7m
Description: S/MIME encrypted message