RE: Tons of spam getting through

2014-08-12 Thread John Hardin

On Tue, 12 Aug 2014, Greg Ledford wrote:


>> They may take a couple of different forms depending on how SA is hooked into
>> your mail infrastructure.
>>
>> Basic SA headers start with "X-Spam", like X-Spam-Status and X-Spam-Report.
>>
>> If you're using Amavis, then there would be some Amavis headers. (Note
>> that the mention of Amavis in the Received header that the sender added
>> - "Received: by 02942887.pygmyweed.somedaystoday.in" - is irrelevant.)
>>
>> How is SpamAssassin hooked into your email infrastructure?
>
> It should just be called by Amavis directly. Sometimes it scans and
> sometimes it doesn't.

Bummer. That, however, is probably an issue in Amavis rather than SA.

> I just found another obvious piece of email that SA and Amavis scanned
> and missed.

I note that the tagged/required score has been increased from the SA
default. Was that done intentionally?

The SA base rules are scored with the assumption that the "spam" threshold
score is 5; if you increase that then FNs will necessarily increase.

> I tried to attach the headers but they are so blatant that the list
> kicked it back! I'll try to modify it to get them through for info
> purposes.

Best practice is to paste the entire message to something like pastebin
and post the URL for that to the list.

> Maybe there's a timeout issue between Amavis and SA that won't
> allow it time to scan?

If that was the case I'd still expect to see Amavis headers - for example,
the virus scan isn't related to SA.

There may be an upper limit to the size of messages Amavis will scan,
check for that being set to an unrealistically small value.

> X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
> X-Spam-Flag: NO
> X-Spam-Score: 5.945
> X-Spam-Level: *
> X-Spam-Status: No, score=5.945 tagged_above=5.5 required=6
>  tests=[DCC_CHECK=1.1, RDNS_NONE=1.274, SPF_HELO_PASS=-0.001,
>  SPF_PASS=-0.001, THIS_AD=1.073, URIBL_DBL_SPAM=2.5]
>  autolearn=no autolearn_force=no


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Warning Labels we'd like to see #1: "If you are a stupid idiot while
 using this product you may hurt yourself. And it won't be our fault."
---
 3 days until the 69th anniversary of the end of World War II
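As an added illustration (not code from this thread, nor from Amavis or SpamAssassin), the parser below reads the X-Spam-Status line quoted above and makes the threshold point concrete: the rules that hit sum to 5.945, which is above the stock SpamAssassin required_score of 5.0 but below the site's required=6, so amavisd passed the message as ham. The sample header value is a constructed copy of the one posted in the thread, with its folded continuation lines joined; SA_DEFAULT_REQUIRED is the stock SpamAssassin threshold John refers to.

```python
import re

# Constructed sample: the X-Spam-Status value from the headers posted in this
# thread, with the folded continuation lines joined.
SAMPLE_STATUS = (
    "No, score=5.945 tagged_above=5.5 required=6 "
    "tests=[DCC_CHECK=1.1, RDNS_NONE=1.274, SPF_HELO_PASS=-0.001, "
    "SPF_PASS=-0.001, THIS_AD=1.073, URIBL_DBL_SPAM=2.5] "
    "autolearn=no autolearn_force=no"
)

SA_DEFAULT_REQUIRED = 5.0  # stock SpamAssassin required_score


def parse_spam_status(value):
    """Split an amavisd-new style X-Spam-Status value into its fields."""
    flag, _, rest = value.partition(",")
    tests = {}
    m = re.search(r"tests=\[(.*?)\]", rest)
    if m:
        # Each entry is RULE=points; collect them, then drop the bracket block.
        for item in m.group(1).split(","):
            name, _, points = item.strip().partition("=")
            if name:
                tests[name] = float(points)
        rest = rest[: m.start()] + rest[m.end():]
    kv = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {
        "flag": flag.strip(),
        "score": float(kv["score"]),
        "tagged_above": float(kv["tagged_above"]) if "tagged_above" in kv else None,
        "required": float(kv["required"]),
        "tests": tests,
    }


def verdict(status, required):
    """Apply a 'required' threshold to a parsed status: 'spam' or 'ham'."""
    return "spam" if status["score"] >= required else "ham"


def threshold_report(value):
    """Show what the site's threshold did versus the SA default."""
    st = parse_spam_status(value)
    rule_sum = round(sum(st["tests"].values()), 3)
    return {
        "rule_sum_matches_score": rule_sum == st["score"],
        "configured": verdict(st, st["required"]),
        "at_sa_default": verdict(st, SA_DEFAULT_REQUIRED),
        "points_short_of_configured": round(st["required"] - st["score"], 3),
    }
```

Running threshold_report(SAMPLE_STATUS) reports the message as ham under the configured threshold and as spam at the SA default, 0.055 points short of required=6.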


Re: Tons of spam getting through

2014-08-12 Thread Karl Johnson
On Tue, Aug 12, 2014 at 1:27 PM, Greg Ledford wrote:

>
> It should just be called by Amavis directly. Sometimes it scans and
> sometimes it doesn't. I just found another obvious piece of email that SA
> and Amavis scanned and missed. I tried to attach the headers but they are
> so blatant that the list kicked it back! I'll try to modify it to get them
> through for info purposes. Maybe there's a timeout issue between Amavis and
> SA that won't allow it time to scan?
>

Take a look at the "sa_tag_level_deflt" in your amavisd configuration file.

Karl


RE: Tons of spam getting through

2014-08-12 Thread Greg Ledford
>They may take a couple of different forms depending on how SA is hooked into 
>your mail infrastructure.

>Basic SA headers start with "X-Spam", like X-Spam-Status and X-Spam-Report.

>If you're using Amavis, then there would be some Amavis headers. (Note that 
>the mention of Amavis in the Received header that the sender added -
>"Received: by 02942887.pygmyweed.somedaystoday.in" - is irrelevant.)

>How is SpamAssassin hooked into your email infrastructure?

It should just be called by Amavis directly. Sometimes it scans and sometimes 
it doesn't. I just found another obvious piece of email that SA and Amavis 
scanned and missed. I tried to attach the headers but they are so blatant that 
the list kicked it back! I'll try to modify it to get them through for info 
purposes. Maybe there's a timeout issue between Amavis and SA that won't allow 
it time to scan? 

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com
 (10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Tue, 12 Aug 2014
 10:14:54 -0500
Received: from localhost (localhost [127.0.0.1]) by smtp.phhwtechnology.com
 (Postfix) with ESMTP id BDF9B1946D25 for ; Tue, 12 Aug 2014 10:03:44 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Spam-Flag: NO
X-Spam-Score: 5.945
X-Spam-Level: *
X-Spam-Status: No, score=5.945 tagged_above=5.5 required=6
 tests=[DCC_CHECK=1.1, RDNS_NONE=1.274, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, THIS_AD=1.073, URIBL_DBL_SPAM=2.5]
 autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1]) by localhost
 (smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 Dogs62WB5R0G for ; Tue, 12 Aug 2014 10:03:38 -0500 (CDT)
Received-SPF: pass (impvewidowutters.mobi: 162.222.193.53 is authorized to use
 'appeal@iproindowtters.mobi' in 'mfrom' identity (mechanism 'a' matched))
 receiver=spamfilter; identity=mailfrom; envelope-from="appeal@imprwinwshters.mobi";
 helo=imovewdowshute.rmobi; client-ip=162.222.193.53
Received: from impovewinoshuers.mobi (unknown [162.222.193.53]) by
 smtp.phhwtechnology.com (Postfix) with ESMTP id 190631946D2C for
 ; Tue, 12 Aug 2014 10:03:37 -0500 (CDT)
Date: Tue, 12 Aug 2014 08:04:42 -0700
Message-ID: <0-615491d8b09c8278d9b65c2d2ffacba7-2529668-2014-08...@impvewiowshuers.mobi>
Subject: Re: Tiberae - The World???s Fist Hadcrted Shutt
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From: Tberne-ofer.17779
To: 
Content-Type: text/plain; charset="utf-8"
Return-Path: appeal@impvewiowshers.mobi
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous


RE: Tons of spam getting through

2014-08-12 Thread John Hardin

On Tue, 12 Aug 2014, Greg Ledford wrote:


>>> Can someone tell me why Spamassassin/Amavis are missing these types of
>>> very obvious emails? I'm still trying to figure all of this out and I
>>> know I missed something somewhere. Thanks.
>>
>> Those headers don't seem to claim that message was even scanned by SA.
>>
>> Do messages that SA *does* properly identify have headers indicating
>> things like SA version, which rules hit, and the score?
>
> What should the headers look like if SA scanned them? I just assumed it was
> working.

They may take a couple of different forms depending on how SA is hooked
into your mail infrastructure.

Basic SA headers start with "X-Spam", like X-Spam-Status and
X-Spam-Report.

If you're using Amavis, then there would be some Amavis headers. (Note
that the mention of Amavis in the Received header that the sender added -
"Received: by 02942887.pygmyweed.somedaystoday.in" - is irrelevant.)

How is SpamAssassin hooked into your email infrastructure?



RE: Tons of spam getting through

2014-08-12 Thread Greg Ledford

>> Can someone tell me why Spamassassin/Amavis are missing these types of 
>> very obvious emails? I'm still trying to figure all of this out and I 
>> know I missed something somewhere. Thanks.

>Those headers don't seem to claim that message was even scanned by SA.

>Do messages that SA *does* properly identify have headers indicating things 
>like SA version, which rules hit, and the score?

What should the headers look like if SA scanned them? I just assumed it was 
working.


Re: Tons of spam getting through

2014-08-12 Thread John Hardin

On Tue, 12 Aug 2014, Greg Ledford wrote:

> Can someone tell me why Spamassassin/Amavis are missing these types of
> very obvious emails? I'm still trying to figure all of this out and I
> know I missed something somewhere. Thanks.

Those headers don't seem to claim that message was even scanned by SA.

Do messages that SA *does* properly identify have headers indicating
things like SA version, which rules hit, and the score?

