On 04/10/2018 03:34 PM, Motty Cruz wrote:
Thanks for your help David,
https://pastebin.com/wsYRfM8K
That email is missing a lot of headers that are critical. Please post
the entire email including the Received: headers.
-Motty
On 04/10/2018 01:22 PM, David Jones wrote:
On 04/10/2018 03:05 PM, Motty Cruz wrote:
Thanks for your prompt reply:
https://pastebin.com/bLy3Jcqt
The Bayes setup looks good. Can you put a lightly redacted version of
that email on pastebin.com so we can run it through our SA instances?
Amavis should have blocked that message based on the score being 3.501
and the kill threshold being 3.1. This sounds like an amavis config
issue.
Please post the output of 'grep 723EC1A1706 maillog' to get the full
message conversation from Postfix.
Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=<emily.thomp...@spontaneous-search-level.com>, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] <emily.thomp...@spontaneous-search-level.com> -> <iu...@domainfq.com>, Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms
root@vm1
On 04/10/2018 12:34 PM, David Jones wrote:
On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get
low score.
zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <emily.thomp...@spontaneous-search-level.com>
X-Envelope-To: <iu...@domainfq.com>
X-Envelope-To-Blocked: <iu...@domainfq.com>
X-Quarantine-ID: <G71jMeOxz-Ha>
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id G71jMeOxz-Ha for <iu...@domainfq.com>;
Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com
[178.62.193.238])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
in local.cf
use_bayes 1
skip_rbl_checks 1
# Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0
bayes_path /var/amavis/.spamassassin/bayes
use_razor2 1
# Tell SA that we want to use Razor version 2
use_pyzor 0
# Tells SA that we don't want to use Pyzor
dns_available yes
# If you are sure you have DNS access set it to "yes"
#
score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59
score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0
Need more info:
- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user
--
David Jones
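
The mismatch discussed in this thread, a "Passed CLEAN" amavis log entry whose Hits value is at or above the kill level shown in X-Spam-Status, can be searched for across a whole mail log. The Python script below is an added example, not code from any poster or from amavisd-new; it assumes the log-line and header layouts quoted above, the function names are hypothetical, and the sample lines are constructed with placeholder addresses.

```python
import re

# Constructed sample modeled on the amavis log line quoted in the thread
# (addresses and the second and third mail_ids are placeholders).
SAMPLE_LOG = """\
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] <sender@example.com> -> <rcpt@example.org>, Message-ID: <a@example.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms
Apr 10 11:52:10 vm1 amavis[1395]: (01395-02) Blocked SPAM {DiscardedInbound,Quarantined}, [127.0.0.1] [192.0.2.7] <x@example.com> -> <rcpt@example.org>, Message-ID: <b@example.com>, mail_id: Qq2constructed, Hits: 9.2, size: 5120, 801 ms
Apr 10 11:53:02 vm1 amavis[1395]: (01395-03) Passed CLEAN {RelayedInbound}, [127.0.0.1] [192.0.2.9] <y@example.com> -> <rcpt@example.org>, Message-ID: <c@example.com>, mail_id: Zz3constructed, Hits: -0.4, size: 2048, 650 ms
"""
# X-Spam-Status value as it appears in the quarantined copy in the thread.
SAMPLE_STATUS = ("Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1 "
                 "tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled")

# Assumed layout: "amavis[pid]: (id) <action> <CATEGORY> ... mail_id: X, Hits: N, ..."
LOG_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<category>[A-Z-]+)\b"
    r".*?mail_id: (?P<mail_id>\S+?),.*?Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)


def parse_levels(status):
    """Extract the tag/tag2/kill levels from an X-Spam-Status header value."""
    pairs = re.findall(r"\b(tag2?|kill)=(-?\d+(?:\.\d+)?)", status)
    return {name: float(value) for name, value in pairs}


def find_mismatches(log_text, kill_level):
    """Return (mail_id, hits) for messages passed as CLEAN at or above kill_level."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        # Assumption: a Hits value of "-" means no score was computed; skip it.
        if not m or m["hits"] == "-":
            continue
        hits = float(m["hits"])
        if m["action"] == "Passed" and m["category"] == "CLEAN" and hits >= kill_level:
            flagged.append((m["mail_id"], hits))
    return flagged


if __name__ == "__main__":
    kill = parse_levels(SAMPLE_STATUS)["kill"]
    for mail_id, hits in find_mismatches(SAMPLE_LOG, kill):
        print(f"{mail_id}: passed CLEAN with Hits {hits} >= kill level {kill}")
```

Feeding it the real maillog and the kill level from a quarantined message's X-Spam-Status shows whether the 723EC1A1706 case is isolated or whether every message above the kill level is being relayed.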