Marked as SPAM mail, but not deleted: SpamAssassin - over 100 points, 5.0 required

osxman

Dear All DA-forum posters,

Problem: Mail is marked as *****SPAM***** and has over 100 SpamAssassin points, but is still being delivered. What to do?

All other spam works well, it's only the Returned/Delivery type as mentioned below.

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06)
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=102.1 required=5.0 tests=DKIM_ADSP_NXDOMAIN,
MISSING_MID,RCVD_IN_BRBL_LASTEXT,RDNS_NONE,USER_IN_BLACKLIST autolearn=no version=3.3.2

sa-update version svn917659

spam like this:
*****SPAM***** Returned email
*****SPAM***** Mail delivery failed: returning message to sender
*****SPAM***** Undeliverable mail: Весь спе****************р ра********о******** **************** гра************************а ******** ********ра********ора
*****SPAM***** Undeliverable: ********ЕРЕЕЗЖАЕТЕ?
*****SPAM***** Returned mail: see transcript for details
*****SPAM***** Mail delivery failed: returning message to sender

First post, for the last couple of happy DA using I was able to find everything on this useful forum, but now this is something I can't solve.

Thanx for looking,
Frank. Amsterdam/The Netherlands

======MAIL========
Content preview: Failed to deliver to '[email protected]'
SMTP module(domain forum.exler.ru) reports: DNS Loop: MX-record mx2.exler.ru
points back to us Original-Recipient: rfc822;<[email protected]>
Final-Recipient: rfc822;<[email protected]> Action:
failed Status: 5.0.0 Remote-MTA: dns; forum.exler.ru Diagnostic-Code: smtp;DNS
Loop: MX-record mx2.exler.ru points back to us [...]

Content analysis details: (102.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 100 USER_IN_BLACKLIST      From: address is in the user's black-list
 1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [213.189.213.232 listed in bb.barracudacentral.org]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 2.6 MSGID_RANDY            Message-Id has pattern used in spam
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
 
Code:
Where do you want the spam to go?
[ ]	Inbox (don't block it)
[ ]	Redirect it to the catch-all spam folder in your main imap account.
[ ]	Send the spam to the appropriate users's spam folder.
[x]	Delete the spam.

And what do you have for that domain on the SpamAssassin managing page in DirectAdmin?
 
Hi zEitEr's,

x Delete the spam.

And that's working for almost all of the SPAM, except for the described 'Returned/Delivery failure' type of spam. Hope someone knows a solution, it's over 100 spam messages a day for this type.
 
If you want I could take a look at your message headers for free. In this case do not hide anything and attach full RFC headers in PM.
What I want is to make sure that it was an incoming message marked as SPAM on your server. I doubt you are hosting forum.exler.ru, am I right?
 
I have the same problem on different machines in different accounts. In my case the problem is that I use the catch-all function (or even normal forwarder).

I believe that SpamAssassin does not work correctly if the recipient of the domain is NOT an actual POP3/IMAP account in DA. I guess it falls back on some default configuration where it says not to drop the e-mail and the required points is always 5.0.

If you try to change the "required points" to a different value, you will see that SpamAssassin will keep saying that 5.0 is required, am I right?
 
Can you post the output of:

cat /etc/exim.conf | grep -B 1 -A 21 'spamcheck_director:'
 
@TS I don't want to hijack your post but since I think we're on the same spot I guess it's cool I'm replying too?

Code:
                        {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
                        {<{$message_size}{100k}} \
                } {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify

majordomo_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${if exists{/etc/virtual/${domain}/majordomo/list.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/list.aliases}}}}
  domains = lsearch;/etc/virtual/domainowners
  file_transport = address_file
  group = daemon
  pipe_transport = majordomo_pipe
 
Hey you changed your post :cool: Well here it is:

# Spam Assassin
spamcheck_director:
  driver = accept
  condition = "${if and { \
                        {!def:h_X-Spam-Flag:} \
                        {!eq {$received_protocol}{spam-scanned}} \
                        {!eq {$received_protocol}{local}} \
                        {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
                        {<{$message_size}{100k}} \
                } {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify

majordomo_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${if exists{/etc/virtual/${domain}/majordomo/list.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/list.aliases}}}}
  domains = lsearch;/etc/virtual/domainowners
  file_transport = address_file
  group = daemon
  pipe_transport = majordomo_pipe

Thanks
 
For catch-all and forwarders, refer to this: http://help.directadmin.com/item.php?id=156

With this guide you can prevent SpamAssassin from scanning, right? That's the opposite of what I want. I want SA to scan those e-mails using the settings the recipient mailbox uses. Or at least I want to change those 'default' settings so I can make SA delete it.


So let's say I have [email protected] as catch-all. So *@domain.com forwards to [email protected].

My SA is set to 4.0 required points and delete the spam.

A spam message with 6 points sent to [email protected] will get deleted just fine.

But a spam message sent to [email protected] will come in to my inbox and will show something like:

Code:
Content analysis details:   (18.7 points, 5.0 required)

So how can I get those messages to be deleted by SA :confused:
 
Do the opposite from what is mentioned in the guide, and remove lines in blue print and leave it as the following (as default):

Code:
# Spam Assassin
spamcheck_director:
  driver = accept
  condition = "${if and { \
			{!def:h_X-Spam-Flag:} \
			{!eq {$received_protocol}{spam-scanned}} \
			{!eq {$received_protocol}{local}} \
			{exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
			{<{$message_size}{500k}} \
		} {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify


With this, SA will scan all incoming emails for every existing domain/alias/pointer which has SpamAssassin enabled.
 
Thanks for trying Alex but that piece of default config is already applied on my SA.

Please read my above topics again where I explain the problem.

SA works fine just not for the forwarders/catch-all
 
Then you should read /var/log/exim/mainlog and even might need to enable logging in SA

Open /etc/init.d/exim

find line

Code:
if [ -e /usr/bin/spamd ]; then /usr/bin/spamd -d -c -m 15 1>/dev/null 2>/dev/null; fi

and replace it with

Code:
if [ -e /usr/bin/spamd ]; then /usr/bin/spamd -d -c -m 5 -s /var/log/exim/spamd.log -r /var/run/spamd.pid 1>/dev/null 2>/dev/null; fi

Then restart exim as usual. Send email to a catch-all (or forwarder) address and see /var/log/exim/spamd.log (of course RFC header of such email might be also helpful). Without additional info I have nothing to suggest... for now.
 
Hi Alex,

I will send you the requested full RFC headers in PM, thanx for looking! No, I'm not hosting forum.exler.ru ;-)

 
Hello,

OK, I've looked at the headers, and it seems SA checked and marked the message as SPAM. Note, it is not SpamAssassin which routes the email after Spam checking...

Code:
grep --before=1 --after=3 X-Spam-Level /etc/virtual/domain.com/filter

What do you see with that?


It's still exim which takes actions according to user preferences:

Code:
# grep --before=1 --after=3 X-Spam-Level /etc/virtual/domain.com/filter
if
        $h_X-Spam-Level: contains "*******"
then
        seen finish
endif

In my example it says to block SPAM with 7 points.

Note, the message you've got as it seems to me is a bounce. And to investigate further you might need to find exim logs for that day and find lines related to the message, with this code:

Code:
exigrep 1TIfA5-0005ur-RG /var/log/exim/mainlog

Where 1TIfA5-0005ur-RG is the message ID of that bounce
and /var/log/exim/mainlog is the actual log of exim; you might need to specify another logfile here which contains data for that period of time.
 
Hi Alex, Here are the answers. Great you're looking into this!!!

grep --before=1 --after=3 X-Spam-Level /etc/virtual/#####.nl/filter
I see this:

if
$h_X-Spam-Level: contains "**********"
then
seen finish
endif

exigrep 1TIfA5-0005ur-RG /var/log/exim/mainlog

-bash-3.2# exigrep 1TIfA5-0005ur-RG /var/log/exim/mainlog
2012-10-01 14:31:50 1TIfA5-0005ur-RG <= <> U=mail P=spam-scanned S=4952 T="*****SPAM***** Returned email" from <> for info@#####.nl
2012-10-01 14:31:50 1TIfA5-0005ur-RG => info <info@#####.nl> F=<> R=virtual_user T=virtual_localdelivery S=5042
2012-10-01 14:31:50 1TIfA5-0005ur-RG Completed
 
For what it's worth, the reason the filters are set to not filter bounces is that RFCs and good practices require that you know when systems won't accept your messages. In the opinion of many mailserver administrators, only spammers ignore bounces, so if you do, you're a spammer. Note that not ignoring bounces could get you on some spamblocker lists; even perhaps some of the ones we use.

(For example, if you don't remove from lists any addresses that bounce your emails.)

Jeff
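
Added example, not part of the thread: the exigrep output above shows one message that arrived from the null sender `<>` (a bounce), already carried the *****SPAM***** subject tag, and was still handed to `virtual_localdelivery`. The sketch below applies the same check to a whole log. It assumes the subject is logged as `T="..."` as in that output; the sample log lines, message IDs and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): find bounces that SpamAssassin tagged
# but Exim still delivered to a local mailbox.

# Constructed sample in the mainlog format shown above; IDs and addresses are placeholders.
sample_log() {
cat <<'EOF'
2012-10-01 14:31:50 1AAAAA-000001-AA <= <> U=mail P=spam-scanned S=4952 T="*****SPAM***** Returned email" from <> for info@example.nl
2012-10-01 14:31:50 1AAAAA-000001-AA => info <info@example.nl> F=<> R=virtual_user T=virtual_localdelivery S=5042
2012-10-01 14:31:50 1AAAAA-000001-AA Completed
2012-10-01 14:32:10 1BBBBB-000002-BB <= sender@example.org U=mail P=spam-scanned S=3100 T="Meeting notes" from <sender@example.org> for info@example.nl
2012-10-01 14:32:10 1BBBBB-000002-BB => info <info@example.nl> F=<sender@example.org> R=virtual_user T=virtual_localdelivery S=3190
2012-10-01 14:32:10 1BBBBB-000002-BB Completed
2012-10-01 14:33:02 1CCCCC-000003-CC <= <> U=mail P=spam-scanned S=2800 T="Mail delivery failed: returning message to sender" from <> for info@example.nl
2012-10-01 14:33:02 1CCCCC-000003-CC => info <info@example.nl> F=<> R=virtual_user T=virtual_localdelivery S=2890
2012-10-01 14:33:02 1CCCCC-000003-CC Completed
EOF
}

# Print the message ID of every delivered, spam-tagged bounce.
# Reads the log files given as arguments, or stdin when there are none.
delivered_spam_bounces() {
    awk '
        # Arrival line: field 4 is "<=", field 5 is the envelope sender ("<>" marks a bounce).
        $4 == "<=" && $5 == "<>" && index($0, "T=\"*****SPAM*****") { tagged[$3] = 1 }
        # Delivery line for an ID remembered above, handled by the local mailbox transport.
        $4 == "=>" && ($3 in tagged) && /T=virtual_localdelivery/ { print $3 }
    ' "$@"
}

# Number of such messages, for a quick per-log total.
count_delivered_spam_bounces() {
    delivered_spam_bounces "$@" | wc -l | tr -d " "
}

# Stand-alone run on the constructed sample.
sample_log | delivered_spam_bounces
```

On a server, call `delivered_spam_bounces /var/log/exim/mainlog` and pass any ID it prints to exigrep for the full record. The untagged bounce in the sample is deliberately not reported, since only the tagged ones are the subject of this thread.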
 
Messages to mailing list are scanned but not blocked

Hi,

I run a few mailing lists on my DA server, some of them being moderated lists.

Recently I get dozens of 'bounce - Approval required' messages from the mailing-list server. Then when looking at the post-to-be-approved, I see that the message has been marked as high-scoring spam by SpamAssassin, but it is then sent to the mailing list system without blocking.

Is it possible to block high scoring spam before handing it to the mailing list system?
 