Irritating amount of SPAM...

Ankh

Hi!

Most of the time I can find a solution online for our problems with DA / CentOS, but this time we have one client who has an irritating amount of spam. Normally we try to teach SpamAssassin that it is spam, and we did that yesterday. But this morning the mail has been autolearned as HAM??

The mail being sent:
The mail header (I removed our info and the mail address of the user):
Code:
Received: from cc-server (192.168.50.2) by CC-SERVER.cc.local (192.168.50.2)
 with Microsoft SMTP Server id 8.1.340.0; Tue, 7 May 2013 22:51:32 +0200
Received: from mail by <blabla> with spam-scanned (Exim
 4.80.1)    (envelope-from <[email protected]>) id 1UZonp-0006Ak-8V    for
  <blabla>; Tue, 07 May 2013 22:48:02 +0200
Received: from srv1.okszi.net ([91.82.12.250])    by <blabla>
 with esmtp (Exim 4.80.1)    (envelope-from <[email protected]>) id
 1UZonp-0006AH-19    for <blabla>; Tue, 07 May 2013 22:48:01 +0200
Received: by srv1.okszi.net (Postfix, from userid 8)    id C0EE8803435; Tue,  7
 May 2013 22:48:08 +0200 (CEST)
Received: from fwvofjpvvq (sub-190-88-174ip176.rev.onenet.an [190.88.174.176])
    (Authenticated sender: [email protected])    by srv1.okszi.net (Postfix)
 with ESMTPA id 231B580342B;    Tue,  7 May 2013 22:48:02 +0200 (CEST)
Received: by MAPILab POP3 Connector 2.4.0.5; Tue, 07 May 2013 22:51:32 GMT
From: "[email protected]" <[email protected]>
To: "[email protected]" <[email protected]>, "[email protected]"
    <[email protected]>, "[email protected]" <[email protected]>,
    "[email protected]" <[email protected]>,
    "[email protected]" <[email protected]>, "[email protected]"
    <[email protected]>, "[email protected]"
    <[email protected]>, "[email protected]" <[email protected]>,
    "[email protected]" <[email protected]>
Date: Wed, 8 May 2013 07:44:15 +0200
Subject: DEV ONswi ng
Thread-Topic: DEV ONswi ng
Thread-Index: Ac5LZKfl/oBHV53uSV+g6CP9lm1XGw==
Message-ID: <[email protected]>
X-MS-Exchange-Organization-AuthSource: CC-SERVER.cc.local
X-MS-Has-Attach:
X-MS-Exchange-Organization-SenderIdResult: None
X-MS-Exchange-Organization-PRD: mokk.hu
X-MS-TNEF-Correlator:
envelope-to: <blabla>
delivery-date: Tue, 07 May 2013 22:48:02 +0200
x-antivirus-scanner: Clean mail though you should still use an Antivirus
x-spam-status: No, score=0.0 required=4.0
 tests=BAYES_00,DATE_IN_FUTURE_06_12,    URIBL_BLOCKED autolearn=ham
 version=3.3.2
x-spam-level:
x-spam-checker-version: SpamAssassin 3.3.2 (2011-06-06) on
    <blabla>
received-spf: None (CC-SERVER.cc.local: [email protected] does not
 designate permitted sender hosts)
Content-Type: text/plain; charset="iso-8859-7"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Almost every mail has the same layout (gibberish) and has been learned as ham..
The problem is that the client uses a POP3 connector from Exchange, so the spam isn't on the server to make an autolearn rule..

Does someone have a (simple) solution to stop the 100+ spam mails a day for this user?
We are running SpamAssassin 3.3.2 with the SpamBlocker config from DA on a CentOS 6 box.
 
If the spam comes from one domain, from one IP#, or from one sender, then you can use the blocklist and/or bad_sender_hosts files to block it.

Jeff
 
I'm having the same problem. Lots of gibberish spam with quite a high score:
X-Spam-Flag: YES
X-Spam-Level: ***************
X-Spam-Status: Yes, score=15.7 required=4.6 tests=BAYES_99,FROM_12LTRDOM,
FSL_HELO_BARE_IP_1,FSL_HELO_BARE_IP_2,MISSING_MID,RCVD_IN_BRBL_LASTEXT,
RCVD_NUMERIC_HELO,RDNS_NONE,TO_NO_BRKTS_NORDNS autolearn=no version=3.3.2

The messages all start with something like: "News Corp. earnings are up by ...% its a ..." and of course all messages are sent from different IPs and senders. Also both the subjects and body text vary a little.

SpamAssassin is configured to put all spam in a separate user's spambox, but it looks like all messages with a score above 15 are passed through to the normal mailbox. Even when the option "Yes, block all spam scoring higher than: 15" is set! I'm trying a minimum score of 25 now, because all scores under 15 do end up in the spambox, so hopefully all these kinds of messages end up in the spambox now as well.

It looks like it's the same issue as http://www.directadmin.com/forum/showthread.php?t=40297 (empty return-path). Only I don't run SpamBlocker 4 but the "standard" SpamBlocker 2, so I have to double-check which options to change in exim.conf (if possible).
As I read somewhere else, development and support of SpamBlocker (4) has stopped...?

Regards,
Danny

Edit: as could be expected, adjusting the minimum level to 25 doesn't do the trick. Now I tried some spam rules in some of my own accounts: two enters and the first 6 words of the message (these are all the same in every e-mail).
 
I'm not sure I'm having the same problem but I'm certainly having a problem!

All of a sudden email messages marked as SPAM are not routing to the spam folder. The SA settings are set to "Send the spam to the appropriate user's spam folder."

* All I have set-up is sa-update every day.
* I have perhaps updated Exim and Dovecot via CustomBuild. #spamcheck in exim.conf is still uncommented.
* I have checked the logs but cannot see anything out of the ordinary. Do I need to search for something specific?

Any advice?
 
Well, first of all: my trial for the spamfilter seems to work, so you might try that part.

What do you see when you look at the source of the e-mail? I bet the field "return-path" is empty (<>)!
If so, then this is the problem: e-mails with an empty return-path are not handled correctly and will be delivered in your normal mailbox, marked as spam.

In my post above I mentioned some people found a fix for this problem, but then you have to use SpamBlocker 4 and not version 2 that comes standard with DirectAdmin. But in another thread I recently read that Spamblocker 4 is no longer developed and supported because of new issues due to newer versions of Exim etc. But please let someone correct me if I'm wrong!

sa-update is nice, but there is no need to run it every day. Once a week or once a month will do fine. I never noticed any problems with it.
In this case updating SA is not the solution. The way e-mails with empty return-paths are handled through Exim however, is the problem.

Danny.
 
Hello.

Spam emails with a return path of <> or <[email protected]> are still coming through marked as spam but not being directed to the correct spam folder, just the inbox. I've gone through the logs with a fine tooth comb and there's nothing out of the ordinary!
 
Hello!
This is easy to fix.

A return path of <> in an email is treated by Exim as a mail delivery error or bounced message.
In the file /etc/virtual/DOMAIN/filter, the condition at the top is

if error_message then finish endif

so the rest of the settings are ignored.
Please remove that line and also remove it from the DirectAdmin template /usr/local/directadmin/data/templates/filter_base

Piotr Kloc
linuxpl.com
 
I found another solution on the cPanel forum. Instead of deleting the line they recommend changing it to

if not first_delivery and error_message then finish endif

Not sure what it really does.
 
Let's see what will happen. For one domain I changed the line into: if not first_delivery and error_message then finish endif

To me it sounds like it checks whether it is a bounce or an original delivery. When it's a bounce, the handling is like we are used to now (so return to the mailbox), otherwise continue the filtering process. But I'm no expert (unfortunately).

I will report the results :)
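A small model of the filter ordering this thread is discussing (an added example, not DirectAdmin's filter template or Exim itself): `is_error_message` stands in for Exim's `error_message` condition (true for an empty envelope sender, `<>`), `first_delivery` is passed in as a flag because a script cannot observe Exim's delivery state, and the sample messages are constructed.

```python
"""Model of the Exim filter ordering discussed in the thread (added example).
Exim sets error_message for mail with an empty return path (<>), so
`if error_message then finish endif` at the top of the filter stops
processing before the X-Spam-Status check can redirect spam."""
from email import message_from_string

# Constructed sample messages, not real mail from the thread.
SPAM_EMPTY_RP = """Return-Path: <>
X-Spam-Status: Yes, score=15.7 required=4.6 tests=BAYES_99 autolearn=no
Subject: News Corp. earnings are up

body
"""
SPAM_WITH_RP = SPAM_EMPTY_RP.replace(
    "Return-Path: <>", "Return-Path: <sender@example.invalid>")
REAL_BOUNCE = """Return-Path: <>
X-Spam-Status: No, score=0.0 required=4.6 tests=BAYES_00 autolearn=ham
Subject: Mail delivery failed

body
"""


def is_error_message(msg):
    """Stand-in for Exim's error_message: true when the envelope sender is <>."""
    rp = (msg.get("Return-Path") or "").strip()
    return rp in ("", "<>")


def is_spam(msg):
    """The check the DirectAdmin filter makes on the SpamAssassin header."""
    return (msg.get("X-Spam-Status") or "").startswith("Yes,")


def route(raw, first_delivery=True, patched=False):
    """Return where the message ends up: 'inbox' or 'spambox'.
    patched=False models `if error_message then finish endif`;
    patched=True models `if not first_delivery and error_message then finish endif`."""
    msg = message_from_string(raw)
    if patched:
        bail_out = (not first_delivery) and is_error_message(msg)
    else:
        bail_out = is_error_message(msg)
    if bail_out:
        return "inbox"  # 'finish': the rest of the filter is skipped
    if is_spam(msg):
        return "spambox"
    return "inbox"
```

With the original line, spam carrying an empty return path reaches the inbox; with the patched condition it is redirected on the first delivery attempt, while a genuine bounce (not flagged as spam) still lands in the inbox.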
 
It seems to work for me; I haven't received any spam for 3 hours now.

Waiting for your result

Do you think DA will update the template ?
 
Seems to work here too, although also no new spam is being written to the spamfolder at all. And if that's truly the case, this is not really wanted either; I would like to check the spamfolder for false positives. I will keep my eye on this...!

Nice to keep in mind: after editing the template the only thing you have to do for each domain is to go to the SpamAssassin settings in DirectAdmin and save the configuration (without changing anything). This way the new template is being used and you don't have to edit all domains using the shell :)

Let's hope DA will update the template if this is really the trick :D

Danny
 
I've recently encountered the same problem. Spam is not being sent to the user's spam folder when the Return-Path is empty, no matter what the score is. As far as I can see now the only recent change is updating to DA 1.43.

I've found an earlier thread: http://forum.directadmin.com/showthread.php?t=15534&p=85322#post85322 where they said this:

I then started fiddling with the filter file in /etc/virtual/www.domain.com/ . After a while I discovered if I placed the : if $h_X-Spam-Status: contains "Yes," ... section BEFORE "if error_message then finish endif" then spam would then be transferred to the spam folder.

I've changed the filter file and waiting to see if spam is now redirected to the spam folder when Return-Path is empty. I still would like to know what has changed this behaviour of spam redirecting. Is this a new type of spam? Or has the redirecting mechanism changed?
 
Perhaps this should be raised as a bug? I'm fine with modifying the template myself; however, I need to know that in doing so something like this will not happen in future and mess up the spam. I am more than happy to leave spam going to the inbox for now, as losing false positives could be rather drastic for me.
 
Well, my first thought was the spam didn't get delivered in the spamboxes, but I've seen everything is all right. Jocker's solution seems to be the right fix for me :)
 
Hi,

I'm having the same issue: since a few days, a sudden spike in SPAM getting through, in contrast with my SpamAssassin setup.

This is the way I've set it up for a number of domains in DA:

Where do you want the spam to go? -> Inbox (don't block it)
What score threshold do you wish to use? -> Custom : 15
Would you like to delete high scoring spam? -> Yes, block all spam scoring higher than: 29
Do you wish to rewrite the subject of a spam email? -> Yes, set the subject to the following: **SPAM*LBT**_SCORE_/_REQD_

which worked fine:
- spam scored mail with a score up to 29 came in my inbox of my mailclient like I wanted
- higher scored spam was immediately deleted (anything above 29 could not contain false positives)

And as said, now since a few days or 2 weeks, I get mails with a spam score of 50 and higher in my inbox.
At first sight, they all seem to be related to the same spam flood: "How to profit $1`000`000`000 in flicks field investment? ..." and similar.
Most of it is from Ukrainian domains, although since mid last week it has become more 50/50 (UA domains, other domains).
(To my unpleasant surprise, I even get this spam on mail addresses at domains I very rarely use on the internet? :()

Because I have all spam with a score > 29 deleted and not stored on the server, I cannot see whether the bypassing of the antispam is related to only that latest spam flood, or to any spam.
The only spam I'm seeing in my inbox with a score > 29 is from that one "flood".

I've applied Jocker's fix to the domain suffering the most, and will see tomorrow if that indeed is a fix or not, before applying it to all 100 domains on the server with DA.

L.
 
You might need to enable logging in SpamAssassin and see what happens with all that, and check Exim logs of course, as well as reject logs.
 
@lightningbit: same here, although all spam is redirected to the user's spambox and not the inbox. Setting the level to 15 or 29 doesn't matter for this spam flood; even if you set it at 100 these messages will be dropped in your inbox. By the sounds of it you suffer the same spam flood as I am.

I have used Jocker's solution for 4 domains and all seems fine for now. Can't say I'm looking forward to applying the fix for all domains by hand, but if that's the solution it has to be done :/

@Alex: using the standard DA configuration, I can see all of this in /var/log/exim/mainlog. But where did you setup SA for logging? Can't find an option for this in /etc/mail/spamassassin/local.cf

Danny
 
Update /etc/init.d/exim and replace

Code:
if [ -e /usr/bin/spamd ]; then /usr/bin/spamd -d -c -m 15 1>/dev/null 2>/dev/null; fi

with

Code:
if [ -e /usr/bin/spamd ]; then /usr/bin/spamd -d -c -m 5 -s /var/log/exim/spamd.log -r /var/run/spamd.pid 1>/dev/null 2>/dev/null; fi

and re-start exim. To test see:

Code:
# ps aux | grep spam
root      2494  0.0  1.5 257008 61264 ?        SN   May12   0:21 spamd child
root      3902  0.0  1.4 254980 58744 ?        SN   May12   0:06 spamd child
root     13854  0.0  1.4 252108 56260 ?        SNs  May12   0:26 /usr/bin/spamd -d -c -m 5 -s /var/log/exim/spamd.log -r /var/run/spamd.pid
root     18952  0.0  0.0 103308   844 pts/3    SN+  00:21   0:00 grep spam

You might need to create /var/log/exim/spamd.log prior to the Exim restart and take care of its rotation.
 