RBL lookups not working, spamassassin not scanning properly

pucky

I installed everything for Spamassassin from CB2 as per the knowledge base articles 526 posted.

RBLs are not being queried. In fact, all the messages arriving to my server look like this.

SpamTally: Final spam score: -60 and - 20 etc in the header.

I have gone through multiple articles, recompiled everything over and over and nothing is working here.

All spam is getting through with minus final spam scores everywhere.

Spamd is running, mail is arriving and there are no errors in the logs. I don't see RBL lookups anywhere, not in the logs at least.

Already really annoyed with this as I have spent countless hours trying to work out why CB2 has failed to install everything properly.
 
And still you are one of many which are using it.

Can you please show us a header of an incoming email with that score? It may be important to see why the score has dropped so much, but you're still not providing that information.

The more information we get, the more likely you'll get more support and hopefully a solution.

Guessing will not help, and telling you "test this" or "test that" will just waste time on both sides, don't you think? :)

Best regards
 
What I did

I followed this https://help.directadmin.com/item.php?id=577

1) First I installed spamassassin https://help.directadmin.com/item.php?id=36
2) Made sure spamd was running, it is.
3) Then I installed https://help.directadmin.com/item.php?id=142
4) Then ran this https://help.directadmin.com/item.php?id=576
5) Then I went in and enabled spamassassin for the domains that get spam

This is the result after 2 days.

Here is an example, final score -75 lol

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from da.efastxxxxx.net
	by da.efastxxxxx.net (Dovecot) with LMTP id sQc5Hs2/AFnRGg8AmSYpYw
	for <[email protected]>; Wed, 26 Apr 2017 08:42:05 -0700
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 26 Apr 2017 08:42:05 -0700
Received: from mail78.buf194.sendlane.com ([192.186.128.78])
	by da.efastxxxxx.net with esmtp (Exim 4.89)
	(envelope-from <[email protected]>)
	id 1d3P4o-000nca-Rp
	for [email protected]; Wed, 26 Apr 2017 08:42:05 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=SLSV2; d=sendlane.com;
 h=Sender:Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe; [email protected];
 bh=zDHGda/sdQPhpWO+Htjb04KzeVQ=;
 b=lrfWmAT7i7POFnSZ0Tqq47WsZdkNzzakdVasbhFascBRwanrCJamD5t9C/gNlpsQMpFWRK2AE+fm
   EQyhRkLwSOE6Lpz2KQRtGOahDShEa5UtY97Zw3PSe8CgtE+HX+/mwXTw6mi8NkCYgKhinxNM+Ceg
   s1OAVqSXbg+CGLUfi9U=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=SLSV2; d=sendlane.com;
 b=OLjU7u61hJVDgU3em+NdgQpg1ldhXpR4kf80We6/SiT88T//Ai3UO4RVh+tXTSS8/XLch2JH+6wS
   zxR7hjbTwG/nni9X/OfEvlxKThoIHwzt9yGfrCy5b+lDqfaHWYxwibbQWyFiZadW10QU7XS++UUQ
   ZzduZ6yLo38QmU6p1tk=;
Sender: [email protected]
Message-ID: <000001451l6pqnjx-xuw9j4e2-0215-e6b3-239f-tzvgosji0qra-000000@optinlinks.sendlane.com>
Date: Wed, 26 Apr 2017 11:40:45 -0400
Subject: How he made 5 GRAND in a weekend...
From: Kevin Strong <[email protected]>
To: " " <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=14932212454ba412b3f9a663eac9779ec9c53f59c2
X-Subscription: Subscribed on 04/20/2017, via web form, from import
X-Mailer: Sendlane 1.0
List-Unsubscribe: <http://track.slsv2.com/uml/kcjUYRI8B4/230e41009413a5a96013ae108300afd2/577afd75e1bc305b85e8024a063e427b/optinlinks>
X-Complaints-To: [email protected]
SPFCheck: Server passes SPF test, -30 Spam score
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 192.186.128.78, -10 Spam score
X-DKIM: signer='sendlane.com' status='pass' reason=''
DKIMCheck: Server passes DKIM test, -20 Spam score
X-DKIM: signer='@mail78.buf194.sendlane.com' status='pass' reason=''
X-Spam-Score: 0.5 (/)
X-Spam-Report: Spam detection software, running on the system "da.efastxxxxx.net",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  So this just happened: http://i.imgur.com/E1QCSz6.jpg I helped
    him make over 5 grand in a weekend. [...] 
 
 Content analysis details:   (0.5 points, 7.5 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.5 FROM_DOMAIN_NOVOWEL    From: domain has series of non-vowel letters
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
  0.0 LOTS_OF_MONEY          Huge... sums of money
SpamTally: Final spam score: -75
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Looks like no scores are being added and no RBL checks are being done
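An added example (not from any poster in the thread): a small parser that splits a header block like the one above into SpamAssassin's own result and the separate score headers that feed the `SpamTally` line. The sample is a constructed, trimmed copy of the posted headers; the function name `triage` and the list of DNS-dependent rule prefixes are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the scoring headers posted above.
SAMPLE = """\
SPFCheck: Server passes SPF test, -30 Spam score
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 192.186.128.78, -10 Spam score
DKIMCheck: Server passes DKIM test, -20 Spam score
X-Spam-Score: 0.5 (/)
X-Spam-Report: Spam detection software, running on the system "da.efastxxxxx.net",
 has NOT identified this incoming email as spam.
 Content analysis details:   (0.5 points, 7.5 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.5 FROM_DOMAIN_NOVOWEL    From: domain has series of non-vowel letters
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
SpamTally: Final spam score: -75
"""

RULE = re.compile(r"^[ \t]*(-?\d+(?:\.\d+)?)[ \t]+([A-Z][A-Z0-9_]+)\s", re.M)
ADJUST = re.compile(r"^([A-Za-z-]+): .*?(-?\d+) Spam score[ \t]*$", re.M)
TALLY = re.compile(r"^SpamTally: Final spam score: (-?\d+)", re.M)
SA_TOTAL = re.compile(r"\((-?[\d.]+) points, ([\d.]+) required\)")
# Assumption: prefixes of stock SpamAssassin rules that depend on DNS lookups.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_FROM_")

def triage(raw):
    """Separate SpamAssassin's report from the headers outside it."""
    table = raw.split("rule name", 1)[-1]      # rule rows follow the table header
    rules = {name: float(pts) for pts, name in RULE.findall(table)}
    total, tally = SA_TOTAL.search(raw), TALLY.search(raw)
    return {
        "sa_score": float(total.group(1)) if total else None,
        "sa_required": float(total.group(2)) if total else None,
        "sa_rules": rules,
        # SpamAssassin lists only rules that hit, so an empty list here means
        # "no listing reported", not proof that lookups were skipped.
        "network_hits": sorted(r for r in rules if r.startswith(NETWORK_PREFIXES)),
        "tally_adjustments": {k: int(v) for k, v in ADJUST.findall(raw)},
        "final_tally": int(tally.group(1)) if tally else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, SpamAssassin's own score is 0.5 of 7.5 required with no DNS-based rule reported, while the negative total comes entirely from the headers outside its report.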
 
Ok,
The server has a valid DKIM key
The server has a valid PTR record
The server has a valid SPF record
The server is not listed in any RBL
Checked:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist:192.186.128.78&run=toolpage
http://www.anti-abuse.org/multi-rbl-check-results/?host=192.186.128.78
https://www.spamhaus.org/query/ip/192.186.128.78
http://www.senderbase.org/lookup/?search_string=192.186.128.78

Why do you think the server would get this as spam if all the checks a server can do show that the server is "clean"?

If you base your decision on the text inside the email, that will not happen unless you set some mail filter on that (like *viagra* *vi4gr4*, etc.) for mail subject and/or body.

From what I can see, the sender server IP is not in any RBL and there is no reason to block it.

Best regards
 
Because in two days every spam message has failed to be recorded as spam. No lookups to RBLs that I can see. At least show us in the message header that RBLs were queried.

ASSP spam would have caught this long ago. But spamassassin can't?

So every message arriving has a negative score value? What do you think, every message arriving should have viagra in the header?
 
Also, I have this error, 2nd time I've seen it in the logs today:

2017-04-26 07:01:34 H=([103.47.66.214]) [103.47.66.214] Warning: ACL "warn" statement skipped: condition test deferred: failed to expand ACL string "${lookup dnsdb{ptr=$sender_host_address}{false}{true}}": lookup of "ptr=103.47.66.214" gave DEFER:
 
I know this is an old thread, but I was testing some things because I got a plugin installed in Thunderbird to check the DKIM and it keeps giving an error in DNS. So I did some googling on the error.
I saw this one https://major.io/2014/06/20/fixing-broken-dns-lookups-in-spamassassin/
and it said this:
Net::DNS version 0.76 changed the field name holding a set of nameservers in a Net::DNS::Resolver object: it used to be ‘nameservers’, but is now split into two fields: ‘nameserver4’ and ‘nameserver6’.

Mail/SpamAssassin/DnsResolver.pm relied on the internal field name of a Net::DNS::Resolver object to obtain a default list of recursive name servers, so the change in Net::DNS broke that.

So in /etc/resolv.conf I changed the nameserver IP to nameserver4 and did a restart of spamd. It didn't give any error. So I tried to send an email from my Gmail to my mail server and it didn't get delivered. The log said:

2018-10-29 13:49:33 H=(mail-ed1-f45.google.com) [IP] Warning: ACL "warn" statement skipped: condition test deferred: failed to expand ACL string "${lookup dnsdb{ptr=$sender_host_address}{false}{true}}": lookup of "ptr=IP" gave DEFER:
2018-10-29 13:49:33 H=(mail-ed1-f45.google.com) [IP] Warning: ACL "warn" statement skipped: condition test deferred: host lookup deferred for reverse lookup check
2018-10-29 13:49:33 H=(mail-ed1-f45.google.com) [IP] sender verify defer for <[email protected]>: host lookup did not complete
2018-10-29 13:49:33 H=(mail-ed1-f45.google.com) [IP] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<[email protected]> temporarily rejected RCPT <owndomein>: Could not complete sender verify
2018-10-29 13:49:33 H=(mail-ed1-f45.google.com) [IP] incomplete transaction (QUIT) from <[email protected]>

So I changed it back, removed the 4 and 6, and it worked again.

That fixed that error, but it still gives the error in DNS for DKIM, so I'm not sure where that problem is.

Not that much of a big deal. I set up everything nicely and everything is verified, except for incoming mail, where it doesn't seem to check the DKIM correctly. But I'm not sure if that is a problem on my PC or on the mail server.
 
I'm also having these errors, but changing nameservers in resolv.conf to nameserver4 and then back to nameserver is not a fix, it's just luck.

I'm still running 0.62 on CentOS 6 and 0.72 of Perl-Net-DNS.

CPAN is using 1.18 or something I believe, which has several bugfixes. I don't know if this is one of them.
On one of the CentOS 6 servers I've got 1.17 running from CPAN, but the same error occurs.
 
Your link points to another issue which is also important.
You'd better not use Google nameservers in /etc/resolv.conf, which is already known to me.

However, this issue had to do with the Net::DNS Perl module, which had problems at that time.
It was fixed a bit later in 2018 when the module got an update.
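An added example (not from any poster in the thread): a small lint for `/etc/resolv.conf` covering the two resolver conditions discussed above, lines whose keyword is not one that resolv.conf(5) defines (such as `nameserver4`, which in the quoted article is a field of the Net::DNS::Resolver object) and `nameserver` entries pointing at Google's public resolvers. The sample file contents and the function name `lint_resolv_conf` are constructed for illustration.

```python
import ipaddress

# Keywords defined in resolv.conf(5); the resolver ignores any other keyword.
KNOWN = {"nameserver", "search", "domain", "options", "sortlist"}
# Google Public DNS addresses, the resolvers the thread advises against.
PUBLIC = {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"}

# Constructed samples (192.0.2.0/24 is a documentation range).
RENAMED = "nameserver4 192.0.2.53\nnameserver4 192.0.2.54\n"
SHARED = "# constructed\nnameserver 8.8.8.8\n"
LOCAL = "nameserver 127.0.0.1\noptions timeout:2\n"

def lint_resolv_conf(text):
    """Return (usable nameservers, [(line number, finding)]); line 0 = whole file."""
    servers, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        key, *args = line.split()
        if key not in KNOWN:
            findings.append((n, f"unknown keyword '{key}' is ignored"))
            continue
        if key != "nameserver":
            continue
        try:
            addr = str(ipaddress.ip_address(args[0]))
        except (IndexError, ValueError):
            findings.append((n, "nameserver needs one IP address"))
            continue
        servers.append(addr)
        if addr in PUBLIC:
            # DNSBL operators commonly rate-limit or refuse queries that
            # arrive through large shared resolvers.
            findings.append((n, f"{addr} is a shared public resolver"))
    if not servers:
        # With no nameserver entries the resolver defaults to the local
        # machine, so lookups defer unless a resolver is listening there.
        findings.append((0, "no usable nameserver: falls back to localhost"))
    return servers, findings

if __name__ == "__main__":
    for name, sample in (("renamed", RENAMED), ("shared", SHARED), ("local", LOCAL)):
        print(name, lint_resolv_conf(sample))
```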
 