Thread: Spam not being blocked again, low spam score???

  1. #1
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,082

    Spam not being blocked again, low spam score???

    I do have RBLs activated, but it seems spam gets through with a low spam score??

    This is from a mail which IS on the spamhaus blacklist.
    Code:
    X-Spam-Score: 1.3 (+)
    X-Spam-Report: Spam detection software, running on the system "server18.ourserver.nl",
     has NOT identified this incoming email as spam.  The original
     message has been attached to this so you can view it or label
     similar future email.  If you have any questions, see
     the administrator of that system for details.
    Score 1.3?????

    Code:
     Content analysis details:   (1.3 points, 7.5 required)
     
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
      0.0 T_SPF_HELO_PERMERROR   SPF: test of HELO record failed (permerror)
      0.0 T_SPF_PERMERROR        SPF: test of record failed (permerror)
      0.0 HTML_MESSAGE           BODY: HTML included in message
      1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
    SpamTally: Final spam score: 13
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    Then from /var/log/messages:
    Code:
    Aug 24 21:36:01 server18 spamd[8316]: spamd: connection from localhost [127.0.0.1]:52194 to port 783, fd 5
    Aug 24 21:36:01 server18 spamd[8316]: spamd: setuid to mydomain succeeded
    Aug 24 21:36:01 server18 spamd[8316]: spamd: checking message <bddmBaXqvn8OcSoR_RVmTu2GY8GH0UP7qbODMxIZ0WU.0KmKAmEhS-E_1Ow1AevpymDcJ
    0Qc_c_App-vXGIuqJU@amisrue.website> for mydomain:503
    Aug 24 21:36:02 server18 spamd[8316]: spamd: clean message (1.3/7.5) for mydomain:503 in 1.6 seconds, 12711 bytes.
    Aug 24 21:36:02 server18 spamd[8316]: spamd: result: . 1 - HTML_MESSAGE,RDNS_NONE,T_SPF_HELO_PERMERROR,T_SPF_PERMERROR scantime=1.6,
    size=12711,user=myuser,uid=503,required_score=7.5,rhost=localhost,raddr=127.0.0.1,rport=52194,mid=<bddmBaXqvn8OcSoR_RVmTu2GY8GH0
    UP7qbODMxIZ0WU.0KmKAmEhS-E_1Ow1AevpymDcJ0Qc_c_App-vXGIuqJU@amisrue.website>,autolearn=no autolearn_force=no
    Autolearn=no? Strange. And where is the RBL check? Because this would add +100 to the spam score.
    This is from my Easy Spam Fighter configuration file which I changed. Or do I need to make a custom one for changes?
    Code:
    EASY_LIMIT = 55
    EASY_IS_SPAM = 20
    EASY_HIGH_SCORE_DROP = 75
    EASY_SPF_PASS = -30
    EASY_SPF_SOFT_FAIL = 30
    EASY_SPF_FAIL = 100
    EASY_DKIM_PASS = -20
    EASY_DKIM_FAIL = 100
    EASY_NO_REVERSE_IP = 100
    EASY_FORWARD_CONFIRMED_RDNS = -10
    EASY_DNS_BLACKLIST = 100
    EASY_SPAMASSASSIN_MAX_SIZE = 200K
    I had a look at this post:
    http://forum.directadmin.com/showthr...841#post272841

    But I have razor2 and did it like this:
    yum install perl-YAML
    yum install re2c

    cpan -i Archive::Tar Digest::SHA Mail::SPF IP::Country Net::Ident Compress::Zlib Mail::DKIM LWP::UserAgent HTTP::Date Encode::Detect ExtUtils::MakeMaker NetAddr::IP Mail::SpamAssassin::Plugin::Razor2 Razor2::Client::Agent IO::Socket::SSL DBI

    cpan install Mail::SpamAssassin::Plugin::Rule2XSBody Razor2::Client::Agent

    Activate in v320pre:
    loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
    Can anybody give me a clue? RBL not checked. rDNS not present, but only a 1.3 score instead of the 100 I configured; what is going on?
    Greetings, Richard.

  2. #2
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,684
    That looks more like a scan from SpamAssassin, not ESF. You should have other header lines for ESF; if you don't have them, ensure ESF is correctly installed.

    Best regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  3. #3
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,082
    ESF is installed correctly as far as I know. It's done via Custombuild a long time ago already.
    What's the best way to check if it's installed correctly and/or working correctly?
    Greetings, Richard.

  4. #4
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,684
    Code:
    Date: Thu, 31 Aug 2017 11:12:21 -0500
    SPFCheck: Server passes SPF test, -30 Spam score
    Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 69.162.69.58, -10 Spam score
    X-DKIM: signer='forum.directadmin.com' status='pass' reason=''
    DKIMCheck: Server passes DKIM test, -20 Spam score
    X-Spam-Score: -1.9 (-)
    X-Spam-Report: Spam detection software, running on the system "Orange01.CrazyNetwork.it",
     has NOT identified this incoming email as spam.  The original
     message has been attached to this so you can view it or label
     similar future email.  If you have any questions, see
     the administrator of that system for details.
     
     Content preview:  Dear SeLLeRoNe, Richard G has just replied to a thread you
        have subscribed to entitled - Spam not being blocked again, low spam score???
        - in the SpamBlocker forum of DirectAdmin Forums. This thread is located
       at: https://forum.directadmin.com/showthread.php?t=55226&goto=newpost [...]
        
     
     Content analysis details:   (-1.9 points, 5.0 required)
     
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
      0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                 See
                                 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                  for more information.
                                 [URIs: directadmin.com]
     -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
     -0.0 SPF_PASS               SPF: sender matches SPF record
     -0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
     -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                 [score: 0.0000]
      0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
     -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
    SpamTally: Final spam score: -78
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    The marked line should be the output from ESF. Actually I just noticed that you have it, but it says 13, which means it is basically just getting the results from SpamAssassin, apparently without using the internal rules.

    That's odd, you may want to try to run this:
    Code:
    /usr/local/directadmin/custombuild/build easy_spam_fighter
    But I have no idea how to manually test it, to be honest.
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  5. #5
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,082
    Thank you.
    It's indeed strange, so I did a rebuild.
    Code:
    /usr/local/directadmin/custombuild/build easy_spam_fighter
    2017-08-31 18:35:44 cwd=/usr/local/directadmin/custombuild 2 args: /usr/sbin/exim --version
    2017-08-31 18:35:44 cwd=/usr/local/directadmin/custombuild 2 args: /usr/sbin/exim --version
    Enabling Easy Spam Fighter...
    Restarting exim.
    Shutting down exim: 
    Starting exim: 
    Easy Spam Fighter is now enabled.
    Hope it will work better now. Maybe SMTalk knows a way to test it.
    I also discovered that the ESF custom file will not work (see other thread), so maybe there is something more going on with ESF.
    Greetings, Richard.

  6. #6
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,684
    It does work; you just need to use == to override settings already declared in the normal file.
    Basically the custom file in that case can be filled with just the attributes you want to change, as long as you declare them with ==

    Best regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  7. #7
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,082
    Yep I found that out too. But that is not what it says in the help file, so that was confusing.
    Greetings, Richard.

  8. #8
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,082
    Well, I can confirm that for some reason ESF is not running: I do not get the line in the header, and mail blocked by Spamhaus (RBL) and even a wrong HELO is not blocked:
    Code:
    Return-Path: <info@senderdomain.nl>
    Delivered-To: info@receiver.org
    Received: from server.company.nl
    	by server.company.nl with LMTP id qCevHOO/vFk8FwAADNWw8g
    	for <info@receiver.org>; Sat, 16 Sep 2017 08:08:35 +0200
    Return-path: <info@senderdomain.nl>
    Envelope-to: info@receiver.org
    Delivery-date: Sat, 16 Sep 2017 08:08:35 +0200
    Received: from mail by server.company.nl with spam-scanned (Exim 4.89)
    	(envelope-from <info@senderdomain.nl>)
    	id 1dt6HJ-0001Zk-El
    	for info@receiver.org; Sat, 16 Sep 2017 08:08:35 +0200
    X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
    	server.company.nl
    X-Spam-Level: 
    X-Spam-Status: No, score=-0.2 required=7.5 tests=ALL_TRUSTED,
    	HTML_IMAGE_RATIO_02,HTML_MESSAGE autolearn=no autolearn_force=no version=3.4.1
    Received: from 542cf.something.dynamic.ziggo.nl ([84.30.xx.xxx] helo=AnitaPC)
    	by server.company.nl with esmtpa (Exim 4.89)
    	(envelope-from <info@senderdomain.nl>)
    	id 1dt6HI-0001Zf-VO; Sat, 16 Sep 2017 08:08:33 +0200
    From: "Spirituele Wereld" <info@senderdomain.nl>
    To: 	"My receivers name" <info@receiver.org>
    Subject: dat wisten we toch al ....
    Date: Sat, 16 Sep 2017 08:08:21 +0200
    Message-ID: <007d01d32eb2$32c8e780$985ab680$@senderdomain.nl>
    MIME-Version: 1.0
    Content-Type: multipart/related;
    	boundary="----=_NextPart_000_007E_01D32EC2.F6540170"
    X-Mailer: Microsoft Outlook 14.0
    Thread-Index: AdMusihV4AY95U8oR9qUY4SCkHtxcg==
    Content-Language: nl
    X-Antivirus: Avast (VPS 170915-2, 15-09-2017), Outbound message
    X-Antivirus-Status: Clean
    
    This is a multipart message in MIME format.
    
    ------=_NextPart_000_007E_01D32EC2.F6540170
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_001_007F_01D32EC2.F6540170"
    So the message should be blocked because the IP is a dynamic IP present in the Spamhaus RBL, and it should also be blocked because of a wrong HELO.

    Nothing happened, and I don't see the Content analysis details which should be in the header.
    Greetings, Richard.
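    As an added check for the symptom discussed in posts #2, #4 and #8 (did ESF actually process a given message?), here is a small Python script. It is not code from DirectAdmin, from the ESF project, or from anyone in this thread. It parses a raw header block, looks for the ESF lines shown in post #4 (SPFCheck, DKIMCheck, Forward-Confirmed-ReverseDNS, SpamTally) and the SpamAssassin score, and reports "missing" when there is no SpamTally at all (the post #8 case), "passthrough" when SpamTally is just ten times the SpamAssassin score with none of ESF's own lines (the 13 in post #1, as SeLLeRoNe read it), and "ok" otherwise. The sample header blocks are constructed, modelled on the ones quoted in the thread with hostnames and addresses replaced by documentation values; the ten-times heuristic is an assumption drawn from the thread, not a documented ESF rule.

```python
"""Report whether Easy Spam Fighter (ESF) left its marks in a message's headers.

Added example, not DirectAdmin/ESF code. Header names come from the headers
quoted in this thread; the samples below are constructed.
"""
import re
from email.parser import HeaderParser

# Lines ESF adds in front of the SpamAssassin report (names from post #4).
ESF_RULE_HEADERS = ("SPFCheck", "DKIMCheck", "Forward-Confirmed-ReverseDNS")
ESF_TALLY_HEADER = "SpamTally"

_NUM = r"(-?\d+(?:\.\d+)?)"


def _fold(value):
    """Join folded continuation lines of a header value into one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def parse_spam_headers(raw):
    """Pull the SpamAssassin and ESF fields out of a raw header block."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    info = {
        "esf_rule_lines": [h for h in ESF_RULE_HEADERS if msg.get(h) is not None],
        "spamtally": None,
        "sa_score": None,
        "sa_required": None,
        "sa_tests": [],
    }
    m = re.search(r"Final spam score:\s*(-?\d+)", _fold(msg.get(ESF_TALLY_HEADER)))
    if m:
        info["spamtally"] = int(m.group(1))
    # SpamAssassin writes X-Spam-Score/X-Spam-Report in report mode and
    # X-Spam-Status otherwise; both forms appear in this thread.
    m = re.match(_NUM, _fold(msg.get("X-Spam-Score")))
    if m:
        info["sa_score"] = float(m.group(1))
    m = re.search(r"\(" + _NUM + r" points, " + _NUM + r" required\)",
                  _fold(msg.get("X-Spam-Report")))
    if m:
        info["sa_required"] = float(m.group(2))
    status = _fold(msg.get("X-Spam-Status"))
    m = re.search(r"score=" + _NUM + r"\s+required=" + _NUM, status)
    if m:
        info["sa_score"], info["sa_required"] = float(m.group(1)), float(m.group(2))
    m = re.search(r"tests=([A-Z0-9_,\s]+)", status)
    if m:
        info["sa_tests"] = [t.strip() for t in m.group(1).split(",") if t.strip()]
    return info


def esf_verdict(raw):
    """Return ('ok' | 'passthrough' | 'missing', parsed fields) for one message."""
    info = parse_spam_headers(raw)
    if info["spamtally"] is None:
        # No SpamTally at all: ESF never touched this message (post #8 case).
        return "missing", info
    if (not info["esf_rule_lines"] and info["sa_score"] is not None
            and info["spamtally"] == round(info["sa_score"] * 10)):
        # SpamTally is only the SpamAssassin score x10 and none of ESF's own
        # SPF/DKIM/rDNS lines are present: ESF merely relayed the score
        # (assumed reading of the 13 in post #1).
        return "passthrough", info
    return "ok", info


# Constructed sample modelled on post #4: ESF lines present, tally differs from SA.
SAMPLE_ESF_OK = """\
Date: Thu, 31 Aug 2017 11:12:21 -0500
SPFCheck: Server passes SPF test, -30 Spam score
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 192.0.2.10, -10 Spam score
DKIMCheck: Server passes DKIM test, -20 Spam score
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "mx.example.net",
 has NOT identified this incoming email as spam.
 Content analysis details:   (-1.9 points, 5.0 required)
SpamTally: Final spam score: -78
"""

# Constructed sample modelled on post #1: tally is just the SA score x10.
SAMPLE_PASSTHROUGH = """\
X-Spam-Score: 1.3 (+)
X-Spam-Report: Spam detection software, running on the system "mx.example.net",
 has NOT identified this incoming email as spam.
 Content analysis details:   (1.3 points, 7.5 required)
SpamTally: Final spam score: 13
"""

# Constructed sample modelled on post #8: SpamAssassin ran, no ESF output at all.
SAMPLE_NO_ESF = """\
Return-Path: <info@sender.example>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
\tmx.example.net
X-Spam-Level:
X-Spam-Status: No, score=-0.2 required=7.5 tests=ALL_TRUSTED,
\tHTML_IMAGE_RATIO_02,HTML_MESSAGE autolearn=no autolearn_force=no version=3.4.1
Received: from client.example ([198.51.100.7] helo=somepc)
\tby mx.example.net with esmtpa (Exim 4.89)
"""

if __name__ == "__main__":
    for name, sample in (("esf ok", SAMPLE_ESF_OK), ("passthrough", SAMPLE_PASSTHROUGH),
                         ("no esf", SAMPLE_NO_ESF)):
        verdict, info = esf_verdict(sample)
        print(f"{name:12s} -> {verdict:12s} SpamTally={info['spamtally']} "
              f"SA={info['sa_score']}/{info['sa_required']} tests={info['sa_tests']}")
```

    Feed it the raw headers of a delivered message (for example the top of the file in the Maildir) and a "missing" verdict on several messages in a row is the quick way to tell that the ESF step is not running at all, as opposed to running but scoring low.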

  9. #9
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,082
    Ah I think I found the reason.

    Senderdomain and receiver.org were both on the same server.
    However, the mail was sent from the private computer via the ISP's own SMTP, hence the Spamhaus RBL listing due to the dynamic IP.

    Luckily I have SMTP authentication set. Otherwise this method might be used to abuse the mail system and send spam to a domain on that server, pretending it's coming from another domain on the same server.

    Wouldn't it be better to just have -all- mail and headers checked, even if sent through or originating from the same server?
    Greetings, Richard.

  10. #10
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,684
    Well, that's a good point for the "don't hide your data"
    Anyway, the Authenticated User header line will always show you the original account that sent it, which helps you a lot in those scenarios to find a compromised account.

    If that email was coming from an external server the antispam would have worked, but please also consider that ISPs for home connections have dynamic IPs, and it happens many (many many many) times that those IPs are in some blacklist, probably not because of the end user's fault; it may be some "previous" IP user's fault. That's why you shouldn't check the original sender if the user is using Auth and not using port 25 (I am not 100% sure, but on port 25 the RBL check should have been started, because in that case it is considered a server-to-server communication and therefore blocked).

    So, I am quite sure the setup is fine; in fact, it is the same I have used for years now and, except for compromised accounts, it is quite safe.

    Best regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  11. #11
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,082
    Well, that's a good point for the "don't hide your data"
    No it isn't in this case, because it isn't a spammer; the sender was my sister.

    If that email was coming from an external server the antispam would have worked, but,
    Yes, most providers even have dynamic IPs which are registered in Spamhaus, so they should be blocked. This is the case with Ziggo.nl for example, where the email was originating from.

    I did make a wrong assumption:
    However, the mail was sent from the private computer via the ISP's own SMTP, hence the Spamhaus RBL listing due to the dynamic IP.
    The reason I thought this was because I got the mail in my Mailwasher and it stated the HELO was AnitaPC instead of my server's hostname, which is normally the case.
    But this was because something on the server went wrong somewhere.

    My sister, with the ziggo.nl hostname, uses port 587 to send email from her own domain senderdomain.nl.
    This normally works great to send mail from her domain through our servers. I do it myself the same way, and we have no trouble with the default Spamhaus blocks from our ISP for the dynamic IP ranges.

    Now this is what happened: the server had a hiccup.
    For some reason ESF did not check the mail; as you can see from the logs, there are no lines, no ESF statement.

    I went to my sister's PC via TeamViewer and checked the outgoing port, and indeed it was 587; I thought it was set to 25 because of the Spamhaus notice, but it wasn't.

    I made new checks and now the ESF lines were present again in the headers and there were no Spamhaus issues anymore.

    So it seems it only happened once. However, I still can't understand this strange hiccup where ESF was not working -and- it looked like the only HELO was AnitaPC (no, this name is also faked), and not my server's hostname, which it normally is.

    So it was a very odd hiccup.
    Greetings, Richard.
