why is spam score 0?

pasamsin (Verified User, joined Feb 20, 2019, 23 messages)
How does it end up in the box without spam? What should I do?

EASY_LIMIT = 55
EASY_IS_SPAM = 20
EASY_HIGH_SCORE_DROP = 100
EASY_SPF_PASS = -30
EASY_SPF_SOFT_FAIL = 30
EASY_SPF_FAIL = 100
EASY_DKIM_PASS = -20
EASY_DKIM_FAIL = 100
EASY_NO_REVERSE_IP = 100
EASY_FORWARD_CONFIRMED_RDNS = -10
EASY_DNS_BLACKLIST = 50
EASY_SPAMASSASSIN_MAX_SIZE = 200K

EASY_SKIP_SENDERS = /etc/virtual/esf_skip_senders
EASY_SKIP_RECIPIENTS = /etc/virtual/esf_skip_recipients
EASY_SKIP_HOSTS = /etc/virtual/esf_skip_hosts
EASY_SKIP_IPS = /etc/virtual/esf_skip_ips

.include_if_exists /etc/exim/rspamd/variables.conf
.include_if_exists /etc/exim.easy_spam_fighter/variables.dmarc.conf
.include_if_exists /etc/exim.easy_spam_fighter/variables.conf.custom => EASY_SPAMASSASSIN_MAX_SIZE == 200000K

addresslist esf_skip_senders = ${if exists{EASY_SKIP_SENDERS}{wildlsearch;EASY_SKIP_SENDERS}}
addresslist esf_skip_recipients = ${if exists{EASY_SKIP_RECIPIENTS}{wildlsearch;EASY_SKIP_RECIPIENTS}}
hostlist esf_skip_hosts = ${if exists{EASY_SKIP_HOSTS}{wildlsearch;EASY_SKIP_HOSTS}}
hostlist esf_skip_ips = ${if exists{EASY_SKIP_IPS}{EASY_SKIP_IPS}}


/etc/exim.strings.conf.custom:
RBL_DNS_LIST==cbl.abuseat.org : bl.spamcop.net : b.barracudacentral.org : zen.spamhaus.org : combined.rbl.msrbl.net : dnsbl.sorbs.net


Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from server.server724092.com
by server.server724092.com with LMTP
id gNNUG9i9qmFSSgAAmRAMGA
(envelope-from <[email protected]>)
for <[email protected]>; Sat, 04 Dec 2021 04:01:12 +0300
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sat, 04 Dec 2021 04:01:12 +0300
Received: from [37.0.15.158] (helo=wiregreat.deals)
by server.server724092.com with esmtp (Exim 4.94.2)
(envelope-from <[email protected]>)
id 1mtJQN-000699-1Q
for [email protected]; Sat, 04 Dec 2021 04:01:12 +0300
Date: Fri, 03 Dec 2021 19:49:03 -0500
From: " Gloria" <[email protected]>
MIME-Version: 1.0
Precedence: bulk
To: <[email protected]>
Subject: Husband Offers His Wife To African Tribesmen To Find Elongation Secret
Message-ID: <q6CQJjLpc4XjLhuamEiaHz6SeicGaIYeqakBjb5mack.btTK4p9pncbcbPUVbO38sFP5isobaLdoTOULbyHUwWA@wiregreat.deals>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.0 (/)
X-Spam-Report: Spam detection software, running on the system "server.server724092.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: This guy offered his white wife to the African tribesmen as
a gift in exchange for their secret manhood elongation ritual. And it WORKED!
Oh my God, you have to see this before this crazy dude takes off his documentary...
Content analysis details: (-0.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 FROMSPACE Idiosyncratic "From" header format
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: wiregreat.deals]
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
blocklist
[URIs: wiregreat.deals]
0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
[37.0.15.158 listed in bl.mailspike.net]
-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
high trust
[37.0.15.158 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
1.0 FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days
0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
tag
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
SpamTally: Final spam score: 0
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
 
How does it end up in the box without spam? What should I do?
I don't understand the question. Is your question:
1.) This mail ends up in the spam box, how do I prevent that from happening?
2.) This mail arrives in the normal inbox, not in the spam folder, how do I get this into the spam folder?

If your question is 1, then it's easy: 37.0.15.158 is on a load of blacklists. So that's the reason it's still treated as spam, even if the Final spam score seems to be 0.
 
2. Although it is spam, it does not go into the spam folder. Shouldn't the spam score be higher, over 5?
 
Most certainly, it should already be blocked by ESF for these reasons:
EASY_NO_REVERSE_IP = 100
and
EASY_DNS_BLACKLIST = 50

And I also see that several things don't even get points, like this:
0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
So -5, but it receives a 0.0 score?

Also this is odd:
-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
high trust
When I check with dnswl.org it says that IP is not whitelisted, so this is odd too.

It might be some bug in rspamd; I don't know, I don't use it.

However, with ESF this should already have a 150 score, enough to block the mail. I presume you restarted Exim already.

I guess somebody else or somebody from staff has to look at this.
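To make the "150 score" reasoning above concrete, here is an added illustration (not ESF's own exim.conf logic and not code from this thread) that adds up the EASY_* values quoted in the first post for a given set of check results. Which checks ESF actually runs, in what order, how it compares the tally against EASY_LIMIT and EASY_IS_SPAM, and the idea that a DNS whitelist answer short-circuits the tally entirely are all assumptions made here to show how a spurious whitelist hit can turn a 120-point message into a 0-point one.

```python
"""Simplified model of the Easy Spam Fighter (ESF) point tally.

Added illustration only: the point values are the EASY_* variables quoted
in this thread; the check ordering, the >= comparisons and the whitelist
bypass are assumptions, not ESF's documented behaviour.
"""

# Point values exactly as quoted from /etc/exim.easy_spam_fighter/variables.conf
EASY_LIMIT = 55                  # assumption: tally >= this -> reject at SMTP time
EASY_IS_SPAM = 20                # assumption: tally >= this -> accept but flag as spam
EASY_SPF_PASS = -30
EASY_SPF_SOFT_FAIL = 30
EASY_SPF_FAIL = 100
EASY_DKIM_PASS = -20
EASY_DKIM_FAIL = 100
EASY_NO_REVERSE_IP = 100
EASY_FORWARD_CONFIRMED_RDNS = -10
EASY_DNS_BLACKLIST = 50

# Outcome -> (rule name, points); "none" means the check did not apply
SPF_RULES = {
    "pass": ("EASY_SPF_PASS", EASY_SPF_PASS),
    "softfail": ("EASY_SPF_SOFT_FAIL", EASY_SPF_SOFT_FAIL),
    "fail": ("EASY_SPF_FAIL", EASY_SPF_FAIL),
}
DKIM_RULES = {
    "pass": ("EASY_DKIM_PASS", EASY_DKIM_PASS),
    "fail": ("EASY_DKIM_FAIL", EASY_DKIM_FAIL),
}


def esf_tally(spf="none", dkim="none", has_rdns=True, fcrdns=False,
              dnsbl_listed=False, dnswl_listed=False):
    """Return (score, verdict, hits) for one incoming connection.

    dnswl_listed models the thread's observation: if the resolver returned an
    answer from list.dnswl.org, the host was treated as whitelisted and the
    tally was skipped (assumption about how ESF uses that answer).
    """
    if dnswl_listed:
        return 0, "accept", [("dnswl whitelist bypass", 0)]

    hits = []
    if not has_rdns:
        hits.append(("EASY_NO_REVERSE_IP", EASY_NO_REVERSE_IP))
    elif fcrdns:
        # Forward-confirmed rDNS only earns credit when rDNS exists at all
        hits.append(("EASY_FORWARD_CONFIRMED_RDNS", EASY_FORWARD_CONFIRMED_RDNS))
    if spf in SPF_RULES:
        hits.append(SPF_RULES[spf])
    if dkim in DKIM_RULES:
        hits.append(DKIM_RULES[dkim])
    if dnsbl_listed:
        # Assumption: one EASY_DNS_BLACKLIST hit regardless of how many RBLs match
        hits.append(("EASY_DNS_BLACKLIST", EASY_DNS_BLACKLIST))

    score = sum(points for _, points in hits)
    if score >= EASY_LIMIT:
        verdict = "reject"
    elif score >= EASY_IS_SPAM:
        verdict = "spam"
    else:
        verdict = "accept"
    return score, verdict, hits


if __name__ == "__main__":
    # The first message in the thread: no rDNS (RDNS_NONE), SPF pass,
    # connecting IP on several RBLs, plus the bogus dnswl "whitelisted" answer.
    for listed in (False, True):
        score, verdict, hits = esf_tally(spf="pass", has_rdns=False,
                                         dnsbl_listed=True, dnswl_listed=listed)
        print(f"dnswl_listed={listed}: score={score} verdict={verdict} hits={hits}")
```

Run as a script it prints the two outcomes for the first message: with the whitelist answer ignored the tally is 100 - 30 + 50 = 120, well over EASY_LIMIT, and with the answer honoured the tally never runs and the message sails through at 0.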
 
Are the spam settings on in the user account?
 
Are the spam settings on in the user account?
Yes enabled.
 

Attachments: Ekran Resmi 2021-12-04 20.50.47.png
What's the OS and version?
Is this a new or old install?
Are you using Rspamd or Spam-assassin?
Have you fully updated the server and DA lately?
 
Linux server.server724092.com 3.10.0-1160.21.1.el7.x86_64 #1 SMP Tue Mar 16 18:28:22 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
It's a very old setup.
Using spam-assassin.
Seeing that it didn't go to the spam folder, I updated DA today.
 
Also check your custom_versions.txt file if you have one.
 
SpamBlockerTechnology* powered exim.conf, Version 4.5.35
exim.pl #VERSION=31

/usr/local/directadmin/custombuild/custom_versions.txt is empty.
 
The spam score is 17 but it didn't go to the spam folder; it arrived in the inbox. The IP address 2.58.148.174 is in almost all blacklists.

When I look at the records in the log file, it says it is whitelisted, but it actually isn't?
/var/log/exim/mainlog: 2021-12-05 10:34:50 2.58.148.174 whitelisted in list.dnswl.org


Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from server.server724092.com
by server.server724092.com with LMTP
id gLTxGuFrrGFNUwAAmRAMGA
(envelope-from <[email protected]>)
for <[email protected]>; Sun, 05 Dec 2021 10:36:01 +0300
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sun, 05 Dec 2021 10:36:01 +0300
Received: from tumbledeer.rocks ([2.58.148.174])
by server.server724092.com with esmtp (Exim 4.95)
(envelope-from <[email protected]>)
id 1mtm3u-0005bK-GB
for [email protected];
Sun, 05 Dec 2021 10:36:01 +0300
Date: Sun, 05 Dec 2021 02:22:22 -0500
From: " Pat Singleton" <[email protected]>
MIME-Version: 1.0
Precedence: bulk
To: <[email protected]>
Subject: Husband Offers His Wife To African Tribesmen To Find Elongation Secret
Message-ID: <RlJkDN5B_MrBxePMUKCWUQ5iD26UO8WLn5rI7Jng3IU.2J54JndGXcBKVO3GccwVLOyKoexUMHOtKP1g64kTpdI@tumbledeer.rocks>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 2.58.148.174, -10 Spam score
X-Spam-Score: 2.7 (++)
X-Spam-Report: Spam detection software, running on the system "server.server724092.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: This guy offered his white wife to the African tribesmen as
a gift in exchange for their secret manhood elongation ritual. And it WORKED!
Oh my God, you have to see this before this crazy dude takes off his documentary...
Content analysis details: (2.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 FROMSPACE Idiosyncratic "From" header format
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: tumbledeer.rocks]
1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
blocklist
[URIs: tumbledeer.rocks]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
tag
SpamTally: Final spam score: 17
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
 
I understand why we are getting the "whitelisted in list.dnswl.org" error. I had defined the nameservers as 8.8.8.8 and 8.8.4.4 in the /etc/resolv.conf file.

I removed the nameserver lines from my /etc/resolv.conf file and set it to nameserver 127.0.0.1 so that it performs its dig queries against my local name server.

/etc/resolv.conf:
search google.com
nameserver 127.0.0.1
nameserver 208.67.222.222

I edited the following lines in the /etc/named.conf file so that the local name server can be queried.
/etc/named.conf:
//listen-on port 53 { 127.0.0.1; };
//allow-query { localhost; };

edited to:
listen-on port 53 { 127.0.0.1; };
allow-query { localhost; };

I no longer see the bogus "whitelisted in list.dnswl.org" lines in /var/log/exim/mainlog.


Users doing more than 100’000 DNS queries per 24 hours on our public nameserver infrastructure or reselling our data as part of a commercial service need to get a subscription.

Since the 8.8.8.8 DNS servers are used by everyone, you get lumped in with other people's usage and will have made more than 100,000 queries.

But this is still a mistake. If you are using a DNS server that has reached the 100,000 query limit, the service should be bypassed instead of the sender being treated as whitelisted.
 
I had defined the nameservers as 8.8.8.8 and 8.8.4.4 in the /etc/resolv.conf file.
You might want to change that to 1.1.1.1 and use 8.8.8.8 as secondary.
However, if you run your own nameservers, it's best to use 127.0.0.1 and 1.1.1.1 as secondary.

Since the 8.8.8.8 DNS servers are used by everyone, you get lumped in with other people's usage and will have made more than 100,000 queries.
Exactly for that reason. And it is indeed bypassed, maybe they only use the "whitelist" notification to just bypass it, because as we all know, in fact it is -not- on the white list.

edited to:
listen-on port 53 { 127.0.0.1; };
allow-query { localhost; };
There is no reason to remove the // comment markers in front of those lines if your resolv.conf is correct. I would advise putting them back and just restarting named.
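The root cause discussed in the last few posts is that a DNSWL answer was taken as "whitelisted" without looking at what the answer actually said. As an added illustration (not code from this thread, DirectAdmin, Exim or ESF), the following decodes a list.dnswl.org reply the way dnswl.org documents it: answers are 127.0.<category>.<trust> with trust 0 to 3 (none, low, medium, high), and the special answer 127.0.0.255 means the querying resolver has exceeded the free query limit, so it says nothing about the sender. The sample answers, the IP 192.0.2.10 and 198.51.100.7, and the "medium or high trust only" bypass policy are constructed for the example.

```python
"""Decode a list.dnswl.org answer instead of treating any answer as a whitelist hit.

Added illustration only. Return-code layout and the 127.0.0.255 over-limit
answer are from dnswl.org's documentation; the sample answers below are
constructed, not real lookups.
"""
import ipaddress
import socket

DNSWL_ZONE = "list.dnswl.org"
TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}
OVER_LIMIT = (127, 0, 0, 255)  # returned when the resolver is over the query limit


def dnswl_query_name(ip):
    """Reverse the octets of an IPv4 address and append the DNSWL zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + DNSWL_ZONE


def interpret_dnswl(answers):
    """Classify the A records returned for a DNSWL query.

    answers: list of dotted-quad strings (empty list = NXDOMAIN, not listed).
    Returns (verdict, trust): verdict is one of "not_listed", "blocked",
    "whitelisted" or "unexpected"; trust is a TRUST label or None.
    """
    if not answers:
        return "not_listed", None
    for answer in answers:
        octets = tuple(int(x) for x in answer.split("."))
        if octets == OVER_LIMIT:
            # The list refused to answer; this is NOT a statement about the sender
            return "blocked", None
        if octets[:2] != (127, 0):
            return "unexpected", None
        if octets[3] in TRUST:
            return "whitelisted", TRUST[octets[3]]
    return "unexpected", None


def should_skip_spam_checks(answers):
    """Policy (assumption for this example): only a real listing with medium or
    high trust may bypass the spam tally. Blocked, unexpected and low-trust
    answers fall through to normal scoring."""
    verdict, trust = interpret_dnswl(answers)
    return verdict == "whitelisted" and trust in ("medium", "high")


def lookup_dnswl(ip):
    """Live lookup through the system resolver (standard library only).
    Returns the list of A records, or [] when the name does not resolve."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnswl_query_name(ip))
        return addrs
    except socket.gaierror:
        return []


# Constructed sample answers (labels, not real DNSWL data)
SAMPLES = {
    "2.58.148.174": ["127.0.0.255"],  # what a shared public resolver over the limit sees
    "192.0.2.10": ["127.0.5.3"],      # constructed: category 5, high trust
    "198.51.100.7": [],               # not listed
}

if __name__ == "__main__":
    for ip, answers in SAMPLES.items():
        verdict, trust = interpret_dnswl(answers)
        print(f"{dnswl_query_name(ip)} -> {answers or 'NXDOMAIN'}: "
              f"{verdict} (trust={trust}) skip_checks={should_skip_spam_checks(answers)}")
```

The point of `should_skip_spam_checks` is the defensive default: an over-limit answer from a resolver shared with thousands of other users must not look like a whitelist hit, which is exactly what the Exim log line "whitelisted in list.dnswl.org" for 2.58.148.174 was reporting. Moving resolution to a local named, as done above, avoids the shared limit; decoding the answer avoids mis-scoring if the limit is ever hit again.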
 