
Thread: Help with BlacklistCheck and spam Assassin

  1. #1
    Join Date
    May 2012
    Posts
    82

    Help with BlacklistCheck and spam Assassin

    Hello, I received an email in my inbox that should have been marked as junk. Other than that I have not seen any junk/spam; most of the time it's just ignored or bounced back. Here is the header section:

    Code:
    Return-Path: <Wda.learning@dc.gov>
    Delivered-To: sgill@mydomain.com
    Received: from m2.mydomain.com
    	by m2.mydomain.com (Dovecot) with LMTP id bfwhCSChJlWSDAAAGPd+5w
    	for <sgill@mydomain.ca>; Thu, 09 Apr 2015 09:56:16 -0600
    Return-path: <Wda.learning@dc.gov>
    Received: from 64-21-219-26.static-ip.telepacific.net ([64.21.219.26] helo=dc.gov)
    	by m2.mydomain.com with esmtp (Exim 4.85)
    	(envelope-from <Wda.learning@dc.gov>)
    	id 1YgEoI-0000pZ-Kj
    	for sgill@mydomain.ca; Thu, 09 Apr 2015 09:56:16 -0600
    Message-ID: <5526A146.EB41EC57@dc.gov>
    Date: Thu, 09 Apr 2015 08:56:54 -0800
    From: <Wda.learning@dc.gov>
    MIME-Version: 1.0
    Subject: Annual Report
    To: <sgill@mydomain.ca>
    Content-Type: multipart/mixed;
     boundary="------------------------010609040309040904060908"
    BlacklistCheck: Blacklisted address, +50 Spam score
    X-Spam-Score: 3.5 (+++)
    X-Spam-Report: Spam detection software, running on the system "matrix2.mydomain.com",
     has NOT identified this incoming email as spam.  The original
     message has been attached to this so you can view it or label
     similar future email.  If you have any questions, see
     the administrator of that system for details.
     
     Content preview:  Annual Report as an attachment. [...] 
     
     Content analysis details:   (3.5 points, 5.0 required)
     
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
      0.0 TVD_RCVD_IP            Message was received from an IP address
      2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                                 [64.21.219.26 listed in psbl.surriel.com]
      0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                                 [score: 0.5000]
    SpamTally: Final spam score: 85
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

    I do realize that the spam score is only 3.5, but the "BlacklistCheck" shows it as a blacklisted address and +50 Spam score. Shouldn't this raise the X-Spam-Score higher than 3.5, or am I missing something?

    Thanks for all your help.

    Sukh

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,478
    Hello,

    As for me, this email was identified as spam. SpamAssassin attaches a report only if it identifies an email as spam, doesn't it? You probably have a typo here: has NOT identified. The "NOT" is there by mistake, I'd rather say.
    SpamTally: Final spam score: 85
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  3. #3
    Join Date
    May 2012
    Posts
    82
    Hello Alex, thanks for your reply. I totally agree that "Not" shouldn't be there, but I have not changed anything in SpamAssassin or Exim that should change its behavior other than stock settings. With a final spam tally of 85, shouldn't X-Spam-Score be higher than 5? In this case it only calculated 3.5.

    Thanks

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,478
    OK, they work differently I guess, easy_spam_fighter and SpamAssassin according to this:

    About:

    The Easy Spam Fighter (simplified wording from "Easy, Reliable, Spam Fighting, with Exim")
    is a set of exim ACLs that do various checks, and any check that returns a result (possible spam)
    it then increases the score (saved and incremented in $acl_m_easy69)
    At the end of the DATA ACL, if the score is below the limit, run a basic smtp-time SpamAssassin call
    and add the "int_score" to acl_m_easy69. (eg: 2.7 has int score of 27)
    If already above the limit, don't bother running SpamAssassin, as it will be spam already.
    This last skip will save CPU processing.


    After all that, if the score is above a threshold, the message is rejected, at SMTP-time, and it never enters your queue.
    If it's below the threshold, multiple headers are added to explain each score.
    Please see /etc/exim.easy_spam_fighter/README.txt for more information.

    You can create a file /etc/exim.easy_spam_fighter/variables.conf.custom in order to set your own values for:


    Code:
    If you want to customize the file, create your own file:
    -- variables.conf.custom, and set only the values in this file as desired, and they'll override the defaults.
    EASY_LIMIT = 55                 - max score before an email is considered spam before SA is run (main purpose is just to decide if SpamAssassin run is needed)
    EASY_IS_SPAM = 20               - this is a nudge score. If SpamAssassin determines it's spam (based on the User threshold), this extra score is added, on top of the spam_score_int
    EASY_HIGH_SCORE_DROP = 100      - very high scoring spam is dropped at this score, and not allowed to enter.
    EASY_SPF_PASS = -30             - If the SPF passes, the score drops by this amount
    EASY_SPF_SOFT_FAIL = 30         - If the SPF hits a softfail from ~all, this score is added.
    EASY_DKIM_PASS = -20            - If the DKIM Passes, the score drops by this amount
    EASY_DKIM_FAIL = 100            - If the DKIM Fails, the score is added.
    EASY_NO_REVERSE_IP = 100        - Sender IP must have a reverse IP lookup, or this score is added.
    EASY_DNS_BLACKLIST = 50         - IP that is in a dns black list (RBL) gets this score

    SpamTally: Final spam score: 85 was not enough so the email would be dropped.
    Regards, Alex G.


  5. #5
    Join Date
    May 2012
    Posts
    82
    Thanks Alex, I had a good look at the configuration values and it looks like I can make it work with a few tweaks. I do have a related question that I had asked in another thread; maybe it can be resolved by these settings. My server was rejecting emails if DKIM failed, with the following message.
    Code:
    2015-04-16 13:35:45 1YipZh-0002Av-GU H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    2015-04-16 13:35:46 1YipZi-0002Aw-BB H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    2015-04-16 13:50:47 1YipoF-0002Td-AK H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    2015-04-16 13:50:48 1YipoG-0002Te-61 H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'

    My question is if I change the score for

    EASY_DKIM_FAIL = 100 - If the DKIM Fails, the score is added.

    to

    EASY_DKIM_FAIL = 0 - If the DKIM Fails, the score is added.

    Set it to 0 so no score is added. Will that work?

    For blocking BlacklistCheck

    EASY_DNS_BLACKLIST = 50 - IP that is in a dns black list (RBL) gets this score

    to

    EASY_DNS_BLACKLIST = 75 - IP that is in a dns black list (RBL) gets this score

    Raise the score by 25, so that the score is raised to 100, resulting in a blocked email.
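
Added example, not part of any post and not Easy Spam Fighter's own code: a small Python model of the scoring flow quoted from the README in post #4, applied to the headers from post #1. It covers only the RBL check and the SpamAssassin step; the function names, the strict `<` at EASY_LIMIT and the `>=` at EASY_HIGH_SCORE_DROP are assumptions.

```python
import re

# Defaults quoted from the README excerpt in post #4.
DEFAULTS = {
    "EASY_LIMIT": 55,
    "EASY_IS_SPAM": 20,
    "EASY_HIGH_SCORE_DROP": 100,
    "EASY_DNS_BLACKLIST": 50,
}

# Sample input: the scoring headers of the message shown in post #1.
HEADERS = """\
BlacklistCheck: Blacklisted address, +50 Spam score
X-Spam-Score: 3.5 (+++)
SpamTally: Final spam score: 85
"""


def parse_headers(text):
    """Pull the ESF-relevant values out of the headers added at SMTP time."""
    sa = re.search(r"^X-Spam-Score:\s*(-?\d+(?:\.\d+)?)", text, re.M)
    tally = re.search(r"^SpamTally: Final spam score:\s*(-?\d+)", text, re.M)
    return {
        "blacklisted": bool(re.search(r"^BlacklistCheck: Blacklisted", text, re.M)),
        "sa_score": float(sa.group(1)) if sa else None,
        "tally": int(tally.group(1)) if tally else None,
    }


def esf_tally(blacklisted, sa_score, sa_required=5.0, **overrides):
    """Model of the README flow; returns (score, sa_was_run, dropped)."""
    cfg = {**DEFAULTS, **overrides}
    score = cfg["EASY_DNS_BLACKLIST"] if blacklisted else 0
    # Assumption: "below the limit" means strictly less than EASY_LIMIT.
    sa_run = score < cfg["EASY_LIMIT"]
    if sa_run:
        score += round(sa_score * 10)      # spam_score_int: 3.5 -> 35
        if sa_score >= sa_required:        # SpamAssassin itself says spam
            score += cfg["EASY_IS_SPAM"]   # so the nudge score is added
    # Assumption: the drop test is >=; the README only says "at this score".
    return score, sa_run, score >= cfg["EASY_HIGH_SCORE_DROP"]


if __name__ == "__main__":
    h = parse_headers(HEADERS)
    print(esf_tally(h["blacklisted"], h["sa_score"]))
    print(esf_tally(h["blacklisted"], h["sa_score"], EASY_DNS_BLACKLIST=75))
```

For the message in post #1 the model gives 85 (50 from the RBL hit plus SpamAssassin's 3.5 counted as 35), which is why X-Spam-Score stays at 3.5 while SpamTally reads 85. With EASY_DNS_BLACKLIST = 75 the RBL hit alone is already past EASY_LIMIT, so in this model SpamAssassin is skipped and the tally is 75.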

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,478
    According to this: http://files.directadmin.com/service...heck_dkim.conf

    Code:
      defer
        dkim_status = invalid
        log_message = DKIM: Deferred. reason='$dkim_verify_reason'
        message = DKIM Signature validation has failed. May be a temporary problem.

    This is your case, and here you won't achieve the desired result by tweaking the scores.

    It is "defer" which the ACL returns, and here is what the Exim docs say about it:

    defer:
    If all the conditions are true, the ACL returns “defer” which, in an SMTP session, causes a 4xx response to be given. For a non-SMTP ACL, defer is the same as deny, because there is no way of sending a temporary error. For a RCPT command, defer is much the same as using a redirect router and :defer: while verifying, but the defer verb can be used in any ACL, and even for a recipient it might be a simpler approach.


    http://www.exim.org/exim-html-curren...rol_lists.html

    So to skip emails you should use this:


    -- /etc/virtual/esf_skip_senders
    file to hold MAIL FROM addresses that ESF should skip checks for SPF, DKIM.
    Uses wildlsearch, so can use *
    Does not have to exist

    -- /etc/virtual/esf_skip_recipients
    file to hold RCPT TO addresses that ESF should skip checks for DKIM, RBL.
    Uses wildlsearch, so can use *
    Does not have to exist
    Regards, Alex G.


  7. #7
    Join Date
    Jul 2008
    Posts
    37
    Are these whitelists really working?
    I have several domains in /etc/virtual/esf_skip_senders but they keep being filtered by DKIM

    /etc/virtual/esf_skip_senders
    *portalinmobiliario.com
    amazonses.com
    and it keeps blocking:
    2015-04-29 10:03:26 1YnRc7-00076P-T2 DKIM: d=amazonses.com c=relaxed/simple a=rsa-sha256 t=1430309250 [verification succeeded]
    2015-04-29 10:03:26 1YnRc7-00076P-T2 DKIM: d=portalinmobiliario.com c=relaxed/simple a=rsa-sha256 t=1430309250 [invalid - public key record (currently?) unavailable]
    2015-04-29 10:03:41 1YnRc7-00076P-T2 SMTP connection lost after final dot H=a10-192.smtp-out.amazonses.com [54.240.10.192] P=esmtps
    What am I doing wrong?

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,478
    A check for exclusion is done in:

    http://files.directadmin.com/service...heck_mail.conf

    Code:
      # check for esf skip lists
      accept
        senders = +esf_skip_senders
        set acl_m_esf_skip = 1
        logwrite = $sender_address skipped via esf_skip_senders
    
      accept
        hosts = +esf_skip_hosts
        set acl_m_esf_skip = 1
        logwrite = $sender_address skipped via esf_skip_hosts

    So yes, it should work, unless there is a bug.

    Code:
    EASY_SKIP_SENDERS = /etc/virtual/esf_skip_senders        - file to hold MAIL FROM addresses that ESF should skip checks for SPF, DKIM.
    EASY_SKIP_RECIPIENTS = /etc/virtual/esf_skip_recipients        - file to hold RCPT TO addresses that ESF should skip checks for DKIM, RBL.

    And if a sender is whitelisted it should be skipped for DKIM check:

    Code:
    acl_check_dkim:
    
      accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}
              
      .include_if_exists /etc/exim.easy_spam_fighter/check_dkim.conf
      accept
    Regards, Alex G.


  9. #9
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    153
    So I tried to understand:
    If I add a host to esf_skip_host, should it pass through the DKIM filter?

    Code:
    2015-11-09 09:37:51 postmaster@aplikacje.pracuj.pl skipped via esf_skip_senders
    2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW DKIM: d=aplikacje.pracuj.pl s=def c=relaxed/simple a=rsa-sha256 t=1446973766 [invalid - syntax error in public key record]
    2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW H=wysylka1.pracuj.pl [176.119.42.24] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_syntax'

    I still have DKIM: Deferred.

  10. #10
    Join Date
    Nov 2015
    Posts
    2
    Quote Originally Posted by remikk View Post
    So I tried to understand:
    If I add a host to esf_skip_host, should it pass through the DKIM filter?

    Code:
    2015-11-09 09:37:51 postmaster@aplikacje.pracuj.pl skipped via esf_skip_senders
    2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW DKIM: d=aplikacje.pracuj.pl s=def c=relaxed/simple a=rsa-sha256 t=1446973766 [invalid - syntax error in public key record]
    2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW H=wysylka1.pracuj.pl [176.119.42.24] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_syntax'

    I still have DKIM: Deferred.

    I spend the same, I followed all the steps. And still Deferred DKIM

    2015-11-24 13:55:53 aj16418-ovh@undelivered.ovh.net skipped via esf_skip_senders
    2015-11-24 13:55:53 aj16418-ovh@undelivered.ovh.net skipped via esf_skip_senders
    2015-11-24 13:55:53 1a1D8T-0000rm-9Q DKIM: d=ovh.es s=mailout c=simple/simple a=rsa-sha256 t=1448369417 [invalid - public key record (currently?) unavailable]
    2015-11-24 13:55:53 1a1D8T-0000rm-9Q H=mo195.mail-out.ovh.net [178.32.228.195] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'


    What can I do??

    Thank you!!

  11. #11
    Join Date
    Nov 2015
    Posts
    2
    I spend the same, I followed all the steps. And still Deferred DKIM

    2015-11-24 13:55:53 aj16418-ovh@undelivered.ovh.net skipped via esf_skip_senders
    2015-11-24 13:55:53 aj16418-ovh@undelivered.ovh.net skipped via esf_skip_senders
    2015-11-24 13:55:53 1a1D8T-0000rm-9Q DKIM: d=ovh.es s=mailout c=simple/simple a=rsa-sha256 t=1448369417 [invalid - public key record (currently?) unavailable]
    2015-11-24 13:55:53 1a1D8T-0000rm-9Q H=mo195.mail-out.ovh.net [178.32.228.195] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'


    What can I do??

    Thank you!!

  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,478
    There is NO DKIM key for ovh.es with name mailout

    Code:
    # dig TXT mailout._domainkey.ovh.es
    
    
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> TXT mailout._domainkey.ovh.es
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7864
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    
    ;; QUESTION SECTION:
    ;mailout._domainkey.ovh.es.     IN      TXT
    
    
    ;; AUTHORITY SECTION:
    ovh.es.                 1782    IN      SOA     dns.ovh.net. tech.ovh.net. 2015072200 86400 3600 3600000 86400
    
    
    ;; Query time: 10 msec
    ;; SERVER: 2001:4860:4860::8844#53(2001:4860:4860::8844)
    ;; WHEN: Fri Nov 27 15:12:36 2015
    ;; MSG SIZE  rcvd: 95

    http://dkimcore.org/c/keycheck
    Regards, Alex G.


  13. #13
    Join Date
    Nov 2010
    Location
    Alezio - Lecce- Apulia - South Italy
    Posts
    105
    Quote Originally Posted by compa24 View Post
    I spend the same, I followed all the steps. And still Deferred DKIM
    ...
    What can I do??

    Thank you!!

    I solved it by inserting the IP of the sender's mail server in /etc/virtual/whitelist_hosts_ip
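
Added example, not part of any post: a Python helper that pairs each "temporarily rejected DKIM" line in the Exim main log with the failed signature logged for the same message ID and builds the selector._domainkey.domain name to query, as done by hand with dig in post #12. The log lines are the ones quoted in posts #9 and #10; the function and field names are assumptions.

```python
import re

# Sample input: the log lines quoted in posts #9 and #10 of this thread.
LOG = """\
2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW DKIM: d=aplikacje.pracuj.pl s=def c=relaxed/simple a=rsa-sha256 t=1446973766 [invalid - syntax error in public key record]
2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW H=wysylka1.pracuj.pl [176.119.42.24] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_syntax'
2015-11-24 13:55:53 1a1D8T-0000rm-9Q DKIM: d=ovh.es s=mailout c=simple/simple a=rsa-sha256 t=1448369417 [invalid - public key record (currently?) unavailable]
2015-11-24 13:55:53 1a1D8T-0000rm-9Q H=mo195.mail-out.ovh.net [178.32.228.195] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
"""

MSGID = r"(\w{6}-\w{6}-\w{2})"
# Signature result line: "DKIM: d=<domain> [s=<selector>] ... [<status>]"
SIG_RE = re.compile(r"^\S+ \S+ " + MSGID + r" DKIM: d=(\S+)(?: s=(\S+))? .*\[(.+)\]$")
# Defer line written by the log_message of the defer ACL shown in post #6.
DEFER_RE = re.compile(
    r"^\S+ \S+ " + MSGID + r" H=(\S+) \[([^\]]+)\] temporarily rejected DKIM : "
    r"DKIM: Deferred\. reason='([^']*)'"
)


def deferred_dkim(log_text):
    """Return one record per failed signature on a deferred message."""
    failed = {}    # message id -> [(domain, selector), ...]
    records = []
    for line in log_text.splitlines():
        m = SIG_RE.match(line)
        if m:
            msgid, domain, selector, status = m.groups()
            if status.startswith("invalid"):
                failed.setdefault(msgid, []).append((domain, selector))
            continue
        m = DEFER_RE.match(line)
        if not m:
            continue
        msgid, host, ip, reason = m.groups()
        for domain, selector in failed.pop(msgid, []):
            records.append({
                "msgid": msgid, "host": host, "ip": ip, "reason": reason,
                # Some log lines (post #7) carry no s=, so no name can be built.
                "txt_name": f"{selector}._domainkey.{domain}" if selector else None,
            })
    return records


if __name__ == "__main__":
    for r in deferred_dkim(LOG):
        print(f"{r['host']} [{r['ip']}] {r['reason']}: dig TXT {r['txt_name']}")
```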
