Help with BlacklistCheck and spam Assassin

ssgill (Verified User, joined May 9, 2012, 164 messages)
Hello, I received an email in my inbox that should have been marked as junk. Other than that, I have not seen any junk/spam; most of the time it is just ignored or bounced back. Here is the header section:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from m2.mydomain.com
	by m2.mydomain.com (Dovecot) with LMTP id bfwhCSChJlWSDAAAGPd+5w
	for <[email protected]>; Thu, 09 Apr 2015 09:56:16 -0600
Return-path: <[email protected]>
Received: from 64-21-219-26.static-ip.telepacific.net ([64.21.219.26] helo=dc.gov)
	by m2.mydomain.com with esmtp (Exim 4.85)
	(envelope-from <[email protected]>)
	id 1YgEoI-0000pZ-Kj
	for [email protected]; Thu, 09 Apr 2015 09:56:16 -0600
Message-ID: <[email protected]>
Date: Thu, 09 Apr 2015 08:56:54 -0800
From: <[email protected]>
MIME-Version: 1.0
Subject: Annual Report
To: <[email protected]>
Content-Type: multipart/mixed;
 boundary="------------------------010609040309040904060908"
BlacklistCheck: Blacklisted address, +50 Spam score
X-Spam-Score: 3.5 (+++)
X-Spam-Report: Spam detection software, running on the system "matrix2.mydomain.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Annual Report as an attachment. [...] 
 
 Content analysis details:   (3.5 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 TVD_RCVD_IP            Message was received from an IP address
  2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                             [64.21.219.26 listed in psbl.surriel.com]
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5000]
SpamTally: Final spam score: 85
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

I do realize that the spam score is only 3.5, but "BlacklistCheck" shows it as a blacklisted address with +50 spam score. Shouldn't this raise the X-Spam-Score higher than 3.5, or am I missing something?

Thanks for all your help.

Sukh
 
Hello,

As I see it, this email was identified as spam. SpamAssassin attaches a report only if it identifies an email as spam, doesn't it? You probably have a typo here: "has NOT identified". The "NOT" is there by mistake, I'd say.
SpamTally: Final spam score: 85
 
Hello Alex, thanks for your reply. I totally agree that "NOT" shouldn't be there, but I have not changed anything in SpamAssassin or Exim that should change its behavior, other than the stock settings. With a final spam tally of 85, shouldn't the X-Spam-Score be higher than 5? In this case it only calculated 3.5.

Thanks
 
OK, I guess they work differently, easy_spam_fighter and SpamAssassin, according to this:

About:

The Easy Spam Fighter (simplified wording from "Easy, Reliable, Spam Fighting, with Exim")
is a set of exim ACLs that do various checks, and any check that returns a result (possible spam)
it then increases the score (saved and incremented in $acl_m_easy69)
At the end of the DATA ACL, if the score is below the limit, run a basic smtp-time SpamAssassin call
and add the "int_score" to acl_m_easy69. (eg: 2.7 has int score of 27)
If already above the limit, don't bother running SpamAssassin, as it will be spam already.
This last skip will save CPU processing.


After all that, if the score is above a threshold, the message is rejected, at SMTP-time, and it never enters your queue.
If it's below the threshold, multiple headers are added to explain each score.

Please see /etc/exim.easy_spam_fighter/README.txt for more information.

You can create a file /etc/exim.easy_spam_fighter/variables.conf.custom in order to set your own values for:


Code:
If you want to customize the file, create your own file:
-- variables.conf.custom, and set only the values in this file as desired, and they'll override the defaults.
EASY_LIMIT = 55                 - max score before an email is considered spam before SA is rung (main purpose is just to decide if SpamAssassin run is needed)
EASY_IS_SPAM = 20               - this is a nudge score. If SpamAssass determines it's spam (based on the User threshold), this extra score is added, on top of the spam_score_int
EASY_HIGH_SCORE_DROP = 100      - very high scoring spam is dropped at this score, and not allowed to enter.
EASY_SPF_PASS = -30             - If the SPF passes, the score drops by this amount
EASY_SPF_SOFT_FAIL = 30         - If the SPF hits a softfail from ~all, this score is added.
EASY_DKIM_PASS = -20            - If the DKIM Passes, the score drops by this amount
EASY_DKIM_FAIL = 100            - If the DKIM Fails, the score is added.
EASY_NO_REVERSE_IP = 100        - Sender IP must have a reverse IP lookup, or this score is added.
EASY_DNS_BLACKLIST = 50         - IP that is in a dns black list (RBL) gets this score

SpamTally: Final spam score: 85 was not enough for the email to be dropped.
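To make the README's scoring rules concrete, here is an added model of the ESF tally (example code, not ESF's own Exim ACLs). It uses the defaults quoted from variables.conf above and assumes, as Alex reads it, that EASY_HIGH_SCORE_DROP is the score at which mail is dropped, and that SpamAssassin's own spam threshold is the 5.0 shown in the X-Spam-Report.

```python
# Added model of the Easy Spam Fighter score pipeline described in the README
# quoted above; not ESF's or DirectAdmin's code. Assumptions: the drop line is
# EASY_HIGH_SCORE_DROP, and SpamAssassin's own spam threshold is 5.0.

# Defaults quoted from variables.conf on this page.
DEFAULTS = {
    "EASY_LIMIT": 55,
    "EASY_IS_SPAM": 20,
    "EASY_HIGH_SCORE_DROP": 100,
    "EASY_DNS_BLACKLIST": 50,
}


def sa_int_score(sa_score):
    """SpamAssassin's integer score, as in the README's example: 2.7 -> 27."""
    return int(round(sa_score * 10))


def esf_tally(hits, sa_score=None, sa_threshold=5.0, overrides=None):
    """Return (final_score, sa_was_run, verdict).

    hits: names of the ESF checks that fired, e.g. ["EASY_DNS_BLACKLIST"].
    sa_score: SpamAssassin's score, consulted only when SA is actually run.
    overrides: values as they would appear in variables.conf.custom.
    """
    cfg = dict(DEFAULTS, **(overrides or {}))
    score = sum(cfg[name] for name in hits)       # $acl_m_easy69 after the checks
    sa_run = False
    if score < cfg["EASY_LIMIT"] and sa_score is not None:
        # Below EASY_LIMIT: run SpamAssassin and add its int score.
        sa_run = True
        score += sa_int_score(sa_score)
        if sa_score >= sa_threshold:
            score += cfg["EASY_IS_SPAM"]          # nudge only when SA itself says spam
    # At or above EASY_LIMIT the SA call is skipped, so nothing more is added.
    verdict = "drop" if score >= cfg["EASY_HIGH_SCORE_DROP"] else "headers_added"
    return score, sa_run, verdict


if __name__ == "__main__":
    # The message from the first post: PSBL hit (+50), SpamAssassin 3.5 -> 85.
    print(esf_tally(["EASY_DNS_BLACKLIST"], sa_score=3.5))
    # EASY_DNS_BLACKLIST raised to 75: now at or above EASY_LIMIT, so SA is
    # skipped and the tally stays at 75, still short of the drop score.
    print(esf_tally(["EASY_DNS_BLACKLIST"], sa_score=3.5,
                    overrides={"EASY_DNS_BLACKLIST": 75}))
```

The second call shows the side effect of the README's skip rule: once the RBL score alone reaches EASY_LIMIT, SpamAssassin's 35 points are never added, so a setting of 75 ends at 75, not 100.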
 
Thanks Alex, I had a good look at the configuration values and it looks like I can make it work with a few tweaks. I do have a related question that I had asked in another thread; maybe it can be resolved by these settings. My server was rejecting emails if DKIM failed, with the following message.
Code:
2015-04-16 13:35:45 1YipZh-0002Av-GU H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:35:46 1YipZi-0002Aw-BB H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:50:47 1YipoF-0002Td-AK H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2015-04-16 13:50:48 1YipoG-0002Te-61 H=mail32.*******.net [***.***.133.32] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'

My question is if i change the score for

EASY_DKIM_FAIL = 100 - If the DKIM Fails, the score is added.

to

EASY_DKIM_FAIL = 0 - If the DKIM Fails, the score is added.

Set it to 0 so no score is added. Will that work?

For blocking BlacklistCheck

EASY_DNS_BLACKLIST = 50 - IP that is in a dns black list (RBL) gets this score

TO

EASY_DNS_BLACKLIST = 75 - IP that is in a dns black list (RBL) gets this score

Raise the score by 25, so that the score is raised to 100, resulting in a blocked email.
 
According to this: http://files.directadmin.com/services/easy_spam_fighter/1.7/check_dkim.conf

Code:
  defer
    dkim_status = invalid
    log_message = DKIM: Deferred. reason='$dkim_verify_reason'
    message = DKIM Signature validation has failed. May be a temporary problem.

This is your case, and here you won't achieve the desired result by tweaking the scores.

It is "defer" that the ACL returns, and here is what the Exim docs say about it:

defer:
If all the conditions are true, the ACL returns "defer" which, in an SMTP session, causes a 4xx response to be given. For a non-SMTP ACL, defer is the same as deny, because there is no way of sending a temporary error. For a RCPT command, defer is much the same as using a redirect router and :defer: while verifying, but the defer verb can be used in any ACL, and even for a recipient it might be a simpler approach.


http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html

So to skip emails you should use this:


-- /etc/virtual/esf_skip_senders
file to hold MAIL FROM addresses that ESF should skip checks for SPF, DKIM.
Uses wildlsearch, so can use *
Does not have to exist

-- /etc/virtual/esf_skip_recipients
file to hold RCPT TO addresses that ESF should skip checks for DKIM, RBL.
Uses wildlsearch, so can use *
Does not have to exist
 
Are these whitelists really working?
I have several domains in /etc/virtual/esf_skip_senders but they keep getting filtered by DKIM.

/etc/virtual/esf_skip_senders
*portalinmobiliario.com
amazonses.com

and it keeps blocking:
2015-04-29 10:03:26 1YnRc7-00076P-T2 DKIM: d=amazonses.com c=relaxed/simple a=rsa-sha256 t=1430309250 [verification succeeded]
2015-04-29 10:03:26 1YnRc7-00076P-T2 DKIM: d=portalinmobiliario.com c=relaxed/simple a=rsa-sha256 t=1430309250 [invalid - public key record (currently?) unavailable]
2015-04-29 10:03:41 1YnRc7-00076P-T2 SMTP connection lost after final dot H=a10-192.smtp-out.amazonses.com [54.240.10.192] P=esmtps

What am I doing wrong?
 
A check for exclusion is done in:

http://files.directadmin.com/services/easy_spam_fighter/1.7/check_mail.conf

Code:
  # check for esf skip lists
  accept
    senders = +esf_skip_senders
    set acl_m_esf_skip = 1
    logwrite = $sender_address skipped via esf_skip_senders

  accept
    hosts = +esf_skip_hosts
    set acl_m_esf_skip = 1
    logwrite = $sender_address skipped via esf_skip_hosts

So yes, it should work, unless there is a bug.

Code:
EASY_SKIP_SENDERS = /etc/virtual/esf_skip_senders        - file to hold MAIL FROM addresses that ESF should skip checks for SPF, DKIM.
EASY_SKIP_RECIPIENTS = /etc/virtual/esf_skip_recipients        - file to hold RCPT TO addresses that ESF should skip checks for DKIM, RBL.

And if a sender is whitelisted it should be skipped for DKIM check:

Code:
acl_check_dkim:

  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}
          
  .include_if_exists /etc/exim.easy_spam_fighter/check_dkim.conf
  accept
 
So I'm trying to understand:
if I add a host to esf_skip_hosts, should it pass the DKIM filter?

Code:
2015-11-09 09:37:51 [email protected] skipped via esf_skip_senders
2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW DKIM: d=aplikacje.pracuj.pl s=def c=relaxed/simple a=rsa-sha256 t=1446973766 [invalid - syntax error in public key record]
2015-11-09 09:37:53 1ZvhxZ-0008Ir-NW H=wysylka1.pracuj.pl [176.119.42.24] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_syntax'

I still have DKIM: Deferred.
 
I have the same problem; I followed all the steps, and DKIM is still deferred.

2015-11-24 13:55:53 [email protected] skipped via esf_skip_senders
2015-11-24 13:55:53 [email protected] skipped via esf_skip_senders
2015-11-24 13:55:53 1a1D8T-0000rm-9Q DKIM: d=ovh.es s=mailout c=simple/simple a=rsa-sha256 t=1448369417 [invalid - public key record (currently?) unavailable]
2015-11-24 13:55:53 1a1D8T-0000rm-9Q H=mo195.mail-out.ovh.net [178.32.228.195] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'


What can I do?

Thank you!!
 
There is NO DKIM key for ovh.es with the name mailout:

Code:
# dig TXT mailout._domainkey.ovh.es


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> TXT mailout._domainkey.ovh.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7864
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:
;mailout._domainkey.ovh.es.     IN      TXT


;; AUTHORITY SECTION:
ovh.es.                 1782    IN      SOA     dns.ovh.net. tech.ovh.net. 2015072200 86400 3600 3600000 86400


;; Query time: 10 msec
;; SERVER: 2001:4860:4860::8844#53(2001:4860:4860::8844)
;; WHEN: Fri Nov 27 15:12:36 2015
;; MSG SIZE  rcvd: 95


http://dkimcore.org/c/keycheck
 