Spam with cc to other virtual users on server. Anyone else seeing this?

IT_Architect

I'm seeing a lot of spam with CCs to other users on same server. Anyone else seeing this?

Thanks!
 
Hello,

I see it from time to time... up to ~10 emails per day in my private email box. Do you see much more?
 
I'd say ~10 emails a day is about right, and to many unrelated virtual users on the same server, with CCs to each other. Their domains change every day as well as where they come from. GEO blocking doesn't work on these because they are coming from within the US this time, and a few from Canada.
 
And it seems that SpamAssassin does not analyze them. Or is it only this way on my end, and it differs on yours?
 
And it seems that SpamAssassin does not analyze them. Or is it only this way on my end, and it differs on yours?
I'm not sure.

This is what happens on my end. SpamAssassin Bayes is a very slow learner. I have a SpamAssassin Bayes database that I have taught over time. I set up the user's SpamAssassin, then I delete the new Bayes and copy in mine. That's a huge head start for them. From there, the user fine tunes with TeachIsSpam and TeachIsNotSpam. When they teach using the inter-server messages, they never hear from them again. However, spammers have a daily rotation of a new name and place from which to send spam. The reason I said I'm not sure in the beginning is that normally SpamAssassin Bayes kills them even if they haven't heard of them before, and under these conditions it doesn't seem to be any more effective than blocking by the source, which of course changes every day.

On the desktop side, nothing beats POPFile. However, POPFile only works well on POP3, which does nothing for your mobile devices, and their IMAP plugin proved limited, and more trouble than it was worth. One thing some users have done is setting up Outlook with POP3 and IMAP for the same account. They use the consolidated POP3 inbox with its superior POPFile E-Mail classification, and view and teach the IMAP side where they can view what was lassoed by SpamAssassin, and teach based on what got lassoed by POPFile, to keep it off their phone. Spam and Trash get cleaned by cron after the time period you set.

On the mobile side, I haven't found the equivalent of POPFile for POP E-Mail, and mobile devices are so vulnerable to getting lost or trashed you wouldn't want that to be your only record of E-Mails anyway, so only IMAP makes sense there. It also allows them to teach Bayes and check the on-server spam folder. I haven't proven any Anti-Spam highly effective for mobile IMAP yet, but admittedly I haven't spent a lot of time experimenting.

Other:
The output queue doesn't look bad for frozen messages, but then it shouldn't. There is one user that seems like a common recipient. I went to his Maildir and there are a few things that I don't understand with what I see that you may be able to help me with. In the Maildir directory structure for the vUser:
- There is nothing unusual about Maildir/.Drafts, Maildir/.INBOX.*, Maildir/.Sent, Maildir/.Trash, or Maildir/Junk E-mail.
- Maildir/cur is 2.5GB. I assume it is his Inbox. However, I really don't see any crap stored in there.
- I'm not getting any messages about too many E-Mails sent by anyone.

So the bottom line is I'll look at it as another spam problem to solve.

Thanks!
 
OK, I see. As for disk space, try to see where most of the emails are stored with:

Code:
du -h --max-depth=1 ./

You should change directory to Maildir first.

I also teach SpamAssassin, and I don't see much SPAM in my personal inbox, but those emails with CC do not seem to be checked with SA, if the email headers are to be believed. Usually, even if HAM was checked, it contains headers like the following:

Code:
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on server.example.com
X-Spam-Level:
X-Spam-Status: No,

The emails delivered as CC do not have the headers, though I use the default exim.conf with no customization which would affect SA. So I'm wondering do you have the same, i.e. no X-Spam-* headers in such emails?

Regards,
Alex.
 
OK, it seems I was wrong. Probably it was true earlier with an older exim.conf, but now SPAM delivered to me as CC was checked by SA:

Code:
Received: from mail by server.example.com with spam-scanned (Exim 4.87)
    (envelope-from <[email protected]>)
    id 1c2ZSa-0004ZK-JB
    for [email protected]; Fri, 04 Nov 2016 15:02:50 +0700
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on server.example.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=10.0 tests=BAYES_99,BAYES_999,
    HTML_IMAGE_ONLY_24,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RP_MATCHES_RCVD
    autolearn=no autolearn_force=no version=3.4.1

Regards,
Alex.
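
An added example, not part of the original posts: a Maildir audit for the two conditions discussed above, namely messages that carry no X-Spam-Status header at all, and messages where BAYES_99 fired but the total score stayed below `required`, as in the quoted headers. The `local_domains` set, the finding names and the sample addresses are assumptions made for illustration.

```python
import email
import mailbox
import re
from email.utils import getaddresses

# Constructed sample modeled on the headers quoted in the thread; addresses are made up.
SAMPLE = b"""\
To: alice@example.com
Cc: bob@example.com, carol@example.org, dave@example.net
Subject: constructed sample
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on server.example.com
X-Spam-Status: No, score=3.6 required=10.0 tests=BAYES_99,BAYES_999,
    HTML_IMAGE_ONLY_24,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RP_MATCHES_RCVD
    autolearn=no autolearn_force=no version=3.4.1

body
"""

SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"tests=(.*?)(?:\s+autolearn=|$)")

def audit_message(raw, local_domains):
    """Report scan status, score vs. threshold, and recipients hosted on this server."""
    msg = email.message_from_bytes(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    local = sorted(a.lower() for _, a in rcpts
                   if a.rpartition("@")[2].lower() in local_domains)
    status = msg.get("X-Spam-Status")
    if status is None:
        return {"finding": "not-scanned", "local_rcpts": local}
    flat = " ".join(str(status).split())  # undo header folding
    m, t = SCORE_RE.search(flat), TESTS_RE.search(flat)
    if not (m and t):
        return {"finding": "unparsed", "local_rcpts": local}
    score, required = map(float, m.groups())
    tests = [x.strip() for x in t.group(1).split(",") if x.strip()]
    # Bayes is near-certain, yet the total stays under the delivery threshold.
    missed = "BAYES_99" in tests and score < required
    return {"finding": "bayes99-under-threshold" if missed else "ok",
            "score": score, "required": required, "tests": tests,
            "local_rcpts": local}

def audit_maildir(path, local_domains):
    """Yield (key, report) for every message in a Maildir whose finding is not 'ok'."""
    box = mailbox.Maildir(path, create=False)
    for key in box.iterkeys():
        report = audit_message(box.get_bytes(key), local_domains)
        if report["finding"] != "ok":
            yield key, report
```

Point `audit_maildir` at a virtual user's Maildir with the set of domains hosted on the server; a long `local_rcpts` list on a flagged message matches the cross-user CC pattern described in this thread.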
 
OK, it seems I was wrong. Probably it was true earlier with an older exim.conf, but now SPAM delivered to me as CC was checked by SA
They are checked, but always fall under the radar until they TeachIsSpam, but the next day, the same message from a different source gets in.

I wish SpamAssassin would copy POPFile's algorithm. SpamBayes for Outlook claims they started with POPFile's code and made "improvements". I wish they would quit pretending they are smart and just copy POPFile's algorithm. SpamAssassin and SpamBayes don't even come close.

I have some ideas to try. I'll let you know if they work.
 