No points for spam?? Spamassassin not working good enough?

Richard G

We had some spam messages get past our system.
Now we understand that the sending system (mailgun.net) is in the dnswl.org whitelist so that part we do understand, but look at this:

Code:
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no
                             trust
                             [143.55.225.30 listed in list.dnswl.org]
  1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                             [URI: gopudgypenguins.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                             domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.0 BAYES_20               BODY: Bayes spam probability is 5 to 20%
                             [score: 0.1592]
  0.0 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                             [143.55.225.30 listed in bl.mailspike.net]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blocklisted
  1.4 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
  0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                             [URI: gopudgypenguins.com]

Now the last lines worry me the most, why are no spam points given to these lines:
SURBL blocklist only gives 1.2 but better than nothing, however...
0.0 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                             [143.55.225.30 listed in bl.mailspike.net]
0 points while listed???

0.0 URIBL_RED              Contains an URL listed in the URIBL redlist

Also 0 points while listed. Why don't they get more points?

ESF let it go because DKIM and SPF were valid for the sending domain.

Also, these days we are more often receiving spam from spammers using systems like mailgun and also sending spam in images instead of text/html, so the source can't easily be used for spam reporting to Spamcop.
 
Hello Richard,

The default values are not always optimal. Are you sure those results are from SpamAssassin running on your server?
 
Hello Alex.

Are you sure those results are from SpamAssassin running on your server?
I think so because it starts with;
Code:
Content analysis details:   (2.4 points, 7.5 required)
 
  pts rule name              description
And those 7.5 required for spam is a Spamassassin score.
 
Usually headers contain an indication on the server where the test was completed. For example:

Code:
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on ******.poralix.***

Actually it does not matter much to me. The point is, if it is your server you can assign different and stricter values for those tests.

There is a directory /etc/mail/spamassassin with a list of default files that can be used for customization.
 
For example:
Unfortunately it does not say "SpamAssassin 4.x etc" in my header; in my case it looks like this:

Code:
X-Spam-Score: 2.4 (++)
X-Spam-Report: Spam detection software, running on the system "server.mydomain.nl"

There is a part above that, but due to the score settings I think this is from ESF.
Code:
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 143.55.225.30, -10 Spam score
SPFCheck: Server passes SPF test, -30 Spam score
X-DKIM: signer='autoserve1.com' status='pass' reason=''
DKIMCheck: Server passes DKIM test, -30 Spam score
X-Spam-Score: 2.4 (++)
X-Spam-Report: Spam detection software, running on the system "server.mydomain.nl",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.

I do have the files in the /etc/mail/spamassassin directory, as far as I know they are almost all default and normally they do their work, or at least I see spamd working in the maillog. I just don't understand the low values while things are listed in those lists.
 
The default values are too low:

Code:
score RCVD_IN_MSPIKE_BL                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_H2                     0.001 -0.001 0.001 -0.001
score RCVD_IN_MSPIKE_H3                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_H4                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_H5                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L2                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L3                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L4                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L5                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_WL                     0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_ZBI                    0.001 0.001 0.001 0.001

You will need to adjust them and set them higher if you want to see an effect.
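
The report from the first post, checked mechanically (an added example, not part of any post in this thread): it parses the `pts rule name description` lines, folds wrapped descriptions, lists the rules that report a listing yet add almost nothing, and builds `score` override lines for a file such as /etc/mail/spamassassin/local.cf. The function names, the keyword heuristic and the 2.0 value are assumptions made for illustration, not recommended settings.

```python
import re

# Report lines as posted in the first message of this thread.
REPORT = """\
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no
                             trust
                             [143.55.225.30 listed in list.dnswl.org]
  1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                             [URI: gopudgypenguins.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                             domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.0 BAYES_20               BODY: Bayes spam probability is 5 to 20%
                             [score: 0.1592]
  0.0 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
                             [143.55.225.30 listed in bl.mailspike.net]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blocklisted
  1.4 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
  0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                             [URI: gopudgypenguins.com]
"""
RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

def parse_report(text):
    """Return [(score, rule, description)], folding wrapped description lines."""
    hits = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            hits.append([float(m.group(1)), m.group(2), m.group(3).strip()])
        elif hits and line.strip():
            hits[-1][2] += " " + line.strip()  # continuation of the previous rule
    return [tuple(h) for h in hits]

def unscored_listings(hits, floor=0.05):
    """Rules whose text reports a listing (assumed keywords) but add < floor points."""
    words = re.compile(r"blocklist|redlist|bad reputation", re.I)
    return [r for s, r, d in hits if abs(s) < floor and words.search(d)]

def local_cf_overrides(rules, new_score):
    """Build 'score RULE value' lines; new_score is the operator's own choice."""
    return [f"score {r} {new_score}" for r in rules]

if __name__ == "__main__":
    print("\n".join(local_cf_overrides(unscored_listings(parse_report(REPORT)), 2.0)))
```

After placing overrides in local.cf, `spamassassin --lint` checks that the configuration still parses.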
 
The default values are too low:
Maybe I'm missing something but I have these files:
init.pre
local.cf
v310.pre
v312.pre
and some other vXXX.pre files which only load plugins.

I don't have a file containing scores as you do.

Or do I need to create those myself? Are there some good examples somewhere in that case?
And how do I get it like you have that the spamassassin version running is shown also?
 
Defaults are saved under /var/lib/spamassassin/
Customized settings should be saved under /etc/mail/spamassassin



And how do I get it like you have that the spamassassin version running is shown also?

Upgrade SA to 4.x?
 
Upgrade SA to 4.x?
Euh...
drwxr-xr-x. 3 root root 4.0K 2024-04-15 03:11 4.000000
drwxr-xr-x 3 root root 4.0K 2025-01-05 03:43 4.000001

I thought custombuild was keeping this up to date anyway. So if I see it correctly, I should be already on version 4?

I did sa-update, no difference. Thought DA also put the sa-update cron in /etc/cron.daily but at least there is one there.
And the thread you're pointing to is 11 years old and only contains 404 links unfortunately.

I also don't really understand how those values are created. When I'm looking in /var/lib/spamassassin/4.00001/mailspike.cf for example, it all looks like this, not like you showed:

## Spam sources
header __RCVD_IN_MSPIKE_B eval:check_rbl('mspikeb-lastexternal', 'bl.mailspike.net.')
tflags __RCVD_IN_MSPIKE_B net
reuse __RCVD_IN_MSPIKE_B

## Ham sources
header __RCVD_IN_MSPIKE_L eval:check_rbl('mspikeg-firsttrusted', 'wl.mailspike.net.')
tflags __RCVD_IN_MSPIKE_L net
reuse __RCVD_IN_MSPIKE_L

##### Reputation compensations
# Definitions - Bad senders
header __RCVD_IN_MSPIKE_Z eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.2')
describe __RCVD_IN_MSPIKE_Z Spam wave participant
tflags __RCVD_IN_MSPIKE_Z net
reuse __RCVD_IN_MSPIKE_Z

header RCVD_IN_MSPIKE_L5 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.10')
describe RCVD_IN_MSPIKE_L5 Very bad reputation (-5)
tflags RCVD_IN_MSPIKE_L5 net
reuse RCVD_IN_MSPIKE_L5
 
And the thread you're pointing to is 11 years old and only contains 404 links unfortunately.

The way to customize SpamAssassin scoring has not changed over the years. That's the core reason I posted a link to my 11-year-old post.

For more understanding, kindly read the official docs.

General information:

- https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html
- https://spamassassin.apache.org/old/tests_3_3_x.html

MailSpike defaults:

- https://apache.googlesource.com/spamassassin/+/trunk/rules/20_mailspike.cf (you can find it under /var/lib/spamassassin/4.000001/updates_spamassassin_org/20_mailspike.cf)
- https://apache.googlesource.com/spamassassin/+/trunk/rules/50_scores.cf (you can find it under /var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf)

it all looks like this, not like you shown:

Sorry, I do not have time to persuade) Probably later, but not now, I will write a guide on how to customize scoring in SpamAssassin. And I already posted the lines that you need to customize in the post https://forum.directadmin.com/threa...sin-not-working-good-enough.72460/post-382175

I thought custombuild was keeping this up to date anyway. So if I see it correctly, I should be already on version 4?

Found the same report here https://forum.directadmin.com/threads/x-spam-checker-version-spamassassin-header-not-added.30922/ without a solution. I have no idea why the header is not added on your server. And I don't have instructions on how to troubleshoot it. So if you want to fix it, it will be fully up to you.
 
That's the core reason I posted a link to my 11-year-old post.
Okay, thank you very much for the help so far. I will check further in the docs.

Just before I came here I also found the 50_score.cf and it seems the mailspike score was lowered because of some bug:
Code:
# MAILSPIKE RBL ENABLED FOR SA3.4 and above - BUG 6400
if (version >= 3.004000)
  # FLOATING SCORES FOR GA - adjust after GA to make L3 - L5 linear
  # Probably adjust up slightly to make up for the "reuse" imperfection
# <gen:mutable>
  score RCVD_IN_MSPIKE_ZBI     2.7
  score RCVD_IN_MSPIKE_L5      2.5
  score RCVD_IN_MSPIKE_L4      1.7
  score RCVD_IN_MSPIKE_L3      0.9
# </gen:mutable>
  # FIXED SCORES
  # TEMPORARILY LOWERED - adjust these higher after GA is done
  # (pending discussion: Welcomelists need scores, but they shouldn't effect the scoring of spam detection rules.)
  score RCVD_IN_MSPIKE_H3      -0.01
  score RCVD_IN_MSPIKE_H4      -0.01
  score RCVD_IN_MSPIKE_H5      -1.0
  # FIXED SCORES - informational rules, useful only for statistical comparisons
  score RCVD_IN_MSPIKE_BL      0.01
  score RCVD_IN_MSPIKE_WL      -0.01

So it says "temporarily lowered". No clue what GA is or if this bug is now fixed in 4.x, but I will check the threads and docs and see what I can do about this.
Thanks!
 