Spam mails with score > 100 still being delivered

casperbakker (Verified User, Netherlands; joined Jun 22, 2008; 5 messages)
One DirectAdmin server from a client receives more than 100 spam mails a day from multiple servers. All with a spam score of > 100, while block level is on 3. Can anyone please help me? We've tried many things to make sure these mails are blocked, but nothing helps and it's very frustrating.

Here is one of the mails that finds its way through Exim:

Van: <[email protected]>
Datum: 13 oktober 2009 07:13:15 GMT+02:00
Aan: <--notimportant-->
Onderwerp: *****SPAM***** Не удается доставить: Новые технологии в строительстве

Spam detection software, running on the system "--ourserver--", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Не удалось выполнить доставку следующим получателям или лицам
из следующих списков рассылки: [email protected]<mailto:buhg%40as-stroy.ru>
Адрес электронной почты этого получателя не найден в почтовой системе получателя.
Microsoft Exchange не будет повторять попытку доставить это сообщение. Проверьте
адрес электронной почты получателя и попытайтесь снова отправить это сообщение
или передайте следующее диагностическое сообщение системному администратору.
[...]

Content analysis details: (102.6 points, 3.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
100 USER_IN_BLACKLIST From: address is in the user's black-list
0.8 MIME_BOUND_MANY_HEX Spam tool pattern in MIME boundary
1.1 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
1.6 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
1.9 INVALID_MSGID Message-Id is not valid, according to RFC 2822
0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
-0.3 AWL AWL: From: address is in the auto white-list

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
 

I have attached our configuration file for exim. Nothing is changed since installation except for the blacklists configured around line 432. We've tried to recompile Exim from source but even this doesn't do any good.
 


Go to "Spamassassin Setup", check "Delete the spam." and click "Save".
 
I have also seen this from time to time, and I have no idea why it happens. It might be a good question for the SpamAssassin mailing list.

Jeff
 
Well, I have the same problem. The thing is, it is only happening for non-delivery reports. If someone is sending spam using my email address as sender, any non-deliverable mail is routed back to my address. Spamassassin scans them, flags them as spam, but exim still delivers them. Other spam above the threshold is deleted as expected.

The only real difference between the emails that I can see, is that the NDRs have an empty return-path.

Here is a part of the exim log file. The first email is an NDR that gets delivered, the second email is a spam email sent directly to my address, and gets discarded.
Code:
2009-11-25 15:45:15 1NDJ7L-0001Ld-5L <= <> H=gvo14028.gvodatacenter.com [12.68.140.28] P=esmtps X=TLSv1:AES256-SHA:256 S=2525 [email protected] T="Mail delivery failed: returning message to sender" from <> for [email protected]
2009-11-25 15:45:19 1NDJ7L-0001Lk-KT <= <> U=mail P=spam-scanned S=5622 [email protected] T="**SPAM-24.8** Mail delivery failed: returning message to sender" from <> for [email protected]
2009-11-25 15:45:19 1NDJ7L-0001Lk-KT => myusername <[email protected]> F=<> R=localuser T=local_delivery S=5732
2009-11-25 15:45:19 1NDJ7L-0001Lk-KT Completed
---second email---
2009-11-25 15:45:20 1NDJ7Q-0001M9-LA <= [email protected] H=dslb-094-223-232-114.pools.arcor-ip.net [94.223.232.114] P=smtp S=3208 T="Dear [email protected] 75% 0FF on Pfizer." from <[email protected]> for [email protected]
2009-11-25 15:45:24 1NDJ7Q-0001MC-T7 <= [email protected] U=mail P=spam-scanned S=7787 T="**SPAM-40.8** Dear [email protected] 75% 0FF on Pfizer." from <[email protected]> for [email protected]
2009-11-25 15:45:24 1NDJ7Q-0001MC-T7 => discarded <[email protected]> R=domain_filter
2009-11-25 15:45:24 1NDJ7Q-0001MC-T7 Completed
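A quick check for the pattern this post describes, written as an added example (not code from the thread or from DirectAdmin): it reads Exim mainlog lines like the ones above, pairs each spam-scanned re-injection that carries a **SPAM-n.n** subject tag with the delivery lines for the same message id, and reports every message at or above the threshold that was routed anywhere other than "discarded", together with its envelope sender. The log lines and addresses are constructed to mirror the excerpt.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the excerpt above (addresses replaced):
# an NDR with an empty envelope sender "<>" that SpamAssassin tags **SPAM-24.8**
# but Exim hands to local_delivery, and a directly addressed spam tagged
# **SPAM-40.8** that the domain_filter router discards as intended.
SAMPLE_LOG = """\
2009-11-25 15:45:19 1NDJ7L-0001Lk-KT <= <> U=mail P=spam-scanned S=5622 T="**SPAM-24.8** Mail delivery failed: returning message to sender" from <> for victim@example.net
2009-11-25 15:45:19 1NDJ7L-0001Lk-KT => myusername <victim@example.net> F=<> R=localuser T=local_delivery S=5732
2009-11-25 15:45:19 1NDJ7L-0001Lk-KT Completed
2009-11-25 15:45:24 1NDJ7Q-0001MC-T7 <= spammer@example.org U=mail P=spam-scanned S=7787 T="**SPAM-40.8** Dear victim 75% 0FF" from <spammer@example.org> for victim@example.net
2009-11-25 15:45:24 1NDJ7Q-0001MC-T7 => discarded <victim@example.net> R=domain_filter
2009-11-25 15:45:24 1NDJ7Q-0001MC-T7 Completed
"""

# Arrival line of the re-injected, already scanned copy (P=spam-scanned).
ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*?P=spam-scanned '
                     r'.*?T="\*\*SPAM-(?P<score>[\d.]+)\*\*')
# Delivery line: "=> <target> ... R=<router>"; target is "discarded" for dropped mail.
DELIVERY = re.compile(r'^\S+ \S+ (?P<id>\S+) => (?P<target>\S+) .*?R=(?P<router>\S+)')

def find_leaked_spam(log_text, threshold):
    """Return [(msgid, envelope_sender, score, router)] for messages that
    SpamAssassin scored at or above `threshold` but that Exim routed to
    something other than the 'discarded' pseudo-target."""
    tagged = {}                  # message id -> (envelope sender, SA score)
    outcome = defaultdict(list)  # message id -> [(target, router), ...]
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            tagged[m['id']] = (m['sender'], float(m['score']))
            continue
        m = DELIVERY.match(line)
        if m:
            outcome[m['id']].append((m['target'], m['router']))
    leaked = []
    for msgid, (sender, score) in tagged.items():
        if score < threshold:
            continue
        for target, router in outcome.get(msgid, []):
            if target != 'discarded':
                leaked.append((msgid, sender, score, router))
    return leaked

if __name__ == '__main__':
    for msgid, sender, score, router in find_leaked_spam(SAMPLE_LOG, 3.0):
        print(f"{msgid}: score {score} from {sender} delivered via router {router}")
```

Run against a real /var/log/exim/mainlog the same way; a sender column showing only "<>" confirms that it is the bounces with an empty return-path that slip past the filter.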
 
And you emailed the mailing list as posted above? What was their answer?
 
I'm going to dig this out of the gutter as it's a problem I'm having as well. Noticing these in our MailPiler archive server, really prefer these were all deleted and not passed on for us to archive...then there's the backscatter/NDR issues and getting blacklisted.

Spamassassin is running. Set to delete spam. As you can see below it's being flagged and scored at 20 pts which is 5x enough to be considered spam.

Example 1: Exim is still delivering this even though SA has scored it high and should be deleted.

Received: from mail by mail.usamail.us with spam-scanned (Exim 4.82.1)
(envelope-from <[email protected]>)
id 1X7GBN-0003et-5b
for [email protected]; Tue, 15 Jul 2014 22:47:11 -0500
Received: from localhost by mail.usamail.us
with SpamAssassin (version 3.4.0);
Tue, 15 Jul 2014 22:47:11 -0500
From: =?koi8-r?B?8MzB1M/O?= <[email protected]>
Subject: =?koi8-r?B?78bJ09kg0yDQz9TPzMvBzckgz9QgNCDNLiA=?=
Date: Wed, 16 Jul 2014 07:46:35 +0400
Message-Id: <C9CC7A2922F6D87BA7A2EB5501E060E1@voct>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.usamail.us
X-Spam-Flag: YES
X-Spam-Level: *******************
X-Spam-Status: Yes, score=20.0 required=4.0 tests=HK_RANDOM_ENVFROM,
HK_RANDOM_FROM,HTML_IMAGE_ONLY_08,HTML_IMAGE_RATIO_02,HTML_MESSAGE,
MIME_HTML_MOSTLY,MISSING_HEADERS,MPART_ALT_DIFF,RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L4,RCVD_IN_PSBL,RCVD_IN_SORBS_WEB,
REPLYTO_WITHOUT_TO_CC,SPF_FAIL,SPF_HELO_PASS,TO_NO_BRKTS_MSFT autolearn=spam
autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_53C5F5BF.7050EDFD"

Received: from mail by mail.usamail.us with spam-scanned (Exim 4.82.1)
(envelope-from <[email protected]>)
id 1X7FFh-0002yQ-Ea
for [email protected]; Tue, 15 Jul 2014 21:47:45 -0500
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.usamail.us
X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=4.0 tests=HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MIME_QP_LONG_LINE,RCVD_IN_BL_SPAMCOP_NET
autolearn=no autolearn_force=no version=3.4.0
Received: from hivede2-1887.fornex.org ([5.187.0.213])
by mail.usamail.us with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.82.1)
(envelope-from <[email protected]>)
id 1X7FFg-0002xU-So
for [email protected]; Tue, 15 Jul 2014 21:47:29 -0500
Received: from WIN7-UTI-PC (localhost [123.26.196.5] (may be forged))
(authenticated bits=0)
by hivede2-1887.fornex.org (8.14.3/8.14.3/Debian-9.4) with ESMTP id s6G2lQoc017962
for <[email protected]>; Wed, 16 Jul 2014 06:47:28 +0400
Message-Id: <[email protected]>
From: [email protected]
To: [email protected]
Subject: =?UTF-8?Q?Re=3A_We_over_eat_in_this_country?=
Date: Wed, 16 Jul 2014 09:47:25 +0700
MIME-Version: 1.0 (produced by Synapse)
X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer
Content-type: Multipart/mixed; boundary="00599F85_22C3310A_Synapse_boundary"
Content-Description: Multipart message
X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner

Example 2: you will notice the victozuk@ address. I am receiving dozens of emails with variations of this address... backscatter/NDR.

Received: from mail by mail.usamail.us with local (Exim 4.82.1)
id 1X7FFy-00030E-7X
for [email protected]; Tue, 15 Jul 2014 21:47:46 -0500
X-Failed-Recipients: [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: Mail delivery failed: returning message to sender
Message-Id: <[email protected]>
Date: Tue, 15 Jul 2014 21:47:46 -0500

Not necessarily spam per se (well, it is) but simply a Failed Recip... I'd prefer these weren't archived as well as I'm getting waaaay too many of these per day.

I've read over a ton of threads here with no real clear cut answer for my pointy head.

Seems I had this issue a few years back with an Atmail server which used a modified version of Exim and addressed some of this via HELO.

Something like this:

deny message = HELO not allowed
condition = ${if eq{$sender_helo_name}{ourmailserver.net}{yes}{no}}

Jeff? Any thoughts?
 
Received: from mail by mail.usamail.us with spam-scanned (Exim 4.82.1)
(envelope-from <[email protected]>)
id 1X7Q8G-0001b8-3u
for [email protected]; Wed, 16 Jul 2014 09:24:42 -0500
Received: from localhost by mail.usamail.us
with SpamAssassin (version 3.4.0);
Wed, 16 Jul 2014 09:24:42 -0500
From: [email protected]
To: [email protected]
Subject: =?UTF-8?Q?Check_out_our_discount_prices_for_?=
=?UTF-8?Q?erectile_dysfunction_medications!?=
Date: Wed, 16 Jul 2014 23:20:29 -0700
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.usamail.us
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.7 required=4.0 tests=DATE_IN_FUTURE_12_24,
HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,IMPOTENCE,MIME_HTML_ONLY,MIME_QP_LONG_LINE,
MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L3,
RDNS_NONE autolearn=no autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_53C68B2A.BEA41CED"
Message-Id: <[email protected]>

Partial body.

This is a multi-part message in MIME format.


Spam detection software, running on the system "mail.usamail.us",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Huge savings is our gift for you! We want you to enjoy
your life and have awesome sex! ....geowasser.at/wp-includes/js/canadi.....
[...]

These need to be deleted...full stop, end of process... not routed back through Exim then archived. How to stop that from happening?
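As an added example (not code from the thread, DirectAdmin or MailPiler), a small parser for the headers quoted above: it unfolds the multi-line X-Spam-Status value, extracts the score, the required threshold and the rule names, and decides whether the message should have been deleted. A message with no X-Spam-Status at all, like the locally generated bounce in Example 2, is reported as unscanned. The header samples are constructed from the quoted ones with example addresses.

```python
import re

# Constructed header blocks modelled on those quoted in the thread (addresses
# replaced). SpamAssassin folds long X-Spam-Status values over several lines,
# which is what a naive one-line grep for "score=" gets wrong.
FLAGGED = """\
From: sender@example.org
X-Spam-Flag: YES
X-Spam-Status: Yes, score=11.7 required=4.0 tests=DATE_IN_FUTURE_12_24,
 HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,IMPOTENCE,MIME_HTML_ONLY,MIME_QP_LONG_LINE,
 MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L3,
 RDNS_NONE autolearn=no autolearn_force=no version=3.4.0
"""
BELOW_THRESHOLD = """\
From: someone@example.org
X-Spam-Status: No, score=3.0 required=4.0 tests=HTML_MESSAGE,
 HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MIME_QP_LONG_LINE,RCVD_IN_BL_SPAMCOP_NET
 autolearn=no autolearn_force=no version=3.4.0
"""

STATUS_RE = re.compile(r'(?P<flag>Yes|No),\s*score=(?P<score>-?[\d.]+)\s+required=(?P<required>[\d.]+)'
                       r'(?:\s+tests=(?P<tests>.*?))?(?:\s+autolearn=|\s*$)')

def get_header(raw_headers, name):
    """Unfolded value of header `name` (continuation lines start with whitespace)."""
    value = None
    for line in raw_headers.splitlines():
        if value is not None and line[:1] in (' ', '\t'):
            value += ' ' + line.strip()      # folded continuation line
        elif value is not None:
            break                            # next header: folding ended
        elif line.lower().startswith(name.lower() + ':'):
            value = line.split(':', 1)[1].strip()
    return value

def parse_spam_status(raw_headers):
    """Parse X-Spam-Status into flag, score, required threshold and rule list."""
    status = get_header(raw_headers, 'X-Spam-Status')
    m = STATUS_RE.match(status) if status else None
    if not m:
        return None          # never scanned (e.g. a locally generated bounce)
    tests = [t for t in re.split(r'[,\s]+', m['tests'] or '') if t]
    return {'flagged': m['flag'] == 'Yes', 'score': float(m['score']),
            'required': float(m['required']), 'tests': tests}

def should_delete(raw_headers):
    """True when SpamAssassin flagged the mail and its score meets the threshold."""
    info = parse_spam_status(raw_headers)
    return bool(info and info['flagged'] and info['score'] >= info['required'])
```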
 