Spam not being blocked again, low spam score???

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
I do have RBLs activated, but it seems spam gets through with a low spam score??

This is from a mail which IS on the spamhaus blacklist.
Code:
X-Spam-Score: 1.3 (+)
X-Spam-Report: Spam detection software, running on the system "server18.ourserver.nl",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
Score 1.3?????

Code:
 Content analysis details:   (1.3 points, 7.5 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 T_SPF_HELO_PERMERROR   SPF: test of HELO record failed (permerror)
  0.0 T_SPF_PERMERROR        SPF: test of record failed (permerror)
  0.0 HTML_MESSAGE           BODY: HTML included in message
[b]  1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS[/b]
SpamTally: Final spam score: 13
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
Then from /var/log/messages:
Code:
Aug 24 21:36:01 server18 spamd[8316]: spamd: connection from localhost [127.0.0.1]:52194 to port 783, fd 5
Aug 24 21:36:01 server18 spamd[8316]: spamd: setuid to mydomain succeeded
Aug 24 21:36:01 server18 spamd[8316]: spamd: checking message <bddmBaXqvn8OcSoR_RVmTu2GY8GH0UP7qbODMxIZ0WU.0KmKAmEhS-E_1Ow1AevpymDcJ0Qc_c_App-vXGIuqJU@amisrue.website> for mydomain:503
Aug 24 21:36:02 server18 spamd[8316]: spamd: clean message (1.3/7.5) for mydomain:503 in 1.6 seconds, 12711 bytes.
Aug 24 21:36:02 server18 spamd[8316]: spamd: result: . 1 - HTML_MESSAGE,RDNS_NONE,T_SPF_HELO_PERMERROR,T_SPF_PERMERROR scantime=1.6,size=12711,user=myuser,uid=503,required_score=7.5,rhost=localhost,raddr=127.0.0.1,rport=52194,mid=<bddmBaXqvn8OcSoR_RVmTu2GY8GH0UP7qbODMxIZ0WU.0KmKAmEhS-E_1Ow1AevpymDcJ0Qc_c_App-vXGIuqJU@amisrue.website>,autolearn=no autolearn_force=no
Autolearn=no? Strange. And where is the RBL check? Because this would add a +100 to the spamscore.
This is from my easy spamfighter configuration file which I changed. Or do I need to make a custom one for changes?
Code:
EASY_LIMIT = 55
EASY_IS_SPAM = 20
EASY_HIGH_SCORE_DROP = 75
EASY_SPF_PASS = -30
EASY_SPF_SOFT_FAIL = 30
EASY_SPF_FAIL = 100
EASY_DKIM_PASS = -20
EASY_DKIM_FAIL = 100
[b]EASY_NO_REVERSE_IP = 100[/b]
EASY_FORWARD_CONFIRMED_RDNS = -10
[b]EASY_DNS_BLACKLIST = 100[/b]
EASY_SPAMASSASSIN_MAX_SIZE = 200K
I had a look at this post:
http://forum.directadmin.com/showthread.php?t=53179&p=272841#post272841

But I have razor2 and done like this:
yum install perl-YAML
yum install re2c

cpan -i Archive::Tar Digest::SHA Mail::SPF IP::Country Net::Ident Compress::Zlib Mail::DKIM LWP::UserAgent HTTP::Date Encode::Detect ExtUtils::MakeMaker NetAddr::IP Mail::SpamAssassin::plugin::Razor2 Razor2::Client::Agent IO::Socket::SSL DBI

cpan install Mail::SpamAssassin::plugin::Rule2XSBody Razor2::Client::Agent

Activate in v320pre:
loadplugin Mail::SpamAssassin::plugin::Rule2XSBody
Can anybody give me a clue? RBL not checked. rDNS not present but only 1.3 score instead of the 100 I configured, what is going on?
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
That looks more like a scan from SpamAssassin, not ESF. You should have other header lines for ESF; if you don't have them, ensure ESF is correctly installed.

Best regards
 

Richard G

ESF is installed correctly as far as I know. It's done via Custombuild a long time ago already.
What's the best way to check if it's installed correctly and/or working correctly?
 

SeLLeRoNe

Code:
Date: Thu, 31 Aug 2017 11:12:21 -0500
SPFCheck: Server passes SPF test, -30 Spam score
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 69.162.69.58, -10 Spam score
X-DKIM: signer='forum.directadmin.com' status='pass' reason=''
DKIMCheck: Server passes DKIM test, -20 Spam score
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "Orange01.CrazyNetwork.it",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Dear SeLLeRoNe, Richard G has just replied to a thread you
    have subscribed to entitled - Spam not being blocked again, low spam score???
    - in the SpamBlocker forum of DirectAdmin Forums. This thread is located
   at: https://forum.directadmin.com/showthread.php?t=55226&goto=newpost [...]
    
 
 Content analysis details:   (-1.9 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: directadmin.com]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
[B]SpamTally: Final spam score: -78[/B]
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
The marked line should be the output from ESF, actually I just noticed that you have it, but it says 13 which means it is basically just getting the results from SpamAssassin apparently without using the internal rules.

That's odd, you may want to try to run this:
Code:
/usr/local/directadmin/custombuild/build easy_spam_fighter
But I have no idea how to manually test it, to be honest.
 

Richard G

Thank you.
It's indeed strange, so I did a rebuild.
Code:
/usr/local/directadmin/custombuild/build easy_spam_fighter
2017-08-31 18:35:44 cwd=/usr/local/directadmin/custombuild 2 args: /usr/sbin/exim --version
2017-08-31 18:35:44 cwd=/usr/local/directadmin/custombuild 2 args: /usr/sbin/exim --version
Enabling Easy Spam Fighter...
Restarting exim.
Shutting down exim: 
Starting exim: 
Easy Spam Fighter is now enabled.
Hope it will work better now. Maybe SMTalk knows a way to test it.
I also discovered that the ESF custom file will not work (see other thread), so maybe there is something more going on with ESF.
 

SeLLeRoNe

It does work, you just need to use == to override settings already declared in the normal file.
Basically the custom file in that case can be filled just with the attributes you want to change as long as you declare them with ==

Best regards
 

Richard G

Well, I can confirm that for some reason ESF is not running. I do not get the line in the header, and mail blocked by Spamhaus (RBL) and even a wrong helo is not blocked:
Code:
Return-Path: <info@senderdomain.nl>
Delivered-To: info@receiver.org
Received: from server.company.nl
	by server.company.nl with LMTP id qCevHOO/vFk8FwAADNWw8g
	for <info@receiver.org>; Sat, 16 Sep 2017 08:08:35 +0200
Return-path: <info@senderdomain.nl>
Envelope-to: info@receiver.org
Delivery-date: Sat, 16 Sep 2017 08:08:35 +0200
Received: from mail by server.company.nl with spam-scanned (Exim 4.89)
	(envelope-from <info@senderdomain.nl>)
	id 1dt6HJ-0001Zk-El
	for info@receiver.org; Sat, 16 Sep 2017 08:08:35 +0200
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	server.company.nl
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=7.5 tests=ALL_TRUSTED,
	HTML_IMAGE_RATIO_02,HTML_MESSAGE autolearn=no autolearn_force=no version=3.4.1
Received: from 542cf.something.dynamic.ziggo.nl ([84.30.xx.xxx] helo=AnitaPC)
	by server.company.nl with esmtpa (Exim 4.89)
	(envelope-from <info@senderdomain.nl>)
	id 1dt6HI-0001Zf-VO; Sat, 16 Sep 2017 08:08:33 +0200
From: "Spirituele Wereld" <info@senderdomain.nl>
To: 	"My receivers name" <info@receiver.org>
Subject: dat wisten we toch al ....
Date: Sat, 16 Sep 2017 08:08:21 +0200
Message-ID: <007d01d32eb2$32c8e780$985ab680$@senderdomain.nl>
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_007E_01D32EC2.F6540170"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdMusihV4AY95U8oR9qUY4SCkHtxcg==
Content-Language: nl
X-Antivirus: Avast (VPS 170915-2, 15-09-2017), Outbound message
X-Antivirus-Status: Clean

This is a multipart message in MIME format.

------=_NextPart_000_007E_01D32EC2.F6540170
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_007F_01D32EC2.F6540170"
So the messages should be blocked because the ip is a dynamic ip and present in the RBL Spamhaus, and it should also be blocked because of a wrong helo.

Nothing happened and I don't see the Content analysis details which should be in the header. :(
 

Richard G

Ah I think I found the reason.

Senderdomain and receiver.org were both on the same server.
However the mail was sent via the private computer via the own ISP's smtp, hence the RBL Spamhaus listing due to dynamic ip.

Luckily I have smtp authentication set. Otherwise this method might be abused to abuse the mail system and send spam to a domain on that server, pretending it's coming from another domain on the same server.

Wouldn't it be better to just have -all- mail and headers checked, even if sent through or originating from the same server?
 

SeLLeRoNe

Well, that's a good point for the "don't hide your data" :D
Anyway, the Authenticated User header line will always show you the original account that sent the mail, which helps you a lot in those scenarios to find a compromised account.

If that email was coming from an external server the antispam would have worked, but please also consider that ISPs for home connections have dynamic IPs and it happens many (many many many) times that those IPs are in some blacklist, probably not because of the end user's fault; it may be some "previous" IP user's fault. That's why you shouldn't check the original sender if the user is using Auth and not using port 25 (I am not 100% sure, but on port 25 the RBL checks should have been started because in that case it is considered a server-to-server communication and therefore blocked).

So, I am quite sure the setup is fine; in fact, it is the same one I have used for years now and, except for compromised accounts, it is quite safe :)

Best regards
 

Richard G

SeLLeRoNe said:
Well, that's a good point for the "don't hide your data" :D

No it isn't in this case because it isn't a spammer, the sender was my sister. :)

SeLLeRoNe said:
If that email was coming from an external server the antispam would have worked, but,

Yes, most providers even have Dynamic IPs which are registered in Spamhaus so they should be blocked. This is the case with Ziggo.nl for example where the email was originating from.

I did make a wrong assumption:

Richard G said:
However the mail was sent via the private computer via the own ISP's smtp, hence the RBL Spamhaus listing due to dynamic ip.

The reason I thought this was because I got the mail in my Mailwasher and it stated the helo was AnitaPC instead of my server's hostname, which is normally the case.
But this was because something on the server went wrong somewhere.

My sister, with the ziggo.nl hostname, uses port 587 to send email from her own domain senderdomain.nl.
This normally works great to send mail from her domain through our servers. I do it myself the same way and we don't have bothers with the default Spamhaus blocks from our ISP for the dynamic ip ranges.

Now this is what happened: the server had a hiccup.
For some reason, ESF did not check the mail; as you can see from the logs, there are no lines, no ESF statement.

I went to my sister's pc via Teamviewer and checked the outgoing port and indeed it was 587, I thought it was set to 25 because of the Spamhaus notice, but it wasn't.

I made new checks and now the ESF lines were present again in the headers and there were no Spamhaus issues anymore.

So it seemed it only happened once. However, I still can't understand this strange hiccup where ESF was not working -and- it looked like the only helo was the AnitaPC (no, this name is also faked), and not my server's hostname, which it normally is.

So it was a very odd hiccup.
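
A header check along the lines discussed in this thread, as an added example (not part of any post, and not DirectAdmin or Easy Spam Fighter code): it sums the per-check "N Spam score" header lines, compares them with the SpamTally line, and notes whether Exim recorded the receiving hop as authenticated (`esmtpa`), as in the header dump posted above. The function name `audit`, the sample messages, `host.example` and the address 192.0.2.10 are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed samples assembled from header lines quoted in the thread.
ESF_RAN = (
    "SPFCheck: Server passes SPF test, -30 Spam score\n"
    "Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 69.162.69.58, -10 Spam score\n"
    "DKIMCheck: Server passes DKIM test, -20 Spam score\n"
    "X-Spam-Score: -1.9 (-)\n"
    "SpamTally: Final spam score: -78\n\nbody\n"
)
SA_ONLY = "X-Spam-Score: 1.3 (+)\nSpamTally: Final spam score: 13\n\nbody\n"
AUTH_SUBMISSION = (
    "Received: from host.example ([192.0.2.10] helo=AnitaPC)\n"
    "\tby server.company.nl with esmtpa (Exim 4.89)\n"
    "X-Spam-Status: No, score=-0.2 required=7.5 tests=ALL_TRUSTED\n\nbody\n"
)

ADJUSTMENT = re.compile(r"(-?\d+) Spam score\s*$")  # trailing "<n> Spam score"
TALLY = re.compile(r"Final spam score:\s*(-?\d+)")
AUTHED = re.compile(r"\bwith esmtps?a\b")           # Exim: authenticated ESMTP


def audit(raw):
    """Report which scoring layers left a trace in a delivered message."""
    msg = message_from_string(raw)
    adjustments = {}
    for name, value in msg.items():
        hit = ADJUSTMENT.search(value)
        if hit:
            adjustments[name] = int(hit.group(1))
    found = TALLY.search(msg.get("SpamTally", ""))
    tally = int(found.group(1)) if found else None
    if tally is None:
        verdict = "no SpamTally header: no ESF score was recorded"
    elif not adjustments:
        verdict = "SpamTally present, no ESF check lines: SpamAssassin result only"
    else:
        verdict = "ESF check lines contributed to the tally"
    return {
        "verdict": verdict,
        "tally": tally,
        "adjustments": adjustments,
        # What remains after the listed ESF checks, i.e. the SpamAssassin share.
        "residual": None if tally is None else tally - sum(adjustments.values()),
        "authenticated": any(AUTHED.search(r) for r in msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    for label, raw in [("esf", ESF_RAN), ("sa-only", SA_ONLY), ("auth", AUTH_SUBMISSION)]:
        print(label, audit(raw))
```

Save a suspect message with full headers and pass its text to `audit`; a tally equal to the residual means none of the SPF, DKIM, rDNS or blacklist lines were added for that message.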
 