Spam score met but spam is NOT deleted and goes to inbox

[xema]

Hello,

I've set up ESF yesterday on my server, it blocks most spam that is listed but some spam is still passing through, even though the spam score reaches the threshold for deletion.

How can I fix this? I see in the log that most spam is blocked when the threshold is met.

I've set 55 to be the score limit in variables.conf as you can see this email has a spamscore of 90 but it's still not deleted.

P.s it also looks like rdns is not being checked, nor DKIM, spam that does have rdns and dkim checked and fail are deleted and i see it in the exim log

X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28)
X-Spam-Level: ****
X-Spam-Status: No, score=4.3 required=5.0 tests=BAYES_50,HELO_DYNAMIC_IPADDR,
HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE autolearn=no autolearn_force=no
version=3.4.1


SPFCheck: Server passes SPF test, -30 Spam score
BlacklistCheck: Blacklisted address, +120 Spam score
SpamTally: Final spam score: 90
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus


exim log:

2016-03-24 06:26:04 1aizeX-0007EW-A5 <= [email protected] H=(dynamic-user-cco-177-75-150-198.mhnet.com.br) [177.75.150.198] P=smtp S=15596 id=59h428z5ii0t$vd2q33e3$xm0026d2@LDOO39 T="Making Money Easy - Own Your Money" from <[email protected]> for
2016-03-24 06:26:04 cwd=/ 3 args: /usr/sbin/exim -Mc 1aizeX-0007EW-A5
2016-03-24 06:26:04 cwd=/ 4 args: /usr/sbin/exim -oMr spam-scanned -bS
2016-03-24 06:26:07 login authenticator failed for (User) [91.200.12.126]: 535 Incorrect authentication data (set_id=brown)
2016-03-24 06:26:09 1aizee-0007Ed-2W <= [email protected] U=mail P=spam-scanned S=16073 id=59h428z5ii0t$vd2q33e3$xm0026d2@LDOO39 T="Making Money Easy - Own Your Money" from <[email protected]> for
2016-03-24 06:26:09 cwd=/ 3 args: /usr/sbin/exim -Mc 1aizee-0007Ed-2W
2016-03-24 06:26:09 1aizee-0007Ed-2W => info <> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=16400 C="250 2.0.0 <> 6NWeFpGW81bZawAAjo929g Saved"
2016-03-24 06:26:09 1aizee-0007Ed-2W Completed
2016-03-24 06:26:09 1aizeX-0007EW-A5 => info <> F=<[email protected]> R=spamcheck_director T=spamcheck S=15949
2016-03-24 06:26:09 1aizeX-0007EW-A5 Completed

 

[harro]

I understand that the threshold 55 that you mention is only to determine whether Spamassassin is called:

EASY_LIMIT = 55 - max score before an email is considered spam before SA is rung (main purpose is just to decide if SpamAssassin run is needed)

And the next variable (default 100) should decide whether an email is deleted as obvious spam:

EASY_HIGH_SCORE_DROP = 100 - very high scoring spam is dropped at this score, and not allowed to enter.

Having said that, in my experience, ESF does not properly add up the scores (e.g. it always ignores the added score for no rDNS, even though in the logs it clearly performs the check), and as a result does not work properly.

It is also not very clear what the hierarchy is between ESF and Spamassassin - ESF calls Spamassassin at the threshold value (EASY_LIMIT) but then appears to stop doing anything. So if Spamassassin does not recognise an email as spam, ESF has no more added value (in my case and at least one other admin, see https://forum.directadmin.com/showthread.php?t=53249&p=273149 )

 

[SeLLeRoNe]

Are you managind exim conf via CustomBuild?
Have you enabled the DKIM check?
SpamAssassin is not setting that email as spam because the score (4.3) is lower than the required (5.0)

Please check what exim.conf and exim.pl versions are you using.

Regards

 

[harro]

Good day Sellerone,

Thank you for your reply. I use the Custombuild exim.conf and exim.pl version 21.

The ESF does do the blacklist check and I have now configured ESF to drop emails if sent from a blacklisted IP (which I really do not like, as the only condition to drop an email, but the amount of spam passing through was getting too much).

I am not sure about the DKIM test, I presume that it is included by default (didn't change any settings in this regard).

So ESF does do the rDNS check (it shows the results in the exim logs) however, the penalty for not having an rDNS is not added to the score, nor shown in the email header.

Basically, there is a problem with ESF taking only including the blacklisted IP penalty score into account and ignoring everything else.

Any thoughts/ideas on how to find out why and how to resolve this?

Harro

Are you managind exim conf via CustomBuild?
Have you enabled the DKIM check?
SpamAssassin is not setting that email as spam because the score (4.3) is lower than the required (5.0)

Please check what exim.conf and exim.pl versions are you using.

Regards

 

[SeLLeRoNe]

Hi Harro,

i think ESF has a bug with the rDNS function, not sure but i think DA Staff is working on it.

For DKIM on outgoing e-mail you can check this: http://help.directadmin.com/item.php?id=569

Than you may want to consider DMARC (still for outgoing mails): http://help.directadmin.com/item.php?id=596


For incoming DKIM check if you have thois:

>cat /etc/exim.conf | grep "/etc/exim.easy_spam_fighter/check_dkim.conf"
  .include_if_exists /etc/exim.easy_spam_fighter/check_dkim.conf
>ll /etc/exim.easy_spam_fighter/check_dkim.conf
-rw-r--r-- 1 root root 801 Apr  7 10:40 /etc/exim.easy_spam_fighter/check_dkim.conf

Also please confirm that you're running exim.conf v4.4.2

>head /etc/exim.conf
# SpamBlockerTechnology* powered exim.conf, Version 4.4.2
# Dec 5, 2015
# Exim configuration file for DirectAdmin
# Requires exim.pl as distributed by DirectAdmin here:
# http://files.directadmin.com/services/exim.pl version 21 or higher
# ClamAV optional
# SpamAssassin optional
# Dovecot/IMAP Mandatory
# *SpamBlockerTechnology is a Trademark of NoBaloney Internet Services:
# http://www.nobaloney.net

Best regards

 

[harro]

Good day SeLLeRoNe,

Thank you again for your feedback. I checked the DKIM with the cat/ll commands below and that is active and the same as the output you listed. I also have exim v4.4.2.

I will await to see whether some bug is recognised or a newer version is released. For now I have set the ESF threshod to delete spam from blacklisted IP-addresses (not a desirable 'sole condition', though), as a temporary fix. I will also wait before rolling ESF out to other servers for a while.

Kind regards,
Harro

Hi Harro,

For incoming DKIM check if you have thois:

>cat /etc/exim.conf | grep "/etc/exim.easy_spam_fighter/check_dkim.conf"
  .include_if_exists /etc/exim.easy_spam_fighter/check_dkim.conf
>ll /etc/exim.easy_spam_fighter/check_dkim.conf
-rw-r--r-- 1 root root 801 Apr  7 10:40 /etc/exim.easy_spam_fighter/check_dkim.conf

Also please confirm that you're running exim.conf v4.4.2

>head /etc/exim.conf
# SpamBlockerTechnology* powered exim.conf, Version 4.4.2
# Dec 5, 2015
# Exim configuration file for DirectAdmin
# Requires exim.pl as distributed by DirectAdmin here:
# http://files.directadmin.com/services/exim.pl version 21 or higher
# ClamAV optional
# SpamAssassin optional
# Dovecot/IMAP Mandatory
# *SpamBlockerTechnology is a Trademark of NoBaloney Internet Services:
# http://www.nobaloney.net

Best regards

 

[ViAdCk]

I'm seeing the same. ESF is configured with the following value: EASY_LIMIT = 55

But emails with a higher score that are clearly spam are still getting through: SpamTally: Final spam score: 70

Does someone know how to fix this?

 

[SeLLeRoNe]

If i'm not wrong the variable to drop the email is EASY_HIGH_SCORE_DROP, not sure what EASY_LIMIT would do, probably add some score to SpamAssassin but surely not dropping the email.

Best regards