Spamassassin and SPFCheck/ReverseDNS

M

Mario

Verified User
Joined
Dec 18, 2025
Messages
6
Hello,

I receive a lot of spam emails that are obvious spam (like just html with a big photo with some product) and they get a pass from spamassassin because they pass the SPFCheck/ReverseDNS check as you can see below.
So because ReverseDNS is ok it gets -10 score, and because SPF is ok another -30 score.


so I edited the file vim /home/***username***/.spamassassin/user_prefs

add the lines:
Score SPF_PASS -2.0
Score RDNS_PASS -3.0
between the safe areas like that:

#SAFE AREA start
Score SPF_PASS -2.0
Score RDNS_PASS -3.0
#SAFE AREA end

and restarted the services:

# systemctl restart spamassassin
# systemctl restart spamassassin

and then I was waiting to receive a new spam email and I received the one below.
Still they get -10 and -30 Score .. like the rules I've added do not exist.

Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 145.249.115.52, -10 Spam score
SPFCheck: Server passes SPF test, -30 Spam score
X-Spam-Score: 2.1 (++)
X-Spam-Report: Spam detection software, running on the system "z***.pr*******.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.


Content analysis details: (2.1 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to
dbl.spamhaus.org was blocked due to usage of an
open resolver. See
https://www.spamhaus.org/returnc/pub/
[URI: s.sonhub.pila.pl]
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-2.0 SPF_PASS SPF: sender matches SPF record
2.0 BAYES_80 BODY: Bayes spam probability is 80 to 95%
[score: 0.8520]
0.0 T_TVD_MIME_EPI BODY: No description available.
2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge
0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
SpamTally: Final spam score: -19

Any ideas?
 
Mario said:
So because ReverseDNS is ok it gets -10 score, and because SPF is ok another -30 score.
Click to expand...

Those scores are from Easy Spam Fighter and have nothing to do with SpamAssassin. The latest uses its own scoring system.

Bash: 
# cat /etc/exim.easy_spam_fighter/variables.conf
EASY_LIMIT = 55
EASY_IS_SPAM = 20
EASY_HIGH_SCORE_DROP = 100
EASY_SPF_PASS = -30
EASY_SPF_SOFT_FAIL = 30
EASY_SPF_FAIL = 100
EASY_DKIM_PASS = -20
EASY_DKIM_FAIL = 100
EASY_NO_REVERSE_IP = 100
EASY_FORWARD_CONFIRMED_RDNS = -10
EASY_DNS_BLACKLIST = 50
EASY_SPAMASSASSIN_MAX_SIZE = 200K
 
Thank you so much!!

Do I have to rebuild exim after I change a value in the /etc/exim.easy_spam_fighter/variables.conf file ?
 
Mario said:
Do I have to rebuild exim after I change a value in the /etc/exim.easy_spam_fighter/variables.conf file ?
Click to expand...

What is the reason to modify them? The values have no effect on SpamAssassin, and are counted only by Easy Spam Fighter.

p.s. and you should not edit the file directly
 
I thought because this spam email got a highly negative score
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 145.249.115.52, -10 Spam score
SPFCheck: Server passes SPF test, -30 Spam score
Click to expand...

of -40 and spamassassin need 5 to label an email as spam, then the email would never be identified by SA as spam..
But now that I read a little about how Easy Spam Fighter works , it doesnt affect SA's scoring and it only blocks emails at SMTP level.

So the problem with this spam message like this one:
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 145.249.115.52, -10 Spam score
SPFCheck: Server passes SPF test, -30 Spam score
X-Spam-Score: 2.1 (++)
X-Spam-Report: Spam detection software, running on the system "z***.pr*******.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.


Content analysis details: (2.1 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to
dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [URI: s.sonhub.pila.pl]
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-2.0 SPF_PASS SPF: sender matches SPF record
2.0 BAYES_80 BODY: Bayes spam probability is 80 to 95% [score: 0.8520]
0.0 T_TVD_MIME_EPI BODY: No description available.
2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_SIZE_HUGE BODY: HTML font size is huge
0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
SpamTally: Final spam score: -19
Click to expand...
Is not the score of Easy Spam Fighter but only the scoring of SpamAssassin.. Am Icorrect?

I also don't understand the final "SpamTally: Final spam score: -19"

 
The header "SpamTally" is also added by Easy Spam Fighter.

Code: 
add_header = SpamTally: Final spam score: $acl_m_easy69

check /etc/exim.easy_spam_fighter/check_message.conf

SpamAssassin scored the email as 2.1 points:

Code: 
X-Spam-Score: 2.1 (++)
Content analysis details: (2.1 points, 5.0 required)

For better scoring you might teach SpamAssassin and add KAM Ruleset Channel to SA:

- https://mcgrail.com/template/kam.cf_channel
 
You must log in or register to reply here.
Back
Top