Stop Exim from processing email after Spamassassin deems a message as spam

americanintel (Verified User; joined Mar 1, 2004; 133 messages; Granbury, TX)
I have some of this posted in an older thread: http://forum.directadmin.com/showthread.php?t=33321

I need to stop this in its tracks, and it will require someone smarter than me with Exim and SpamAssassin. I've munged this, but myemail should be usamail.

1. I don't want it going to our archive server
2. I don't want an NDR sent back to the forged sender's address (backscatter).

SpamAssassin may not catch and score all of these, but at least when it does you can eliminate the backscatter/NDR type of spam without the fear of killing off normal NDRs in case someone fat-fingers a legitimate email address.

This is a prime example. I'm receiving tons of email with variations of 'victoror' or 'vict...', whatever.

Subject: A survey conducted by American pharmacists showed that 43% of men suffer from impotence.
From: [email protected]
To: [email protected]
Date: Fri, 18 Jul 2014 12:51:04 +0300

Notes:

This is a multi-part message in MIME format.


Spam detection software, running on the system "mail.myemail.us",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: This drug is the only medication that produced some positive
effect on my sexual performance! urltruncated-magdalenas.com/wp-admin/maint/canadianshop....
[...]

Content analysis details: (7.9 points, 4.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?188.53.0.230>]
2.5 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
1.3 URIBL_MW_SURBL Contains a Malware Domain or IP listed in the MW SURBL
blocklist
[URIs: magdalenas.com]
0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
0.1 MISSING_MID Missing Message-Id: header
1.0 URI_WPADMIN WordPress login/admin URI, possible phishing

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Received: from mail by mail.myemail.us with spam-scanned (Exim 4.82.1)
(envelope-from <[email protected]>)
id 1X7stN-0002Qf-Kb
for [email protected]; Thu, 17 Jul 2014 16:07:10 -0500
Received: from localhost by mail.myemail.us
with SpamAssassin (version 3.4.0);
Thu, 17 Jul 2014 16:07:10 -0500
From: [email protected]
To: [email protected]
Subject: =?UTF-8?Q?A_survey_conducted_by_American_pharmacists_?=
=?UTF-8?Q?showed_that_43%_of_men_suffer_from_?= =?UTF-8?Q?impotence.?=
Date: Fri, 18 Jul 2014 12:51:04 +0300
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.myemail.us
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.9 required=4.0 tests=DATE_IN_FUTURE_12_24,
HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MIME_QP_LONG_LINE,
MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,URIBL_MW_SURBL,URI_WPADMIN autolearn=no
autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_53C83AFE.27426C5C"
Message-Id: <[email protected]>


So, as you can see, we have a 7.9, which is above the 4.0 required to consider this spam; it should stop right there and be deleted, just as I have it set to do (not sent to a Spam folder).

I'd really appreciate any help in dealing with this whether it's modifying the template in directadmin, routers in exim or acl or ???
 
Also, my reference to the template is the /usr/local/directadmin/data/templates/filter_base file, which is below. I know this was modified to its current form last July, but I'm wondering why it's not doing the trick in these cases.

# Exim Filter

# created by |NAME|, version |VERSION|
# Do not modify this file as any changes will be
# overwritten when the user makes a change.
# (data is only written to this file, not read)

|*if BLOCKLEVEL|
if
$h_X-Spam-Level: contains "|BLOCKLEVEL|"
then
seen finish
endif
|*endif|

|SPAMFILTERS|

if error_message then finish endif

|WORDFILTERS|

|ADULTFILTERS|

#end filter
 
Check the file:
/etc/virtual/myemail.us/filter

this is where it should be dropped if the "drop high-scoring spam" option is turned on, eg:
Code:
if
        $h_X-Spam-Level: contains "******"
then
        seen finish
endif

There have been a few recent updates to the exim.conf and exim.pl files, for both the 2.1.x version and the 4.2.x version:
http://www.directadmin.com/features.php?id=1605


Also check:
/var/log/exim/mainlog
/var/log/exim/paniclog

to see if there might be any reason why the domain filter may not have been run (if the filter does have the needed code).

John
 
Thank you. I'm checking on all of this now. Keep in mind this is a pretty fresh install... 30 days or so.

First, in the /filter file:

Code:
if
    $h_X-Spam-Status: contains "Yes,"
then
    seen finish
endif



if error_message then finish endif

Then all of the profane filters are below that code.

I have exim.conf 4.2.2.

I did notice that I had exim.pl 16 instead of 17 and updated that.
 
Here's an example of another one:

Code:
Received: from mail by mail.usamail.us with spam-scanned (Exim 4.82.1)
	(envelope-from <[email protected]>)
	id 1X97wm-0004zq-9s; Mon, 21 Jul 2014 02:23:49 -0500
Received: from localhost by mail.usamail.us
	with SpamAssassin (version 3.4.0);
	Mon, 21 Jul 2014 02:23:49 -0500
From: "Mr So Eiichiro"<[email protected]>
Subject: Re:From Mr So,                                             TTISHGRNJY
Date: Mon, 21 Jul 2014 14:20:35 +0700
Message-Id: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.usamail.us
X-Spam-Flag: YES
X-Spam-Level: ****************************************
X-Spam-Status: Yes, score=40.3 required=4.0 tests=ADVANCE_FEE_2_NEW_MONEY,
	ADVANCE_FEE_3_NEW,ADVANCE_FEE_3_NEW_MONEY,ADVANCE_FEE_4_NEW,
	ADVANCE_FEE_4_NEW_MONEY,ADVANCE_FEE_5_NEW,ADVANCE_FEE_5_NEW_MONEY,
	AXB_XMAILER_MIMEOLE_OL_024C2,DKIM_ADSP_CUSTOM_MED,FAKE_REPLY_C,
	FORGED_MUA_OUTLOOK,FREEMAIL_FROM,FREEMAIL_REPLYTO,FROM_MISSP_FREEMAIL,
	FROM_MISSP_MSFT,FROM_MISSP_REPLYTO,FROM_MISSP_USER,FSL_NEW_HELO_USER,
	LOTS_OF_MONEY,MISSING_HEADERS,MONEY_FRAUD_3,MONEY_FRAUD_5,MSOE_MID_WRONG_CASE,
	NML_ADSP_CUSTOM_MED,NSL_RCVD_FROM_USER,RCVD_IN_BL_SPAMCOP_NET,
	RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,RDNS_NONE,REPLYTO_WITHOUT_TO_CC,
	SPF_SOFTFAIL,TO_NO_BRKTS_MSFT,TRACKER_ID,T_FROM_MISSP_DKIM,
	T_HK_NAME_FM_MR_MRS autolearn=no autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_53CCC005.748FE7EE"

This is a multi-part message in MIME format.


Spam detection software, running on the system "mail.usamail.us",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Hello, I am Mr. blah blah blah truncated spam message...
[...]

Content analysis details: (40.3 points, 4.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?211.32.143.101>]
2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL
[211.32.143.101 listed in psbl.surriel.com]
1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[211.32.143.101 listed in bb.barracudacentral.org]
0.0 NSL_RCVD_FROM_USER Received from User
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(so.eiichir[at]gmail.com)
0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is
CUSTOM_MED
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
1.2 MISSING_HEADERS Missing To: header
1.1 TRACKER_ID BODY: Incorporates a tracking ID number
0.0 LOTS_OF_MONEY Huge... sums of money
1.9 REPLYTO_WITHOUT_TO_CC No description available.
0.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 T_HK_NAME_FM_MR_MRS No description available.
0.0 FSL_NEW_HELO_USER Spam's using Helo and User
1.4 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
3.4 MSOE_MID_WRONG_CASE No description available.
0.0 FROM_MISSP_USER From misspaced, from "User"
0.0 FAKE_REPLY_C No description available.
1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different
freemails
0.0 FROM_MISSP_REPLYTO From misspaced, has Reply-To
1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
0.0 T_FROM_MISSP_DKIM From misspaced, DKIM dependable
2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
3.5 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
0.0 FROM_MISSP_FREEMAIL From misspaced + freemail provider
1.9 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
1.2 ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
1.0 MONEY_FRAUD_5 Lots of money and many fraud phrases
3.5 ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
3.9 MONEY_FRAUD_3 Lots of money and several fraud phrases
0.1 ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
0.6 ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
0.6 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
2.0 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
 
A few other things:

1) Enable the "block high scoring spam" option, to give it another method to drop the email (although the above should be sufficient).

2) Check your /etc/exim.conf, and compare the spamcheck_director to this newer format:
http://files1.directadmin.com/services/exim.spamassassin.conf

This also shouldn't change much, as we are seeing the headers needed.
The issue seems to be with the filter not being run.

Perhaps there is a syntax error preventing it from working.
Are there any other areas in the file?

Exim does have the ability to test the filter with that given message:
http://www.exim.org/exim-html-curre...arding_and_filtering_in_exim.html#SECTtesting

John
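The check John describes in the two replies above, as an added example that is not code from the thread or from DirectAdmin: it reproduces the per-domain filter rules quoted above ($h_X-Spam-Level: contains "*******" and $h_X-Spam-Status: contains "Yes,") in Python so the expected outcome is known, and then hands the same filter and message to Exim's own filter-testing mode with `exim -bf FILTER -f SENDER < MESSAGE` when an exim binary is on PATH. The message is constructed: its X-Spam-* headers copy the 7.9-point sample from the first post, while the addresses and body are placeholders.

```python
"""Added example, not code from the thread or from DirectAdmin: evaluate the
per-domain Exim filter rules quoted above in pure Python, and run the real
filter through `exim -bf` when an exim binary is on PATH."""
import os
import re
import shutil
import subprocess
import tempfile
from email import message_from_string

# Constructed test message. The X-Spam-* headers reproduce the 7.9-point
# sample from the thread; addresses, hostname and body are placeholders.
SAMPLE_MSG = """\
From: sender@example.net
To: user@example.com
Subject: A survey conducted by American pharmacists
Date: Fri, 18 Jul 2014 12:51:04 +0300
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.example.com
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.9 required=4.0 tests=DATE_IN_FUTURE_12_24,
\tHTML_MESSAGE,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET autolearn=no
\tautolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: text/plain

(constructed body)
"""

# The "drop high-scoring spam" rule as DirectAdmin writes it for block level 7.
# The first line must carry the "# Exim filter" marker, or Exim reads the
# file as a plain .forward list instead of a filter.
FILTER_BLOCK_7 = """\
# Exim filter
if
    $h_X-Spam-Level: contains "*******"
then
    seen finish
endif

if error_message then finish endif
"""


def parse_headers(raw: str) -> dict:
    """Header name (lower-cased, as Exim matches them) -> unfolded value."""
    msg = message_from_string(raw)
    return {k.lower(): " ".join(v.split()) for k, v in msg.items()}


def spam_score(headers: dict):
    """Score SpamAssassin reported in X-Spam-Status, or None if absent."""
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", headers.get("x-spam-status", ""))
    return float(m.group(1)) if m else None


def drop_high_scoring(headers: dict, block_level: int) -> bool:
    """`$h_X-Spam-Level: contains "***..."` is a substring test: it fires when
    the level carries at least block_level stars. SpamAssassin emits one star
    per whole point, so a 7.9 message has seven stars and block level 8 misses it."""
    return "*" * block_level in headers.get("x-spam-level", "")


def drop_flagged(headers: dict) -> bool:
    """`$h_X-Spam-Status: contains "Yes,"`: drop anything SpamAssassin flagged."""
    return "Yes," in headers.get("x-spam-status", "")


def exim_filter_test(filter_text: str, message: str, sender: str = "sender@example.net"):
    """Run `exim -bf FILTER -f SENDER < MESSAGE` (Exim's filter-testing mode).
    Returns (argv, output); output is None when no exim binary is installed."""
    exim = shutil.which("exim") or shutil.which("exim4")
    fd, path = tempfile.mkstemp(suffix=".filter")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(filter_text)
        argv = [exim or "exim", "-bf", path, "-f", sender]
        if exim is None:
            return argv, None
        proc = subprocess.run(argv, input=message, capture_output=True, text=True)
        return argv, proc.stdout + proc.stderr
    finally:
        os.unlink(path)


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_MSG)
    print("score", spam_score(hdrs), "stars", hdrs["x-spam-level"].count("*"))
    for level in (4, 7, 8):
        print(f"block level {level}: drop={drop_high_scoring(hdrs, level)}")
    print("X-Spam-Status rule: drop =", drop_flagged(hdrs))
    argv, out = exim_filter_test(FILTER_BLOCK_7, SAMPLE_MSG)
    print(" ".join(argv))
    print(out if out is not None else "(exim not installed; command shown only)")
```

Two things worth noting from the run. First, the block-level rule is a substring match on the stars, so a block level of 7 catches the 7.9-point sample but a block level of 8 does not, because SpamAssassin writes one star per whole point; a message can sit above the numeric "required" score and still below the star threshold. Second, on a box that has exim installed, the `-bf` run is the authoritative answer: it parses the real filter file, so a syntax error of the kind John suspects shows up there as an error message rather than as silently undelivered-yet-delivered spam.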
 
I enabled the high-scoring spam block for the domain at 7.0. Actually, I'm surprised it wasn't, as I usually do that first thing, but as you said it should really be a moot point since I have my spam scoring for that domain at 4.0.

Here is the new format you linked me to:
Code:
#1.1
# Spam Assassin
spamcheck_director:
  driver = accept
  condition = "${if and { \
			{!eq {$received_protocol}{spam-scanned}} \
			{!eq {$received_protocol}{local}} \
			{exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
			{<{$message_size}{500k}} \
		} {1}{0}}"
  retry_use_local_part
  headers_remove = X-Spam-Flag:X-Spam-Report:X-Spam-Status:X-Spam-Level:X-Spam-Checker-Version
  transport = spamcheck
  no_verify

and mine:

Code:
spamcheck_director:
  driver = accept
  condition = "${if and { \
    {!def:authenticated_id} \
    {!def:h_X-Spam-Flag:} \
    {!eq {$received_protocol}{spam-scanned}} \
    {!eq {$received_protocol}{local}} \
    {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
    {<{$message_size}{100k}} \
    } {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify

Obviously there are some differences. I'll replace mine with 1.1 and see how that works.

And I like the X-header removal in there now; I haven't been watching it too closely, but I suspect some are being forged.
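The difference between the two router conditions quoted above, as an added example that is not code from the thread or from DirectAdmin's exim.conf. The two Exim conditions are paraphrased into Python predicates over constructed messages; the `exists{...}` check on the domain owner's user_prefs is reduced to a boolean, header names are compared lower-cased because Exim matches them case-insensitively, and Exim's "100k"/"500k" are read as multiples of 1024. The point it makes concrete is the one behind the poster's suspicion about forged headers: the older condition contains `{!def:h_X-Spam-Flag:}`, and `def:` only tests that a header exists, so any inbound message that already carries an X-Spam-Flag: line, whatever its value, fails that test and is never handed to the spamcheck transport. The 1.1 router drops that test and instead lists the X-Spam-* headers in `headers_remove`, so sender-supplied copies are stripped before the message is piped to SpamAssassin. It also no longer exempts authenticated submissions (`!def:authenticated_id`) and raises the size limit to 500k, which the last case shows.

```python
"""Added example, not code from the thread or from DirectAdmin's exim.conf:
evaluate the two spamcheck_director conditions quoted above against
constructed messages, to show which ones actually reach the spamcheck
transport and what the newer router's headers_remove does on the way in."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

KB = 1024  # Exim's "100k"/"500k" in numeric comparisons are multiples of 1024

# Names listed in the 1.1 router's headers_remove (Exim matches header names
# case-insensitively; stored lower-cased here).
HEADERS_REMOVE = {"x-spam-flag", "x-spam-report", "x-spam-status",
                  "x-spam-level", "x-spam-checker-version"}


@dataclass
class Msg:
    headers: Dict[str, str]                  # lower-cased name -> value
    received_protocol: str                   # e.g. "esmtp", "spam-scanned", "local"
    size: int                                # $message_size in bytes
    authenticated_id: Optional[str] = None   # set for SMTP AUTH submissions
    user_prefs_exists: bool = True           # /home/<owner>/.spamassassin/user_prefs


def old_condition(m: Msg) -> bool:
    """The poster's existing router condition (the second config block above)."""
    return (m.authenticated_id is None                       # {!def:authenticated_id}
            and "x-spam-flag" not in m.headers              # {!def:h_X-Spam-Flag:}
            and m.received_protocol != "spam-scanned"
            and m.received_protocol != "local"
            and m.user_prefs_exists
            and m.size < 100 * KB)


def new_condition(m: Msg) -> bool:
    """The 1.1 router condition from files1.directadmin.com (first block above)."""
    return (m.received_protocol != "spam-scanned"
            and m.received_protocol != "local"
            and m.user_prefs_exists
            and m.size < 500 * KB)


def route_new(m: Msg) -> Tuple[bool, Dict[str, str]]:
    """Apply the 1.1 router: when it accepts, headers_remove strips any
    X-Spam-* the sender put on the message before it is piped to spamc."""
    if not new_condition(m):
        return False, dict(m.headers)
    return True, {k: v for k, v in m.headers.items() if k not in HEADERS_REMOVE}


# Constructed messages (assumed values, not taken from the thread's samples).
CLEAN = Msg({"from": "sender@example.net"}, "esmtp", 50 * KB)
# A sender pre-stamping the headers SpamAssassin would add. The value does not
# matter: def: only tests that the header exists.
FORGED = Msg({"from": "sender@example.net", "x-spam-flag": "NO",
              "x-spam-status": "No, score=-1.0 required=4.0"}, "esmtp", 50 * KB)
# Already scanned and re-injected by the spamcheck transport.
RESCANNED = Msg({"x-spam-flag": "YES", "x-spam-level": "*******"}, "spam-scanned", 50 * KB)
# Above the old 100k limit, below the new 500k one.
BIG = Msg({"from": "sender@example.net"}, "esmtp", 200 * KB)


if __name__ == "__main__":
    for name, m in [("clean", CLEAN), ("forged", FORGED),
                    ("rescanned", RESCANNED), ("200k", BIG)]:
        routed, hdrs = route_new(m)
        print(f"{name:10s} old={old_condition(m)!s:5s} new={routed!s:5s} "
              f"headers after 1.1 router={sorted(hdrs)}")
```

Running it prints one line per case: the clean message is scanned by both routers; the forged one is skipped by the old condition but scanned by the new one, with its fake X-Spam-Flag and X-Spam-Status gone before spamc sees it; the already-scanned message is accepted by neither, which is what stops the scan loop; and the 200k message is only scanned under the 1.1 limit.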
 