> Rob Brandt wrote, On 7/1/2009 9:09 AM:
>
>>
>> Excellent, I now get a match using postmap.  If the spam doesn't cease,
>> I'll be back.  Thanks everyone!
>>
>> Rob
>>
>
> Nuts.  I am still getting spam.  Is there any reason header_checks might
> not be enabled?  Is header_checks being run before SA processes it?

You'll pretty much always get spam. The question is how spammy does
spamassassin think it is, is it being flagged with the spam header, and is
your header check matching it?

>
> Here's my header_checks file:
> *********************************************
> # X-Spam-Flag
> /^X-Spam-Flag: YES$/  DISCARD X-Spam-Flag
>
> Here's my current main.cf:
> *********************************************

Without trying to be a "Master of the Obvious", are you actually getting the
X-Spam-Flag header in your messages? If you're using amavis, it may eat the
spam headers depending on configuration.

Also, you don't need the "$" at the end of the string.

FWIW, you might want to use X-Spam-Level instead of X-Spam-Flag, since it
gives you more control over how spammy something is before you take action:

/^X-Spam-Level.*\*\*\*\*\*/ HOLD

works nicely, for example.

When you fire up postfix are there any error messages in the log?

Terry


> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
>
>
> # Debian specific:  Specifying a file name will cause the first
> # line of that file to be used as the name.  The Debian default
> # is /etc/mailname.
> #myorigin = /etc/mailname
>
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
>
> readme_directory = no
>
> # TLS parameters
> smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
> smtpd_tls_key_file = /etc/ssl/private/smtpd.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> # information on enabling SSL in the smtp client.
>
> myhostname = mail.dom.ain
> alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = amd64.dom.ain, localhost.dom.ain,localhost
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_size_limit = 0
> recipient_delimiter = +
> virtual_alias_maps =
> hash:/etc/postfix/virtual,hash:/usr/local/mailman/data/virtual-mailman
> home_mailbox = Maildir/
> content_filter = smtp-amavis:[127.0.0.1]:10024
> debug_peer_list = amd64.dom.ain
>
> unknown_local_recipient_reject_code = 550
> transport_maps = hash:/etc/postfix/transport
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth-client
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
> inet_interfaces = all
> smtpd_tls_auth_only = no
> smtpd_use_tls = yes
> smtp_use_tls = yes
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> header_checks = regexp:/etc/postfix/header_checks
>
> Here's the headers from a very spammy email I just received:
> *************************************************************
> Return-Path: <ale...@52.red-88-5-123.dynamicip.rima-tde.net>
> X-Original-To: bronto-dom....@amd64.dom.ain
> Delivered-To: bronto-dom....@amd64.dom.ain
> Received: from localhost (localhost [127.0.0.1])
>       by mail.dom.ain (Postfix) with ESMTP id A24B1422C5
>       for <bronto-dom....@amd64.dom.ain>; Wed,  1 Jul 2009 10:10:54 -0700 
> (PDT)
> X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain
> X-Spam-Flag: YES
> X-Spam-Score: 27.191
> X-Spam-Level: ***************************
> X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31
>       tests=[BAYES_99=3.5, DIGEST_MULTIPLE=0.001, FH_HELO_ALMOST_IP=3.565,
>       FH_HOST_EQ_DYNAMICIP=4.058, HELO_DYNAMIC_SPLIT_IP=3.493,
>       HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
>       PYZOR_CHECK=3.7, RAZOR2_CF_RANGE_51_100=0.5,
>       RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
>       RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1]
> X-Spam-Report:
>   *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>   *      [score: 1.0000]
>   *  4.1 FH_HOST_EQ_DYNAMICIP Host is dynamicip
>   *  3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
>   *      IP)
>   *  3.6 FH_HELO_ALMOST_IP Helo is almost an IP addr.
>   *  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
>   *      [88.5.123.52 listed in zen.spamhaus.org]
>   *  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
>   *  0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
>   *      [88.5.123.52 listed in dnsbl.sorbs.net]
>   *  0.0 HTML_MESSAGE BODY: HTML included in message
>   *  0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large
>   *  1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>   *  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
>   *      above 50%
>   *      [cf: 100]
>   *  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
>   *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>   *      [cf: 100]
>   *  3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
>   *  0.0 DIGEST_MULTIPLE Message hits more than one network digest check
>   *  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
>   *      dynamic-looking rDNS
> Received: from mail.dom.ain ([127.0.0.1])
>       by localhost (amd64.dom.ain [127.0.0.1]) (amavisd-new, port 10024)
>       with ESMTP id z1oE2BXbOpmz for <bronto-dom....@amd64.dom.ain>;
>       Wed,  1 Jul 2009 10:10:49 -0700 (PDT)
> Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net
> (52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])
>       by mail.dom.ain (Postfix) with ESMTP id 39BCB42208
>       for <bro...@dom.ain>; Wed,  1 Jul 2009 10:10:43 -0700 (PDT)
> Received: from localhost (nr.ru [127.0.0.1])
>       by nr.ru (8.14.2/8.14.2) with SMTP id ywaeec63;
>       Wed, 1 Jul 2009 18:10:21 +0100
>       (envelope-from ly...@yandex.ru)
> To: Bronto <bro...@dom.ain>
> Subject: ***SPAM*** =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=
> X-PHP-Script: nr.ru/index.php
> From: íÁÒË ûÁÒÏ× <ly...@yandex.ru>
> Auto-Submitted: auto-generated
> Message-ID: <4694156114.20090701181...@nr.ru>
> MIME-Version: 1.0
> Content-Type: text/html; charset="koi8-r"
> Content-Transfer-Encoding: 8bit
> X-Priority: 3
> X-Mailer: IPB PHP
>
>


-- 
CNY Support, LLC
Web. Database. Business
http://www.cnysupport.com



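The following is an added example, not code from this thread or from Postfix: a small Python emulation of how cleanup(8) applies a `regexp:` header_checks table to the logical headers of a message, so the two rules under discussion (the quoted `X-Spam-Flag` rule and Terry's `X-Spam-Level` variant) can be tried offline against constructed headers abbreviated from the spam shown above. On a real system the equivalent check is `postmap -q "X-Spam-Flag: YES" regexp:/etc/postfix/header_checks`. The rule table, sample headers and function names are all constructed for the example. One assumption worth checking on the box in question, since the thread shows only main.cf and not master.cf: in the usual amavisd-new layout the re-injection listener on 127.0.0.1:10025 carries `receive_override_options=no_header_body_checks`, in which case header_checks runs only on the first pass, before SpamAssassin has added any `X-Spam-*` headers at all, and no header_checks rule on those headers can ever fire.

```python
import re

# Constructed header_checks table in Postfix regexp: syntax: the X-Spam-Flag
# rule quoted in the thread (with the unnecessary trailing "$" dropped) plus
# Terry's X-Spam-Level variant, which only fires at five or more stars.
HEADER_CHECKS = r"""
# X-Spam-Flag
/^X-Spam-Flag: YES/          DISCARD X-Spam-Flag
# SpamAssassin level: five stars or more, hold the message for review
/^X-Spam-Level: \*\*\*\*\*/  HOLD
"""

# Constructed sample headers, abbreviated from the spam shown in the thread.
# A folded (continued) header is included because cleanup(8) matches the
# whole logical header, not each physical line.
SPAM_HEADERS = (
    "X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Score: 27.191\n"
    "X-Spam-Level: ***************************\n"
    "X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31\n"
    "\ttests=[BAYES_99=3.5, RCVD_IN_XBL=3.033]\n"
    "Subject: ***SPAM*** test\n"
)

# Constructed non-spam headers: flag is NO and the level is below the threshold.
HAM_HEADERS = (
    "X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain\n"
    "X-Spam-Flag: NO\n"
    "X-Spam-Level: **\n"
    "Subject: hello\n"
)


def parse_table(text):
    """Parse a regexp: table into [(compiled_regex, action)].

    Only the common "/pattern/flags action" form with "/" as delimiter is
    handled; "!/.../" negation and "if/endif" blocks are left out.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:\\.|[^/\\])*)/([a-zA-Z]*)\s+(.*)$", line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        pattern, flags, action = m.groups()
        re_flags = re.IGNORECASE  # Postfix regexp tables ignore case by default
        for f in flags:
            if f == "i":
                re_flags ^= re.IGNORECASE  # "i" toggles case-insensitivity off
            elif f == "x":
                re_flags ^= re.VERBOSE
            elif f == "m":
                re_flags ^= re.MULTILINE
            else:
                raise ValueError("unsupported flag %r" % f)
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def logical_headers(text):
    """Unfold RFC 5322 folded headers: continuation lines join their parent."""
    headers = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def check_headers(table_text, header_text):
    """Return [(header_name, action)] for every header some rule matched.

    Like cleanup(8), each logical header is tried against the rules in order
    and the first matching rule decides the action for that header.
    """
    rules = parse_table(table_text)
    hits = []
    for header in logical_headers(header_text):
        for regex, action in rules:
            if regex.search(header):
                hits.append((header.split(":", 1)[0], action))
                break
    return hits


def actions_for(table_text, header_text):
    """Just the action keywords (DISCARD, HOLD, ...) that would fire."""
    return [action.split()[0] for _, action in check_headers(table_text, header_text)]


def trailing_dollar_is_fragile(header):
    """Show why the "$" anchor buys nothing: a stray trailing space breaks it."""
    strict = re.search(r"^X-Spam-Flag: YES$", header, re.IGNORECASE)
    relaxed = re.search(r"^X-Spam-Flag: YES", header, re.IGNORECASE)
    return (strict is not None, relaxed is not None)


if __name__ == "__main__":
    print(check_headers(HEADER_CHECKS, SPAM_HEADERS))
    print(check_headers(HEADER_CHECKS, HAM_HEADERS))
    print(trailing_dollar_is_fragile("X-Spam-Flag: YES "))
```

Run as a script it prints the DISCARD and HOLD hits for the spam sample, an empty list for the ham sample, and `(False, True)` for a flag header with a trailing space, which is the practical reason to drop the `$`. The emulation deliberately keeps Postfix's case-insensitive default and the first-match-wins rule per header, because those two details are what most often make a hand-written pattern behave differently from what `postmap -q` suggests.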