On 04/10/2018 03:49 PM, Motty Cruz wrote:
I apologize, here are the email headers and body:
https://pastebin.com/bgXrfKaQ
Thanks,
Content analysis details: (16.0 points, 5.0 required)

 pts rule name                    description
---- ---------------------- --------------------------------------------------
 4.2 RCVD_IN_IVMBL_LASTEXTERNAL RBL: No description available.
                            [178.62.193.238 listed in sip.invaluement.com]
 5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 0.9996]
 3.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 0.9996]
 1.2 ENA_RELAY_IN           Relayed through India
 0.0 MISSING_MIME_HB_SEP    BODY: Missing blank line between MIME header and body
 2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on whitelists
 0.0 ENA_BAD_SPAM           Spam hitting really bad rules.
BAYES and IVM RBL would have blocked this on my SA platform. My Postfix
MTA setup with weighted postscreen RBLs might have blocked this before SA.
http://multirbl.valli.org/lookup/178.62.193.238.html
IVM is a subscription-based RBL that is very cheap and accurate.
I train my bayes DB daily by splitting a copy of all email to an iRedMail
hidden mail server that does the initial sort of ham/spam based on
scores and rule hits while filtering some email from mailing lists and
facebook/twitter/etc.
# sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 6115847 0 non-token data: nspam
0.000 0 18374916 0 non-token data: nham
So what's the real problem? Do you feel that amavis is letting through
too much junk? You have to tune/tweak your SA rules and plugins to get
the best accuracy for your specific mail flow. Everyone's mail flow is
different, so I couldn't give you my config and have it work perfectly.
We have mentioned general tuning on this mailing list over the past
year. Also spam characteristics change over time as the spammers are
constantly having to change their tactics as filtering catches up to them.
On 04/10/2018 01:40 PM, David Jones wrote:
On 04/10/2018 03:34 PM, Motty Cruz wrote:
Thanks for your help David,
https://pastebin.com/wsYRfM8K
That email is missing a lot of headers that are critical. Please post
the entire email including the Received: headers.
-Motty
On 04/10/2018 01:22 PM, David Jones wrote:
On 04/10/2018 03:05 PM, Motty Cruz wrote:
Thanks for your prompt reply:
https://pastebin.com/bLy3Jcqt
The Bayes setup looks good. Can you put a lightly redacted version
of that email on pastebin.com so we can run it through our SA instances?
Amavis should have blocked that message based on the score being
3.501 and the kill threshold being 3.1. This sounds like an amavis
config issue.
Please post the output of 'grep 723EC1A1706 maillog' to get the full
message conversation from Postfix.
Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=<emily.thomp...@spontaneous-search-level.com>, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] <emily.thomp...@spontaneous-search-level.com> -> <iu...@domainfq.com>, Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms
root@vm1
On 04/10/2018 12:34 PM, David Jones wrote:
On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get
low score.
zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <emily.thomp...@spontaneous-search-level.com>
X-Envelope-To: <iu...@domainfq.com>
X-Envelope-To-Blocked: <iu...@domainfq.com>
X-Quarantine-ID: <G71jMeOxz-Ha>
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id G71jMeOxz-Ha for <iu...@domainfq.com>;
Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com
[178.62.193.238])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
In local.cf:
use_bayes 1
skip_rbl_checks 1
# Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0
bayes_path /var/amavis/.spamassassin/bayes
use_razor2 1
# Tell SA that we want to use Razor version 2
use_pyzor 0
# Tells SA that we don't want to use Pyzor
dns_available yes
# If you are sure you have DNS access set it to "yes"
#
score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59
score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0
Need more info:
- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user
--
David Jones
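As an added example (not part of this thread or of amavis/SpamAssassin), the following Python parses the X-Spam-Status value and the "Content analysis details" report quoted above and performs the two checks the thread is doing by hand: whether the per-rule points add up to the header total (16.0), and which amavis level (tag, tag2, kill) the 3.501 score crosses. The kill > tag2 > tag ordering is an assumption taken from the threshold values shown in the header, not read from an amavis config.

```python
import re
# Constructed sample input: the amavis X-Spam-Status value and the SpamAssassin
# "Content analysis details" report quoted in this thread, wrapped lines re-joined.
SPAM_STATUS = ("Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1 "
               "tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled")
REPORT = """Content analysis details: (16.0 points, 5.0 required)
 pts rule name                    description
---- ---------------------- --------------------------------------------------
 4.2 RCVD_IN_IVMBL_LASTEXTERNAL RBL: No description available.
                            [178.62.193.238 listed in sip.invaluement.com]
 5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 0.9996]
 3.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 0.9996]
 1.2 ENA_RELAY_IN           Relayed through India
 0.0 MISSING_MIME_HB_SEP    BODY: Missing blank line between MIME header and body
 2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on whitelists
 0.0 ENA_BAD_SPAM           Spam hitting really bad rules.
"""
# "<points> <RULE_NAME> <description>"; continuation lines like "[score: ...]" carry no points
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
def parse_report(text):
    """Return (total, required, {rule: points}) from an SA content-analysis report."""
    head = re.search(r"\(([\d.]+) points, ([\d.]+) required\)", text)
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    return float(head.group(1)), float(head.group(2)), rules

def scores_consistent(total, rules):
    """True when the per-rule points add up to the total SA printed in the header."""
    return abs(sum(rules.values()) - total) < 1e-6

def parse_spam_status(value):
    """Return (score, thresholds, {test: points}) from an amavis X-Spam-Status value."""
    score = float(re.search(r"\bscore=(-?[\d.]+)", value).group(1))
    thresholds = {k: float(v) for k, v in re.findall(r"\b(tag2|tag|kill)=(-?[\d.]+)", value)}
    inner = re.search(r"tests=\[(.*?)\]", value).group(1)
    tests = {n: float(s) for n, s in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", inner)}
    return score, thresholds, tests

def amavis_level(score, thresholds):
    """Highest level reached (assumed order): 'kill' (block), 'tag2' (flag as spam), 'tag' (headers) or None."""
    for level in ("kill", "tag2", "tag"):
        if level in thresholds and score >= thresholds[level]:
            return level
    return None
```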