Hi,

If the message is supposed to get SA headers always, but they're not there, your mail routing is borked or misconfigured. Please find all related logging for this message from the moment it entered your mail stack until the moment it was stored by cyrus. You seem to use 2 hosts; be sure to get full logging from both inet08.hamilton.harte-lyne.ca and inet07.hamilton.harte-lyne.ca.

Tom

On 11-05-14 21:26, James B. Byrne wrote:
>
> CentOS-6.5 Postfix-2.6.6 Amavisd-new-2.8.0 Spamassassin-3.3.1
> OpenDKIM-2.9.0 pypolicyd-spf-1.2
>
> We use Spamassassin through Amavisd-new with Postfix. Our Postfix /
> Amavisd-new / Spamassassin setup has worked reliably for the past 18
> months or so. Recently we made changes to Postfix to enable SPF policy
> checking and to have DKIM sign outgoing messages. Since then we have
> noticed a considerable decline in spam but we have also noticed that
> incoming mail no longer has any SPAM headers applied by Spamassassin
> at all.
>
> This might be because the messages are in fact not triggering any spam
> checks, but in our experience even legitimate mail usually trips at
> least one rule. In consequence we are concerned that something is
> allowing messages to bypass SA and we need help in determining if this
> is true and what can be done to correct the problem.
>
> We have this in /etc/amavisd.amavisd.conf which previously ensured that
> every check gets listed in the delivered headers.
>
> $sa_tag_level_deflt = -9999;  # add spam info headers to everything
>
> We added SPF policy checking to Postfix in master.cf in this manner:
>
> # SPF policy check
> policyd-spf  unix  y       n       n       -       -       spawn
>     user=nobody argv=/usr/libexec/postfix/policyd-spf
> #
> # After-queue amavis spam/malware filter setup -
> # but see before-queue setup options on smtp above
> #
> smtp-amavis  unix  -       -       n       -       6       smtp
>     -o smtp_data_done_timeout=1200
>     -o smtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes
>     -o max_use=20
>
> Spamassassin appears to be working as we are still getting entries in
> the quarantine directory. But the spam headers and scores are not
> showing up in any messages that pass through our filters. This is now
> an issue because we are getting the occasional spam message delivered
> with no indication that they have been looked at by Spamassassin at
> all. However, we see that they have been virus scanned by amavisd so
> the absence of spam headers is somewhat mystifying.
>
> This is an example of a phishing spam message that got through:
>
> Return-Path: <alert-boun...@aossystems.com>
> Received: from inet07.hamilton.harte-lyne.ca ([unix socket])
>     by inet07.hamilton.harte-lyne.ca (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5) with LMTPA;
>     Fri, 09 May 2014 20:19:26 -0400
> X-Sieve: CMU Sieve 2.3
> Received: from inet08.hamilton.harte-lyne.ca (inet08.hamilton.harte-lyne.ca [216.185.71.28])
>     by inet07.hamilton.harte-lyne.ca (Postfix) with ESMTP id 280278B2C6
>     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:26 -0400 (EDT)
> Received: from localhost (localhost [127.0.0.1])
>     by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id DC99E60EF3
>     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:25 -0400 (EDT)
> X-Virus-Scanned: amavisd-new at harte-lyne.ca
> Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
>     by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id R7F5tnPcOww4 for <byrnej...@harte-lyne.ca>;
>     Fri, 9 May 2014 20:19:24 -0400 (EDT)
> Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=198.57.229.237;
>     helo=sof.softech.in; envelope-from=alert-boun...@aossystems.com;
>     receiver=byrnej...@harte-lyne.ca
> Received: from sof.softech.in (sof.softech.in [198.57.229.237])
>     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>     (Client did not present a certificate)
>     by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPS
>     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:22 -0400 (EDT)
> Received: from localhost.localdomain ([127.0.0.1]:45354 helo=sof.softech.in)
>     by sof.softech.in with esmtp (Exim 4.80.1)
>     (envelope-from <alert-boun...@aossystems.com>)
>     id 1WhHE3-0000Of-0L; Mon, 05 May 2014 06:38:27 -0500
> Received: from bigbear.arvixevps.com ([108.175.145.28]:58594)
>     by sof.softech.in with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1)
>     (envelope-from <ca...@bigbear.arvixevps.com>)
>     id 1WhH4p-0000Mb-1H for al...@aossystems.com; Mon, 05 May 2014 06:28:55 -0500
> Received: from cable by bigbear.arvixevps.com with local (Exim 4.82)
>     (envelope-from <ca...@bigbear.arvixevps.com>)
>     id 1WhH4m-0008Cb-63 for al...@aossystems.com; Mon, 05 May 2014 04:28:52 -0700
> To: al...@aossystems.com
> Subject: Changes to the Electronic Access Agreements
> From: CIBC <nore...@cibc.net>
> MIME-Version: 1.0
> Content-Type: text/html
> Content-Transfer-Encoding: 8bit
> Message-Id: <e1whh4m-0008cb...@bigbear.arvixevps.com>
> Date: Mon, 05 May 2014 04:28:52 -0700
> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - bigbear.arvixevps.com
> X-AntiAbuse: Original Domain - aossystems.com
> X-AntiAbuse: Originator/Caller UID/GID - [513 512] / [47 12]
> X-AntiAbuse: Sender Address Domain - bigbear.arvixevps.com
> X-Get-Message-Sender-Via: bigbear.arvixevps.com: authenticated_id: cable/only user confirmed/virtual account not confirmed
> X-BeenThere: al...@aossystems.com
> X-Mailman-Version: 2.1.15
> Precedence: list
> Reply-To: nore...@cibc.net
> List-Id: <alert_aossystems.com.aossystems.com>
> List-Unsubscribe: <http://aossystems.com/mailman/options/alert_aossystems.com>,
>     <mailto:alert-requ...@aossystems.com?subject=unsubscribe>
> List-Archive: <http://aossystems.com/pipermail/alert_aossystems.com/>
> List-Post: <mailto:al...@aossystems.com>
> List-Help: <mailto:alert-requ...@aossystems.com?subject=help>
> List-Subscribe: <http://aossystems.com/mailman/listinfo/alert_aossystems.com>,
>     <mailto:alert-requ...@aossystems.com?subject=subscribe>
> Errors-To: alert-boun...@aossystems.com
> Sender: "Alert" <alert-boun...@aossystems.com>
> X-OutGoing-Spam-Status: No, score=-0.3
> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - sof.softech.in
> X-AntiAbuse: Original Domain - harte-lyne.ca
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain - aossystems.com
> X-Get-Message-Sender-Via: sof.softech.in: acl_c_authenticated_local_user: mailman/mailman
> X-Source:
> X-Source-Args:
> X-Source-Dir:
>
> This message is attempting to pass itself off as being from the
> Canadian Imperial Bank of Canada (CIBC). As you can see there are no
> spam headers from our site in the delivered message.
>
> However, if I save this message to a text file and run it through
> spamassassin manually on the same host that the original message came
> through then this is what I see:
>
> spamassassin < spam-test.txt
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on inet08.hamilton.harte-lyne.ca
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=7.3 required=4.5 tests=BDY_PRES,MISSING_DATE,
>     MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,
>     NO_RECEIVED,NO_RELAYS,SPOOF_COM2COM autolearn=no version=3.3.1
> X-Spam-Report:
>     * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
>     *  1.2 MISSING_HEADERS Missing To: header
>     *  0.2 BDY_PRES BODY: Body contains pres
>     *  1.6 SPOOF_COM2COM URI: URI contains ".com" in middle and end
>     *  0.1 MISSING_MID Missing Message-Id: header
>     *  1.8 MISSING_SUBJECT Missing Subject: header
>     *  1.0 MISSING_FROM Missing From: header
>     * -0.0 NO_RECEIVED Informational: message has no Received headers
>     *  1.4 MISSING_DATE Missing Date: header
>     *  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
>     *      headers
> X-Spam-DCC: :
> X-Spam-Level: *******
> X-Spam-Pyzor: Reported 0 times.
>
> RFC822 Message body
> Return-Path: <alert-boun...@aossystems.com>
> Received: from inet07.hamilton.harte-lyne.ca ([unix socket])
>     by inet07.hamilton.harte-lyne.ca (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5) with LMTPA;
>     Fri, 09 May 2014 20:19:26 -0400
> X-Sieve: CMU Sieve 2.3
> Received: from inet08.hamilton.harte-lyne.ca (inet08.hamilton.harte-lyne.ca [216.185.71.28])
>     by inet07.hamilton.harte-lyne.ca (Postfix) with ESMTP id 280278B2C6
>     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:26 -0400 (EDT)
> Received: from localhost (localhost [127.0.0.1])
>     by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id DC99E60EF3
>     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:25 -0400 (EDT)
> . . .
>
> So, can some kind soul tell me what is going on here? Why is this
> message getting through? Is this an artefact of messages passing
> through the SPF policy milter then being reinjected from localhost
> [127.0.0.1]? How do we handle this?
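Tom's reply asks for the logging for this message on both hosts, hop by hop. The script below is an added example for this thread, not code from the thread, from amavisd-new or from Postfix. It parses the quoted header block, splits it into strata at each Received: line so you can see which hop prepended X-Virus-Scanned (and where an X-Spam-Status line would have to sit), lists the Postfix and amavisd queue IDs to grep for on inet07 and inet08, and checks the one thing the manual `spamassassin < spam-test.txt` run above reveals: every rule it fired (NO_RECEIVED, MISSING_FROM, NO_HEADERS_MESSAGE, ...) says SpamAssassin saw no header block at all, which is what happens when the saved file does not start with a header field (a leading blank line is the usual cause). The sample message is the thread's own headers, abbreviated, over a constructed body; the X-Spam-* header names are amavisd's defaults, an assumption.

```python
"""Walk a delivered message's Received: chain, show which hop added which
filter headers, and collect queue IDs to grep for in the mail logs.
Added example for this thread; not code from the thread, amavisd or Postfix."""
import re
from email import message_from_string

# Constructed sample: the thread's header block, abbreviated, over a
# constructed one-line body.
SAMPLE = """Return-Path: <alert-boun...@aossystems.com>
Received: from inet07.hamilton.harte-lyne.ca ([unix socket])
    by inet07.hamilton.harte-lyne.ca (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5) with LMTPA;
    Fri, 09 May 2014 20:19:26 -0400
X-Sieve: CMU Sieve 2.3
Received: from inet08.hamilton.harte-lyne.ca (inet08.hamilton.harte-lyne.ca [216.185.71.28])
    by inet07.hamilton.harte-lyne.ca (Postfix) with ESMTP id 280278B2C6
    for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:26 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id DC99E60EF3
    for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:25 -0400 (EDT)
X-Virus-Scanned: amavisd-new at harte-lyne.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
    by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id R7F5tnPcOww4 for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:24 -0400 (EDT)
Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=198.57.229.237;
    helo=sof.softech.in; envelope-from=alert-boun...@aossystems.com; receiver=byrnej...@harte-lyne.ca
Received: from sof.softech.in (sof.softech.in [198.57.229.237])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPS
    for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:22 -0400 (EDT)
From: CIBC <nore...@cibc.net>
Subject: Changes to the Electronic Access Agreements

(constructed body)
"""

# amavisd-new's default spam-info header names (assumption: defaults in use)
SPAM_HEADERS = {"x-spam-status", "x-spam-flag", "x-spam-score", "x-spam-level"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bid\s+([^\s;]+))?", re.I)


def strata(raw):
    """Split the header block at each Received: line, newest first.
    Each entry is one hop plus the names of the headers directly above it,
    i.e. what that hop (or a later one) prepended.  Software that appends
    below its own Received: (Cyrus/Sieve's X-Sieve here) is the exception,
    so read this as a map, not a proof.  The final entry holds whatever sits
    below the last Received:, the originator's own headers."""
    msg = message_from_string(raw)
    hops, pending = [], []
    for name, value in msg.items():
        flat = " ".join(value.split())  # unfold continuation lines
        if name.lower() != "received":
            pending.append(name)
            continue
        m = HOP_RE.search(flat)
        hops.append({"from": m.group(1) if m else "?",
                     "by": m.group(2) if m else "?",
                     "id": m.group(3) if m else None,
                     "amavis": "amavisd-new" in flat,
                     "headers_above": pending})
        pending = []
    hops.append({"from": None, "by": None, "id": None,
                 "amavis": False, "headers_above": pending})
    return hops


def queue_ids(raw):
    """Queue/transaction IDs from the Received: lines, oldest hop first:
    the strings to grep for in each host's mail log."""
    return [h["id"] for h in reversed(strata(raw)) if h["id"]]


def audit(raw):
    """tagged: some X-Spam-* header present; scanned-but-untagged: an
    amavisd-new hop carries X-Virus-Scanned but no X-Spam-* header exists;
    no-amavis-hop: never passed amavisd-new; amavis-hop-unmarked: otherwise."""
    hops = strata(raw)
    names = {n.lower() for h in hops for n in h["headers_above"]}
    if names & SPAM_HEADERS:
        return "tagged"
    amavis = [h for h in hops if h["amavis"]]
    if not amavis:
        return "no-amavis-hop"
    if any("x-virus-scanned" in {n.lower() for n in h["headers_above"]} for h in amavis):
        return "scanned-but-untagged"
    return "amavis-hop-unmarked"


def sa_input_ok(raw):
    """True if the file starts with a 'Name:' header field.  `spamassassin < file`
    reads everything up to the first blank line as the header block, so a
    leading blank line makes it see no headers (NO_RECEIVED, MISSING_FROM, ...)."""
    first = raw.split("\n", 1)[0]
    return re.match(r"^[!-9;-~]+:", first) is not None


if __name__ == "__main__":
    for h in strata(SAMPLE):
        tag = " [amavisd-new]" if h["amavis"] else ""
        print(f"{h['from']} -> {h['by']} id={h['id']}{tag}: {h['headers_above']}")
    print("queue ids:", queue_ids(SAMPLE))
    print("verdict:", audit(SAMPLE))
    print("sa input ok:", sa_input_ok(SAMPLE))
```

For the sample the verdict is `scanned-but-untagged`: the amavisd-new hop (id R7F5tnPcOww4) prepended X-Virus-Scanned and nothing else, so the content filter did run but SpamAssassin tagging did not apply at that hop; with `$sa_tag_level_deflt = -9999` that is the place to look, not the SPF policy service, which only prepends Received-SPF at the smtpd stage. Two amavisd-side checks worth making before reading logs: amavisd-new inserts its spam-info headers only for recipients it treats as local (`@local_domains_maps`), and any `@bypass_spam_checks_maps` entry skips SA entirely while still leaving X-Virus-Scanned. Run the script's `sa_input_ok` on the saved file before trusting a manual `spamassassin` score: the manual run above scored the headers as body text, so its 7.3 says nothing about what amavisd would have scored.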