CentOS-6.5
Postfix-2.6.6
Amavisd-new-2.8.0
Spamassassin-3.3.1
OpenDKIM-2.9.0
pypolicyd-spf-1.2

We use Spamassassin through Amavisd-new with Postfix. Our Postfix /
Amavisd-new / Spamassassin setup has worked reliably for the past 18 months or
so. Recently we made changes to Postfix to enable SPF policy checking and to
have DKIM sign outgoing messages.  Since then we have noticed a considerable
decline in spam but we have also noticed that incoming mail no longer has any
SPAM headers applied by Spamassassin at all.

This might be because the messages are in fact not triggering any spam checks
but in our experience even legitimate mail usually trips at least one rule. In
consequence we are concerned that something is allowing messages to bypass SA
and we need help in determining if this is true and what can be done to
correct the problem.

We have this in /etc/amavisd.amavisd.conf which previously ensured that every
check gets listed in the delivered headers.

$sa_tag_level_deflt  = -9999;  # add spam info headers to everything

We added SPF policy checking to Postfix in master.cf in this manner:

# SPF policy check
policyd-spf unix  y       n       n       -       -       spawn
  user=nobody argv=/usr/libexec/postfix/policyd-spf
#
# After-queue amavis spam/malware filter setup -
#   but see before-queue setup options on smtp above
#
smtp-amavis unix  -       -       n         -     6       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

Spamassassin appears to be working as we are still getting entries in the
quarantine directory.  But the spam headers and scores are not showing up in
any messages that pass through our filters.  This is now an issue because we
are getting the occasional spam message delivered with no indication that they
have been looked at by Spamassassin at all.  However, we see that they have
been virus scanned by amavisd so the absence of spam headers is somewhat
mystifying.

This is an example of a phishing spam message that got through:

Return-Path: <alert-boun...@aossystems.com>
Received: from inet07.hamilton.harte-lyne.ca ([unix socket])
     by inet07.hamilton.harte-lyne.ca (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5) with LMTPA;
     Fri, 09 May 2014 20:19:26 -0400
X-Sieve: CMU Sieve 2.3
Received: from inet08.hamilton.harte-lyne.ca (inet08.hamilton.harte-lyne.ca [216.185.71.28])
     by inet07.hamilton.harte-lyne.ca (Postfix) with ESMTP id 280278B2C6
     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:26 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
     by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id DC99E60EF3
     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:25 -0400 (EDT)
X-Virus-Scanned: amavisd-new at harte-lyne.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
     by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
     with ESMTP id R7F5tnPcOww4 for <byrnej...@harte-lyne.ca>;
     Fri, 9 May 2014 20:19:24 -0400 (EDT)
Received-SPF: Pass (sender SPF authorized) identity=helo;
     client-ip=198.57.229.237; helo=sof.softech.in;
     envelope-from=alert-boun...@aossystems.com; receiver=byrnej...@harte-lyne.ca
Received: from sof.softech.in (sof.softech.in [198.57.229.237])
     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
     (Client did not present a certificate)
     by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPS
     for <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:22 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1]:45354 helo=sof.softech.in)
     by sof.softech.in with esmtp (Exim 4.80.1)
     (envelope-from <alert-boun...@aossystems.com>)
     id 1WhHE3-0000Of-0L; Mon, 05 May 2014 06:38:27 -0500
Received: from bigbear.arvixevps.com ([108.175.145.28]:58594)
     by sof.softech.in with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
     (Exim 4.80.1) (envelope-from <ca...@bigbear.arvixevps.com>)
     id 1WhH4p-0000Mb-1H
     for al...@aossystems.com; Mon, 05 May 2014 06:28:55 -0500
Received: from cable by bigbear.arvixevps.com with local (Exim 4.82)
     (envelope-from <ca...@bigbear.arvixevps.com>) id 1WhH4m-0008Cb-63
     for al...@aossystems.com; Mon, 05 May 2014 04:28:52 -0700
To: al...@aossystems.com
Subject: Changes to the Electronic Access Agreements
From: CIBC <nore...@cibc.net>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <e1whh4m-0008cb...@bigbear.arvixevps.com>
Date: Mon, 05 May 2014 04:28:52 -0700
X-AntiAbuse: This header was added to track abuse,
     please include it with any abuse report
X-AntiAbuse: Primary Hostname - bigbear.arvixevps.com
X-AntiAbuse: Original Domain - aossystems.com
X-AntiAbuse: Originator/Caller UID/GID - [513 512] / [47 12]
X-AntiAbuse: Sender Address Domain - bigbear.arvixevps.com
X-Get-Message-Sender-Via: bigbear.arvixevps.com: authenticated_id: cable/only
     user confirmed/virtual account not confirmed
X-BeenThere: al...@aossystems.com
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: nore...@cibc.net
List-Id: <alert_aossystems.com.aossystems.com>
List-Unsubscribe:
<http://aossystems.com/mailman/options/alert_aossystems.com>,
     <mailto:alert-requ...@aossystems.com?subject=unsubscribe>
List-Archive: <http://aossystems.com/pipermail/alert_aossystems.com/>
List-Post: <mailto:al...@aossystems.com>
List-Help: <mailto:alert-requ...@aossystems.com?subject=help>
List-Subscribe: <http://aossystems.com/mailman/listinfo/alert_aossystems.com>,
     <mailto:alert-requ...@aossystems.com?subject=subscribe>
Errors-To: alert-boun...@aossystems.com
Sender: "Alert" <alert-boun...@aossystems.com>
X-OutGoing-Spam-Status: No, score=-0.3
X-AntiAbuse: This header was added to track abuse,
     please include it with any abuse report
X-AntiAbuse: Primary Hostname - sof.softech.in
X-AntiAbuse: Original Domain - harte-lyne.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - aossystems.com
X-Get-Message-Sender-Via: sof.softech.in: acl_c_authenticated_local_user:
mailman/mailman
X-Source:
X-Source-Args:
X-Source-Dir:

This message is attempting to pass itself off as being from the Canadian
Imperial Bank of Canada (CIBC). As you can see there are no spam headers from
our site in the delivered message.

However, if I save this message to a text file and run it through spamassassin
manually on the same host that the original message came through then this is
what I see:

spamassassin < spam-test.txt
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
        inet08.hamilton.harte-lyne.ca
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.3 required=4.5 tests=BDY_PRES,MISSING_DATE,
        MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,
        NO_RECEIVED,NO_RELAYS,SPOOF_COM2COM autolearn=no version=3.3.1
X-Spam-Report:
        * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
        *  1.2 MISSING_HEADERS Missing To: header
        *  0.2 BDY_PRES BODY: Body contains pres
        *  1.6 SPOOF_COM2COM URI: URI contains ".com" in middle and end
        *  0.1 MISSING_MID Missing Message-Id: header
        *  1.8 MISSING_SUBJECT Missing Subject: header
        *  1.0 MISSING_FROM Missing From: header
        * -0.0 NO_RECEIVED Informational: message has no Received headers
        *  1.4 MISSING_DATE Missing Date: header
        *  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
        *      headers
X-Spam-DCC: :
X-Spam-Level: *******
X-Spam-Pyzor: Reported 0 times.

RFC822 Message body
Return-Path: <alert-boun...@aossystems.com>
Received: from inet07.hamilton.harte-lyne.ca ([unix socket])
     by inet07.hamilton.harte-lyne.ca (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5)
     with LMTPA;
     Fri, 09 May 2014 20:19:26 -0400
X-Sieve: CMU Sieve 2.3
Received: from inet08.hamilton.harte-lyne.ca (inet08.hamilton.harte-lyne.ca
     [216.185.71.28])
     by inet07.hamilton.harte-lyne.ca (Postfix) with ESMTP id 280278B2C6 for
     <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:26 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
     by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id DC99E60EF3 for
     <byrnej...@harte-lyne.ca>; Fri, 9 May 2014 20:19:25 -0400 (EDT)
. . .

So, can some kind soul tell me what is going on here?  Why is this message
getting through?  Is this an artefact of messages passing through the SPF
policy milter then being reinjected from localhost [127.0.0.1]?  How do we
handle this?

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
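As an added example (not part of the post above), a small Python audit that applies the checks the post walks through to a delivered message: whether it passed the amavisd hop and got X-Virus-Scanned but no X-Spam-Status, which SPF identity the Received-SPF header reports as passing, and whether the visible From: domain matches the envelope sender; it also checks that a saved copy begins with a header line before it is fed to spamassassin on stdin. The sample message, its hosts and its addresses are constructed placeholders, not the originals.

```python
import email
import re

# Constructed sample modelled on the delivered message in the post (placeholder names).
SAMPLE = """Return-Path: <alert-bounces@list.example>
X-Virus-Scanned: amavisd-new at mx.example
Received: from mx.example ([127.0.0.1])
    by localhost (mx.example [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id R7F5tnPcOww4 for <user@mx.example>;
Received-SPF: Pass (sender SPF authorized) identity=helo;
    client-ip=198.51.100.7; helo=relay.example;
    envelope-from=alert-bounces@list.example; receiver=user@mx.example
From: Example Bank <noreply@bank.example>

Please review the attached agreement.
"""

HEADER_RE = re.compile(r"^[!-9;-~]+:")  # RFC 5322 field name followed by ':'

def starts_with_header(raw):
    """False if the text has a stray first line: spamassassin then sees no headers at all."""
    first = raw.lstrip("\n").split("\n", 1)[0]
    return bool(HEADER_RE.match(first))

def domain(addr):
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None

def audit(raw):
    """Report how a delivered message was handled and flag gaps in the filtering."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    spf_hdr = msg.get("Received-SPF") or ""
    f = {
        "amavis_hop": any("amavisd-new" in r for r in received),
        "virus_scanned": msg.get("X-Virus-Scanned") is not None,
        "spam_headers": msg.get("X-Spam-Status") is not None,
        "spf_result": spf_hdr.split(" ", 1)[0] or None,
        "from_domain": domain(msg.get("From")),
        "envelope_domain": domain(msg.get("Return-Path")),
        "alerts": [],
    }
    if f["amavis_hop"] and f["virus_scanned"] and not f["spam_headers"]:
        f["alerts"].append("passed amavisd but carries no X-Spam-* headers")
    if f["from_domain"] and f["from_domain"] != f["envelope_domain"]:
        f["alerts"].append("From: domain differs from envelope sender domain")
    if f["spf_result"] == "Pass" and "identity=helo" in spf_hdr:
        f["alerts"].append("SPF pass covers the HELO identity only, not the sender")
    return f
```

Run audit() over each file in the delivery directory to find messages that were virus-scanned but never tagged; starts_with_header() catches the case where the saved copy has a leading non-header line and spamassassin reports only MISSING_* rules.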