Continuing the thread where I originally asked: https://www.howtoforge.com/communit...modify-headers-on-ispconfig-centos-7-1.70164/

Spamassassin seems not to be working, since email message headers are not modified and spam email is not blocked. For instance, the following email is spam for sure (confirmed at http://spamcheck.postmarkapp.com/ with a Spam Score of 5.2):

From - Tue May 26 09:12:50 2015
X-Account-Key: account3
X-UIDL: 000000b55546d392
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <p-lcfm9a8w39vdvc4amzqpuvph2cvhhly8lalx66efw3yjrtsglncx2hz-5V4DJ@newsletter.cluboferting.net>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by ns1.domain.mx (Postfix) with ESMTP id 7153F450BC
    for <[email protected]>; Tue, 26 May 2015 07:15:31 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at ns1.domain.mx
Received: from ns1.domain.mx ([127.0.0.1])
    by localhost (ns1.domain.mx [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rojtlvklhSIe for <a.b.com>;
    Tue, 26 May 2015 07:14:53 -0500 (CDT)
Received: from evo1mta1a97.emstechnology2.net (evo1mta1a97.emstechnology2.net [178.248.184.97])
    by ns1.domain.mx (Postfix) with ESMTP id 6C1804503F
    for <[email protected]>; Tue, 26 May 2015 07:14:22 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20132014;
    d=newsletter.cluboferting.net;
    h=From:Reply-To:To:Message-ID:Date:Subject:MIME-Version:Content-Type;
    i=[email protected];
    bh=bG9h5IwuAewctLsRnnZRzLrf5ug=;
    b=YNU/D/90Vu4KToo+2zX1t4esTL6LGhm+Q5DQ1VKpOAJk9Tj4TBgtPc4jc821KiDc76I9vfFs88N2
    bzMp+vGytIoLb0NiAFF6rypVR9li+MXaZY1wV58d1yH1eg875unONH2S7E8CFFT6eNP5TX1h5+bX
    pP0ccHLjkQSVBLea9eGSnULw6vRRoedMpc2YQhGfyzPvK8gPGeYkBvFGZ87oU+39gTQEl/6L39Bh
    4fFaP8HOi+rxFdr/8Q8DmJmEV2p+eF1LUm0EV48UqlnlwRnr/wn6JwLsDgLazi7K+LuVJF1zOGTC
    2C21wOAJUqpIqZXgNdoq1vIo+7fDkV31taMnQg==
Received: by evo1mta1a96.emstechnology2.net id hchhrq18c0kd
    for <[email protected]>; Tue, 26 May 2015 14:14:21 +0200
    (envelope-from <p-lcfm9a8w39vdvc4amzqpuvph2cvhhly8lalx66efw3yjrtsglncx2hz-5V4DJ@newsletter.cluboferting.net>)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20132014;
    d=newsletter.cluboferting.net;
    h=From:Reply-To:To:Message-ID:Date:Subject:MIME-Version:Content-Type;
    i=[email protected];
...
...

Both the domain and the email addresses have had the spam filter policy set to Normal for weeks. And the Normal policy was updated with the following Tag-Levels values:

SPAM tag level 3
SPAM tag2 level 4.5
SPAM kill level 5
SPAM modifies subject YES
SPAM subject tag2 ***SPAM***

So, as I said, it seems to be some kind of error, since the server was configured using the Perfect Server guide. Thanks in advance.
This line means that the email was scanned by spamassassin, as spamassassin is part of amavisd. The above email is most likely not reaching the spam tag level, so no headers get written into the mail header. Set:

SPAM tag level -100
SPAM tag2 level 3
Hello Till, I am afraid those settings do not work. I have a new email message, a lot worse, with a Spam Score of 13.9 points. And SpamAssassin still does not block it. Is there some way to check some log, or how do I know what exactly SpamAssassin or Amavis is doing? What else can we do?
When you see a spam score, then spamassassin is working correctly, as this score is assigned by spamassassin.
What????? Are you even trying to read my post and understand it? Is there anybody else who can help me with this, please? The Perfect Server guide seems to be wrong about the Amavis and Spamassassin setup, or maybe it is something we did, but we have no clue how to identify it.
Please post the exact amavis line of that message from mail.log. And you can set the amavis log level to a higher value to get more output in the log. The perfect server guide has no error in the amavis setup; as long as you follow it to the letter and did not make any manual changes in the mail setup, the resulting server will work out of the box.
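Added example (not part of the original thread): one way to read the amavis lines in mail.log against the tag levels discussed above. The log lines are constructed samples in the usual amavisd-new layout, and the function names are hypothetical; a score of "-" is assumed to mean that no spam check was run for that message.

```python
import re

# Constructed mail.log lines (not taken from the thread).
SAMPLE_LOG = """\
May 26 07:15:31 ns1 amavis[2101]: (02101-01) Passed CLEAN, [192.0.2.10] <a@example.org> -> <user@example.com>, mail_id: aaa111, Hits: 1.2, size: 2044, 812 ms
May 26 07:16:02 ns1 amavis[2101]: (02101-02) Passed SPAMMY, [192.0.2.11] <b@example.org> -> <user@example.com>, mail_id: bbb222, Hits: 4.6, size: 9120, 1530 ms
May 26 07:17:40 ns1 amavis[2102]: (02102-01) Blocked SPAM, [192.0.2.12] <c@example.org> -> <user@example.com>, mail_id: ccc333, Hits: 13.9, size: 5310, 1744 ms
May 26 07:18:05 ns1 amavis[2102]: (02102-02) Passed CLEAN, [127.0.0.1] <www-data@ns1.example.com> -> <x@example.net>, mail_id: ddd444, Hits: -, size: 1800, 95 ms
"""

LINE_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) (?P<verdict>Passed|Blocked) "
    r"(?P<category>[A-Z-]+).*?Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

def expected_marks(hits, tag, tag2, kill):
    """Return what amavis is expected to do for a score, given the policy levels."""
    if hits is None:
        # Assumption: "Hits: -" means the spam check was bypassed or not run.
        return ["spam check not run"]
    marks = []
    if hits >= tag:
        marks.append("X-Spam-Status/Score headers")
    if hits >= tag2:
        marks.append("X-Spam-Flag: YES + subject tag")
    if hits >= kill:
        marks.append("kill level reached")
    return marks or ["no spam headers"]

def review(log_text, tag, tag2, kill):
    """Parse amavis result lines and pair each score with the expected marking."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an amavis result line
        hits = None if m["hits"] == "-" else float(m["hits"])
        rows.append((m["id"], m["verdict"], m["category"], hits,
                     expected_marks(hits, tag, tag2, kill)))
    return rows

if __name__ == "__main__":
    # Levels from the first post: tag 3, tag2 4.5, kill 5.
    for row in review(SAMPLE_LOG, tag=3, tag2=4.5, kill=5):
        print(row)
```

A message that shows a real score in the log but arrives without the expected headers points at the policy or delivery path; a line with no score at all points at the spam check being skipped for that message.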
After digging on the Debian machine and looking for some clues, it looked like there was some kind of virus, and I found this: http://serverfault.com/questions/483650/how-to-find-which-script-on-my-server-is-sending-spam-emails After following the solution, the spam was stopped and Spamassassin started to work flawlessly. As a matter of fact, it has been adding X-Spam flags to headers since then. The only thing I wonder is how the virus could get into the server; it is supposed to be a very secure setup. Thanks anyway.
Do you use it for hosting? Do you host any CRMs like WPress or Drupal, Joomla and so on? There are so many ways to get in when software is not updated or patched. I'm glad you found a solution, but remember, if you use "maldet", make sure you change the config to alert and show you where the problem is and not quarantine the files/remove them, because you'll run into more trouble. I'm sure we're all curious if it was a CMS and which plugin was the issue, or was it a user upload?
Hello,

Yes, we use our servers for hosting, but we are not using Joomla nor any other CRM now. We are planning to start using Joomla by the end of the year. Most of the content is static, but PHP is heavily used for several systems on that server. I read on some page that the error could mean a problem with PHP precisely. But for now we have not changed anything else.

The maldet output at that time was:

After that we removed the threat using maldet -q ...

We have also fixed the logjam problem. And we are planning to do several things in the following months:

Install clamav or maldet to monitor the server automatically from time to time.
Also, we are going to place a pfSense firewall in front of all our internet servers.

I have to say that nothing like this happened to us before when using CentOS + Virtualmin. Thanks for your input DDArt and greetings.
Your issue is not related to the use of a specific control panel nor OS. It's an issue in the CMS system, so the same would have happened under CentOS, openSUSE, Virtualmin, ISPConfig or cPanel.
As I pointed out weeks ago, there is no such CMS system now on any of our internet servers. So that could not have caused the problem, since there is no Joomla, Wordpress, etc. installed at the moment on any server. Also, we never saw this behavior before when using CentOS + Virtualmin.