Spamassassin being over protective

Discussion in 'General' started by bluethunder82, Oct 20, 2006.

  1. bluethunder82

    bluethunder82 Member

    Hi all,
    I'm not sure where the best place to add this question is, but the General section looked correct.

    I've got my ISPConfig setup working fairly well, just a few more items for me to learn and understand before I finish moving everything to the ISPConfig server. However, I ran into one really strange problem that will be a major roadblock if I cannot solve it.

    Using Postfix and Spamassassin it appeared everything was working fine with my test domains. However, today and yesterday when I logged into my internet account using my dial-up modem I am getting some very strange results. I sent an email from one of my hosted domains to another (both on the same machine) and I get the email marked as spam. This is frustrating because I know it isn't spam but simply a message from myself.

    The spam list is as follows:
    0.9 MSGID_FROM_MTA_ID Message-Id for external message added locally
    0.0 HTML_MESSAGE BODY: HTML included in message
    2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    [161.184.196.222 listed in dnsbl.sorbs.net]
    1.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
    [<http://dsbl.org/listing?161.184.196.222>]
    1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    [161.184.196.222 listed in combined.njabl.org]

    Now from my reading on the net about spamassassin the SORBS_DUL and NJABL_DUL are fairly aggressive. This leads me to two options.

    1) Should I remove SORBS_DUL, NJABL_DUL, etc.? I already use a few rbls before the messages get to spamassassin which was my primary filter on my old server so would these DUL be of use?

    2) Did I set something up wrong when installing postfix/spamassassin? Email seems to be working otherwise.

    Up until this issue I was impressed with the amount of spam spamassassin was filtering. It was really nice to see that I was getting maybe one message come through not marked as spam when it should have. My thoughts are I want to minimize any false positives. Nothing is 100% but sending to myself is extreme.

    The ISP that I use for dial-up / co-location / high-speed is basically 1 of 2 major ISPs in my region so it is not possible to switch ISPs. I assume it is unreasonable to talk to their abuse team and have them maybe talk with these DUL.

    To generate discussion, what are others' solutions? If I set the limit to a value like 10 these messages would get through but that doesn't really seem like a nice solution. So thoughts - opinions - options.

    If it would be helpful I don't mind posting the related information.

    thx.
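
Added example (not part of the original post): a short Python parser for the report lines quoted above that separates the DNSBL-derived points from everything else. The 5.0 threshold is SpamAssassin's default `required_score` and is an assumption here, since the poster's own setting is not shown; the function names are illustrative.

```python
import re

# Report lines copied from the post above.
REPORT = """\
0.9 MSGID_FROM_MTA_ID Message-Id for external message added locally
0.0 HTML_MESSAGE BODY: HTML included in message
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[161.184.196.222 listed in dnsbl.sorbs.net]
1.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?161.184.196.222>]
1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[161.184.196.222 listed in combined.njabl.org]
"""

REQUIRED_SCORE = 5.0  # assumption: SpamAssassin default, not the poster's value
RULE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_report(text):
    """Return one dict per rule hit: score, rule name, description, detail."""
    hits = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            hits.append({"score": float(m.group(1)), "rule": m.group(2),
                         "desc": m.group(3), "detail": []})
        elif line.strip() and hits:
            # Bracketed continuation line belongs to the previous rule.
            hits[-1]["detail"].append(line.strip())
    return hits

def summarize(hits, required=REQUIRED_SCORE):
    """Split the total into DNSBL points and the rest, and list flagged IPs."""
    rbl = [h for h in hits if h["desc"].startswith("RBL:")]
    ips = {ip for h in rbl for d in h["detail"] for ip in IPV4.findall(d)}
    total = round(sum(h["score"] for h in hits), 1)
    rbl_total = round(sum(h["score"] for h in rbl), 1)
    other = round(total - rbl_total, 1)
    return {"total": total, "rbl": rbl_total, "other": other,
            "listed_ips": sorted(ips),
            "spam_from_rbl_alone": rbl_total >= required,
            "spam_without_rbl": other >= required}

if __name__ == "__main__":
    print(summarize(parse_report(REPORT)))
```

All three DNSBL hits refer to the same client address, and together they exceed the assumed threshold on their own, while the non-DNSBL rules contribute less than one point.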
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Does your ISP provide a mail relay server that you may use to send your emails through? There are several posts about this topic in the forum.

    Is your server hosted on a dialup / dsl line? Have you checked that your server is not an open relay?

    http://www.abuse.net/relay.html
     
  3. bluethunder82

    bluethunder82 Member

    Hi Till,
    For the first question about using my ISP's mailrelay server. The answer is I don't know. I have never had this kind of problem before. I have a static IP address that hasn't changed in years. My thought is if I am running my mail server the emails should be going through my account. Otherwise, what would be the point of having the dedicated system.

    My server is hosted via a static IP address. I am not listed on any relays and haven't been in the history of my previous server.

    ---

    This problem again only appears to be happening when I send a local user email. I.e. I send a message from user1 to user2 both on the postfix server. When spamassassin checks to see if user1 sent spam the ip address from user1 is checked which is a dialup account. user2 sees the email flagged as spam.

    Should spamassassin only be checking against the IP address of the mail server? When I send in email from my old email setup I am not getting any spam points so this appears only for local delivery.

    Ideas - thoughts would be appreciated.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    But the message "1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    [161.184.196.222 listed in combined.njabl.org]" says that your IP is listed as a dialup account. Using the mail relay server of your provider means that you may use your local server for sending and receiving mail; the only difference is that your local server will deliver all mails through the SMTP relay of your provider to get around the usage of the blacklisted IP.
     
  5. bluethunder82

    bluethunder82 Member

    To clarify as I'm not sure exactly what you mean:

    The IP address reported by spamassassin (161.184.196.222) is a dynamic address created when I dial into my ISP via a modem. It has nothing to do with the mail server.

    If I use the mail relay when I send an email to a local account am I not now doing an extra step? client - my server - isp server - my server - client instead of client - my server - client?

    What I am not understanding is why this only affects locally delivered messages. When I look at the header I send via the mail server to an external address the header has the correct IP's (client and mail server). However, local only has client ip (which is dynamic).

    Hopefully this clears up my confusion.
     
  6. falko

    falko Super Moderator Howtoforge Staff

  7. bluethunder82

    bluethunder82 Member

    Hi Falko,
    I have checked using the blacklist test you gave and the other I have used in the past when checking IP addresses is at http://www.dnsstuff.com/. Both check out and I am not listed for any of my IP addresses.

    I tested out the relayhost entry in my main.cf to see if this would get rid of the problem. It won't be elegant but it may have worked. After using my isp's smtp relay for just over 24 hours the problem never resolved itself. To further track and see if this change was working I also tried separately using my other mail server as a relay. Both worked for outgoing mail - headers had all the correct data. However, locally delivered mail is still being marked as spam when I use my dial-up connection because it is checking on my dynamic IP address. Needless to say I'm thinking I've got some setting mixed up.

    A copy of main.cf is below:
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no

    append_dot_mydomain = no

    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = no
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

    myhostname = mytestinghostname
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    relayhost = (isp mail relay address / blank depending on test)
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.njabl.org

    smtpd_tls_auth_only = no
    smtp_use_tls = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

    virtual_maps = hash:/etc/postfix/virtusertable

    mydestination = localhost, /etc/postfix/local-host-names, 127.0.0.1
    ---end main.cf---

    Hopefully I am making some mistake here because it really isn't making much sense.
     
  8. falko

    falko Super Moderator Howtoforge Staff

    Put your local domains into /etc/hosts (with their local IP addresses). That should solve the problem.
     
  9. bluethunder82

    bluethunder82 Member

    For editing the hosts file:
    127.0.0.1 domainname

    Would that be sufficient?

    Also, what I was able to do last night was create a script that reads my local-host-names file and creates corresponding whitelist entries in my spamassassin's local.cf file.

    This seems to work but I am still interested in trying out the hosts file method.

    Cheers
     
  10. falko

    falko Super Moderator Howtoforge Staff

    Should work, but I'd rather do it like this:

    Code:
    127.0.0.1 localhost.localdomain localhost
    192.x.x.x(or whatever your IP address is) domainname
     
  11. DanceNgine

    DanceNgine New Member

    mmmh

    Same problem here.

    I added the info in /etc/hosts - do I have to restart anything after editing the hosts file?
     
  12. bluethunder82

    bluethunder82 Member

    To my understanding you do not need to restart any services. The file is looked up when needed.

    I made my changes with no restart.
     
  13. DanceNgine

    DanceNgine New Member

    hmmm... Is there any possibility to add my own URL to a whitelist or something like that?

    It's strange: Spamassassin sometimes flags emails as spam, although they were on the same server. For example: [email protected] to [email protected]

    What else can I do? :(
     
  14. bluethunder82

    bluethunder82 Member

    Have you made the appropriate changes to your /etc/hosts file? This method does work. I am curious however if ispconfig should automatically populate this file but there may be a non-obvious reason for not populating.

    In addition you can add whatever domains you want to the spamassassin whitelist list. Then when spamassassin detects a domain from your whitelist it automatically gives a -100 value.
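
Added example (not the poster's script, which is not shown in the thread): one way to generate whitelist entries from a local-host-names file, as described earlier in the thread, and keep them in a managed block of local.cf. It assumes the entries are `whitelist_from *@domain` lines, that the file holds one name per line with `#` comments, and the marker comments and function names are made up for illustration.

```python
import re

# Constructed sample of local-host-names content (not the poster's file).
SAMPLE_HOSTS = """\
# constructed sample
localhost
example.com
www.example.com
Example.COM
bad domain; whitelist_from *
"""

BEGIN = "# BEGIN generated-local-whitelist"   # hypothetical marker
END = "# END generated-local-whitelist"       # hypothetical marker
DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def hosted_domains(text):
    """Valid, de-duplicated domain names, in file order."""
    seen, out = set(), []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower()
        # Accept only plain FQDNs so a stray or malformed line cannot
        # smuggle an extra directive into local.cf.
        if name and DOMAIN.match(name) and name not in seen:
            seen.add(name)
            out.append(name)
    return out

def whitelist_block(domains):
    # whitelist_from keys on the sender address alone; SpamAssassin's docs
    # recommend whitelist_from_rcvd or whitelist_auth where those can be used.
    lines = [BEGIN] + [f"whitelist_from *@{d}" for d in domains] + [END]
    return "\n".join(lines) + "\n"

def update_local_cf(cf_text, block):
    """Replace the managed block if present, otherwise append it."""
    pattern = re.compile(
        re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.S)
    if pattern.search(cf_text):
        return pattern.sub(lambda _: block, cf_text, count=1)
    return cf_text.rstrip("\n") + "\n\n" + block

if __name__ == "__main__":
    block = whitelist_block(hosted_domains(SAMPLE_HOSTS))
    print(update_local_cf("required_score 5.0\n", block))
```

Because the block is rewritten between its markers, the script can be re-run whenever a domain is added or removed without duplicating entries.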
     
  15. DanceNgine

    DanceNgine New Member

    Sounds nice. Where can I find the whitelist? Or do you know the filename?
     
  16. falko

    falko Super Moderator Howtoforge Staff

    It's on the Spamfilter & Antivirus tab of each user in ISPConfig.

    No, ISPConfig doesn't modify /etc/hosts.
     
  17. bluethunder82

    bluethunder82 Member

    Hi Falko,
    What would be the reason not to have the /etc/hosts file modified? There is lots of info on the net about this file but nowhere does it really mention what shouldn't or should be done.

    Just curious.
     
  18. falko

    falko Super Moderator Howtoforge Staff

    There's no need for ISPConfig to modify it.
     
