How to know if spamfilter is working?

Discussion in 'Installation/Configuration' started by nandelbosc, Feb 19, 2009.

  1. nandelbosc

    nandelbosc New Member

    How to know if spamfilter is working? [SOLVED]

    UPDATE: SOLVED, see: http://www.howtoforge.com/forums/showpost.php?p=190493&postcount=24 Thanks, Till!

    Hi gurus!

    I have a recent installation of ISPConfig 2 on Ubuntu 8.10 from applianceforge and everything seems to work OK except the spam control...

    As you can see in this capture... http://www.elsxukurs.org/Snap174.jpg in the last two hours I received 3 mails that are clearly spam.

    In the last week I have received more than 200 mails that are clearly spam and 0 with the subject modified with "***SPAM***"

    How can I know if spamfilter works well?

    The process is working...
    Code:
    root@vito:~# ps aux | grep -i spam
    root      4163  0.0  0.8  29864 27188 ?        Ss   00:53   0:10 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/var/run/spamd.pid
    root      4514  0.0  0.8  29864 25348 ?        S    00:53   0:00 spamd child
    root      4516  0.0  0.8  29864 25348 ?        S    00:53   0:00 spamd child

    Of course I have checked the "MailScan", "AntiSpam" and "Antivirus" filters with the Strategy option "Accept", Score "5.0" and rewrite subject "***SPAM***".

    Thanks!
     
    Last edited: May 26, 2009
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The spamd daemon is not used by ispconfig 2. ISPConfig invokes the spamassassin script directly from procmail.

    If your spam does not get marked, then set the score to a lower value.
     
  3. nandelbosc

    nandelbosc New Member

    Doesn't work...

    I changed from 5.0 to 1.0 (via the ISPConfig web administration) and it still doesn't detect spam... These are this user's SpamAssassin prefs...

    Code:
    root@vito:/var/www/www.mysite.com/user/myuser# cat .spamassassin.rc
    # SpamAssassin sample procmailrc
    #
    # Pipe the mail through spamassassin (replace 'spamassassin' with 'spamc'
    # if you use the spamc/spamd combination)
    # The condition line ensures that only messages smaller than 250 kB
    # (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
    # isn't bigger than a few k and working with big messages can bring
    # SpamAssassin to its knees.
    :0fw
    * < 256000
    | /usr/sbin/spamc
    
    # Mails with a score of 15 or higher are almost certainly spam (with 0.05%
    # false positives according to rules/STATISTICS.txt). Let's put them in a
    # different mbox. (This one is optional.)
    #:0:
    #* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
    #/dev/null
    
    # All mail tagged as spam (eg. with a score higher than the set threshold)
    # is moved to "/dev/null".
    #:0:
    #* ^X-Spam-Status: Yes
    #/dev/null
    
    # Work around procmail bug: any output on stderr will cause the "F" in "From"
    # to be dropped.  This will re-add it.
    :0
    * ^^rom[ ]
    {
      LOG="*** Dropped F off From_ header! Fixing up. "
    
      :0 fhw
      | sed -e '1s/^/F/'
    }
    root@vito:/var/www/www.mysite.com/user/myuser# cat .spamassassin/user_prefs
    # SpamAssassin user preferences file.  See 'perldoc Mail::SpamAssassin::Conf'
    # for details of what can be tweaked.
    #*
    #* Note: this file is not read by SpamAssassin until copied into the user
    #* directory. At runtime, if a user has no preferences in their home directory
    #* already, it will be copied for them, allowing them to perform personalised
    #* customisation.  If you want to make changes to the site-wide defaults,
    #* create a file in /etc/spamassassin or /etc/mail/spamassassin instead.
    ###########################################################################
    
    # How many hits before a mail is considered spam.
    required_score                1.0
    
    rewrite_header Subject ***SPAM***
    
    # Whitelist and blacklist addresses are now file-glob-style patterns, so
    # "[email protected]", "*@isp.com", or "*.domain.net" will all work.
    # whitelist_from        [email protected]
    # whitelist_from
    
    # blacklist_from
    
    # URIBL support (see http://www.uribl.com)
    # urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
    # body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
    # describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
    # tflags          URIBL_BLACK  net
    # score           URIBL_BLACK  3.0
    
    # Add your own customised scores for some tests below.  The default scores are
    # read from the installed spamassassin rules files, but you can override them
    # here.  To see the list of tests and their default scores, go to
    # http://spamassassin.org/tests.html .
    #
    # score SYMBOLIC_TEST_NAME n.nn
    
    # Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
    # definitely want to uncomment the following lines.  They will switch off some
    # rules that detect 8-bit characters, which commonly trigger on mails using CJK
    # character sets, or that assume a western-style charset is in use.
    #
    # score HTML_COMMENT_8BITS        0
    # score UPPERCASE_25_50                0
    # score UPPERCASE_50_75                0
    # score UPPERCASE_75_100        0
    
    score           AWL  -100.0

    As you can see, the score is changed...
     
  4. nandelbosc

    nandelbosc New Member

  5. falko

    falko Super Moderator Howtoforge Staff

    What's in the .procmailrc of that user?

    Have you tried to update SpamAssassin's rulesets?
    Code:
    /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/sa-update
     
  6. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi,

    You can test your spam filter by sending an email with this content:

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
     
  7. nandelbosc

    nandelbosc New Member

    Sorry for the delay.

    Thanks, Falko. I executed /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/sa-update without errors, but it is still not detecting spam.

    In my user .procmailrc...

    Code:
    cat /var/www/web10/.procmailrc
    MAILDIR=$HOME/Maildir/
    DEFAULT=$MAILDIR
    ORGMAIL=$MAILDIR
    
    INCLUDERC=/var/www/web10/user/10info/.mailsize.rc
    ## INCLUDERC=/var/www/web10/user/10info/.quota.rc
    INCLUDERC=/var/www/web10/user/10info/.antivirus.rc
    INCLUDERC=/var/www/web10/user/10info/.local-rules.rc
    INCLUDERC=/var/www/web10/user/10info/.html-trap.rc
    INCLUDERC=/var/www/web10/user/10info/.spamassassin.rc
    ## INCLUDERC=/var/www/web10/user/10info/.autoresponder.rc
    
    mccharlet, thanks too, but your test doesn't work... I have the mail in my inbox without the SPAM tag.
     
  8. mccharlet

    mccharlet Member HowtoForge Supporter

  9. falko

    falko Super Moderator Howtoforge Staff

    Does
    Code:
    /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --lint
    show any errors?
     
  10. nandelbosc

    nandelbosc New Member

    I know the EICAR test, but GTUBE is new to me, interesting!

    No...
    Code:
    root@vito# /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin --lint
    root@vito# 

    Am I the only one who has this problem with "ISPConfig 2 on Ubuntu 8.10 from applianceforge"? This makes me think that I've done something wrong, but I have not changed anything other than through the web interface...
     
  11. falko

    falko Super Moderator Howtoforge Staff

    What's in the header of the spam mails that got through? Are there any SpamAssassin lines?
     
  12. nandelbosc

    nandelbosc New Member

    I see a line from antivirus...

    Code:
    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: by vito.elseudomini.net (Postfix)
    	id A556D13C21A; Sun, 22 Feb 2009 20:34:54 +0100 (CET)
    Delivered-To: [email protected]
    Received: from [78.167.116.205] (unknown [78.167.116.205])
    	by vito.elseudomini.net (Postfix) with ESMTP id 01C3A13C218
    	for <[email protected]>; Sun, 22 Feb 2009 20:34:39 +0100 (CET)
    Received: from [78.167.116.205] by mx3.hotmail.com; Sun, 22 Feb 2009 21:34:39 +0200
    From: "Blake Rossi" <[email protected]>
    To: <[email protected]>
    Subject: Re: 
    Date: Sun, 22 Feb 2009 21:34:39 +0200
    MIME-Version: 1.0
    X-Security: message sanitized on vito.elseudomini.net
    	See http://www.impsec.org/email-tools/sanitizer-intro.html
    	for details. $Revision: 1.151 $Date: 2006-01-20 07:29:24-08 
    X-Security: The postmaster has not enabled quarantine of poisoned messages.
    Content-Type: multipart/related;
    	boundary="----=_NextPart_000_000E_01C99535.5D6D0180"
    X-Mailer: Microsoft Office Outlook, Build 11.0.5742
    Thread-Index: Aca6QHHNGGHMW6TATX9MVIXZAQ255E==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3000.0558
    Message-ID: <01c99535$5d6d0180$cd74a74e@telemaquem>
    X-Virus-Status: No
    X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.94.1rc1/9022/Sun Feb 22 03:31:59 2009
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_000E_01C99535.5D6D0180
    Content-Type: multipart/alternative; boundary="----=_NextPart_001_000F_01C99535.5D6D0180"
    
    ------=_NextPart_001_000F_01C99535.5D6D0180
    Content-Type: text/plain; charset="windows-1250"
    Content-Transfer-Encoding: 7bit
    
    is so often misunderstood,  Noted pediatrician and author  the �zeros� element of your and why everything   activities  this should be your  in between sips of a martini.  in the shuffle,  piece of accurate 
    used in the Java API "There's just such a  of every internal industry In a way that lets you put  For now,  will be provides a  Design Patterns, you'll avoid  for some of  such an attitude neurobiology, cogn
    itive   the report says. render you any further services.But you don't just  have the resources,  are unregulated and Head First Design Patterns  balanced with plenty  recommended by In a way that lets you p
    ut  children are plopped in  the investments within  what to expect--a visually-rich  stress for children  that these investments or on the real relationship  Ginsburg, the report's lead author and  to a mor
    tgage endowment.
    
    
    ------=_NextPart_001_000F_01C99535.5D6D0180
    Content-Type: text/html; charset="windows-1250"
    Content-Transfer-Encoding: quoted-printable
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    
     
  13. nandelbosc

    nandelbosc New Member

    I created a test user (prova(AT)elseudomini.net) and sent (from another domain outside of ISPConfig [email protected]) a GTUBE test. Here is the header...

    Code:
    root@vito:/var/www/www.elseudomini.net/user/10prova/Maildir# cat cur/1235338449.3734_1.vito.elseudomini.net\:2\, 
    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from triesmailnou.MYOTHERDOMAIN.COM (unknown [81.47.195.202])
    	by vito.elseudomini.net (Postfix) with ESMTP id 269FC13C218
    	for <[email protected]>; Sun, 22 Feb 2009 22:34:09 +0100 (CET)
    Content-Class: urn:content-classes:message
    MIME-Version: 1.0
    X-Security: message sanitized on vito.elseudomini.net
    	See http://www.impsec.org/email-tools/sanitizer-intro.html
    	for details. $Revision: 1.151 $Date: 2006-01-20 07:29:24-08 
    X-Security: The postmaster has not enabled quarantine of poisoned messages.
    Content-Type: multipart/alternative;
    	boundary="----_=_NextPart_001_01C99535.209CF747"
    Subject: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X 
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3959
    Date: Sun, 22 Feb 2009 22:32:56 +0100
    Message-ID: <ECE3012EF7CA654A86F6753CCE68FFAE6C2F@triesmailnou.MYOTHERDOMAIN.COM>
    X-MS-Has-Attach: 
    X-MS-TNEF-Correlator: 
    Thread-Topic: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X 
    thread-index: AcmVNSCVgbh+LECdQUaZRQ/TuElc4g==
    From: "Marc Serra" <[email protected]>
    To: <[email protected]>
    X-Virus-Status: No
    X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.94.1rc1/9023/Sun Feb 22 21:11:47 2009
    
    This is a multi-part message in MIME format.
    
    ------_=_NextPart_001_01C99535.209CF747
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    
    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X=20
    
    For this user I have these check boxes activated... MailScan, Antispam Filter and Antivirus.
     
    Last edited: Feb 22, 2009
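
The header check asked for in post 11, done mechanically. This is an added example, not part of the thread or of ISPConfig: it reads only the header block of a message file and reports which filter stages left their headers, so a delivery like the GTUBE one above shows up as sanitized and virus-scanned but never passed through SpamAssassin. The function names, the `SAMPLES` directory and both sample messages are constructed for illustration.

```shell
# Added example: infer from a message's headers which delivery filters ran.
# X-Security, X-Virus-Status, X-Spam-Status and X-Spam-Level appear in this
# thread; X-Spam-Checker-Version is SpamAssassin's default version header.

# Print the header block of message file $1 with folded lines joined.
unfolded_headers() {
    awk '
        { sub(/\r$/, "") }
        /^$/ { exit }                     # first blank line ends the headers
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# Print one "stage=present" or "stage=missing" line per filter for file $1.
filter_report() {
    hdrs=$(unfolded_headers "$1")
    for stage in "sanitizer:^X-Security:" "antivirus:^X-Virus-Status:" \
                 "spamassassin:^X-Spam-(Status|Level|Checker-Version):"; do
        name=${stage%%:*}; re=${stage#*:}
        if printf '%s\n' "$hdrs" | grep -Eiq "$re"; then
            echo "$name=present"
        else
            echo "$name=missing"
        fi
    done
}

# Print yes, no or unscanned according to the X-Spam-Status header of $1.
spam_verdict() {
    v=$(unfolded_headers "$1" |
        sed -n 's/^[Xx]-[Ss]pam-[Ss]tatus:[ ]*\([A-Za-z]*\).*/\1/p' | head -n 1)
    case "$v" in
        [Yy]es) echo yes ;;
        [Nn]o)  echo no ;;
        *)      echo unscanned ;;
    esac
}

# Constructed samples: an unscanned message (marker only in the body) and a scanned one.
SAMPLES=$(mktemp -d)
printf '%s\n' 'Subject: test' 'X-Security: message sanitized on mail.example' \
    ' See documentation for details.' 'X-Virus-Status: No' '' \
    'X-Spam-Status: Yes (body text, not a header)' > "$SAMPLES/unscanned.eml"
printf '%s\n' 'Subject: ***SPAM*** test' 'X-Virus-Status: No' \
    'X-Spam-Status: Yes, score=1000.0 required=5.0' ' tests=GTUBE' '' 'body' \
    > "$SAMPLES/scanned.eml"
filter_report "$SAMPLES/unscanned.eml"
```

A result of `spamassassin=missing` next to `antivirus=present` means the message went through the procmail chain but the SpamAssassin recipe did not add its headers, which is a different fault from a score threshold that is set too high.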
  14. falko

    falko Super Moderator Howtoforge Staff

    Hm, hard to tell why this isn't working. Is AppArmor disabled?
     
  15. nandelbosc

    nandelbosc New Member

    I'm not at work right now, so I can't check whether AppArmor is enabled, but... is it enabled by default? The answer to that question is the answer to your question :)
     
  16. nandelbosc

    nandelbosc New Member

    Confirmed... AppArmor is not running :(

    Can I try to reinstall Spamassassin?
     
  17. falko

    falko Super Moderator Howtoforge Staff

    I don't think that will help. I think I'm at my wit's end here. :(
     
  18. nandelbosc

    nandelbosc New Member

    I'm sorry to hear this, but thank you for your patience! ;)

    Furthermore, I just have one question... Am I the only one this happens to? Does anyone else use the same virtual machine as I do?

    Thanks again!
     
  19. falko

    falko Super Moderator Howtoforge Staff

    I don't have any problems with SpamAssassin...
     
  20. nandelbosc

    nandelbosc New Member

    Sorry to revive this post, but I'm still trying to solve it...

    In the mail header you can see ...

    Code:
    ...
    Content-type: text/plain; charset=ISO-8859-1
    Content-transfer-encoding: 7bit
    X-virus-status: No
    X-virus-checker-version: clamassassin 1.2.4 with clamscan / ClamAV 0.94.2/9180/Sun Mar 29 22:40:14 2009
    X-evolution-source: imap: ...

    But we should see a line like this, no?...

    Code:
    X-UKC-CSSpamCheck-Checker-Version: SpamAssassin  3.2.5-1ubuntu1

    Why is that line missing?
     
