Outlooks SPAM vs ISPConfig3 SPAM

Discussion in 'General' started by Tekati, Nov 19, 2014.

  1. Tekati

    Tekati ISPConfig Developer ISPConfig Developer

    I have a question about SPAM. I am running ispconfig3 with postfix, amavis-new with courier pop and imap.

    I get a lot of spam that makes it through the mail server but Outlook catches it just fine. So why does OUTLOOK work for spam but the postfix and amavis combination not?

    I set tag level 1 to -100 so I can see all tags. Then I set tag to show [_SCORE_] so that I can see the score in all emails only to me. They are all over the place. Lots are below 1 and pass through no problem.

    What can I check or add to the configuration to help? Are there logs or config files you would like to see?

    Thank you!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I can't tell you what Outlook uses internally, most likely a combination of autolearning (bayes) and filter rules, not sure if Microsoft published that at all. What amavis uses is a combination of spamassassin (rules and bayes filter) and blacklists.

    Which "spam tag 2" level do you use (that's the one that marks a mail as spam)?
    Did you set any postfix blacklists under System > server config > mail in ispconfig?
    Do you see any negative scores in the spam emails that come through, like "bayes -1" or similar?
     
  3. Tekati

    Tekati ISPConfig Developer ISPConfig Developer

    5

    zen.spamhaus.org,bl.spamcop.net,psbl.surriel.com,combined.rbl.msrbl.net

    Yes, lots of negative numbers, some positive numbers. The problem is I see good email with positive and negative numbers and some spam that Outlook catches as spam with negative numbers :confused:
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Set the spam tag 2 level from 5 to 3.501

    Regarding negative numbers in spam scores, please check which tests regularly cause negative numbers on messages that are spam.

    The blacklists are fine.
     
  5. Tekati

    Tekati ISPConfig Developer ISPConfig Developer

    Here is a message header from a mailing list. Even it received a -1.68

    Received: from localhost (localhost [127.0.0.1])
    by x.x.com (Postfix) with ESMTP id 7021D256102
    for <[email protected]>; Thu, 20 Nov 2014 13:01:04 -0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at x.x.com
    X-Spam-Flag: NO
    X-Spam-Score: -1.68
    X-Spam-Level:
    X-Spam-Status: No, score=-1.68 tagged_above=-100 required=2
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HEADER_FROM_DIFFERENT_DOMAINS=0.013, HTML_MESSAGE=0.001,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, RDNS_NONE=0.793,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_GREY=0.424]
    autolearn=no autolearn_force=no
    Authentication-Results: x.x.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=mail21.atl91.mcsv.net;
    domainkeys=pass (1024-bit key)
    [email protected]
    header.d=mail21.atl91.mcsv.net
    Received: from x.x.com ([127.0.0.1])
    by localhost (x.x.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ulo_9d82ajAT for <[email protected]>;
    Thu, 20 Nov 2014 13:00:57 -0800 (PST)
    Received: from mail21.atl91.mcsv.net (unknown [198.2.130.21])
    by x.x.com (Postfix) with ESMTP id 809F9256056
    for <[email protected]>; Thu, 20 Nov 2014 13:00:57 -0800 (PST)
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail21.atl91.mcsv.net;
    h=Subject:From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; [email protected];
    bh=ahJeGjXl+DU76hzRlbUwYpvPYO4=;
    b=hmzQa/q2JbT8KNgLBxns745qUnx8c1sKAxGe8mjZqSt1uW0d7Y0NAyhjxkPQmt1O05ziXgvZloKz
    Eym+Fv/V2xWaeCh7KwzNz6Kj7AkEBlQn9IFcdc1kcxTJRQLY60qDmfBqh3rHOv3hKYxBZVtYh8dI
    8kD0uwZH90mYBtyLE7I=
    DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail21.atl91.mcsv.net;
    b=Qv7ZhNVx4RTRMoAqXX1fShkb1GVbOE8nk/up3wUCH+romOGj6LmfO8aK5Yp6e8+wxgIHKx9rJVMH
    o54wlRbPQ10XJsEMr5X5IAX5keDwXwEgYJ8iYbRhqWfttb4ZUiQgQRodXNOFy0/9vQia4EtM3o2J
    MtFQ21CewTh/DNkaVLY=;
    Received: from (127.0.0.1) by mail21.atl91.mcsv.net id hdpb8i1ohkgo for <[email protected]>; Thu, 20 Nov 2014 21:00:25 +0000 (envelope-from <[email protected]>)
    Subject: [-1.68] =?utf-8?Q?November=202014=20Newsletter?=
    From: =?utf-8?Q?GHI=20Electronics?= <[email protected]>
    Reply-To: =?utf-8?Q?GHI=20Electronics?= <[email protected]>
    To: =?utf-8?Q?X?= <[email protected]>
    Date: Thu, 20 Nov 2014 21:00:25 +0000
    Message-ID: <a4e51d4ff899124001f2b9e7741f5676ffb.20141120205947@mail21.atl91.mcsv.net>
    X-Mailer: MailChimp Mailer - **CID17f54c59ab41f5676ffb**
    X-Campaign: mailchimpa4e51d4ff899124001f2b9e77.17f54c59ab
    X-campaignid: mailchimpa4e51d4ff899124001f2b9e77.17f54c59ab
    X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=a4e51d4ff899124001f2b9e77&id=17f54c59ab&e=41f5676ffb
    X-MC-User: a4e51d4ff899124001f2b9e77
    X-Feedback-ID: 34985885:34985885.656937:us9:mc
    List-ID: a4e51d4ff899124001f2b9e77mc list <a4e51d4ff899124001f2b9e77.502265.list-id.mcsv.net>
    X-Accounttype: pd
    List-Unsubscribe: <mailto:unsubscribe-a4e51d4ff899124001f2b9e77-17f54c59ab-41f5676ffb@mailin1.us2.mcsv.net?subject=unsubscribe>, <http://c.us9.list-manage.com/unsubscribe?u=a4e51d4ff899124001f2b9e77&id=809a63cbc5&e=41f5676ffb&c=17f54c59ab>
    Sender: "X" <[email protected]>
    x-mcda: FALSE
    Content-Type: multipart/alternative; boundary="_----------=_MCPart_1328905513"
    MIME-Version: 1.0
    X-Antispam: clean, score=10
    X-Antivirus: avast! (VPS 141120-0, 11/20/2014), Inbound message
    X-Antivirus-Status: Clean
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, but mailing lists are normally double opt-in and not spam? The mail is from a well-known business mailing service and also includes a link to report this as spam in case someone misused the service. So I won't call this a typical spam mail.

    And the content of this mail is spam, or just unwanted? Spamassassin reports the content according to the self-learning filter as not typical spam. So either the bayes filter has trained wrong emails or the message content is not typical spam content.
     
  7. Tekati

    Tekati ISPConfig Developer ISPConfig Developer

    Bad example how about this one.

    That last one was a bad example, how about this one.

    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    by x.x.com (Postfix) with ESMTP id 0532025614C
    for <[email protected]>; Thu, 20 Nov 2014 13:37:37 -0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at x.x.com
    X-Spam-Flag: NO
    X-Spam-Score: -0.013
    X-Spam-Level:
    X-Spam-Status: No, score=-0.013 tagged_above=-100 required=2
    tests=[BAYES_20=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
    Received: from x.x.com ([127.0.0.1])
    by localhost (x.x.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id HuBgPg7G_fLc for <[email protected]>;
    Thu, 20 Nov 2014 13:37:30 -0800 (PST)
    Received: from vpsnoder02.mobi (vpsnoder02.mobi [50.2.23.195])
    by x.x.com (Postfix) with ESMTP id 3CFBC256103
    for <[email protected]>; Thu, 20 Nov 2014 13:37:30 -0800 (PST)
    Date: Thu, 20 Nov 2014 14:38:17 -0700
    Message-ID: <8819433-12723684-0f566aaaec97dcaf8b40023bb7fd67b0@vpsnoder02.mobi>
    To: <[email protected]>
    Harl: 8819433.12723684
    Vivid: 881943312723684
    Rasbora: 0f566aaaec97dcaf8b40023bb7fd67b08819433
    From: Verify TranUnion Details <[email protected]>
    Subject: [-0.013] Critical - Verify Your Transunion, Experian, Equifax Details
    Today.
    Content-Type: text/plain
    Eatery: 0f566aaaec97dcaf8b40023bb7fd67b0
    Mime-Version: 1.0
    X-Antispam: spam, score=90
    X-Antivirus: avast! (VPS 141120-0, 11/20/2014), Inbound message
    X-Antivirus-Status: Clean
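
Added example (not part of the original thread, and not ISPConfig or amavisd-new code): one way to follow the advice in post 4 and see which tests pull scores down, by parsing X-Spam-Status headers in the format posted above and summing each test's negative points. The function names are illustrative; the two sample headers are the ones quoted in posts 5 and 7, and in practice you would feed it only messages you have confirmed as spam.

```python
import re
from collections import defaultdict

# X-Spam-Status as written by amavisd-new; re.S lets it span folded lines.
STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?:Yes|No),\s*score=(?P<score>-?[\d.]+)"
    r".*?required=(?P<required>-?[\d.]+)\s*tests=\[(?P<tests>.*?)\]",
    re.S | re.I)

# The two X-Spam-Status headers posted in the thread (posts 5 and 7).
NEWSLETTER = """X-Spam-Status: No, score=-1.68 tagged_above=-100 required=2
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 HEADER_FROM_DIFFERENT_DOMAINS=0.013, HTML_MESSAGE=0.001,
 MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
 RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, RDNS_NONE=0.793,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_GREY=0.424]
 autolearn=no autolearn_force=no"""
MISSED_SPAM = """X-Spam-Status: No, score=-0.013 tagged_above=-100 required=2
 tests=[BAYES_20=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no"""

def parse_spam_status(raw_headers):
    """Return (score, required, {test: points}) from raw message headers."""
    m = STATUS_RE.search(raw_headers)
    if m is None:
        raise ValueError("no X-Spam-Status header found")
    tests = {}
    for item in m.group("tests").split(","):
        name, _, points = item.strip().partition("=")
        if name and points:  # skip empty or malformed entries
            tests[name] = float(points)
    return float(m.group("score")), float(m.group("required")), tests

def negative_contributors(messages):
    """Sum negative points per test; most score-lowering test first."""
    totals = defaultdict(float)
    for raw in messages:
        _, _, tests = parse_spam_status(raw)
        for name, points in tests.items():
            if points < 0:
                totals[name] += points
    return sorted(totals.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    for name, total in negative_contributors([NEWSLETTER, MISSED_SPAM]):
        print(f"{name:22s} {total:+.4f}")
```

On these two headers the largest negative contributions come from BAYES_00 and RCVD_IN_MSPIKE_H5.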
     
