I have noticed recently in my root mail recent errors like this: -snip- Cron <root@ns9> /usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log Argument "perl_version" isn't numeric in numeric ge (>=) at (eval 625) line 1. Argument "perl_version" isn't numeric in numeric ge (>=) at (eval 1109) line 1. --snip-- this appears to be a problem caused by an update. fix according to google: --snip-- cd /tmp wget "http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Conf/Parser.pm?r1=1642207&r2=1642206&pathrev=1642207&view=patch" -O parser.pm.patch wget "http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm?r1=1642207&r2=1642206&pathrev=1642207&view=patch" -O conf.pm.patch patch /usr/share/perl5/Mail/SpamAssassin/Conf/Parser.pm < parser.pm.patch patch /usr/share/perl5/Mail/SpamAssassin/Conf.pm < conf.pm.patch --snip-- in my case (Centos) the path is actually /usr/share/perl5/vendor_perl/Mail/SpamAssassin etc. hopefully this helps. on another topic. I'm still being whackered by spam and customers complaining. I'm seeing blatant spam messages getting scored as .8, and my folks are getting VERY upset. something obviously is not working properly - and I'm wondering if sa-learn is working at all. how to troubleshoot?? or do you have a bit of time which you could log in and take a look at my spamassassin setup? happy to donate appropriately! one final question - I've not upgraded ISPConfig from p4 to p5 - how important is that? have been leery of upgrading recently LOL cdb.
Plesae take a look at the mail headers of spam mails that slipped trough, do their contain negative scores for the bayes filter? If thats the case, then spamassassin learnt something wrong. To improve the spam filtering, you can try to install raror and pyzor and configure them in spamassassin local.cf file, then restart amavisd to activate them. The update is not that important, so you can skip it.
from a recent spam X-Spam-Flag: NO X-Spam-Score: 0.712 X-Spam-Level: X-Spam-Status: No, score=0.712 tagged_above=-999 required=3 tests=[BAYES_40=-0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=no any ideas?
yet another mail problem! one of my customers computers got infected and he used MY server to send out 1000s of spams so I've been blacklisted with several anti-spam sites... I let them use my server for outgoing (with port 6705 to get past the usual port 25 block) what on earth do I do to block OUTGOING spam?????? cdb.
Amavis filters the incoming and outgoing emails. If there is no policy defined that matches a specifc address, then the default settings from the amavis config file are used. To set a policy in ispconfig that applaies to all emails that dont have another policy set, create a new item under Spamfilter > User/domain in the email module, enter as pattern: @. and select the policy that shell get applied. As you want to delete the spam that is being sent, you have to set the kill level of that policy to the score that you want emails to be deleted. Another option to lower the impact of such issues is that you add policyd to your mails etup and configure email qutas in policyd, so that users ca only send a specified amount of emails per hour or day.
here is one of the emails in full how to diagnose? Here is one of the emails that I think certainly SHOULD be canned as spam: now in the spam-status block see the values? one is autolearn=no dont we want it to learn? how to fix. and all these values seem very low. and cant amavisd work with blacklist sites? how to incorporate one (or more) into my settings? and can I save this message for testing purposes to I can tell how any changes are helping/hurting things? cdb. --snip-- Return-Path: <[email protected]> X-Original-To: [email protected] Delivered-To: [email protected] Received: from localhost (unknown [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id 8D89C1A257A for <[email protected]>; Tue, 9 Dec 2014 15:01:15 +0000 (UTC) X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com X-Spam-Flag: NO X-Spam-Score: 1.523 X-Spam-Level: * X-Spam-Status: No, score=1.523 tagged_above=-999 required=3 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=no Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihZaaevkFc-t for <[email protected]>; Tue, 9 Dec 2014 10:01:14 -0500 (EST) Received: from hal-deb.disfuntionbegone.com (hal-deb.disfuntionbegone.com [206.206.168.26]) by ns9.cdbsystems.com (Postfix) with ESMTP id E2B1A1A2564 for <[email protected]>; Tue, 9 Dec 2014 10:01:11 -0500 (EST) Date: Tue, 09 Dec 2014 07:01:09 -0800 From: No More ED <[email protected]> To: <[email protected]> Subject: Unwanted body changes in men Message-ID: <22224711370340320141209073430949.eBvzlOaxa@mx1.hal-deb.disfuntionbegone.com> Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 <HTML> <BODY> <table cellpadding="0" cellspacing="0" style="margin:0px;border-right:5px solid #000000; border-left:5px solid #000000;" width="774"> <tr><td width="764"> <table cellpadding="0" cellspacing="0" style="margin-top:0px;" width="766"><tr><td style="font-size:12px; color:#000000; line-height:150%; font-family:trebuchet ms;" valign="top" width="127"><table border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody> <tr><td bgcolor="#000000"></td> <td bgcolor="#000000"></td> <td bgcolor="#000000"></td></tr> <tr><td bgcolor="#000000" width="493"><img align="left" alt="Men's Health Today" border="0" height="73" src="http://www.disfuntionbegone.com/martins/vanillins/vapour/coextensive/ironside/exurbanites.png" width="493"></td> <td bgcolor="#000000" width="5"> <td width="269"><table bgcolor="#000000" border="0" cellpadding="0" cellspacing="0"> <tbody> <tr><td bgcolor="#ffe400" height="7" width="269"></td></tr> <tr> <td height="20" width="269"><font color="#ffffff" face="Arial, Helvetica,sans-serif" originaltag="yes" size="3"><b>December 09, 2014</b></font><span style="font-size:1px;">Re: Ginny I wanted to see that too. I keep dropping connection to the internet. Sometimes it will work for an extended period of time. Other times it won't work at all or just for a second or two. When I run the troubleshoot, it states (The communication between your access point, router, or cable modem and the internet is broken and -The default gateway</span></td></tr> <tr><td height="46"></tr> </tbody></table></td></tr></tbody></table> <table bgcolor="#FFFFFF" cellpadding="0" cellspacing="0" width="766"> <tr><td bgcolor="#FFFFFF" valign="top" width="415"> <table border="0" width="415"> <tr><td valign="top"><h2 style="font-family:Arial, Helvetica, sans-serif; font-size:20px; font-weight:bold; text-transform:uppercase;margin:15px 0 0 0;padding-left:5px; padding-right:10px; text decoration:none; color:#981818"><strong>devastating condition 50% of men get; have you been lied to?</strong><BR> </h2></td></tr> <tr><td style="font-size:12px;color: #636363;font-weight:bold; font-family:Arial; padding-left:5px; padding-right:5px; text decoration:none">By: Jerry Miller | December 08, 2014</td></tr> <tr> <td style="text-aling:left;padding-left:5px;color:#000000;font-family:Arial, Helvetica, sans-serif;padding-right:1px;font-size:14px; line-height:1.1m;font-weight:400;"><p><A HREF="http://www.disfuntionbegone.com/instabilities/lunging/fishtailing/crumble/blemishes/penology.htm"><img align="right" alt="living-in-fear" border="0" hspace="10" src="http://www.disfuntionbegone.com/centralizers/dubbers/tzardom/stoneware/rumanians.png" vspace="10" width="150"></A><BR> As a man with E.D. it's something you pray you never get. And when you do you're in complete shock and humiliation and think that your life is doomed because you can't perform on-demand anymore.<a href="http://www.cdc.gov/men/nmhw/" style="font-size:1px;">http://www.cdc.gov/men/nmhw/</a><BR> <BR> <span style="font-family:Cambria, 'Hoefler Text', 'Liberation Serif', Times, 'Times New Roman', serif; font-size:1px;">Type the following command: IPCONFIG /ALL [Note that there is no space between the slash and ALL.] [Press ENTER after each command.]</span><BR> The reason why I'm telling you this is because I was once in your shoes. The embarrassment and devastation led me to the root cause of ED, which has <strong>NOTHING to do with Low-T levels</strong>, according to Columbia University, and Ivy league research.<BR> <BR> More importantly, I would like you to understand the cause and how I managed to overcome my ED. <br> <A HREF="http://www.disfuntionbegone.com/instabilities/lunging/fishtailing/crumble/blemishes/penology.htm" STYLE="font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-style: normal; font-weight: bold; color: #C00; font-variant: normal; text-transform: none;"><em><strong>http://report.MensHealth/2014/ED-have-we-been-lied-to.html</strong></em></A></p> <p> </p> <p>Thanks.</p> <p> </p> <p>P.S.: Remember, it's normal be shocked at first. Believe me we all are.<br> And it helps to know that there is hope: <a href="http://www.disfuntionbegone.com/instabilities/lunging/fishtailing/crumble/blemishes/penology.htm">www.menshealth/ED/faq.html</a></p> <p> </p> <p><BR> <BR> </p> </td></tr></table> </td> <td style="font-size:12px; color:#000000; line-height:1.1m; font-family:trebuchet ms;background-color:#FFFFFF;border-left:1px solid #000000;text-align:left; padding-top:10px;" valign="top" width="364"> <table width="350"> <tr> <td align="center"> </td></tr></table> <table border="0" cellpadding="0" cellspacing="0" width="350"><tr> <td><table align="center" border="0" cellpadding="0" cellspacing="0" valign="top" width="337"> <tr> <td align="left" height="101" style="line-height:0px;" valign="top" width="92"> </td> <td align="left" style="font-family: Arial, sans-serif; font-size: 12px; color: #000000; line-height: 14px; font-weight: normal; letter-spacing: normal; word-spacing: normal;" valign="top"></td> </tr></table></td></tr> <tr><td align="left" height="2" valign="bottom"><BR> </td></tr> <tr> <td align="center" valign="bottom"><BR> </td></tr></table></td> </tr></table> </td></tr> <tr><td align="center" colspan="2" style="border-top: 1px solid #000000; margin-top: 10px" valign="top"><p><BR> </p> <p><font face="Verdana, Arial, Helvetica, sans-serif" originaltag="yes" size="1"><BR> <BR> <font color="#333333" face="Verdana, Arial, Helvetica, sans-serif" originaltag="yes" size="-5"><span style="font-size:70%">Customer Service Dept., 19 Jonas St,, Virginia Beach,, VA 23462<BR> © 2014 MH Producitons</span></font></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" originaltag="yes" size="1"><font face="Verdana, Arial, Helvetica, sans-serif" originaltag="yes" size="1"><a style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9px; font-weight: normal; color: #333333; text-decoration: underline" href="http://www.disfuntionbegone.com/cumquats/ersatz/knotted/appropriation.html">maintain Your Email-Preferences</a><BR> </font><font color="#333333" face="Verdana, Arial, Helvetica, sans-serif" originaltag="yes" size="1"><BR> <BR> 37395169 </font></font></p> <p> </p> <p> </p> <p> </p> <ul style="font-size:10px;"> <li>Skip the galvanized tub and stabilization steps if the tree comes packed in a plastic bucket. Use something under the tree to protect the floor.</li> <li>If the work of bringing a live tree in and out of the house seems excessive, consider planting the tree directly outside and decorating it there. This can become an enjoyable occasion that is less stressful on both you and the tree.</li> <li>Place old cotton towels on top of the root ball and keep the towels moist. Wet towels will generally remain moist for for 1-2 days depending on conditions in your home. They also make it easier to apply water to the tree root ball without spillage onto your flooring.</li> <li>Look for Anti-dessicants and anti-wilt product under the names of<em>Wilt-Pruf</em>or<em>Cloud-Cover</em>.</li> <li>If you do not have space in your own yard for a living tree, you may be able to donate it to a local school, church or park. Be sure that there are such options in your area ahead of time.</li> </ul> <p><font face="Verdana, Arial, Helvetica, sans-serif" originaltag="yes" size="1"><font color="#333333" face="Verdana, Arial, Helvetica, sans-serif" originaltag="yes" size="1"><BR> </font></font></p> </td></tr></table> </td></tr></table> <BR> <BR> <BR> <font color="#666666" face="Verdana,Helvetica" originaltag="yes" size="1"></font><BR> </BODY> </HTML> --snip--
comment on these postfix main.cf changes? I see one fellow suggesting these for anti-spam measures, in the /etc/postfix/main.cf file: currently I have NO entries for smtpd_helo_restrictions, or smtpd_recipient_restrictions. should I implement any/all of these? and if I want to implement some of the blacklist checks (are they worth it?) what do I have to do? anything outside of postfix? any account I need to setup with them or do these work transparently. I also notice I have several main.cf files: xxxxxxxxxxxxxxxxxxxxxxt 29428 Oct 19 17:34 main.cf -rw-r--r-- 1 root root 29310 Oct 19 17:34 main.cf~ -rw-r--r-- 1 root root 29428 Oct 19 17:34 main.cf~2 -rw-r--r-- 1 root root 29429 Oct 19 17:34 main.cf~3 which on is used by postfix? why are there multiple version? the main.cf lists NO entry for smtpd_recipient_restrictions. but the cf~2 file has: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf but this file has NO entry for smtpd_helo_restrictions back to the suggested settings for main.cf --snip-- disable_vrfy_command = yes smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_restrictions = permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit smtpd_error_sleep_time = 1s smtpd_soft_error_limit = 10 smtpd_hard_error_limit = 20 --snip--
A message gets learned when its scores a high enough to be problaböy spam. spamassassin always uses blacklist by default, at least if you did not disable that manually in spamassassin's local.cf file. And as spamasssasin is the filter engine of amavis, the same rules get applied to amavis filtering. Nevertheless you should consider to add some blacklists under System > server config > mail to deny emals also on postfix level. pipe the output of the command to a file, if you want to save it. Postfix uses the file main.cf Adding restrictions in smtpd_recipient_restrictions is just fine as the yget applied to the connection as well, just at a different stage. you can try the settings that you mentioned above, but ensure that you dont remove "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf" from recipient restrictions.
changes to main.cf I've implemented these changes: one question is the 'permit' required at the end of the last line? it seems to be missing so I'm assuming its probably optional at this point. and how about the sleep lines at the end of the suggested hardening - any comments? --snip-- [root@ns9 postfix]# diff main.cf main.cf.bak 687c687 < smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf --- > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf 720,721d719 < smtpd_helo_required = yes < smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit [root@ns9 postfix]# /etc/init.d/postfix restart ----snip--- I've noticed these lines in maillog: Dec 9 15:17:53 ns9 postfix/smtpd[15190]: warning: 118.84.91.74.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=118.84.91.74.list.dsbl.org type=A: Host not found, try again is this a valid response? and this is invoked by the list.dsbl.org entry above? is this a spam location or an error of some kind? ***** UPDATE **** the lines above are because list.dsbl.org has been discontinued. have to remove the reject_rbl_client list.dsbl.org entry.
a recent email: I just got a passed email from 1000s or russian ladies - and these are the spam info from the header: --snip-- X-Spam-Score: 2.565 X-Spam-Level: ** X-Spam-Status: No, score=2.565 tagged_above=-999 required=4.5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_SPAM=2.5, URIBL_JP_SURBL=1.25] autolearn=no --snip-- clearly higher but this is still clearly spam! also I note from maillog an entry: Dec 9 15:40:30 ns9 postfix/cleanup[18026]: warning: regexp map /etc/postfix/body_checks, line 1: Invalid preceding regular expression anything I need to do? also when does ispconfig3 rewrite main.cf? do I need to keep my batch file to make the changes again? and from what I understand the white/blacklists in ispconfig3 are for ip addresses right? nothing to 'start using spamhaus.org' or the like. anywhere to put these commands inside ispconfig3 so I dont need to redo this each time main.cf changes? cdb. thanks cdb.
the dsbl rbl does not exist anymore and therefor you get this error. you should remove it from your main.cf. The score is fine except of the bayes score. If you see such a big negative score on more spam mails, then it might be that your self learning fildter has learned something wrong and it might have to be reset to start over. I guess you added a custom body filter rule in ispconfig and that rule is no valid regular expression. the easiest way to protect the main.cf file from being altered is to set the immutable bit on that file: chattr +i /etc/postfix/main.cf if you want to edit that file, run: chattr -i /etc/postfix/main.cf to remove the immutable bit.
self learning filter ok - how to I start the self learning filter over? clearly a lot of spam IS now being blocked the RBL entries are helping a lot! cdb.
su amavis results in 'this account is currently not available' or something similar. any ideas? cdb. -- never mind the account has no shell I'll take care of it
su amavis su amavis gives 'this account not currently available' sa-learn --clear under root gives no errors but sa-learn --dump all gives a database error. maybe because I'm running it as root?
sa-learn problmes continue! just had this email - clearly spam but it says autolearn=ham what on earth is going on now? I did do the -clear option cdb. --snip-- Return-Path: <[email protected]> X-Original-To: [email protected] Delivered-To: [email protected] Received: from localhost (unknown [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id 1BD5D1A2891 for <[email protected]>; Wed, 10 Dec 2014 18:27:00 +0000 (UTC) X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com X-Spam-Flag: NO X-Spam-Score: -0.011 X-Spam-Level: X-Spam-Status: No, score=-0.011 tagged_above=-999 required=3 tests=[SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bct8H4JSPfM5 for <[email protected]>; Wed, 10 Dec 2014 13:26:56 -0500 (EST) Received: from glazeworld.electricalinnovatenow.com (glazeworld.electricalinnovatenow.com [104.243.27.6]) by ns9.cdbsystems.com (Postfix) with ESMTP id A24791A286A for <[email protected]>; Wed, 10 Dec 2014 13:26:55 -0500 (EST) Date: Wed, 10 Dec 2014 10:26:54 -0800 Subject: maintain uninterrupted quality of power From: Critical Energy Application <[email protected]> Reply-to: Critical Energy Application <[email protected]> Message-ID: <4YjNHG70Af6D29c.M2.20141210103445449.80132896535214EtPuPiGj@glazeworld.electricalinnovatenow.com> To: <[email protected]> X-RCPT-To: <[email protected]> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Federal Research and Development Requirement: Obligation to notify public of consumption decreasing device Following a nationwide Audit of US Energy & Consumption; the department of research and development was awarded funds. They created and approved an affordable device to lower consumption and the average electric bill by 80%. http://www.electricalinnovatenow.com/dilations/clement/statedly.html --snip--
A message is clarly spam when its score exceeds the spam tag 2 level that you have set. Si the message above is ham as it has a negative score ans therefor learnt as ham and not spam. The message that you posted has not much text and it contains no words that are typical for spam messages and the sender is not on any blacklists, so how should a computer know that this is spam?
