Hi all,

I just moved my ISPConfig installation from Ubuntu to Debian, as per this thread: http://www.howtoforge.com/forums/showthread.php?t=42579

But for some odd reason, after the move I'm getting loads of spam mails!! With the old installation I never ever had a single one. The system is running with the same spam scores as the old server (see picture). And I have not added any other domains to the server, so basically it's a complete replica of my Ubuntu server, just now running Debian.

What can I do about this? The obvious would be to tighten the scores even more, but I just don't want to do that, when the old server ran perfectly with these numbers. I have also followed the guide on Spam Learning (sa_learn) here on Howtoforge.

Thanks for any assistance.

/Jim
Thanks Falko, now should I just wait a couple days to see if things are better or is there any way to check if this helped?
Wait a few days. You can run

Code:
spamassassin --lint

to find out if there are any problems with your SpamAssassin configuration. If it just returns to the command prompt, everything's fine.
It all seems to be good, at least on the command prompt. I am still getting more spam than usual. I also have more mails caught in the spam filter which are not spam. Is this just a matter of time or is there something I can do about it? Thanks for your help!
Can you restart amavisd and at the same time take a look at the mail log? Does amavisd report any errors there?
This is the output from "mail.log", when restarting Amavis:

Code:
Nov 12 20:48:06 node01 amavis[20347]: starting. /usr/sbin/amavisd-new at node01.domain.com amavisd-new-2.6.1 (20080629), Unicode aware, LANG="en_DK.UTF-8"
Nov 12 20:48:06 node01 amavis[20347]: Perl version 5.010000
Nov 12 20:48:06 node01 amavis[20352]: Net::Server: Group Not Defined. Defaulting to EGID '113 113'
Nov 12 20:48:06 node01 amavis[20352]: Net::Server: User Not Defined. Defaulting to EUID '109'
Nov 12 20:48:06 node01 amavis[20352]: Module Amavis::Conf 2.103
Nov 12 20:48:06 node01 amavis[20352]: Module Archive::Zip 1.18
Nov 12 20:48:06 node01 amavis[20352]: Module BerkeleyDB 0.34
Nov 12 20:48:06 node01 amavis[20352]: Module Compress::Zlib 2.012
Nov 12 20:48:06 node01 amavis[20352]: Module Convert::TNEF 0.17
Nov 12 20:48:06 node01 amavis[20352]: Module Convert::UUlib 1.11
Nov 12 20:48:06 node01 amavis[20352]: Module DBD::mysql 4.007
Nov 12 20:48:06 node01 amavis[20352]: Module DBI 1.605
Nov 12 20:48:06 node01 amavis[20352]: Module DB_File 1.816_1
Nov 12 20:48:06 node01 amavis[20352]: Module Digest::MD5 2.36_01
Nov 12 20:48:06 node01 amavis[20352]: Module Digest::SHA 5.45
Nov 12 20:48:06 node01 amavis[20352]: Module Digest::SHA1 2.11
Nov 12 20:48:06 node01 amavis[20352]: Module IO::Socket::INET6 2.54
Nov 12 20:48:06 node01 amavis[20352]: Module MIME::Entity 5.427
Nov 12 20:48:06 node01 amavis[20352]: Module MIME::Parser 5.427
Nov 12 20:48:06 node01 amavis[20352]: Module MIME::Tools 5.427
Nov 12 20:48:06 node01 amavis[20352]: Module Mail::Header 2.03
Nov 12 20:48:06 node01 amavis[20352]: Module Mail::Internet 2.03
Nov 12 20:48:06 node01 amavis[20352]: Module Mail::SPF v2.005
Nov 12 20:48:06 node01 amavis[20352]: Module Mail::SpamAssassin 3.002005
Nov 12 20:48:06 node01 amavis[20352]: Module Net::DNS 0.63
Nov 12 20:48:06 node01 amavis[20352]: Module Net::Server 0.97
Nov 12 20:48:06 node01 amavis[20352]: Module NetAddr::IP 4.007
Nov 12 20:48:06 node01 amavis[20352]: Module Socket6 0.20
Nov 12 20:48:06 node01 amavis[20352]: Module Time::HiRes 1.9711
Nov 12 20:48:06 node01 amavis[20352]: Module URI 1.35
Nov 12 20:48:06 node01 amavis[20352]: Module Unix::Syslog 1.1
Nov 12 20:48:06 node01 amavis[20352]: Amavis::DB code loaded
Nov 12 20:48:06 node01 amavis[20352]: Amavis::Cache code loaded
Nov 12 20:48:06 node01 amavis[20352]: SQL base code loaded
Nov 12 20:48:06 node01 amavis[20352]: SQL::Log code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: SQL::Quarantine NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: Lookup::SQL code loaded
Nov 12 20:48:06 node01 amavis[20352]: Lookup::LDAP code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: AM.PDP-in proto code loaded
Nov 12 20:48:06 node01 amavis[20352]: SMTP-in proto code loaded
Nov 12 20:48:06 node01 amavis[20352]: Courier proto code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: SMTP-out proto code loaded
Nov 12 20:48:06 node01 amavis[20352]: Pipe-out proto code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: BSMTP-out proto code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: Local-out proto code loaded
Nov 12 20:48:06 node01 amavis[20352]: OS_Fingerprint code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: ANTI-VIRUS code loaded
Nov 12 20:48:06 node01 amavis[20352]: ANTI-SPAM code loaded
Nov 12 20:48:06 node01 amavis[20352]: ANTI-SPAM-SA code loaded
Nov 12 20:48:06 node01 amavis[20352]: Unpackers code loaded
Nov 12 20:48:06 node01 amavis[20352]: DKIM code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: Tools code NOT loaded
Nov 12 20:48:06 node01 amavis[20352]: Found $file at /usr/bin/file
Nov 12 20:48:06 node01 amavis[20352]: No $dspam, not using it
Nov 12 20:48:06 node01 amavis[20352]: No $altermime, not using it
Nov 12 20:48:06 node01 amavis[20352]: Internal decoder for .mail
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .F
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .Z at /bin/uncompress
Nov 12 20:48:06 node01 amavis[20352]: Internal decoder for .gz
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .bz2 at /bin/bzip2 -d
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .lzo at /usr/bin/lzop -d
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .rpm tried: rpm2cpio.pl, rpm2cpio
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .cpio tried: pax
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .cpio at /bin/cpio
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .tar tried: pax
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .tar at /bin/cpio
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .deb at /usr/bin/ar
Nov 12 20:48:06 node01 amavis[20352]: Internal decoder for .zip
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .7z tried: 7zr, 7za, 7z
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .rar
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .arj at /usr/bin/arj
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .arc at /usr/bin/nomarch
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .zoo at /usr/bin/zoo
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .lha
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .doc tried: ripole
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .cab at /usr/bin/cabextract
Nov 12 20:48:06 node01 amavis[20352]: No decoder for .tnef
Nov 12 20:48:06 node01 amavis[20352]: Internal decoder for .tnef
Nov 12 20:48:06 node01 amavis[20352]: Found decoder for .exe at /usr/bin/arj
Nov 12 20:48:06 node01 amavis[20352]: Using primary internal av scanner code for ClamAV-clamd
Nov 12 20:48:06 node01 amavis[20352]: Using primary internal av scanner code for check-jpeg
Nov 12 20:48:06 node01 amavis[20352]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Nov 12 20:48:06 node01 amavis[20352]: Creating db in /var/lib/amavis/db/; BerkeleyDB 0.34, libdb 4.6

Thanks for your help!!
Hm, amavisd looks good. Can you post an excerpt of your mail log when a spam mail arrives and is not categorized as spam?
Yes, here is the output from "mail.log" this morning 9.20.

Code:
Nov 13 09:20:22 node01 postfix/smtpd[27533]: connect from bay0-omc1-s27.bay0.hotmail.com[65.54.190.38]
Nov 13 09:20:23 node01 postfix/smtpd[27533]: 5C0A4202C8: client=bay0-omc1-s27.bay0.hotmail.com[65.54.190.38]
Nov 13 09:20:23 node01 postfix/cleanup[30871]: 5C0A4202C8: message-id=<[email protected]>
Nov 13 09:20:23 node01 postfix/qmgr[3556]: 5C0A4202C8: from=<[email protected]>, size=3060, nrcpt=1 (queue active)
Nov 13 09:20:23 node01 postfix/smtpd[27533]: disconnect from bay0-omc1-s27.bay0.hotmail.com[65.54.190.38]
Nov 13 09:20:24 node01 postfix/smtpd[30875]: connect from localhost.localdomain[127.0.0.1]
Nov 13 09:20:24 node01 postfix/smtpd[30875]: 2B1C3202C9: client=localhost.localdomain[127.0.0.1]
Nov 13 09:20:24 node01 postfix/cleanup[30871]: 2B1C3202C9: message-id=<[email protected]>
Nov 13 09:20:24 node01 postfix/smtpd[30875]: disconnect from localhost.localdomain[127.0.0.1]
Nov 13 09:20:24 node01 postfix/qmgr[3556]: 2B1C3202C9: from=<[email protected]>, size=3548, nrcpt=1 (queue active)
Nov 13 09:20:24 node01 amavis[27413]: (27413-20) Passed CLEAN, [65.54.190.38] [65.54.190.61] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: mP2yYDn345tO, Hits: -2.599, size: 3060, queued_as: 2B1C3202C9, 472 ms
Nov 13 09:20:24 node01 postfix/smtp[30872]: 5C0A4202C8: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.99, delays=0.52/0/0/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=27413-20, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2B1C3202C9)
Nov 13 09:20:24 node01 postfix/qmgr[3556]: 5C0A4202C8: removed
Nov 13 09:20:24 node01 postfix/pipe[30877]: 2B1C3202C9: to=<[email protected]>, relay=maildrop, delay=0.06, delays=0.01/0/0/0.04, dsn=2.0.0, status=sent (delivered via maildrop service)
Nov 13 09:20:24 node01 postfix/qmgr[3556]: 2B1C3202C9: removed

This is the mail that landed in my inbox. Subject was NOT modified with "SPAM".
SUBJECT OF MAIL = RE:Friend: g y i 3

Code:
en god nyhed til dig: b g Z Q Jeg finder en hjemmeside, s? fantastisk! alle navn m?rke, 5 P 5 5 som telefoner mv s? l?nge der er registreret, Win $ 10 kupon let. glade for at anbefale jer, H n Y n Jeg tror, du kan lide det. Kig-www.happyshopping68.com-, overraskende gave venter p? dig! det accepterer paypal betaling, er det meget sikkert. b 1 o u D g H Q
a good news for you: 5 f P 3 I find a website, so amazing! all name brand, as phones etc. g o w T as long as registered, Win $10 coupon easy. happy to recommend to you, I believe you like it . T K 7 H please look -www.happyshopping68.com- , surprising gift waiting for you! it accept the paypal payment, it's very safe. i A 7 j o M u S

Also, here are the headers from Outlook:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by node01.domain.dk (Postfix) with ESMTP id 2B1C3202C9
    for <[email protected]>; Sat, 13 Nov 2010 09:20:24 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at node01.domain.dk
Received: from node01.domain.dk ([127.0.0.1])
    by localhost (node01.domain.dk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id mP2yYDn345tO for <[email protected]>;
    Sat, 13 Nov 2010 09:20:23 +0100 (CET)
Received: from bay0-omc1-s27.bay0.hotmail.com (bay0-omc1-s27.bay0.hotmail.com [65.54.190.38])
    by node01.domain.dk (Postfix) with ESMTP id 5C0A4202C8
    for <[email protected]>; Sat, 13 Nov 2010 09:20:23 +0100 (CET)
Received: from BAY149-W56 ([65.54.190.61]) by bay0-omc1-s27.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Sat, 13 Nov 2010 00:20:22 -0800
Message-ID: <[email protected]>
Content-Type: multipart/alternative; boundary="_3509b800-4135-48df-9327-af9cc3b7d8cf_"
X-Originating-IP: [115.49.105.37]
From: Hao To <[email protected]>
To: <[email protected]>
Subject: RE:Friend: g y i 3
Date: Sat, 13 Nov 2010 18:50:22 +1030
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 13 Nov 2010 08:20:22.0084 (UTC) FILETIME=[9D857840:01CB830B]

NB!! The "TO:" address above is NOT my email.

Thanks for your help, it is much appreciated!
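
The amavis verdict lines in mail.log (such as the "Passed CLEAN ... Hits: -2.599" entry above) can be tallied to see how messages are being scored after the move. This is an added example, not part of the original thread: the sample log lines are constructed in the format shown above, and the names `parse_amavis` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the amavisd-new log format shown in the thread;
# hosts, addresses and mail_ids are placeholders, not real log data.
SAMPLE_LOG = """\
Nov 13 09:20:24 node01 amavis[27413]: (27413-20) Passed CLEAN, [192.0.2.10] <a@example.org> -> <jim@example.com>, mail_id: AAAA, Hits: -2.599, size: 3060, 472 ms
Nov 13 09:31:02 node01 amavis[27413]: (27413-21) Passed SPAMMY, [192.0.2.11] <b@example.org> -> <jim@example.com>, mail_id: BBBB, Hits: 5.4, size: 4100, 611 ms
Nov 13 09:45:40 node01 amavis[27414]: (27414-03) Blocked SPAM, [192.0.2.12] <c@example.org> -> <jim@example.com>, mail_id: CCCC, Hits: 21.7, size: 9000, 820 ms
Nov 13 10:02:11 node01 amavis[27414]: (27414-04) Passed CLEAN, [192.0.2.13] <d@example.org> -> <jim@example.com>, mail_id: DDDD, Hits: 1.2, size: 2000, 300 ms
Nov 13 10:05:00 node01 amavis[27414]: (27414-05) Passed CLEAN, [127.0.0.1] <e@example.com> -> <jim@example.com>, mail_id: EEEE, Hits: -, size: 1500, 90 ms
Nov 13 10:05:01 node01 postfix/qmgr[3556]: 2B1C3202C9: removed
"""

# Matches "(pid-nn) Passed|Blocked CATEGORY, ... mail_id: X, ... Hits: <score or ->"
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \([\d-]+\) (?P<action>Passed|Blocked) (?P<category>[A-Z-]+)"
    r".*?mail_id: (?P<mail_id>[^,]+),.*?Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

def parse_amavis(text):
    """Return one record per amavis verdict line; other log lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        hits = m.group("hits")
        records.append({
            "action": m.group("action"),
            "category": m.group("category"),
            "mail_id": m.group("mail_id"),
            # "Hits: -" means no spam score was computed for this message
            "score": None if hits == "-" else float(hits),
        })
    return records

def summarize(records):
    """Count verdicts; list unscored mail and CLEAN mail with a negative score."""
    verdicts = Counter(f"{r['action']} {r['category']}" for r in records)
    unscanned = [r["mail_id"] for r in records if r["score"] is None]
    negative_clean = [r["mail_id"] for r in records if r["category"] == "CLEAN"
                      and r["score"] is not None and r["score"] < 0]
    return verdicts, unscanned, negative_clean

if __name__ == "__main__":
    print(summarize(parse_amavis(SAMPLE_LOG)))
```

A negative total, as in the thread's missed spam, means negative-scoring SpamAssassin rules fired on that message, so the `negative_clean` list is the place to start when comparing the new server's scoring with the old one.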