spamassassin not working?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 26, 2014.

  1. craig baker

    craig baker Member HowtoForge Supporter

Till, I've got my CentOS set up à la the perfect server with Dovecot, Postfix, Mailman, SpamAssassin and ClamAV. I look in maillog and find plenty from ClamAV, but I'm getting lots of spam in boxes, folks complaining, and when I look at the headers I see nothing from SpamAssassin (and no spamd messages in the maillog). I suspect some yum upgrade broke something.
    SpamAssassin is not running as a service; /etc/rc.d has a K30spamassassin entry and no start file...

    Any quick ideas on how to check where it broke?
    cdb.
     
    Last edited: Sep 26, 2014
  2. webguyz

    webguyz Active Member HowtoForge Supporter

SpamAssassin won't register a score if the total is below your cutoff. Let's say you have a score of 5, so that SpamAssassin marks anything that scores 5 or above as spam, but anything below that it will let pass and not put a score in it.

    Spammers have figured out how to get around SpamAssassin by entering extra words somewhere in the email where they are not visible. These are strings of nonsensical sentences, but SpamAssassin adds a high negative score to the total for that verbiage, so when added to the positive score of the spam it comes out below 5. Next time you get such spam, look at the raw email and you will see these words.

    At least that's what I'm seeing. If you look at regular email headers you don't see a spam score, and when you get spam and look at the headers you see no spam score there either, because the spammers have circumvented SpamAssassin. There is no SpamAssassin rule to test for random text.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    spamassassin

I'm not sure at all it's working (it certainly used to work). I'm trying to find out where it's being invoked, to see if it's just not being consulted at all...

    Some folks have it being invoked as a content filter in postfix.cf:

    --snip--
    Telling Postfix to Start Filtering SPAM

    To get postfix going we need to un-comment a couple lines in /etc/postfix/master.cf
    Find:


    smtp inet n - n - - smtpd
    # -o content_filter=smtp-amavis:127.0.0.1:10024
    # -o receive_override_options=no_address_mappings


    Change to:


    smtp inet n - n - - smtpd
    -o content_filter=smtp-amavis:127.0.0.1:10024
    -o receive_override_options=no_address_mappings

    ---snip--
But I don't have these lines uncommented in my Postfix file...
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

SpamAssassin is loaded internally by amavisd, so there is no need to invoke it manually. The lines that you posted above are not required by ISPConfig and are therefore not present in your config file.

    You can easily find out if it's working: open the source of an email in your mail client that has gone through your server. If it contains a line like:

    X-Virus-Scanned: Debian amavisd-new at .....

then the email has gone through amavis, which includes SpamAssassin filtering and ClamAV antivirus.
     
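The header check described above, as an added example (not code from the thread, ISPConfig or amavisd). It reads a raw message and reports whether amavisd touched it and whether SpamAssassin score headers are present. The two sample messages are constructed with example.invalid addresses and a made-up queue id to mirror the headers posted in this thread; the X-Spam-Status test list is a placeholder.

```python
"""Check a raw message's headers for evidence that it passed through
amavisd-new (and so through SpamAssassin and ClamAV).

Added example for this thread; it is not code from ISPConfig or amavisd.
Both sample messages are constructed."""
from email import message_from_string

# Constructed: one X-Virus-Scanned line and no X-Spam-* headers, which is
# what the thread starter sees.
SCANNED_NO_SCORE = """Return-Path: <sender@example.invalid>
X-Original-To: user@example.invalid
Delivered-To: user@example.invalid
Received: from localhost (unknown [127.0.0.1])
\tby mail.example.invalid (Postfix) with ESMTP id 55ABA1A594C
\tfor <user@example.invalid>; Fri, 26 Sep 2014 20:39:05 +0000 (UTC)
X-Virus-Scanned: amavisd-new at mail.example.invalid
Subject: test

hello
"""

# Constructed: the same message after the tag level was lowered, so amavisd
# added the score headers although the score is far below "spam".
SCANNED_WITH_SCORE = SCANNED_NO_SCORE.replace(
    "Subject: test",
    "X-Spam-Flag: NO\n"
    "X-Spam-Score: -0.801\n"
    "X-Spam-Level:\n"
    "X-Spam-Status: No, score=-0.801 tagged_above=-100 required=5"
    " tests=[...] autolearn=ham\n"
    "Subject: test",
)

# Headers amavisd adds once a score is at or above the tag level.
SPAM_HEADERS = ("X-Spam-Flag", "X-Spam-Score", "X-Spam-Level", "X-Spam-Status")


def amavis_status(raw):
    """Return what the headers tell us about amavisd/SpamAssassin handling."""
    msg = message_from_string(raw)
    present = [h for h in SPAM_HEADERS if msg.get(h) is not None]
    score = None
    if msg.get("X-Spam-Score") is not None:
        score = float(msg["X-Spam-Score"].strip())
    return {
        "scanned": msg.get("X-Virus-Scanned") is not None,
        "spam_headers": present,
        "score": score,
        "flagged_spam": (msg.get("X-Spam-Flag") or "").strip().upper() == "YES",
    }


def diagnose(raw):
    """One-line reading of amavis_status(), covering the cases in this thread."""
    s = amavis_status(raw)
    if not s["scanned"]:
        return "not scanned: no X-Virus-Scanned header, the mail never reached amavisd"
    if not s["spam_headers"]:
        return ("scanned, no score shown: amavisd ran but the score was below "
                "the tag level, so no X-Spam-* headers were added")
    verdict = "spam" if s["flagged_spam"] else "not spam"
    return "scanned, score %.3f, %s" % (s["score"], verdict)


if __name__ == "__main__":
    for raw in (SCANNED_NO_SCORE, SCANNED_WITH_SCORE):
        print(diagnose(raw))
```

Feed it the "view source" output of a message from your mail client; a missing X-Virus-Scanned header points at the Postfix content filter, while X-Virus-Scanned without X-Spam-* headers is the tag-level situation discussed further down in this thread.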
  5. craig baker

    craig baker Member HowtoForge Supporter

    further info

I do see X-Virus-Scanned.
    But I recently updated amavisd; can't I force it to put SpamAssassin headers in? I believe that SpamAssassin for some reason is not working, because folks' unmarked spam has just exploded!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

You can set the spam tag 1 level in the policy to -100. This tag level is the one that controls when headers that show the score get added to an email. The tag 2 level is the one that controls when an email is spam.
     
  7. craig baker

    craig baker Member HowtoForge Supporter

    amavisd

I set this, restarted amavisd and sent an account an email.

    the header only contains:

    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (unknown [127.0.0.1])
    by ns9.cdbsystems.com (Postfix) with ESMTP id 55ABA1A594C
    for <[email protected]>; Fri, 26 Sep 2014 20:39:05 +0000 (UTC)
    X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com

So amavisd-new isn't adding anything.
    I changed:
    $sa_tag_level_deflt = -100; # add spam info headers if at, or above that level

    no alteration.

I notice that the $helpers dir for SpamAssassin (/var/spool/amavisd/var) did not exist!!!
    I did change the ns9 to ns9a in amavisd.conf and it does change the header to ns9a, so I know this is the conf file that is being read.
    But the sa_tag_level change did not cause any headers to be added as it should have!
    cdb.
     
    Last edited: Sep 27, 2014
  8. craig baker

    craig baker Member HowtoForge Supporter

    further info...

I sent an email to one of the covered boxes and though the header has the single line:
    X-Virus-Scanned: amavisd-new at ns9a.cdbsystems.com

    the maillog contains these lines:
    Sep 26 20:00:43 ns9 postfix/qmgr[11850]: AC3481A5C86: from=<[email protected]>, size=3227, nrcpt=1 (queue active)
    Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) DSN: sender is credible (dkim), SA: -0.801, <[email protected]>
    Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) status counters: InMsgsStatus{Relayed,RelayedUntagged,RelayedUntaggedOpenRelay}
    Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) Passed CLEAN {RelayedOpenRelay}, [98.139.213.163]:50964 [74.96.241.34] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: hClvxddQnpcj, Hits: -0.801, size: 2772, queued_as: AC3481A5C86, dkim_sd=s1024:yahoo.com, 480 ms
    Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) TIMING-SA total 340 ms - parse: 3 (0.8%), extract_message_metadata: 7 (2.2%), get_uri_detail_list: 0.73 (0.2%), tests_pri_-1000: 4 (1.1%), tests_pri_-950: 1.24 (0.4%), tests_pri_-900: 1.35 (0.4%), tests_pri_-400: 1.10 (0.3%), tests_pri_0: 266 (78.4%), check_spf: 169 (49.6%), poll_dns_idle: 146 (42.9%), check_razor2: 49 (14.4%), check_pyzor: 0.22 (0.1%), tests_pri_500: 4 (1.1%), learn: 20 (5.8%), get_report: 1.29 (0.4%)
    Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) sending SMTP response: "250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AC3481A5C86"
    Sep 26 20:00:43 ns9 postfix/smtp[11102]: 2969E1A5C83: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.59, delays=0.1/0/0/0.48, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AC3481A5C86)
    Sep 26 20:00:43 ns9 postfix/qmgr[11850]: 2969E1A5C83: removed
    Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) size: 2772, TIMING [total 485 ms] - SMTP greeting: 1.9 (0%)0, SMTP EHLO: 0.5 (0%)0, SMTP pre-MAIL: 0.5 (0%)1, SMTP pre-DATA-flush: 2.0 (0%)1, SMTP DATA: 38 (8%)9, check_init: 0.5 (0%)9, digest_hdr: 26 (5%)14, digest_body_dkim: 1.3 (0%)15, collect_info: 4.1 (1%)15, mime_decode: 11 (2%)18, get-file-type2: 15 (3%)21, parts_decode: 0.3 (0%)21, check_header: 0.7 (0%)21, AV-scan-1: 13 (3%)24, spam-wb-list: 1.1 (0%)24, SA msg read: 0.7 (0%)24, SA parse: 3.4 (1%)25, SA check: 328 (68%)92, decide_mail_destiny: 11 (2%)95, notif-quar: 0.6 (0%)95, fwd-connect: 4.8 (1%)96, fwd-mail-pip: 3.2 (1%)96, fwd-rcpt-pip: 0.3 (0%)96, fwd-data-chkpnt: 0.1 (0%)96, write-header: 0.9 (0%)97, fwd-data-contents: 0.1 (0%)97, fwd-end-chkpnt: 3.2 (1%)97, prepare-dsn: 0.8 (0%)97, report: 2.2 (0%)98, main_log_entry: 6 (1%)99, update_snmp: 2.0 (0%)100, SMTP pre-response: 0.3 (0%)100, SMTP response: 0.3 (0%)100, unlink-3-files: 0.4 (0%)100, rundown: 0.8 (0%)100
    Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) load: 1 %, total idle 2804.778 s, busy 36.203 s
    Sep 26 20:00:43 ns9 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'

Clearly SpamAssassin is not doing anything!
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

I asked you to change the policy. The policy is in ISPConfig; see mails > spamfilter policy.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

SpamAssassin is working; your output shows that. You just did not change the header level in the policy and therefore you can't see the score.
     
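Two checks that put till's last two replies (the tag levels, and the policy overriding amavisd.conf) and the maillog posted above into code. This is an added example, not code from amavisd or ISPConfig. The log line is a sanitised copy of the "Passed CLEAN" line in this thread with example addresses; the level numbers 2.0 / 6.2 / 6.9 are the ones in the stock amavisd.conf sample and are an assumption about this server, not a reading of its policy.

```python
"""Read the SpamAssassin score amavisd writes to the mail log, then model
amavisd's tag levels to show why a mail with that score gets no X-Spam-*
headers, and why a level set in the per-recipient policy wins over the
$sa_*_level_deflt value in amavisd.conf.

Added example, not code from amavisd or ISPConfig."""
import re

# Constructed log line (sanitised copy of the one posted in the thread).
LOG_LINE = ("Sep 26 20:00:43 ns9 amavis[7668]: (07668-15) Passed CLEAN "
            "{RelayedOpenRelay}, [192.0.2.10]:50964 [198.51.100.7] "
            "<sender@example.invalid> -> <user@example.invalid>, "
            "Message-ID: <abc@example.invalid>, mail_id: hClvxddQnpcj, "
            "Hits: -0.801, size: 2772, queued_as: AC3481A5C86, 480 ms")

HITS_RE = re.compile(r"\bHits: (-?\d+(?:\.\d+)?)")
VERDICT_RE = re.compile(r"\) (Passed|Blocked) ([A-Z-]+)")


def sa_score(log_line):
    """SpamAssassin score ('Hits:') from an amavis Passed/Blocked line, or None.
    A number here proves SpamAssassin ran, whatever the headers show."""
    m = HITS_RE.search(log_line)
    return float(m.group(1)) if m else None


def verdict(log_line):
    """('Passed' or 'Blocked', content class), e.g. ('Passed', 'CLEAN')."""
    m = VERDICT_RE.search(log_line)
    return (m.group(1), m.group(2)) if m else None


# Assumed stock amavisd.conf sample levels; ISPConfig policies override them.
CONF_DEFAULTS = {"tag": 2.0, "tag2": 6.2, "kill": 6.9}


def effective_levels(conf_defaults, policy):
    """amavisd takes a level from the per-recipient SQL policy when the policy
    sets one and falls back to the $sa_*_level_deflt value otherwise. That is
    why editing amavisd.conf changed nothing here: the ISPConfig policy won."""
    return {k: (policy.get(k) if policy.get(k) is not None else v)
            for k, v in conf_defaults.items()}


def sa_headers(score, levels):
    """Which X-Spam-* handling a score triggers under the given levels."""
    out = {"headers": [], "flag": None, "above_kill": False}
    if score >= levels["tag"]:       # sa_tag_level: add the score headers
        out["headers"] = ["X-Spam-Flag", "X-Spam-Score",
                          "X-Spam-Level", "X-Spam-Status"]
        out["flag"] = "NO"
    if score >= levels["tag2"]:      # sa_tag2_level: mark the mail as spam
        out["flag"] = "YES"
    if score >= levels["kill"]:      # sa_kill_level: final_spam_destiny applies
        out["above_kill"] = True
    return out


if __name__ == "__main__":
    score = sa_score(LOG_LINE)
    print("log says SpamAssassin scored the mail at", score, verdict(LOG_LINE))
    print("conf defaults only:", sa_headers(score, effective_levels(CONF_DEFAULTS, {})))
    print("policy tag = -100: ",
          sa_headers(score, effective_levels(CONF_DEFAULTS, {"tag": -100.0})))
```

With the stock levels a score of -0.801 is below the tag level, so amavisd adds nothing beyond X-Virus-Scanned; only a policy (or, absent a policy entry, a conf default) of -100 or lower makes the score visible in every message.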
  11. craig baker

    craig baker Member HowtoForge Supporter

    policy?

    I altered the amavisd.conf file in /etc/amavisd and that clearly alters things (changing the domain name to ns9a altered the X-virus header to ns9a!)
    but altering sa_tag_level_default did not cause SA headers to be added.
    I've now changed the policy in isp3 as well to -999 - but what does THAT alter?
    and I just sent an email that should be spam and there is nothing other than the same single X-virus header from amavisd.
    and the amavisd.conf file has not changed after I set the policy to -999 in ispconfig3!
    is ispconfig3 altering a different file??
In spite of what the log shows it's pretty clear that SA is not really doing anything, and the spam has exploded!!!

    I notice also an amavisd.conf file in /etc/clamd.d which is very short and just has logging info...

    how do I diagnose further?
     
    Last edited: Sep 27, 2014
  12. craig baker

    craig baker Member HowtoForge Supporter

    amavisd update breaks ispconfig3

    running Centos 6.5
    seems this is what has happened.

    from yum.log:
    Aug 28 09:44:09 Updated: amavisd-new-2.9.1-2.el6.noarch

and I believe this is when everything broke.

    this process is reading ONLY the file /etc/amavisd/amavisd.conf
That is the only amavisd.conf file, btw; /etc/amavisd.conf does not exist.

    editing amavisd.conf to force spam headers to be added does nothing.
    I've never seen anything other than the single amavisd X-virus scanned header.

Changing the policy seems to have no effect. And what files do policy changes affect? Don't amavisd and ISPConfig 3 work off the same database?
    how can I check that?

    putting the default tag to -999 in the 'normal' policy has altered nothing...
Even though the maillog shows SA entries, I have sent utter spam (detected by Yahoo as such) to my box and it goes through, and no X-Spam headers or anything!

    at a real loss here.... how on earth do I fix this?

    what to do now?
    cdb.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, most likely yum overwrote the config file and now your system runs with the stock config.

    Please try this:

Download the ISPConfig tar.gz file, unpack it and run the update.php script in the install folder. Choose to reconfigure services during the update. This should fix the config file if yum has overwritten the custom config.
     
  14. craig baker

    craig baker Member HowtoForge Supporter

    ispconfig.tar.gz

Want to send me a link? www.ispconfig.org seems to be down.
    but this is a reasonable explanation. now somewhere there should be a file of what config files get altered by ispconfig3 so I can keep them safe!
    cdb.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig is online again. The server had a hardware issue last night.
     
  16. craig baker

    craig baker Member HowtoForge Supporter

    Captain there be whales here!

    or at least headers with X-Spam tags....

    I saw elsewhere info about improving the settings to reject more spam - can you give me the current best anti-spam settings?

    so that was it. some yum update broke things.

Any useful ISPConfig script anywhere along the lines of 'after yumming, run this to see if anything is broken'? Sure would be a time and hair saver.

    many thanks :)
     
  17. craig baker

    craig baker Member HowtoForge Supporter

    one more thing . amavisd?

Not sure if this will continue to happen, but mailq shows about 300 stuck messages.
    these seem to be messages sent BACK to the spammer in this case complaining about an invalid header and saying it was not delivered.
    obviously these will never get anywhere useful.
    unless you need an online doctorate that is!

    suggestions? or should amavisd now handle them differently?
Presumably Postfix will give up trying to deliver them, but they are stuck in the queue in the meantime!

    when I look at one (they are all pretty much like this)
    ---snip--

    CO 3251 642 1 0 3251T1412094870 263672Acreate_time=1412094870Arewrite_context=localA?envelope_id=AM.H6USmeELNz3x.20140930T163430Z@ns9.cdbsystems.comSAlog_client_name=unknownAlog_client_address=127.0.0.1Alog_client_port=46120A%log_message_origin=unknown[127.0.0.1]Alog_helo_name=localhostAlog_protocol_name=ESMTPAclient_name=unknownAeverse_client_name=unknownAclient_address=127.0.0.1Aclient_port=46120Ahelo_name=localhostAprotocol_name=ESMTPAclient_address_type=2A-dsn_orig_rcpt=rfc822;[email protected]@[email protected]: from localhost (unknown [127.0.0.1])N: by ns9.cdbsystems.com (Postfix) with ESMTP id 40A301A5DC4NF for <[email protected]>; Tue, 30 Sep 2014 16:34:30 +0000 (UTC)N<Content-Type: multipart/report; report-type=delivery-status;N* boundary="----------=_1412094870-20537-0"NContent-Transfer-Encoding: 7bitNMIME-Version: 1.0N3Subject: Undeliverable mail, invalid header sectionN0Message-ID: <[email protected]>NLFrom: "Content-filter at ns9.cdbsystems.com" <[email protected]>NTo: <[email protected]>N+Date: Tue, 30 Sep 2014 12:34:30 -0400 (EDT)NN.This is a multi-part message in MIME format...NN ------------=_1412094870-20537-0N)Content-Type: text/plain; charset="UTF-8"Nontent-Disposition: inlineN+Content-Transfer-Encoding: quoted-printableNNThe message WAS NOT relayed to:N <[email protected]>:N/ 554 5.6.0 Bounce, id=3D20537-09 - BAD HEADERNNHThis nondelivery report was generated by the program amavisd-new at hostNCns9.cdbsystems.com. Our internal reference code for your message isN20537-09/3ENGhLSETCLENNINVALID HEADERNNC Non-encoded 8-bit data (char E2 hex): Subject: Challenge yourselfN" \342\236\234 View online [...]NN'Return-Path: <[email protected]>N3From: "Online Doctorate" <[email protected]>N=Message
    ---snip--
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

Bad header mails should not be bounced, as your server might get banned then for backscatter spam. The default for bad header handling that ISPConfig sets during install is:

    $final_bad_header_destiny = D_PASS;

I recommend that you keep this setting and that you don't set it to bounce in a policy, to avoid backscatter spam.
     
  19. craig baker

    craig baker Member HowtoForge Supporter

    ok - where do I look for this?

Clearly they ARE being bounced back, so where can I check and make sure we are not doing this? What conf file?
    the /etc/amavisd/amavisd.conf file contains:


    $final_virus_destiny = D_BOUNCE;
    $final_spam_destiny = D_DISCARD;
    $final_banned_destiny = D_BOUNCE;
    $final_bad_header_destiny = D_PASS;


    and are there better spamassassin directives I can implement without clobbering ispconfig3 settings?
     
    Last edited: Oct 2, 2014
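A check for the backscatter point till raises above, applied to the amavisd.conf lines just posted. This is an added example, not ISPConfig or amavisd code. CONF_SNIPPET copies the four $final_*_destiny lines from this thread; the policy dict stands in for a per-policy destiny set in ISPConfig, and representing it as a plain dict is an assumption made for the example.

```python
"""Read the $final_*_destiny settings out of an amavisd.conf fragment and
flag the ones that would notify a (usually forged) sender, which is what
produces backscatter. Added example, not ISPConfig or amavisd code."""
import re

# Copied from the amavisd.conf lines posted in this thread.
CONF_SNIPPET = """
$final_virus_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_bad_header_destiny = D_PASS;
"""

DESTINY_RE = re.compile(
    r"^\s*\$final_(virus|spam|banned|bad_header)_destiny\s*=\s*(D_[A-Z]+)\s*;",
    re.M)


def parse_destinies(conf_text):
    """{'virus': 'D_BOUNCE', ...} from the $final_*_destiny lines."""
    return {m.group(1): m.group(2) for m in DESTINY_RE.finditer(conf_text)}


def effective_destinies(conf, policy):
    """amavisd consults the per-recipient policy first and the conf defaults
    second, so a policy set to bounce wins over D_PASS in the file. `policy`
    maps category -> destiny and is an assumed stand-in for ISPConfig's
    spamfilter policy."""
    return {k: (policy.get(k) or v) for k, v in conf.items()}


# What each destiny does with respect to the envelope sender. Spam, virus
# and malformed-header mail almost always carries a forged sender, so any
# destiny that notifies the sender hits an innocent third party.
BACKSCATTER = {
    "D_BOUNCE": "amavisd sends a non-delivery report to the envelope sender",
    "D_REJECT": "SMTP reject; in an after-queue setup Postfix has already "
                "accepted the mail and therefore bounces it itself",
}


def backscatter_risks(destinies):
    """Categories whose destiny would notify a probably-forged sender."""
    return {cat: BACKSCATTER[d] for cat, d in destinies.items()
            if d in BACKSCATTER}


if __name__ == "__main__":
    conf = parse_destinies(CONF_SNIPPET)
    print("amavisd.conf:", conf)
    print("risky in conf:", backscatter_risks(conf))
    # a policy that bounces bad headers, the case warned against above
    with_policy = effective_destinies(conf, {"bad_header": "D_BOUNCE"})
    print("with policy bounce:", backscatter_risks(with_policy))
```

Run it against /etc/amavisd/amavisd.conf to see the file defaults, then compare with the destinies in each ISPConfig spamfilter policy: the bad-header bounces in the queue come from whichever of the two is set to D_BOUNCE for the recipient concerned, and D_PASS (or D_DISCARD) for bad headers is the setting that avoids them.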
  20. craig baker

    craig baker Member HowtoForge Supporter

    anything to improve spamassassin?

    I read about folks using postgrey - does that help? and if so how to set it up so that ispconfig3 is happy?

Anything else I can do to improve my anti-spam? I sure seem to be getting a lot still, after SpamAssassin is clearly working now...

    I have the spam level set at 5 but see quite a bit that comes in at 4.2-4.5 but is clearly spam?

    are we checking known spammers? blacklists? etc? I see nothing in ispconfig3 settings regarding etc.

    inquiring minds and all that
    thanks till
     