Posted to users@spamassassin.apache.org by Alistair Ross <aj...@gmail.com> on 2006/01/25 01:33:19 UTC

SA catching mails, but then allowing them through anyway!

Hi all,

  I recently switched from a spamassassin only based setup to an
amavis-new combo setup, which seems to be doing all the right things,
apart from the fact that it's picking up 60% of the spam. The rest of
the spam is blatantly being identified as spam, then being re-itemised
and finally sent to mailbox as valid mail.

I've been trawling the net for days now looking for the answer and I
simply cannot find out what's going on. The cpu isn't so great (366
P3/512MB RAM, but as it's only a small mail server, I didn't think it
would matter too much). I did notice in the logs that SA TIMEOUT had
occurred, so I changed that from 30s to 300s (I'll change that later
when I find out what's optimal). That fixed that issue, but the amount
of spam getting to my users' mailbox is unacceptable, especially
compared to my previous no-frills setup without amavis-new.

I post the output of a typical spam getting through, in the hope that
it will get some of you to go ooh, ahh and generally notice straight
away how stupid I am being and point out the problem to me.

Note that the mail is first given a spam level of 35.65, identified as
spam, then it's quarantined, then somehow, it gets a status of
'Passed' and then is finally delivered.

Please ask if you wish to see my amavis-new config file. I thought
that my post was already long enough to add even more on to it,
hopefully unnecessarily.

Please help!!

Thanks In Advance.


I have changed the recipient address to XXXXX:

Jan 25 00:07:59 xbolt amavis[14198]: (14198-04) ESMTP::10024
/var/lib/amavis/amavis-20060124T232351-14198:
<HW...@yahoo.com> -> <XXXXXXXXXXXX> Received: SIZE=798 from
xbolt.net ([127.0.0.1]) by localhost (xbolt.net [127.0.0.1])
(amavisd-new, port 10024) with ESMTP id 14198-04 for <XXXXXXXXXXXX>;
Wed, 25 Jan 2006 00:07:59 +0000 (GMT)
Jan 25 00:07:59 xbolt amavis[14198]: (14198-04) Checking:
<HW...@yahoo.com> -> <XXXXXXXXXXXX>
Jan 25 00:08:00 xbolt postfix/smtpd[14962]: disconnect from
200-161-100-146.dsl.telesp.net.br[200.161.100.146]
Jan 25 00:08:40 xbolt postfix/smtpd[14962]: connect from unknown[218.5.142.157]
--
Jan 25 00:09:05 xbolt amavis[14198]: (14198-04) spam_scan: hits=35.65
tests=BAYES_99,FB_GET_MEDS,FORGED_YAHOO_RCVD,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_SOCKS,SARE_RECV_SPAM_DOMN02,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL,WLS_URI_OPT_2741
Jan 25 00:09:05 xbolt amavis[14198]: (14198-04) local delivery: <> ->
<spam-quarantine>,
mbx=/var/lib/amavis/virusmails/spam-3c292f3cc6d105f92c4a12ea8e605039-20060125-000905-14198-04.gz
Jan 25 00:09:05 xbolt amavis[14198]: (14198-04) SPAM,
<HW...@yahoo.com> -> <XXXXXXXXXXXX>, Yes, hits=35.6 tag1=0.0
tag2=5.0 kill=5.0 tests=BAYES_99, FB_GET_MEDS, FORGED_YAHOO_RCVD,
HELO_DYNAMIC_HCC, HELO_DYNAMIC_IPADDR2, RAZOR2_CF_RANGE_51_100,
RAZOR2_CHECK, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL,
RCVD_IN_SORBS_SOCKS, SARE_RECV_SPAM_DOMN02, URIBL_AB_SURBL,
URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_WS_SURBL,
WLS_URI_OPT_2741, quarantine
spam-3c292f3cc6d105f92c4a12ea8e605039-20060125-000905-14198-04
(spam-quarantine)
Jan 25 00:09:05 xbolt amavis[14198]: (14198-04) FWD via SMTP:
[127.0.0.1]:10025 <HW...@yahoo.com> -> <XXXXXXXXXXXX>
Jan 25 00:09:05 xbolt postfix/smtpd[15021]: connect from xbolt.net[127.0.0.1]
Jan 25 00:09:05 xbolt postfix/smtpd[15021]: EEF302D029A:
client=xbolt.net[127.0.0.1]
--
Jan 25 00:09:06 xbolt amavis[14198]: (14198-04) Passed,
<HW...@yahoo.com> -> <XXXXXXXXXXXX>, quarantine
spam-3c292f3cc6d105f92c4a12ea8e605039-20060125-000905-14198-04,
Message-ID: <3A...@localhost>, Hits: 35.65
Jan 25 00:09:06 xbolt amavis[14198]: (14198-04) TIMING [total 66794
ms] - SMTP EHLO: 41 (0%), SMTP pre-MAIL: 1 (0%), SMTP pre-DATA-flush:
18 (0%), SMTP DATA: 36 (0%), body hash: 34 (0%), mime_decode: 113
(0%), get-file-type: 64 (0%), decompose_part: 4 (0%), parts: 0 (0%),
AV-scan-1: 50 (0%), SA msg read: 5 (0%), SA parse: 40 (0%), SA check:
66011 (99%), write-header: 253 (0%), save-to-local-mailbox: 4 (0%),
fwd-connect: 20 (0%), fwd-mail-from: 4 (0%), fwd-rcpt-to: 5 (0%),
write-header: 10 (0%), fwd-data: 1 (0%), fwd-data-end: 45 (0%),
fwd-rundown: 4 (0%), unlink-1-files: 15 (0%), rundown: 17 (0%)
Jan 25 00:09:06 xbolt amavis[14198]: (14198-04) Requesting a process
rundown after 10 tasks
Jan 25 00:09:06 xbolt postfix/smtp[14933]: 8B3AE2D02CE:
to=<XXXXXXXXXXXX>, relay=127.0.0.1[127.0.0.1], delay=75, status=sent
(250 2.6.0 Ok, id=14198-04, from MTA: 250 Ok: queued as EEF302D029A)
Jan 25 00:09:06 xbolt postfix/qmgr[14132]: 8B3AE2D02CE: removed
Jan 25 00:09:06 xbolt amavis[14198]: (14198-04) tempdir being removed:
/var/lib/amavis/amavis-20060124T232351-14198
Jan 25 00:09:06 xbolt postfix/local[15023]: EEF302D029A:
to=<XXXXXXXXXXX>, orig_to=<XXXXXXXXXXXX>, relay=local, delay=1,
status=sent (delivered to command: /usr/bin/procmail -f- -a "$USER")
Jan 25 00:09:06 xbolt postfix/qmgr[14132]: EEF302D029A: removed

Re: SA catching mails, but then allowing them through anyway!

Posted by mouss <us...@free.fr>.
Alistair Ross wrote:
> Am I in the wrong place for asking questions about amavis-come-spamassassin?
> 
> I appreciate that spamassassin does not reject/move, amavis does.  If
> it is a configuration problem, the likeliness of blame is the amavis
> configuration, which encompasses spamassassin too.

well, the blame is on you, because you didn't take the time to read
amavisd-new docs:)


1- Take a look at amavisd.conf-sample for possible settings of amavisd-new.
Here are a few vars you'll need to check (the values here are just examples):

----------
$sa_tag_level_deflt  = undef; # we tag all messages (ie adding headers)
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 1000.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 1;    # spam level beyond which a DSN is not sent

# spam level beyond which quarantine is off
#$sa_quarantine_cutoff_level = 20;

$sa_mail_body_size_limit = 200*1024; # do not scan large messages
$sa_local_tests_only = 0;    # we do net checks

....
# $final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_PASS;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;
---------

2- check the docs on amavisd-new site

3- for more, ask on the amavisd-new ML.

Re: SA catching mails, but then allowing them through anyway!

Posted by Alistair Ross <aj...@gmail.com>.
Am I in the wrong place for asking questions about amavis-come-spamassassin?

I appreciate that spamassassin does not reject/move, amavis does.  If
it is a configuration problem, the likeliness of blame is the amavis
configuration, which encompasses spamassassin too.

Regards,

On 1/25/06, Evan Platt <ev...@espphotography.com> wrote:
> On Tue, January 24, 2006 4:33 pm, Alistair Ross wrote:
> > Hi all,
> >
> >   I recently switched from a spamassassin only based setup to an
> > amavis-new combo setup, which seems to be doing all the right things,
> > apart from the fact that it's picking up 60% of the spam. The rest of
> > the spam is blatantly being identified as spam, then being re-itemised
> > and finally sent to mailbox as valid mail.
>
> I'm not familiar with Amavis, but I can tell you, SpamAssassin will always
> let mail through. SpamAssassin scans mail, that's it. It cannot reject or
> move mail. So perhaps your procmail, or Amavis is to blame? If you don't
> get an answer here, that may be a good starting point.
>
>

Re: SA catching mails, but then allowing them through anyway!

Posted by Evan Platt <ev...@espphotography.com>.
On Tue, January 24, 2006 4:33 pm, Alistair Ross wrote:
> Hi all,
>
>   I recently switched from a spamassassin only based setup to an
> amavis-new combo setup, which seems to be doing all the right things,
> apart from the fact that it's picking up 60% of the spam. The rest of
> the spam is blatantly being identified as spam, then being re-itemised
> and finally sent to mailbox as valid mail.

I'm not familiar with Amavis, but I can tell you, SpamAssassin will always
let mail through. SpamAssassin scans mail, that's it. It cannot reject or
move mail. So perhaps your procmail, or Amavis is to blame? If you don't
get an answer here, that may be a good starting point.


Re: SA catching mails, but then allowing them through anyway!

Posted by Mark Martinec <Ma...@ijs.si>.
Alistair Ross writes:

> I recently switched from a spamassassin only based setup to an
> amavis-new combo setup, which seems to be doing all the right things,
> apart from the fact that it's picking up 60% of the spam. The rest of
> the spam is blatantly being identified as spam, then being re-itemised
> and finally sent to mailbox as valid mail.

> Jan 25 00:09:05 xbolt amavis[14198]: (14198-04) SPAM,
> <HW...@yahoo.com> -> <XXXXXXXXXXXX>, Yes,
> hits=35.6 tag1=0.0 tag2=5.0 kill=5.0 tests=...

A spam message (above kill level) is passed if you have 
$final_spam_destiny=D_PASS or if recipient matches
spam_lovers lookup table(s).

> Jan 25 00:09:06 xbolt amavis[14198]: (14198-04) Passed,
> <HW...@yahoo.com> -> <XXXXXXXXXXXX>, quarantine
> spam-3c292f3cc6d105f92c4a12ea8e605039-20060125-000905-14198-04,

This looks like a fairly old version of amavisd-new.
Nevertheless, these basic concepts have not changed.

(followups to the amavis-user ML please)

  Mark
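
Added example (not part of the thread and not amavisd-new code): a small log check for the condition Mark describes, where a message scores at or above the kill level yet is logged as "Passed" because of $final_spam_destiny=D_PASS or a spam_lovers match. It assumes one syslog entry per line (unlike the wrapped lines quoted above) and the "SPAM," / "Passed," line shapes shown in this thread; the sample lines, host name and addresses are constructed.

```python
import re

# Constructed sample lines modelled on the log format quoted in this thread.
# Addresses and quarantine ids are placeholders, not values from a real system.
SAMPLE_LOG = """\
Jan 25 00:09:05 mx amavis[14198]: (14198-04) SPAM, <a@example.com> -> <u@example.org>, Yes, hits=35.6 tag1=0.0 tag2=5.0 kill=5.0 tests=BAYES_99, quarantine spam-PLACEHOLDER (spam-quarantine)
Jan 25 00:09:06 mx amavis[14198]: (14198-04) Passed, <a@example.com> -> <u@example.org>, quarantine spam-PLACEHOLDER, Hits: 35.65
Jan 25 00:10:11 mx amavis[14198]: (14198-05) Passed, <b@example.com> -> <u@example.org>, Hits: 0.3
Jan 25 00:11:40 mx amavis[14201]: (14201-01) SPAM, <c@example.com> -> <u@example.org>, Yes, hits=12.1 tag1=0.0 tag2=5.0 kill=5.0 tests=RAZOR2_CHECK
Jan 25 00:11:40 mx amavis[14201]: (14201-01) Blocked SPAM, <c@example.com> -> <u@example.org>, Hits: 12.1
"""

# "(14198-04)" is the per-message task id that ties the log entries together.
ENTRY = re.compile(r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<rest>.*)")
# The verdict line carries both the score and the kill threshold in force.
VERDICT = re.compile(r"^SPAM, .*?hits=(?P<hits>-?[\d.]+) .*?kill=(?P<kill>-?[\d.]+)")


def spam_passed(log_text):
    """Return [(task_id, hits, kill)] for mail at/above kill level that was still passed."""
    scored = {}   # task id -> (hits, kill) taken from the "SPAM," verdict line
    leaked = []
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # postfix lines and anything else are ignored
        task, rest = entry.group("task"), entry.group("rest")
        verdict = VERDICT.match(rest)
        if verdict:
            scored[task] = (float(verdict.group("hits")), float(verdict.group("kill")))
        elif rest.startswith("Passed,") and task in scored:
            hits, kill = scored.pop(task)
            if hits >= kill:
                leaked.append((task, hits, kill))
    return leaked


if __name__ == "__main__":
    for task, hits, kill in spam_passed(SAMPLE_LOG):
        print(f"task {task}: hits={hits} >= kill={kill} but message was Passed; "
              "check $final_spam_destiny and the spam_lovers lookups")
```

Any task this reports was delivered by policy rather than missed by the scanner, which points at the amavisd-new settings named above and not at SpamAssassin scoring.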