Posted to users@spamassassin.apache.org by killerhorse <in...@lauf-forum.at> on 2017/02/08 09:39:11 UTC
Problem with Horde IMP ans Spamassassin
Hello,
I've been using SpamAssassin (through amavis) for some years and never had any
problem, but for a while now SpamAssassin has been marking mails that are sent
through Horde Webmail (IMP) to another mail address on my server as spam.
It seems to score the wrong IP address. Here is the header of one of the mails:
Return-Path: <te...@lauf-forum.at>
Delivered-To: test@schachenhofer.net
Received: from localhost (localhost [127.0.0.1])
    by mail.lauf-forum.at (Postfix) with ESMTP id E00919400D7
    for <te...@schachenhofer.net>; Sun, 21 Aug 2016 16:29:49 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail.lauf-forum.at
X-Spam-Flag: NO
X-Spam-Score: -2.789
X-Spam-Level:
X-Spam-Status: No, score=-2.789 tagged_above=-999 required=5.5
    tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, DKIM_SIGNED=0.1,
    TVD_SPACE_RATIO=0.001, T_DKIM_INVALID=0.01]
    autolearn=no autolearn_force=no
Received: from mail.lauf-forum.at ([127.0.0.1])
    by localhost (lauf-forum.at [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 3L6FuLTaI-ba for <te...@schachenhofer.net>;
    Sun, 21 Aug 2016 16:29:45 +0200 (CEST)
Received: by mail.lauf-forum.at (Postfix, from userid 1010)
    id 8D13B9400D8; Sun, 21 Aug 2016 16:29:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lauf-forum.at;
    s=default; t=1471789785;
    bh=iG6FMeJrSyixYeDFuT+cK1li4u6Oq6mvaPpTd3pWtbA=;
    h=Date:From:To:Subject:From;
    b=ssgY0npEPvTYTi3l3O4xBLQ27ypvwv9pSzBdDjo4miBkNMLZd2Cf7Wf3oHHDan0gu
     5Rk/krW05cvBtft5qLjxJantl68AXgL6aGS1vPnPeLk7ZsCPExeGzvK6CqYpcXof8V
     x4Lh8Ots0rQJgkQzr35sHQ10DWxqcHVz+5+fIwRg=
Received: from 212.186.35.163 ([212.186.35.163]) by webmail.lauf-forum.at
    (Horde Framework) with HTTP; Sun, 21 Aug 2016 14:29:45 +0000
Date: Sun, 21 Aug 2016 14:29:45 +0000
Message-ID:
    <20...@webmail.lauf-forum.at>
If I run spamc manually on this message, the detailed report looks like
this:
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
 0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
                            Generic rPTR
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [212.186.35.163 listed in zen.spamhaus.org]
 0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [212.186.35.163 listed in dnsbl.sorbs.net]
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [212.186.35.163 listed in bb.barracudacentral.org]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 3.9 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 0.0 TVD_SPACE_RATIO        No description available.
 2.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
It's correct that 212.186.35.163 is a dynamic IP, but why is SA analyzing
this IP? It's the PC from which I connected to Horde webmail, so it
was authenticated.
I also don't understand why I didn't have the problem till some months ago.
I can't remember that I changed anything on the Mailserver configuration.
Does anyone have an idea what's going wrong?
best regards,
Christian
--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Problem-with-Horde-IMP-ans-Spamassassin-tp123915.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Problem with Horde IMP ans Spamassassin
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 08.02.17 03:08, killerhorse wrote:
>Sorry I posted the wrong email header.
>Here that one I wanted to post:
I think you can configure horde to send mail using SMTP authentication and
the same credentials as for IMAP login.
Clearly the sending IP appears in multiple blacklists and also has dynamic
rdns, which increases the score horribly. Using SMTP authentication should avoid
checking most of those.
>Received: from localhost (localhost [127.0.0.1])
> by mail.lauf-forum.at (Postfix) with ESMTP id A11CD940017
> for <te...@schachenhofer.net>; Tue, 7 Feb 2017 22:57:11 +0100 (CET)
>X-Spam-Flag: YES
>X-Spam-Score: 11.884
>X-Spam-Level: ***********
>X-Spam-Status: Yes, score=11.884 tagged_above=-999 required=5.5
> tests=[BAYES_00=-1.9, CK_HELO_DYNAMIC_SPLIT_IP=1.498,
> CK_HELO_GENERIC=0.249, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1, HELO_DYNAMIC_HCC=2.762,
> HELO_DYNAMIC_IPADDR2=3.607, RCVD_IN_BRBL_LASTEXT=1.449,
> RCVD_IN_PBL=3.335, RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982,
> TVD_SPACE_RATIO=0.001] autolearn=no autolearn_force=no
>Received: from mail.lauf-forum.at ([127.0.0.1])
> by localhost (lauf-forum.at [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id XEjw0voShCXE for <te...@schachenhofer.net>;
> Tue, 7 Feb 2017 22:57:07 +0100 (CET)
>Received: by mail.lauf-forum.at (Postfix, from userid 110)
> id 06E3F9400D4; Tue, 7 Feb 2017 22:57:07 +0100 (CET)
>DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lauf-forum.at;
> s=default; t=1486504627;
> bh=fVmRvVXx23ltn/Mv0jQkP1rns8hTN22qu2EjWlAd3cE=;
> h=Date:From:To:Subject:From;
> b=bq/DIuP/UBRPUykRvJNVyAGRZ5GKBDdtjSEESTF5lccngpI7G3jtjqk7NN5Dk7mzl
> l8DB0lBrB8K/JhzoZ1xlWAPWEYx/FQUSek3B5MKW9dHhtXR2JPYJ8xbSBMSfJ17WYw
> h75lMKH/wvYd4y9wunLBL2jTxxZVZlSxNCsSR4MM=
>Received: from 212-186-35-163.cable.dynamic.surfer.at
> (212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by
> webmail.lauf-forum.at (Horde Framework) with HTTPS; Tue, 07 Feb 2017
> 21:57:06 +0000
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
Re: Problem with Horde IMP ans Spamassassin
Posted by killerhorse <in...@lauf-forum.at>.
Sorry I posted the wrong email header.
Here is the one I wanted to post:
Return-Path: <te...@lauf-forum.at>
Delivered-To: test@schachenhofer.net
Received: from localhost (localhost [127.0.0.1])
    by mail.lauf-forum.at (Postfix) with ESMTP id A11CD940017
    for <te...@schachenhofer.net>; Tue, 7 Feb 2017 22:57:11 +0100 (CET)
X-Quarantine-ID: <XEjw0voShCXE>
X-Virus-Scanned: Debian amavisd-new at mail.lauf-forum.at
X-Spam-Flag: YES
X-Spam-Score: 11.884
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.884 tagged_above=-999 required=5.5
    tests=[BAYES_00=-1.9, CK_HELO_DYNAMIC_SPLIT_IP=1.498,
    CK_HELO_GENERIC=0.249, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, HELO_DYNAMIC_HCC=2.762,
    HELO_DYNAMIC_IPADDR2=3.607, RCVD_IN_BRBL_LASTEXT=1.449,
    RCVD_IN_PBL=3.335, RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982,
    TVD_SPACE_RATIO=0.001] autolearn=no autolearn_force=no
Received: from mail.lauf-forum.at ([127.0.0.1])
    by localhost (lauf-forum.at [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id XEjw0voShCXE for <te...@schachenhofer.net>;
    Tue, 7 Feb 2017 22:57:07 +0100 (CET)
Received: by mail.lauf-forum.at (Postfix, from userid 110)
    id 06E3F9400D4; Tue, 7 Feb 2017 22:57:07 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lauf-forum.at;
    s=default; t=1486504627;
    bh=fVmRvVXx23ltn/Mv0jQkP1rns8hTN22qu2EjWlAd3cE=;
    h=Date:From:To:Subject:From;
    b=bq/DIuP/UBRPUykRvJNVyAGRZ5GKBDdtjSEESTF5lccngpI7G3jtjqk7NN5Dk7mzl
     l8DB0lBrB8K/JhzoZ1xlWAPWEYx/FQUSek3B5MKW9dHhtXR2JPYJ8xbSBMSfJ17WYw
     h75lMKH/wvYd4y9wunLBL2jTxxZVZlSxNCsSR4MM=
Received: from 212-186-35-163.cable.dynamic.surfer.at
    (212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by
    webmail.lauf-forum.at (Horde Framework) with HTTPS; Tue, 07 Feb 2017
    21:57:06 +0000
Date: Tue, 07 Feb 2017 21:57:06 +0000
Message-ID:
    <20...@webmail.lauf-forum.at>
Re: Problem with Horde IMP ans Spamassassin
Posted by killerhorse <in...@lauf-forum.at>.
Thank you very much!
I found some information about this problem. But I thought, this is a
different problem because I thought that I have "HTTP" in both mails.
This is wrong. I actually have HTTP in one mail and HTTPS in the other
one. I completely overlooked this.
I solved the problem by changing the Horde config.
Till now I used:
$conf['mailer']['params']['sendmail_path'] = '/usr/lib/sendmail';
$conf['mailer']['params']['sendmail_args'] = '-oi';
and now:
$conf['mailer']['params']['host'] = 'localhost';
$conf['mailer']['params']['port'] = 465;
$conf['mailer']['params']['secure'] = 'ssl';
$conf['mailer']['params']['username_auth'] = true;
$conf['mailer']['params']['password_auth'] = true;
$conf['mailer']['params']['auth'] = true;
$conf['mailer']['params']['lmtp'] = false;
$conf['mailer']['type'] = 'smtp';
This doesn't fix the Spamassassin problem, but it works now:
Return-Path: <te...@lauf-forum.at>
Delivered-To: test@schachenhofer.net
Received: from localhost (localhost [127.0.0.1])
    by mail.lauf-forum.at (Postfix) with ESMTP id F2DFD9400D4
    for <te...@schachenhofer.net>; Wed, 8 Feb 2017 12:58:15 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail.lauf-forum.at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5.5
    tests=[BAYES_00=-1.9, FSL_HELO_NON_FQDN_1=0.001,
    RP_MATCHES_RCVD=-0.001, TVD_SPACE_RATIO=0.001]
    autolearn=ham autolearn_force=no
Received: from mail.lauf-forum.at ([127.0.0.1])
    by localhost (lauf-forum.at [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id hfanGmHu19De for <te...@schachenhofer.net>;
    Wed, 8 Feb 2017 12:58:11 +0100 (CET)
Received: from krasses-pferd6 (mail.lauf-forum.at [IPv6:2a01:4f8:190:1261::2])
    by mail.lauf-forum.at (Postfix) with SMTP id A30749400D2
    for <te...@schachenhofer.net>; Wed, 8 Feb 2017 12:58:09 +0100 (CET)
Received: from 212-186-35-163.cable.dynamic.surfer.at
    (212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by
    webmail.lauf-forum.at (Horde Framework) with HTTPS; Wed, 08 Feb 2017
    11:58:09 +0000
Date: Wed, 08 Feb 2017 11:58:09 +0000
Message-ID:
    <20...@webmail.lauf-forum.at>
From: test@lauf-forum.at
To: test@schachenhofer.net
Subject: Test1234567890
User-Agent: Horde Application Framework 5
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
MIME-Version: 1.0
Content-Disposition: inline
Thank you again for your quick help.
best regards
Christian
Quoting "Edda [via SpamAssassin]"
<ml...@n5.nabble.com>:
> On 08.02.17 at 12:01, info@lauf-forum.at wrote:
>
> [...]
>>
>> What is the difference between the two mail headers? I don't see one.
>> The only difference I can see is that the nonspam mail has only the
>> IP of the sender in the header and the spam mail has also the reverse
>> DNS entry of the IP in the header.
> The key difference is the transfer method: HTTP vs. HTTPS
>
> I tested it with spamassassin 3.4.0. With your original header,
> spamassassin parses the webmail client ip as untrusted:
>
> Feb 8 12:32:46.189 [2306] dbg: received-header: parsed as [
> ip=212.186.35.163 rdns=212-186-35-163.cable.dynamic.surfer.at
> helo=212-186-35-163.cable.dynamic.surfer.at by=webmail.lauf-forum.at
> ident= envfrom= intl=0 id= auth= msa=0 ]
> Feb 8 12:32:46.189 [2306] dbg: received-header: do not trust any hosts
> from here on
> Feb 8 12:32:46.189 [2306] dbg: received-header: relay 212.186.35.163
> trusted? no internal? no msa? no
>
> If I change only HTTPS to HTTP in the first received header, thus:
>
> Received: from 212-186-35-163.cable.dynamic.surfer.at
> (212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by
> webmail.lauf-forum.at (Horde Framework) with HTTP; Tue, 07 Feb 2017
> 21:57:06 +0000
>
> spamassassin gets it (see the auth=HTTP):
>
> Feb 8 12:56:16.627 [2735] dbg: received-header: parsed as [
> ip=212.186.35.163 rdns=212-186-35-163.cable.dynamic.surfer.at
> helo=212-186-35-163.cable.dynamic.surfer.at by=webmail.lauf-forum.at
> ident= envfrom= intl=0 id= auth=HTTP msa=0 ]
> Feb 8 12:56:16.627 [2735] dbg: received-header: authentication method HTTP
> Feb 8 12:56:16.627 [2735] dbg: received-header: relay 212.186.35.163
> trusted? yes internal? yes msa? no
>
> With the correct parsing spamassassin identifies the relay correctly as
> trusted (ALL_TRUSTED fires for this mail) and therefore doesn't use
> 212.186.35.163 for IP checks.
>
> It's a parsing error in spamassassin. I don't know whether it's fixed in
> 3.4.1.
>
>
> Best regards,
> Edda
Re: Problem with Horde IMP ans Spamassassin
Posted by Edda <le...@sendmaid.org>.
On 08.02.17 at 12:01, info@lauf-forum.at wrote:
[...]
>
> What is the difference between the two mail headers? I don't see one.
> The only difference I can see is that the nonspam mail has only the
> IP of the sender in the header and the spam mail has also the reverse
> DNS entry of the IP in the header.
The key difference is the transfer method: HTTP vs. HTTPS
I tested it with spamassassin 3.4.0. With your original header,
spamassassin parses the webmail client ip as untrusted:
Feb 8 12:32:46.189 [2306] dbg: received-header: parsed as [
ip=212.186.35.163 rdns=212-186-35-163.cable.dynamic.surfer.at
helo=212-186-35-163.cable.dynamic.surfer.at by=webmail.lauf-forum.at
ident= envfrom= intl=0 id= auth= msa=0 ]
Feb 8 12:32:46.189 [2306] dbg: received-header: do not trust any hosts
from here on
Feb 8 12:32:46.189 [2306] dbg: received-header: relay 212.186.35.163
trusted? no internal? no msa? no
If I change only HTTPS to HTTP in the first received header, thus:
Received: from 212-186-35-163.cable.dynamic.surfer.at
(212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by
webmail.lauf-forum.at (Horde Framework) with HTTP; Tue, 07 Feb 2017
21:57:06 +0000
spamassassin gets it (see the auth=HTTP):
Feb 8 12:56:16.627 [2735] dbg: received-header: parsed as [
ip=212.186.35.163 rdns=212-186-35-163.cable.dynamic.surfer.at
helo=212-186-35-163.cable.dynamic.surfer.at by=webmail.lauf-forum.at
ident= envfrom= intl=0 id= auth=HTTP msa=0 ]
Feb 8 12:56:16.627 [2735] dbg: received-header: authentication method HTTP
Feb 8 12:56:16.627 [2735] dbg: received-header: relay 212.186.35.163
trusted? yes internal? yes msa? no
With the correct parsing spamassassin identifies the relay correctly as
trusted (ALL_TRUSTED fires for this mail) and therefore doesn't use
212.186.35.163 for IP checks.
It's a parsing error in spamassassin. I don't know whether it's fixed in
3.4.1.
Best regards,
Edda
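Added example (not part of the original thread and not SpamAssassin's own code): a simplified Python model of the trust-path walk shown in the debug output above, demonstrating how an unrecognised "with HTTPS" token leaves the webmail client's address as the first untrusted relay. The regular expressions, TRUSTED_NETS and the function names are assumptions made for this sketch; the sample headers are constructed from the ones quoted in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: Received headers from the thread, unfolded, "for <...>" dropped.
LOCAL_HOPS = [
    "from localhost (localhost [127.0.0.1]) by mail.lauf-forum.at (Postfix) "
    "with ESMTP id A11CD940017; Tue, 7 Feb 2017 22:57:11 +0100 (CET)",
    "from mail.lauf-forum.at ([127.0.0.1]) by localhost (lauf-forum.at "
    "[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XEjw0voShCXE; "
    "Tue, 7 Feb 2017 22:57:07 +0100 (CET)",
    "by mail.lauf-forum.at (Postfix, from userid 110) id 06E3F9400D4; "
    "Tue, 7 Feb 2017 22:57:07 +0100 (CET)",
]
HTTPS_HOP = ("from 212-186-35-163.cable.dynamic.surfer.at "
             "(212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by "
             "webmail.lauf-forum.at (Horde Framework) with HTTPS; "
             "Tue, 07 Feb 2017 21:57:06 +0000")
HTTP_HOP = HTTPS_HOP.replace("with HTTPS;", "with HTTP;")

TRUSTED_NETS = [ip_network("127.0.0.0/8")]  # assumption: only loopback is trusted

# Assumed patterns, not SpamAssassin's own: STRICT models the 3.4.0 behaviour
# reported above (only "with HTTP;" yields auth), TOLERANT also takes HTTPS.
STRICT = re.compile(r"\(Horde Framework\) with (HTTP);")
TOLERANT = re.compile(r"\(Horde Framework\) with (HTTPS?);")
PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def parse_hop(header, auth_re):
    """Return the peer IP (None for local pickup) and auth token of one hop."""
    peer = header.split(" by ", 1)[0] if header.startswith("from ") else ""
    ip = PEER_IP.search(peer)
    auth = auth_re.search(header)
    return {"ip": ip.group(1) if ip else None,
            "auth": auth.group(1) if auth else ""}

def first_untrusted(received, auth_re):
    """Walk hops newest to oldest; return the first relay IP that is neither
    in a trusted network nor authenticated to the trusted hop above it."""
    for header in received:
        hop = parse_hop(header, auth_re)
        if hop["ip"] is None:
            continue  # "Received: by ..." carries no peer address
        in_net = any(ip_address(hop["ip"]) in net for net in TRUSTED_NETS)
        if not (in_net or hop["auth"]):
            return hop["ip"]  # this address is what the DNSBL/HELO rules score
    return None

if __name__ == "__main__":
    for name, hop, rx in (("HTTPS/strict", HTTPS_HOP, STRICT),
                          ("HTTP/strict", HTTP_HOP, STRICT),
                          ("HTTPS/tolerant", HTTPS_HOP, TOLERANT)):
        print(name, "->", first_untrusted(LOCAL_HOPS + [hop], rx))
```
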
Re: Problem with Horde IMP ans Spamassassin
Posted by in...@lauf-forum.at.
Quoting Reindl Harald <h....@thelounge.net>:
> On 08.02.2017 at 11:16, info@lauf-forum.at wrote:
>> Quoting Reindl Harald <h....@thelounge.net>:
>>
>>>> I also don't understand why I didn't have the problem till some
>>>> months ago.
>>>> I can't remember that I changed anything on the Mailserver
>>>> configuration.
>>>>
>>>> Does anyone have an idea what's going wrong?
>
> https://wiki.apache.org/spamassassin/TrustPath
>
> ALL_TRUSTED is missing
Yes, but why?
If I rescan the "nonspam" mail it is still no spam:
Content analysis details: (-1.1 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 0.0 TVD_SPACE_RATIO        No description available.
What is the difference between the two mail headers? I don't see one.
The only difference I can see is that the nonspam mail has only the
IP of the sender in the header and the spam mail has also the reverse
DNS entry of the IP in the header.
Re: Problem with Horde IMP ans Spamassassin
Posted by in...@lauf-forum.at.
Quoting Reindl Harald <h....@thelounge.net>:
>
>> I also don't understand why I didn't have the problem till some months ago.
>> I can't remember that I changed anything on the Mailserver configuration.
>>
>> Does anyone have an idea what's going wrong?
>
> that messages within the server itself are piped through the
> spamfilter at all
I did this always and it never was a problem (see the "wrong" mail
header of my first post).
The header of the mail which was tagged as spam is this one:
Return-Path: <in...@lauf-forum.at>
Delivered-To: christian@schachenhofer.net
Received: from localhost (localhost [127.0.0.1])
    by mail.lauf-forum.at (Postfix) with ESMTP id A11CD940017
    for <ch...@schachenhofer.net>; Tue, 7 Feb 2017 22:57:11 +0100 (CET)
X-Quarantine-ID: <XEjw0voShCXE>
X-Virus-Scanned: Debian amavisd-new at mail.lauf-forum.at
X-Spam-Flag: YES
X-Spam-Score: 11.884
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.884 tagged_above=-999 required=5.5
    tests=[BAYES_00=-1.9, CK_HELO_DYNAMIC_SPLIT_IP=1.498,
    CK_HELO_GENERIC=0.249, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, HELO_DYNAMIC_HCC=2.762,
    HELO_DYNAMIC_IPADDR2=3.607, RCVD_IN_BRBL_LASTEXT=1.449,
    RCVD_IN_PBL=3.335, RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982,
    TVD_SPACE_RATIO=0.001] autolearn=no autolearn_force=no
Received: from mail.lauf-forum.at ([127.0.0.1])
    by localhost (lauf-forum.at [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id XEjw0voShCXE for <ch...@schachenhofer.net>;
    Tue, 7 Feb 2017 22:57:07 +0100 (CET)
Received: by mail.lauf-forum.at (Postfix, from userid 110)
    id 06E3F9400D4; Tue, 7 Feb 2017 22:57:07 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lauf-forum.at;
    s=default; t=1486504627;
    bh=fVmRvVXx23ltn/Mv0jQkP1rns8hTN22qu2EjWlAd3cE=;
    h=Date:From:To:Subject:From;
    b=bq/DIuP/UBRPUykRvJNVyAGRZ5GKBDdtjSEESTF5lccngpI7G3jtjqk7NN5Dk7mzl
     l8DB0lBrB8K/JhzoZ1xlWAPWEYx/FQUSek3B5MKW9dHhtXR2JPYJ8xbSBMSfJ17WYw
     h75lMKH/wvYd4y9wunLBL2jTxxZVZlSxNCsSR4MM=
Received: from 212-186-35-163.cable.dynamic.surfer.at
    (212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by
    webmail.lauf-forum.at (Horde Framework) with HTTPS; Tue, 07 Feb 2017
    21:57:06 +0000
Date: Tue, 07 Feb 2017 21:57:06 +0000
Message-ID:
    <20...@webmail.lauf-forum.at>