Posted to users@spamassassin.apache.org by Scott <te...@msxc.com> on 2017/08/06 17:37:36 UTC

Logwatch from local machine being flagged as spam

Centos7
Postfix 3.2.2
Amavisd 2.11.0
spamassassin-3.4.0

I have a logwatch output that gets mailed to me daily.  Spamassassin is
scoring it high enough to exceed my threshold for whacking it as spam.

While this is not good, I'm concerned I have something fundamentally
misconfigured where it would flag anything internal at all.  Bayes is not
being used yet (tokens <200).  What is the proper way to allow messages from
the server itself to not get flagged by SA?

I have the server's IP address (y.y.y.y) in my lists of trusted and internal
as so:
trusted_networks xx.xx.xx.xx
trusted_networks y.y.y.y
trusted_networks z.z.z.z

internal_networks xx.xx.xx.xx
internal_networks y.y.y.y
internal_networks z.z.z.z

I don't see that that made any difference.  Shouldn't it have?

Header of intercepted message:

From MAILER-DAEMON  Sun Aug  6 04:02:19 2017
Return-Path: <>
X-Original-To: spam@myserver.com
Delivered-To: spam@myserver.com
X-Envelope-From: <ro...@mail2.myserver.com>
X-Envelope-To: <ro...@mail2.myserver.com>
X-Envelope-To-Blocked: <ro...@mail2.myserver.com>
X-Quarantine-ID: <oadqecN-93HM>
X-Spam-Flag: YES
X-Spam-Score: 7.332
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.332 tag=-9999 tag2=5 kill=6.4
        tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
        URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
        URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
To: root@mail2.myserver.com
From: logwatch@mail2.myserver.com
Subject: Logwatch for mail2.myserver.com (Linux)
Auto-Submitted: auto-generated
Precedence: bulk
Content-Type: text/plain; charset="iso-8859-1"
Date: Sun,  6 Aug 2017 04:02:03 -0500 (CDT)


Re: Logwatch from local machine being flagged as spam

Posted by RW <rw...@googlemail.com>.
On Sun, 6 Aug 2017 10:37:36 -0700 (MST)
Scott wrote:

> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0
> 
> I have a logwatch output that gets mailed to me daily.  Spamassassin
> is scoring it high enough to exceed my threshold for whacking it as
> spam.
> 
> While this is not good, I'm concerned I have something fundamentally
> misconfigured where it would flag anything internal at all.  Bayes is
> not being used yet (tokens <200).  What is the proper way to allow
> messages from the server itself to not get flagged by SA?
> 
> I have the server's IP address (y.y.y.y) in my lists of trusted and
> internal as so:
> trusted_networks xx.xx.xx.xx
> trusted_networks y.y.y.y
> trusted_networks z.z.z.z
> 
> internal_networks xx.xx.xx.xx
> internal_networks y.y.y.y
> internal_networks z.z.z.z
> 
> I don't see that that made any difference.  Shouldn't it have?
> 
> Header of intercepted message:
> 
> From MAILER-DAEMON  Sun Aug  6 04:02:19 2017
> Return-Path: <>
> X-Original-To: spam@myserver.com
> Delivered-To: spam@myserver.com
> X-Envelope-From: <ro...@mail2.myserver.com>
> X-Envelope-To: <ro...@mail2.myserver.com>
> X-Envelope-To-Blocked: <ro...@mail2.myserver.com>
> X-Quarantine-ID: <oadqecN-93HM>
> X-Spam-Flag: YES
> X-Spam-Score: 7.332
> X-Spam-Level: *******
> X-Spam-Status: Yes, score=7.332 tag=-9999 tag2=5 kill=6.4
>         tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
>         URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
>         URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no


What's happening here is that SA is picking up spammer domains in
the text.  SA is seeing no Received headers so whitelist_from_rcvd
isn't going to work and your internal/trusted networks are irrelevant.

What you could do is meta NO_RELAYS with a rule that's a suitable
identifier for this kind of mail. Check that you aren't seeing
NO_RELAYS in any spam.
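As an added example (not part of RW's reply), here is what that meta rule could look like as a SpamAssassin local.cf fragment. It ANDs the stock NO_RELAYS rule with three sub-rules matched against the identifying headers visible in the quoted message (Subject, From, Auto-Submitted). The hostname, the rule names and the score are assumptions to adjust for your own server:

```conf
# Added example, not from the original post.  SpamAssassin rules for
# /etc/mail/spamassassin/local.cf (the path amavisd's embedded SA reads
# on CentOS).  Hostname and score are assumptions; adjust to your server.

# Sub-rules: a leading "__" means they carry no score of their own and
# only exist to be combined in the meta rule below.
header   __LOCAL_LOGWATCH_SUBJ   Subject =~ /^Logwatch for \S+ \(Linux\)$/
header   __LOCAL_LOGWATCH_FROM   From:addr =~ /^logwatch\@mail2\.myserver\.com$/i
header   __LOCAL_AUTOSUBMITTED   Auto-Submitted =~ /^auto-generated/i

# NO_RELAYS is a stock rule (it already appears in the quoted
# X-Spam-Status line) that fires when SA sees no Received headers.
# Requiring it keeps a spam that merely copies the Subject line, but
# arrived over SMTP with a real Received trail, from matching.
meta     LOCAL_LOGWATCH   NO_RELAYS && __LOCAL_LOGWATCH_SUBJ && __LOCAL_LOGWATCH_FROM && __LOCAL_AUTOSUBMITTED
describe LOCAL_LOGWATCH   Locally generated logwatch report (no Received headers)

# -10 offsets the roughly 7.3 points of URIBL_* hits in the quoted report.
# Per the advice above, confirm first that NO_RELAYS never hits in your
# spam corpus, since this rule trusts it as the "local origin" signal.
score    LOCAL_LOGWATCH   -10.0
```

Run `spamassassin --lint` after editing, then feed a saved copy of a quarantined report through `spamassassin -t < logwatch.eml` and confirm LOCAL_LOGWATCH appears in the test list. Because amavisd loads the SpamAssassin configuration when it starts, reload or restart amavisd before expecting the rule to apply to live mail.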

Re: Logwatch from local machine being flagged as spam

Posted by Alex <my...@gmail.com>.
Hi,

> I have the server's IP address (y.y.y.y) in my lists of trusted and internal
> as so:
> trusted_networks xx.xx.xx.xx
> trusted_networks y.y.y.y
> trusted_networks z.z.z.z
>
> internal_networks xx.xx.xx.xx
> internal_networks y.y.y.y
> internal_networks z.z.z.z
>
> I don't see that that made any difference.  Shouldn't it have?

No, I don't believe that is its purpose. trusted/internal networks is
intended to define the demarc between you and the outside world to,
for example, know at which point the headers are trustworthy, not to
automatically stop scanning.

Since you're using amavisd, add something like this to your config:

$policy_bank{'TRUSTED'} = {
  originating => 1,
  bypass_virus_checks_maps  => [1],
  bypass_spam_checks_maps   => [1],
  bypass_banned_checks_maps => [1],
  bypass_header_checks_maps => [1],
};

Then add the IPs you wish to bypass scanning to your client_ipaddr_policy:

@client_ipaddr_policy = (
  [qw( 1.2.3.4/32 )] => 'TRUSTED',
  [qw( 5.6.7.8/32 )] => 'TRUSTED',
  [qw( 4.3.2.0/24 )] => 'TRUSTED',
);

Restart/reload amavisd or just wait for it to do that itself
periodically. Look up amavisd policy banks for more info.

Re: Logwatch from local machine being flagged as spam

Posted by David Jones <dj...@ena.com>.
On 08/06/2017 05:10 PM, msxc wrote:
>>> I have a logwatch output that gets mailed to me daily.  Spamassassin is
>>> scoring it high enough to exceed my threshold for whacking it as spam.
>> Please subscribe to the list for future posts.
>>
>> However, I would argue that this is expected behavior because your
>> logwatch notice almost certainly contains lots of information about spam
>> emails. You'll want to look at whitelisting/exempting it from scanning.
> 
> KAM, thanks.
> 
> Re subscribe, I am, I may have my sending address crossed up as I migrate to a new server.  I'll try to get that straightened out.  Sorry about that.
> 
> I understand/agree with your point.  If it smells like spam, tag it if asked to analyze it.  Perhaps I incorrectly assumed it shouldn't be smelling for trusted networks. :)
> 
> Anyway, I found a potential cause, or at least a misconfiguration.  I've got Amavisd calling SA and I missed a primary IP in its mynetworks setting.  If that doesn't clear it I'll see about whitelisting.
> 

As Alex already mentioned, the mynetworks setting isn't about 
whitelisting. That only controls the ALL_TRUSTED rule hit and some other 
RBL checks based on last_external.  Basically it provides a little trust 
based on IP reputation and has nothing to do with content-based rules 
that are most likely the problem with logwatch emails.

I would and have setup a whitelist_from_rcvd entry something like:

whitelist_from_rcvd root@* [ip.ad.dr.ess]

or

whitelist_from_rcvd root@* mycompany.com

Note the second one is going to be useful if you have set up 
correct FCrDNS, which is not common on internal RFC 1918 network space, so 
I would recommend the IP address version.

-- 
David Jones

RE: Logwatch from local machine being flagged as spam

Posted by msxc <we...@msxc.com>.
>> I have a logwatch output that gets mailed to me daily.  Spamassassin is
>> scoring it high enough to exceed my threshold for whacking it as spam.
>Please subscribe to the list for future posts.
>
>However, I would argue that this is expected behavior because your
>logwatch notice almost certainly contains lots of information about spam
>emails. You'll want to look at whitelisting/exempting it from scanning.

KAM, thanks.

Re subscribe, I am, I may have my sending address crossed up as I migrate to a new server.  I'll try to get that straightened out.  Sorry about that.

I understand/agree with your point.  If it smells like spam, tag it if asked to analyze it.  Perhaps I incorrectly assumed it shouldn't be smelling for trusted networks. :)

Anyway, I found a potential cause, or at least a misconfiguration.  I've got Amavisd calling SA and I missed a primary IP in its mynetworks setting.  If that doesn't clear it I'll see about whitelisting.

Thanks,
Scott




Re: Logwatch from local machine being flagged as spam

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 8/6/2017 1:37 PM, Scott wrote:
> I have a logwatch output that gets mailed to me daily.  Spamassassin is
> scoring it high enough to exceed my threshold for whacking it as spam.
Please subscribe to the list for future posts.

However, I would argue that this is expected behavior because your 
logwatch notice almost certainly contains lots of information about spam 
emails. You'll want to look at whitelisting/exempting it from scanning.

Regards,
KAM

Re: Logwatch from local machine being flagged as spam

Posted by Ian Zimmerman <it...@very.loosely.org>.
On 2017-08-06 10:37, Scott wrote:

> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0

> To: root@mail2.myserver.com
> From: logwatch@mail2.myserver.com

Since these are locally submitted messages (i.e. not SMTP), IMO the best
and cleanest way to deal with it is to tell the MTA not to pass them to
amavisd, if you can.  This is easy to do with Exim, for example - I'm
not sure about Postfix.  Then you don't have to care about the IP
addresses or domains.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.
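The Postfix side of this, as an added example that is not part of Ian Zimmerman's reply: when amavisd is wired in through a global content_filter in main.cf, the pickup service (which handles everything submitted locally through sendmail(1), i.e. cron, logwatch and root's mail) can be given an empty content_filter override in master.cf so that locally generated mail is never handed to amavisd at all. This assumes the common amavisd-new integration (main.cf sets `content_filter = smtp-amavis:[127.0.0.1]:10024` and amavisd reinjects on 127.0.0.1:10025); the pickup line itself should be copied from your own master.cf, with only the two indented `-o` lines added:

```conf
# Added example, not from the original post.  Postfix master.cf entry for
# the pickup service with a per-service override that disables the
# main.cf content_filter for locally submitted mail.  Keep the service
# type (unix or fifo) and the other fields exactly as in your existing
# pickup line; the two "-o" lines are the only change.  The second "-o"
# line also skips header_checks/body_checks on this path, matching the
# standard amavisd-new/Postfix integration notes.
pickup    unix  n       -       n       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
```

After `postfix reload`, `postconf -M` should show the pickup entry with both overrides; a `sendmail -t` test from the shell then goes straight to local delivery without the X-Spam-* headers amavisd would add. The trade-off a practitioner should weigh: this exempts every locally submitted message, not just logwatch, so mail sent by a compromised local process or by a web application invoking sendmail also bypasses spam and virus checks. If that is not acceptable on this host, the narrower SpamAssassin-rule or amavisd policy-bank approaches discussed earlier in the thread are the safer choice.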