Posted to users@spamassassin.apache.org by Chad <ch...@mercuryemail.net> on 2022/02/07 18:43:31 UTC

Emails from gmail.com bypassing Spamassassin scoring


RE: Emails from gmail.com bypassing Spamassassin scoring

Posted by Marc <Ma...@f1-outsourcing.eu>.
> 
> All of the other emails that were sent before and after this particular
> email have the X-Spam-Status and X-spam-Report scoring,
> 
> So Spamassassin was running correctly.
> 

So something went wrong with this one. It should have headers, maybe some communication problem. I have configured the MTA to process the messages anyway if spamd is not available. You can also configure it to bounce the message with a 'Temporary unable to process'.


Re: Emails from gmail.com bypassing Spamassassin scoring

Posted by Chad <ch...@mercuryemail.net>.
Thank you for responding.
You were correct, it was the size limit that bypassed the scanning.

I created a spamc.conf in the SpamAssassin folder with the "-s" option and increased the scanning size to avoid bypassing on smaller attachments.




On Feb 7, 2022, at 5:24 PM, David B Funk <db...@engineering.uiowa.edu> wrote:

How big was the message? (attached images can be pretty big).

Depending on the "glue" you use to connect your mail MTA to SA, it may have some kind of size restriction.

For example, the 'spamc' client has a 'max-size' parameter (which defaults to 500KB). Any message larger than that size will not be passed to SA (i.e. it will skip scanning).

Does your MTA log the SA processing? Can you see any logged errors associated with that particular message?

On Mon, 7 Feb 2022, Chad wrote:

> All of the other emails that were sent before and after this particular email have the X-Spam-Status and X-spam-Report scoring,
> 
> So Spamassassin was running correctly.
> 
> 
> 
> -----Original Message-----
> From: Marc <Ma...@f1-outsourcing.eu>
> Date: Monday, February 7, 2022 at 1:49 PM
> To: Chad <ch...@mercuryemail.net>, "users@spamassassin.apache.org" <us...@spamassassin.apache.org>
> Subject: RE: Emails from gmail.com bypassing Spamassassin scoring
> 
>> I have been getting numerous emails lately from various gmail.com
>> accounts.      They are spam or phishing emails and today I got one that
>> had a subject of RECEIPT 5454 and only a JPG image of an invoice.
>> There was no content in the email.
>> 
>> 
>> 
>> It bypassed Spamassassin scoring.      Do you know why or what setting I
>> need to set so EVERY email goes through Spamassassin scoring procedures?
>> 
>> 
> 
> I do not see X-Spam headers[1], so your spamassassin was not working?
> 
> 
> [1]
> X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
>    TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
>    version=3.4.6
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
>    4422b522-8a2b-4864-9498-4f2d06aca485
> 

-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Emails from gmail.com bypassing Spamassassin scoring

Posted by David B Funk <db...@engineering.uiowa.edu>.
How big was the message? (attached images can be pretty big).

Depending on the "glue" you use to connect your mail MTA to SA, it may have some 
kind of size restriction.

For example, the 'spamc' client has a 'max-size' parameter (which defaults to
500KB). Any message larger than that size will not be passed to SA (i.e. it will
skip scanning).

Does your MTA log the SA processing? Can you see any logged errors associated 
with that particular message?

On Mon, 7 Feb 2022, Chad wrote:

> All of the other emails that were sent before and after this particular email have the X-Spam-Status and X-spam-Report scoring,
>
> So Spamassassin was running correctly.
>
>
>
> -----Original Message-----
> From: Marc <Ma...@f1-outsourcing.eu>
> Date: Monday, February 7, 2022 at 1:49 PM
> To: Chad <ch...@mercuryemail.net>, "users@spamassassin.apache.org" <us...@spamassassin.apache.org>
> Subject: RE: Emails from gmail.com bypassing Spamassassin scoring
>
>> I have been getting numerous emails lately from various gmail.com
>> accounts.      They are spam or phishing emails and today I got one that
>> had a subject of RECEIPT 5454 and only a JPG image of an invoice.
>> There was no content in the email.
>>
>>
>>
>> It bypassed Spamassassin scoring.      Do you know why or what setting I
>> need to set so EVERY email goes through Spamassassin scoring procedures?
>>
>>
>
> I do not see X-Spam headers[1], so your spamassassin was not working?
>
>
> [1]
> X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
> 	TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
> 	version=3.4.6
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
> 	4422b522-8a2b-4864-9498-4f2d06aca485
>

-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
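
An added example, not written by any poster in this thread: a small audit that separates the two causes discussed above for a message arriving without scores, the spamc size limit and an MTA that delivers anyway when spamd cannot be reached. The host name, the sample messages and the reading of 500KB as 500 * 1024 bytes are assumptions made for the illustration.

```python
from email import policy
from email.parser import BytesParser

# Assumption: the 500KB spamc default quoted in the thread, taken as 500 * 1024 bytes.
SPAMC_DEFAULT_MAX_SIZE = 500 * 1024


def classify(raw, our_host, max_size=SPAMC_DEFAULT_MAX_SIZE):
    """Return 'scanned', 'unscanned-oversize' or 'unscanned-other' for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    # Only trust X-Spam-Checker-Version headers that name our own scanner host:
    # a message that skipped scanning keeps whatever X-Spam-* headers the sender added.
    for value in msg.get_all("X-Spam-Checker-Version", []):
        words = str(value).split()
        if "on" in words and words[-1].lower() == our_host.lower():
            return "scanned"
    # len(raw) is the delivered size; it approximates what spamc was handed.
    if len(raw) > max_size:
        return "unscanned-oversize"   # consistent with the spamc size limit
    return "unscanned-other"          # e.g. spamd unreachable and the MTA failed open


def audit(messages, our_host, max_size=SPAMC_DEFAULT_MAX_SIZE):
    """Map each verdict to the subjects of the messages that received it."""
    report = {"scanned": [], "unscanned-oversize": [], "unscanned-other": []}
    parser = BytesParser(policy=policy.default)
    for raw in messages:
        subject = parser.parsebytes(raw, headersonly=True)["Subject"]
        report[classify(raw, our_host, max_size)].append(str(subject))
    return report


# Constructed sample messages (not taken from the thread).
HOST = "mx.example.test"
SCANNED = (b"X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on\r\n"
           b"\tmx.example.test\r\n"
           b"X-Spam-Status: No, score=-0.4 required=3.0\r\n"
           b"Subject: scored\r\n\r\nhello\r\n")
BIG = b"Subject: big image\r\n\r\n" + b"A" * (600 * 1024)
SMALL = b"Subject: small unscored\r\n\r\nhello\r\n"
FORGED = (b"X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on\r\n"
          b"\tsender.example.test\r\n"
          b"X-Spam-Status: No, score=-5.0 required=3.0\r\n"
          b"Subject: forged headers\r\n\r\nhello\r\n")

if __name__ == "__main__":
    for verdict, subjects in audit([SCANNED, BIG, SMALL, FORGED], HOST).items():
        print(verdict, subjects)
```

Pass the same byte limit that spamc is configured with as `max_size`, so the oversize verdict tracks the real threshold after it has been raised.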

Re: Emails from gmail.com bypassing Spamassassin scoring

Posted by Chad <ch...@mercuryemail.net>.

RE: Emails from gmail.com bypassing Spamassassin scoring

Posted by Marc <Ma...@f1-outsourcing.eu>.
> I have been getting numerous emails lately from various gmail.com
> accounts.      They are spam or phishing emails and today I got one that
> had a subject of RECEIPT 5454 and only a JPG image of an invoice.
> There was no content in the email.
> 
> 
> 
> It bypassed Spamassassin scoring.      Do you know why or what setting I
> need to set so EVERY email goes through Spamassassin scoring procedures?
> 
> 

I do not see X-Spam headers[1], so your spamassassin was not working?


[1]
X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
	TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	4422b522-8a2b-4864-9498-4f2d06aca485

Re: Emails from gmail.com bypassing Spamassassin scoring

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2022-02-07 at 13:43:31 UTC-0500 (Mon, 07 Feb 2022 13:43:31 -0500)
Chad <ch...@mercuryemail.net>
is rumored to have said:

> I have been getting numerous emails lately from various gmail.com accounts.      They are spam or phishing emails and today I got one that had a subject of RECEIPT 5454 and only a JPG image of an invoice.     There was no content in the email.
>
>
>
> It bypassed Spamassassin scoring.      Do you know why or what setting I need to set so EVERY email goes through Spamassassin scoring procedures?
>
>
>
> My email server is:    mercury2022.mercuryemail.net
[...]
> Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172])
>
>                 by mercury2022.mercuryemail.net (Postfix) with ESMTPS id A5F7E8043D4A
>
>                 for <ch...@mercuryemail.net>; Mon,  7 Feb 2022 10:44:18 -0500 (EST)

OK, so we know that your mail server is running Postfix but not how you've integrated SpamAssassin. There are many possibilities, with 2 independent attributes:


1. Interface to Postfix:
  a. content_filter setting to pipe mail to a bespoke script (maybe distro-provided)
  b. milter (amavis, spamass-milter, mimedefang, etc.)
  c. SMTP Proxy (usually amavis)
  d. FILTER action in an access map to a bespoke script.
  e. NONE: Integrated with a downstream delivery agent (e.g. Dovecot LMTP) or MUA.

2. Interface to SA:
  a. Load Mail::SpamAssassin Perl modules and use them directly
  b. Use a spamc binary built from the SA distribution to contact a local spamd instance
  c. Use a spamc binary built from the SA distribution to contact a remote spamd instance
  d. Use a custom implementation of the spamc protocol to contact a local spamd instance
  e. Use a custom implementation of the spamc protocol to contact a remote spamd instance
  f. Run the spamassassin script and handle its output.

So, yeah: 30 possible combinations. It is hard to say what is broken without knowing how you have SA working when it works. This sort of problem is never technically in SpamAssassin itself, as SpamAssassin itself doesn't include any software that could act as a gatekeeper.


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire