Posted to users@spamassassin.apache.org by Robert Kudyba <rk...@fordham.edu> on 2016/07/24 00:14:23 UTC
Fwd: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
We have a user who has about a 50% missed rate on spam detection. I'm
wondering if his user prefs or something is preventing scanning of all
messages?
SpamAssassin version 3.4.1, running on Perl version 5.20.3, sendmail
Version 8.15.2
The contents of the user_prefs file:
# How many points before a mail is considered spam.
# required_score 5
# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from someone@somewhere.com
blacklist_from LocalDeals@amazon.com
blacklist_from *@lormaneducation.net
blacklist_from *ncnet2.org
blacklist_from *salesengineintl.com
blacklist_from *@shedsplansstart.com
blacklist_from *@multibriefs.com
blacklist_from pimsleur_approach@*
blacklist_from HSIAlert@*
# Add your own customised scores for some tests below. The default scores are
# read from the installed spamassassin rules files, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.apache.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines. They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.
#
# score HTML_COMMENT_8BITS 0
# score UPPERCASE_25_50 0
# score UPPERCASE_50_75 0
# score UPPERCASE_75_100 0
# score OBSCURED_EMAIL 0
# Speakers of any language that uses non-English, accented characters may wish
# to uncomment the following lines. They turn off rules that fire on
# misformatted messages generated by common mail apps in contravention of the
# email RFCs.
# score SUBJ_ILLEGAL_CHARS 0
his .procmailrc file:
## only turn these on for debugging
##
##VERBOSE=on
##MAILDIR=$HOME/mail
##LOGFILE=$MAILDIR/from
##
:0:
* ? formail -x"From:" -x"From" -x"Sender:" | egrep -is -f $HOME/.whitelist
$ORGMAIL
## Silently drop all Asian language mail
:0:
* ^Subject:.*=\?(iso-2022-jp|ISO-2022-JP|iso-2022-kr|ISO-2022-KR|euc-kr|EUC-KR|gb2312|GB2312|ks_c_5601-1987|KS_C_5601-1987|koi8-r|KOI8-R)
/dev/null
:0:
* ^Content-Type:.*charset="?(iso-2022-jp|ISO-2022-JP|iso-2022-kr|ISO-2022-KR|euc-kr|EUC-KR|gb2312|GB2312|ks_c_5601-1987|KS_C_5601-1987|koi8-r|KOI8-R)
/dev/null
:0:
* ^X-Coding-System:.*charset="?(iso-2022-jp|ISO-2022-JP|iso-2022-kr|ISO-2022-KR|euc-kr|EUC-KR|gb2312|GB2312|ks_c_5601-1987|KS_C_5601-1987|koi8-r|KOI8-R)
/dev/null
## Chinese spam filter
:0:
* ^Subject:.*=\?utf-8\?B\?[56]
mail/Unreadable
:0:
* ^Content-Type:.*charset="?windows-1250
/dev/null
:0:
* ^Subject: Auto-discard notification
/dev/null
:0:
* ^Subject: (DELIVERY FAILURE:|failure notice$)
SpamSpoofing
:0:
* ^Subject: .*[Aa]cai.*
Caughtspam
:0:
* ^Subject: ACH payment report
Caughtspam
:0:
* ^Subject: \[SPAM\].*
Caughtspam
:0fw:
| /usr/bin/spamc
:0:
* ^X-Spam-Status: Yes
Caughtspam
:0HB:
* ? /usr/bin/bogofilter -p
Caughtspam
:0:
* ^From: Vitale
Caughtspam
##
#
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn't bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
#
# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
#
:0fw: spamassassin.lock
* < 256000
| spamassassin
# Mails with a score of 15 or higher are almost certainly spam (with 0.05%
# false positives according to rules/STATISTICS.txt). Let's put them in a
# different mbox. (This one is optional.)
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
almost-certainly-spam
# All mail tagged as spam (eg. with a score higher than the set threshold)
# is moved to Caughtspam
:0:
* ^X-Spam-Status: Yes
Caughtspam
# Work around procmail bug: any output on stderr will cause the "F" in "From"
# to be dropped. This will re-add it.
:0
* ^^rom[ ]
{
LOG="*** Dropped F off From_ header! Fixing up. "
:0 fhw
| sed -e '1s/^/F/'
}
# :0:
# $DEFAULT
default /root/.spamassassin/user_prefs file:
# SpamAssassin user preferences file. See 'perldoc Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
###########################################################################
# How many points before a mail is considered spam.
# required_score 5
# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from someone@somewhere.com
# Add your own customised scores for some tests below. The default scores are
# read from the installed spamassassin rules files, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.apache.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines. They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.
#
# score HTML_COMMENT_8BITS 0
# score UPPERCASE_25_50 0
# score UPPERCASE_50_75 0
# score UPPERCASE_75_100 0
# score OBSCURED_EMAIL 0
# Speakers of any language that uses non-English, accented characters may wish
# to uncomment the following lines. They turn off rules that fire on
# misformatted messages generated by common mail apps in contravention of the
# email RFCs.
# score SUBJ_ILLEGAL_CHARS 0
[root@dsm ~]# cat /etc/mail/spamassassin/local.cf
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)
# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 5
report_safe 1
rewrite_header Subject [SPAM]
use_pyzor 1
use_razor2 1
dcc_path /usr/local/bin/dccproc
header RCVD_IN_MSPIKE_BL eval:check_rbl('mspike-lastexternal', 'bl.mailspike.net.')
tflags RCVD_IN_MSPIKE_BL net
score RCVD_IN_MSPIKE_BL 3.5
header RCVD_IN_MSPIKE_WL eval:check_rbl('mspike-lastexternal', 'wl.mailspike.net.')
tflags RCVD_IN_MSPIKE_WL net
score RCVD_IN_MSPIKE_WL -2.1
header SMF_BRACKETS_TO To:raw =~ /<<[^<>]+>>/
describe SMF_BRACKETS_TO Double-brackets around To header address
score SMF_BRACKETS_TO 1.5
score DNS_FROM_AHBL_RHSBL 0
score __RFC_IGNORANT_ENVFROM 0
score DNS_FROM_RFC_DSN 0
score DNS_FROM_RFC_BOGUSMX 0
score __DNS_FROM_RFC_POST 0
score __DNS_FROM_RFC_ABUSE 0
score __DNS_FROM_RFC_WHOIS 0
score FSL_RU_URL 0
# whitelist_from 150.x.x.x
sample header of a missed spam/false negative:
http://txt.do/5em14
I had to use an external site as my messages were not getting through to
the list.
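Since the first question in the thread is whether the user's own prefs are keeping mail from being caught, it helps to see exactly what the blacklist_from globs in the user_prefs above match. SpamAssassin treats whitelist_from/blacklist_from entries as anchored, case-insensitive file-glob patterns where `*` is any run of characters and `?` a single one (my reading of Mail::SpamAssassin::Conf, stated here as an assumption). The Python script below is an added example, not code from the post or from the SpamAssassin project; it converts each glob to a regex and shows which constructed sample senders each entry catches, including entries without an `@` such as `*ncnet2.org`, which match any address ending in that string.

```python
import re

# The blacklist_from patterns from the user_prefs file above.
BLACKLIST_FROM = [
    "LocalDeals@amazon.com",
    "*@lormaneducation.net",
    "*ncnet2.org",
    "*salesengineintl.com",
    "*@shedsplansstart.com",
    "*@multibriefs.com",
    "pimsleur_approach@*",
    "HSIAlert@*",
]


def glob_to_regex(pattern):
    """Turn a whitelist_from/blacklist_from glob into an anchored regex.
    Assumption (my reading of Mail::SpamAssassin::Conf): '*' matches any run of
    characters, '?' exactly one, everything else is literal, and the comparison
    is case-insensitive against the whole address."""
    escaped = re.escape(pattern).replace(r'\*', '.*').replace(r'\?', '.')
    return re.compile('^' + escaped + '$', re.IGNORECASE)


def matching_patterns(address, patterns=BLACKLIST_FROM):
    """Every pattern in the list that fires on this sender address."""
    return [p for p in patterns if glob_to_regex(p).match(address)]


def is_blacklisted(address, patterns=BLACKLIST_FROM):
    return bool(matching_patterns(address, patterns))


def audit(patterns, addresses):
    """Map each sample address to the patterns that catch it, to review a list
    for entries that are wider than intended (for instance ones without an '@')."""
    return {addr: matching_patterns(addr, patterns) for addr in addresses}


# Constructed sample senders, not addresses taken from the thread.
SAMPLE_SENDERS = [
    "news@ncnet2.org",
    "alerts@mail.ncnet2.org",
    "bob@notsalesengineintl.com",
    "LOCALDEALS@AMAZON.COM",
    "pimsleur_approach@whatever.example",
    "someone@example.com",
]

if __name__ == '__main__':
    for addr, hits in audit(BLACKLIST_FROM, SAMPLE_SENDERS).items():
        print(f'{addr:40} {hits or "(no match)"}')
```

Running the audit against a handful of senders is a quick way to confirm that a blacklist_from entry is as narrow as intended before it starts adding points to every message from a look-alike domain.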
Re: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
Posted by Reindl Harald <h....@thelounge.net>.
Am 24.07.2016 um 02:55 schrieb Reindl Harald:
> STAY ON LIST
>
> Am 24.07.2016 um 02:50 schrieb Robert Kudyba:
>> OK then the next question is why would some messages not be getting
>> scanned whilst others are? What else can I check? Could another config
>> file be bypassing? There's nothing in the whitelist unless I'm not
>> checking all the possible paths to whitelists?
>
> i don't see how spamassassin is supposed to be called in your setup at
> all, in my setups with spamass-milter (postfix) talking to spamd it's
> impossible to skip it at all
BTW:
a sane RBL scoring before the contentfilter would have blocked the
message unconditionally (source-ip 5.175.226.119) independent of its content
dnsbl.inps.de LISTED 127.0.0.2
css.spamhaus.org LISTED 127.0.0.3
dnsbl-1.uceprotect.net LISTED 127.0.0.2
sbl.spamhaus.org LISTED 127.0.0.3
spam.dnsbl.sorbs.net LISTED 127.0.0.6
dnsbl-2.uceprotect.net LISTED 127.0.0.2
senderscore.com LISTED 127.0.4.0
DUNNO if sendmail has something similar and if not consider it as the
wrong tool for an inbound mailserver in 2016 since you can get rid of
90-95% of all junk with very low to zero false positives very cheap
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_whitelist_threshold = -6
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?3}${stress:10}s
postscreen_dnsbl_sites =
    dnsbl.sorbs.net=127.0.0.10*9
    dnsbl.sorbs.net=127.0.0.14*9
    zen.spamhaus.org=127.0.0.[10;11]*8
    dnsbl.sorbs.net=127.0.0.5*7
    zen.spamhaus.org=127.0.0.[4..7]*7
    b.barracudacentral.org=127.0.0.2*7
    zen.spamhaus.org=127.0.0.3*7
    dnsbl.inps.de=127.0.0.2*7
    hostkarma.junkemailfilter.com=127.0.0.2*4
    dnsbl.sorbs.net=127.0.0.7*4
    bl.spamcop.net=127.0.0.2*4
    bl.spameatingmonkey.net=127.0.0.[2;3]*4
    dnsrbl.swinog.ch=127.0.0.3*4
    ix.dnsbl.manitu.net=127.0.0.2*4
    psbl.surriel.com=127.0.0.2*4
    bl.mailspike.net=127.0.0.[10;11;12]*4
    bl.mailspike.net=127.0.0.2*4
    zen.spamhaus.org=127.0.0.2*3
    score.senderscore.com=127.0.4.[0..20]*3
    bl.spamcannibal.org=127.0.0.2*3
    dnsbl.sorbs.net=127.0.0.6*3
    dnsbl.sorbs.net=127.0.0.8*2
    hostkarma.junkemailfilter.com=127.0.0.4*2
    dnsbl.sorbs.net=127.0.0.9*2
    dnsbl-1.uceprotect.net=127.0.0.2*2
    all.spamrats.com=127.0.0.38*2
    bl.nszones.com=127.0.0.[2;3]*1
    dnsbl-2.uceprotect.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.4*1
    score.senderscore.com=127.0.4.[0..69]*1
    dnsbl.sorbs.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    dnsbl.sorbs.net=127.0.0.15*1
    ips.backscatterer.org=127.0.0.2*1
    bl.nszones.com=127.0.0.5*-1
    score.senderscore.com=127.0.4.[90..100]*-1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-2
    ips.whitelisted.org=127.0.0.2*-2
    list.dnswl.org=127.0.[0..255].0*-2
    dnswl.inps.de=127.0.[0;1].[2..10]*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
>> On Sat, Jul 23, 2016 at 8:44 PM, Reindl Harald <h.reindl@thelounge.net
>> <ma...@thelounge.net>> wrote:
>>
>>
>> Am 24.07.2016 um 02:14 schrieb Robert Kudyba:
>>
>> sample header of a missed spam/false negative:
>>
>> http://txt.do/5em14
>>
>>
>> there are no spamassassin headers - so what is your evidence that
>> this message ever went through spamassassin?
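To make the weighted-DNSBL arithmetic in Reindl's postscreen settings concrete, here is an added Python example; it is mine, not the poster's or Postfix's code. It parses a subset of the postscreen_dnsbl_sites list above (the `[a;b]` and `[a..b]` reply patterns and the `*weight` suffix), sums the weights for constructed DNSBL answers and applies the two thresholds from the post (8 to reject, -6 to whitelist). It assumes, as a simplification of postscreen, that every matching `site=pattern` entry adds its weight, also when several entries name the same zone; the lookup results are constructed, not real answers about any host.

```python
import re

# Constructed subset of the postscreen_dnsbl_sites list from the post above.
# Assumption: the full list behaves the same way; it is only longer.
POSTSCREEN_DNSBL_SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.3*7
zen.spamhaus.org=127.0.0.2*3
dnsbl.inps.de=127.0.0.2*7
dnsbl.sorbs.net=127.0.0.6*3
dnsbl-1.uceprotect.net=127.0.0.2*2
dnsbl-2.uceprotect.net=127.0.0.2*1
score.senderscore.com=127.0.4.[0..20]*3
score.senderscore.com=127.0.4.[0..69]*1
score.senderscore.com=127.0.4.[90..100]*-1
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].3*-5
dnswl.inps.de=127.0.[0;1].[2..10]*-2
"""
DNSBL_THRESHOLD = 8             # postscreen_dnsbl_threshold in the post
DNSBL_WHITELIST_THRESHOLD = -6  # postscreen_dnsbl_whitelist_threshold in the post

# Split a reply pattern on the dots that are not inside [...] brackets,
# so '127.0.[0..255].3' yields four octet patterns.
_OCTET_SPLIT = re.compile(r'\.(?![^\[]*\])')


def parse_sites(text):
    """Parse 'site=pattern*weight' entries into (site, pattern, weight) tuples.
    Pattern and weight are optional; a missing weight counts as 1."""
    sites = []
    for entry in text.split():
        weight = 1
        if '*' in entry:
            entry, weight_text = entry.rsplit('*', 1)
            weight = int(weight_text)
        site, _, pattern = entry.partition('=')
        sites.append((site, pattern or None, weight))
    return sites


def _octet_matches(pattern, value):
    """One octet pattern: a number, '[10;11]' (alternatives) or '[4..7]' (range)."""
    if pattern.startswith('[') and pattern.endswith(']'):
        for alt in pattern[1:-1].split(';'):
            low, sep, high = alt.partition('..')
            if sep and int(low) <= value <= int(high):
                return True
            if not sep and int(alt) == value:
                return True
        return False
    return int(pattern) == value


def reply_matches(pattern, reply):
    """Does a DNSBL A record such as '127.0.0.3' match the configured pattern?"""
    if pattern is None:
        return True
    parts = _OCTET_SPLIT.split(pattern)
    octets = [int(o) for o in reply.split('.')]
    return len(parts) == 4 and all(_octet_matches(p, o) for p, o in zip(parts, octets))


def dnsbl_score(replies, sites):
    """Add up the weight of every entry whose site and pattern the lookups hit.
    Assumption: each matching entry contributes, also when one zone has several.
    replies maps a zone name to the list of A records it returned for the client."""
    total, hits = 0, []
    for site, pattern, weight in sites:
        for reply in replies.get(site, []):
            if reply_matches(pattern, reply):
                total += weight
                hits.append((site, reply, weight))
    return total, hits


def postscreen_verdict(replies, sites=None):
    """Apply the two thresholds the way the post's postscreen settings do."""
    if sites is None:
        sites = parse_sites(POSTSCREEN_DNSBL_SITES)
    total, hits = dnsbl_score(replies, sites)
    if total >= DNSBL_THRESHOLD:
        verdict = 'reject'        # postscreen_dnsbl_action = enforce
    elif total <= DNSBL_WHITELIST_THRESHOLD:
        verdict = 'whitelist'     # client skips the remaining postscreen tests
    else:
        verdict = 'pass'          # handed on to the content filter
    return verdict, total, hits


# Constructed lookup results; they are not real DNS answers for any host.
LISTED_CLIENT = {
    'zen.spamhaus.org': ['127.0.0.3'],
    'dnsbl.inps.de': ['127.0.0.2'],
    'dnsbl-1.uceprotect.net': ['127.0.0.2'],
    'dnsbl-2.uceprotect.net': ['127.0.0.2'],
    'dnsbl.sorbs.net': ['127.0.0.6'],
    'score.senderscore.com': ['127.0.4.0'],
}
WHITELISTED_CLIENT = {'list.dnswl.org': ['127.0.5.3'], 'dnswl.inps.de': ['127.0.0.2']}
BORDERLINE_CLIENT = {'zen.spamhaus.org': ['127.0.0.2']}

if __name__ == '__main__':
    for name, replies in [('listed', LISTED_CLIENT), ('whitelisted', WHITELISTED_CLIENT),
                          ('borderline', BORDERLINE_CLIENT)]:
        verdict, total, hits = postscreen_verdict(replies)
        print(f'{name}: {verdict} (score {total:+d})')
        for site, reply, weight in hits:
            print(f'    {site} -> {reply} weight {weight:+d}')
```

The listed client scores 24 from six zones and is rejected before any content filtering; the whitelisted client reaches -7 through dnswl listings and skips the checks; the borderline client (a single zen.spamhaus.org 127.0.0.2 hit, weight 3) is passed on, which is where a content filter like SpamAssassin still has to do its work.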
Re: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
Posted by Robert Kudyba <rk...@fordham.edu>.
Forgot to include the hook to procmailrc:
cat /etc/procmailrc
DROPPRIVS=yes
PATH=/bin:/usr/bin:/usr/local/bin
SHELL=/bin/sh
# Spamassassin
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
:0fw
* <300 000
|/usr/bin/spamassassin
[root@dsm ~]# cat /etc/mail/spamassassin/spamassassin-spamc.rc
# send mail through spamassassin
:0fw
| /usr/bin/spamc
On Sat, Jul 23, 2016 at 9:31 PM, Robert Kudyba <rk...@fordham.edu> wrote:
> Sorry forgot to reply all.
> Sendmail has a .mc file which creates a .cf file here's ours:
> include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
> VERSIONID(`setup for linux')dnl
> OSTYPE(`linux')dnl
> dnl #
> dnl # Do not advertize sendmail version.
> dnl #
> dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
> dnl #
> dnl # default logging level is 9, you might want to set it higher to
> dnl # debug the configuration
> dnl #
> dnl define(`confLOG_LEVEL', `9')dnl
> dnl #
> dnl # Uncomment and edit the following line if your outgoing mail needs to
> dnl # be sent out through an external mail server:
> dnl #
> dnl define(`SMART_HOST', `smtp.your.provider')dnl
> dnl #
> define(`confDEF_USER_ID', ``8:12'')dnl
> dnl define(`confAUTO_REBUILD')dnl
> define(`confTO_CONNECT', `1m')dnl
> define(`confTRY_NULL_MX_LIST', `True')dnl
> define(`confDONT_PROBE_INTERFACES', `True')dnl
> define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
> define(`ALIAS_FILE', `/etc/aliases')dnl
> define(`STATUS_FILE', `/var/log/mail/statistics')dnl
> define(`UUCP_MAILER_MAX', `2000000')dnl
> define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
> define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
> define(`confAUTH_OPTIONS', `A')dnl
> dnl #
> dnl # The following allows relaying if the user authenticates, and disallows
> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
> dnl #
> dnl define(`confAUTH_OPTIONS', `A p')dnl
> dnl #
> dnl # PLAIN is the preferred plaintext authentication method and used by
> dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
> dnl # use LOGIN. Other mechanisms should be used if the connection is not
> dnl # guaranteed secure.
> dnl # Please remember that saslauthd needs to be running for AUTH.
> dnl #
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl #
> dnl # Rudimentary information on creating certificates for sendmail TLS:
> dnl # cd /etc/pki/tls/certs; make sendmail.pem
> dnl # Complete usage:
> dnl # make -C /etc/pki/tls/certs usage
> dnl #
> dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> dnl #
> dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
> dnl # slapd, which requires the file to be readble by group ldap
> dnl #
> dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
> dnl #
> dnl define(`confTO_QUEUEWARN', `4h')dnl
> dnl define(`confTO_QUEUERETURN', `5d')dnl
> dnl define(`confQUEUE_LA', `12')dnl
> dnl define(`confREFUSE_LA', `18')dnl
> define(`confTO_IDENT', `0')dnl
> dnl FEATURE(delay_checks)dnl
> FEATURE(`no_default_msa', `dnl')dnl
> FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
> FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
> FEATURE(redirect)dnl
> FEATURE(always_add_domain)dnl
> FEATURE(use_cw_file)dnl
> FEATURE(use_ct_file)dnl
> FEATURE(`dnsbl',`relays.ordb.org', `"550 5.7.1 Access denied(O): Unsolicited e-mail from " $&{client_addr} " refused. "',`t')dnl
> dnl #FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"', `t')dnl
> FEATURE(`dnsbl', `b.barracudacentral.org', `', `"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server " in http://www.barracudacentral.org/lookups "')dnl
> FEATURE(`dnsbl',`zen.spamhaus.org')dnl
> FEATURE(`dnsbl',`l2.apews.org')
> FEATURE(`dnsbl',`bl.spamcop.net')
> FEATURE(`dnsbl', `psbl.surriel.com')
> dnl HACK(`milter-greylist')
> INPUT_MAIL_FILTER(`greylist',`S=local:/var/run/milter-greylist/milter-greylist.sock')dnl
> define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
> define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
> define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
> define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl
> #Optional
> dnl #
> dnl # Added by agw, 21 Sept 2005
> dnl #
> FEATURE(`domaintable')dnl
> dnl #
> dnl # The following limits the number of processes sendmail can fork to accept
> dnl # incoming messages or process its message queues to 20.) sendmail refuses
> dnl # to accept connections once it has reached its quota of child processes.
> dnl #
> dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
> dnl #
> dnl # Limits the number of new connections per second. This caps the overhead
> dnl # incurred due to forking new sendmail processes. May be useful against
> dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
> dnl # limit would be useful but is not available as an option at this writing.)
> dnl #
> dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
> dnl #
> dnl # The -t option will retry delivery if e.g. the user runs over his quota.
> dnl #
> FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
> FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
> FEATURE(`blacklist_recipients')dnl
> EXPOSED_USER(`root')dnl
> dnl #
> dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
> dnl # the following 2 definitions and activate below in the MAILER section the
> dnl # cyrusv2 mailer.
> dnl #
> dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
> dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
> dnl #
> dnl # The following causes sendmail to only listen on the IPv4 loopback address
> dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
> dnl # address restriction to accept email from the internet or intranet.
> dnl #
> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen to port 587 for
> dnl # mail from MUAs that authenticate. Roaming users who can't reach their
> dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
> dnl # this useful.
> dnl #
> dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen to port 465, but
> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
> dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
> dnl #
> dnl # For this to work your OpenSSL certificates must be configured.
> dnl #
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen on the IPv6 loopback
> dnl # device. Remove the loopback address restriction listen to the network.
> dnl #
> dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
> dnl #
> dnl # enable both ipv6 and ipv4 in sendmail:
> dnl #
> dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
> dnl #
> dnl # We strongly recommend not accepting unresolvable domains if you want to
> dnl # protect yourself from spam. However, the laptop and users on computers
> dnl # that do not have 24x7 DNS do need this.
> dnl #
> dnl FEATURE(`accept_unresolvable_domains')dnl
> dnl #
> dnl FEATURE(`relay_based_on_MX')dnl
> dnl #
> dnl # Also accept email sent to "localhost.localdomain" as local email.
> dnl #
> dnl LOCAL_DOMAIN(`localhost.localdomain')dnl
> dnl #
> dnl # The following example makes mail from this host and any additional
> dnl # specified domains appear to be sent from mydomain.com
> dnl #
> MASQUERADE_AS(`our domain')dnl
> dnl #
> dnl # masquerade not just the headers, but the envelope as well
> dnl #
> FEATURE(masquerade_envelope)dnl
> dnl #
> dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
> dnl #
> dnl FEATURE(masquerade_entire_domain)dnl
> dnl #
> dnl MASQUERADE_DOMAIN(localhost)dnl
> dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
> dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
> dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
> # SMTP greet delay may deter spam, as per
> # https://wiki.apache.org/spamassassin/OtherTricks
> # agw 22 June 2014 (H0.5BDAGW)
> FEATURE(`greet_pause', `10000')
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> dnl MAILER(cyrusv2)dnl
> LOCAL_RULE_3
> # custom S3 begin ... courtesy of Andrzej Filip <an...@bigfoot.com>
> R$-/FACULTY/FIRE $@ $>3 $1@ ourdomain
> R$-/GUEST/FIRE $@ $>3 $1@ ourdomain
> R$-/STAFF/FIRE $@ $>3 $1@ ourdomain
> R$-/STUDENTS/FIRE $@ $>3 $1@ourdomain
> # custom S3 end
> On Sat, Jul 23, 2016 at 8:55 PM, Reindl Harald <h....@thelounge.net> wrote:
>> STAY ON LIST
>> Am 24.07.2016 um 02:50 schrieb Robert Kudyba:
>>> OK then the next question is why would some messages not be getting
>>> scanned whilst others are? What else can I check? Could another config
>>> file be bypassing? There's nothing in the whitelist unless I'm not
>>> checking all the possible paths to whitelists?
>> i don't see how spamassassin is supposed to be called in your setup at
>> all, in my setups with spamass-milter (postfix) talking to spamd it's
>> impossible to skip it at all
>> On Sat, Jul 23, 2016 at 8:44 PM, Reindl Harald <h.reindl@thelounge.net
>>> <ma...@thelounge.net>> wrote:
>>> Am 24.07.2016 um 02:14 schrieb Robert Kudyba:
>>> sample header of a missed spam/false negative:
>>> http://txt.do/5em14
>>> there are no spamassassin headers - so what is your evidence that
>>> this message ever went through spamassassin?
Re: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
Posted by Robert Kudyba <rk...@fordham.edu>.
Sorry, forgot to reply all.
Sendmail has a .mc file which creates a .cf file; here's ours:
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST', `smtp.your.provider')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /etc/pki/tls/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /etc/pki/tls/certs usage
dnl #
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(`dnsbl',`relays.ordb.org', `"550 5.7.1 Access denied(O): Unsolicited e-mail from " $&{client_addr} " refused. "',`t')dnl
dnl #FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"', `t')dnl
FEATURE(`dnsbl', `b.barracudacentral.org', `', `"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server " in http://www.barracudacentral.org/lookups "')dnl
FEATURE(`dnsbl',`zen.spamhaus.org')dnl
FEATURE(`dnsbl',`l2.apews.org')
FEATURE(`dnsbl',`bl.spamcop.net')
FEATURE(`dnsbl', `psbl.surriel.com')
dnl HACK(`milter-greylist')
INPUT_MAIL_FILTER(`greylist',`S=local:/var/run/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl
#Optional
dnl #
dnl # Added by agw, 21 Sept 2005
dnl #
FEATURE(`domaintable')dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
dnl LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`our domain')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
# SMTP greet delay may deter spam, as per
# https://wiki.apache.org/spamassassin/OtherTricks
# agw 22 June 2014 (H0.5BDAGW)
FEATURE(`greet_pause', `10000')
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
LOCAL_RULE_3
# custom S3 begin ... courtesy of Andrzej Filip <an...@bigfoot.com>
R$-/FACULTY/FIRE $@ $>3 $1@ ourdomain
R$-/GUEST/FIRE $@ $>3 $1@ ourdomain
R$-/STAFF/FIRE $@ $>3 $1@ ourdomain
R$-/STUDENTS/FIRE $@ $>3 $1@ourdomain
# custom S3 end
On Sat, Jul 23, 2016 at 8:55 PM, Reindl Harald <h....@thelounge.net>
wrote:
> STAY ON LIST
>
> Am 24.07.2016 um 02:50 schrieb Robert Kudyba:
>
>> OK then the next question is why would some messages not be getting
>> scanned whilst others are? What else can I check? Could another config
>> file be bypassing? There's nothing in the whitelist unless I'm not
>> checking all the possible paths to whitelists?
>>
>
> i don't see how spamassassin is supposed to be called in your setup at
> all, in my setups with spamass-milter (postfix) talking to spamd it's
> impossible to skip it at all
>
> On Sat, Jul 23, 2016 at 8:44 PM, Reindl Harald <h.reindl@thelounge.net
>> <ma...@thelounge.net>> wrote:
>>
>>
>> Am 24.07.2016 um 02:14 schrieb Robert Kudyba:
>>
>> sample header of a missed spam/false negative:
>>
>> http://txt.do/5em14
>>
>>
>> there are no spamassassin headers - so what is your evidence that
>> this message ever went through spamassassin?
>>
>
>
Re: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
Posted by Reindl Harald <h....@thelounge.net>.
STAY ON LIST
Am 24.07.2016 um 02:50 schrieb Robert Kudyba:
> OK then the next question is why would some messages not be getting
> scanned whilst others are? What else can I check? Could another config
> file be bypassing? There's nothing in the whitelist unless I'm not
> checking all the possible paths to whitelists?
i don't see how spamassassin is supposed to be called in your setup at
all, in my setups with spamass-milter (postfix) talking to spamd it's
impossible to skip it at all
> On Sat, Jul 23, 2016 at 8:44 PM, Reindl Harald <h.reindl@thelounge.net
> <ma...@thelounge.net>> wrote:
>
>
> Am 24.07.2016 um 02:14 schrieb Robert Kudyba:
>
> sample header of a missed spam/false negative:
>
> http://txt.do/5em14
>
>
> there are no spamassassin headers - so what is your evidence that
> this message ever went through spamassassin?
Re: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
Posted by Reindl Harald <h....@thelounge.net>.
Am 24.07.2016 um 02:14 schrieb Robert Kudyba:
> sample header of a missed spam/false negative:
>
> http://txt.do/5em14
there are no spamassassin headers - so what is your evidence that this
message ever went through spamassassin?
Re: Fwd: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
Posted by Robert Kudyba <rk...@fordham.edu>.
>> :0:
>> * ? formail -x"From:" -x"From" -x"Sender:" | egrep -is -f $HOME/.whitelist
>> $ORGMAIL
> I assume you checked his explicit whitelisted senders file?
Indeed, only 2 addresses:
redacted@comcast.net
redacted@pegasus.rutgers.edu
>> :0fw:
>> | /usr/bin/spamc
> ...
>> :0fw: spamassassin.lock
>> * < 256000
>> | spamassassin
> You pass it through spamc, and if spamc doesn't score it as spam you then
> pass it through spamassassin?
> Why the duplication?
This is what I walked into a month ago and why I'm posting here. I'm
looking for advice on best practice here to get it right. Also, doesn't the
user's .procmailrc take precedence and skip the other configuration files?
>> :0
>> * ^^rom[ ]
>> {
>> LOG="*** Dropped F off From_ header! Fixing up. "
>> :0 fhw
>> | sed -e '1s/^/F/'
>> }
> This should probably be before you attempt delivery to CaughtSpam,
> otherwise you might be corrupting that folder.
Thanks, I moved it just above the Caughtspam rule.
> To echo Reindl, it doesn't look like that message was scanned by SA at
> all.
So what else can I check?
Re: Fwd: too many missed spams/false negatives w/ SA 3.4.1 on sendmail, help w config?
Posted by John Hardin <jh...@impsec.org>.
On Sat, 23 Jul 2016, Robert Kudyba wrote:
> :0:
> * ? formail -x"From:" -x"From" -x"Sender:" | egrep -is -f $HOME/.whitelist
> $ORGMAIL
I assume you checked his explicit whitelisted senders file?
> :0fw:
> | /usr/bin/spamc
...
> :0fw: spamassassin.lock
> * < 256000
> | spamassassin
You pass it through spamc, and if spamc doesn't score it as spam you
then pass it through spamassassin?
Why the duplication?
And your followup suggests you might be trying to pass it through SA
*three* times...
> :0
> * ^^rom[ ]
> {
> LOG="*** Dropped F off From_ header! Fixing up. "
> :0 fhw
> | sed -e '1s/^/F/'
> }
This should probably be before you attempt delivery to CaughtSpam,
otherwise you might be corrupting that folder.
> sample header of a missed spam/false negative:
>
> http://txt.do/5em14
To echo Reindl, it doesn't look like that message was scanned by SA at
all.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Sheep have only two speeds: graze and stampede. -- LTC Grossman
-----------------------------------------------------------------------
214 days since the first successful real return to launch site (SpaceX)
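Both Reindl and John make the same first check: the sample message carries no SpamAssassin headers, so no amount of score tuning would have changed its fate. The Python script below is an added example (mine, not code from the thread, from procmail or from SpamAssassin). It reports whether a message has an X-Spam-Status header at all, parses the verdict, score, required threshold and test list out of it (re-joining the folded continuation lines SpamAssassin writes), counts the X-Spam-Level stars, and then shows where the SpamAssassin-based recipes in Robert's .procmailrc would file the message: fifteen stars or more to almost-certainly-spam, any X-Spam-Status: Yes to Caughtspam, everything else to the default mailbox. The three messages are constructed; the txt.do sample from the thread is not reproduced.

```python
import email

# Constructed messages; the real sample from the thread (txt.do link) is not used.
SCANNED_SPAM = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by mx.example.edu (8.15.2/8.15.2) with ESMTP id CONSTRUCTED01
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mx.example.edu
X-Spam-Level: ****************
X-Spam-Status: Yes, score=16.2 required=5.0 tests=BAYES_99,BAYES_999,
        HTML_MESSAGE,RCVD_IN_MSPIKE_BL autolearn=disabled version=3.4.1
From: sender@example.org
To: user@example.edu
Subject: [SPAM] constructed sample

(body omitted)
"""

SCANNED_HAM = """\
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mx.example.edu
X-Spam-Status: No, score=-1.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        RCVD_IN_MSPIKE_WL autolearn=ham version=3.4.1
From: colleague@example.org
To: user@example.edu
Subject: constructed ham sample

(body omitted)
"""

UNSCANNED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by mx.example.edu (8.15.2/8.15.2) with ESMTP id CONSTRUCTED02
From: sender@example.org
To: user@example.edu
Subject: constructed sample with no SpamAssassin headers

(body omitted)
"""


def parse_spam_status(value):
    """Split 'Yes, score=16.2 required=5.0 tests=A,B autolearn=... version=...'
    into the verdict and a dict of fields. Folded header lines are re-joined
    first; a token without '=' continues the previous (wrapped) tests list."""
    value = ' '.join(value.split())
    verdict, _, rest = value.partition(',')
    fields, key = {}, None
    for token in rest.split():
        if '=' in token:
            key, _, field_value = token.partition('=')
            fields[key] = field_value
        elif key is not None:
            fields[key] += token
    return verdict.strip(), fields


def spamassassin_report(raw_message):
    """What the headers say about a message: was it scanned, and with what result?
    A message without X-Spam-Status never went through spamassassin/spamc."""
    msg = email.message_from_string(raw_message)
    status = msg.get('X-Spam-Status')
    if status is None:
        return {'scanned': False}
    verdict, fields = parse_spam_status(status)
    return {
        'scanned': True,
        'checker': ' '.join((msg.get('X-Spam-Checker-Version') or '').split()),
        'is_spam': verdict == 'Yes',
        'score': float(fields.get('score', 'nan')),
        'required': float(fields.get('required', 'nan')),
        'tests': [t for t in fields.get('tests', '').split(',') if t],
        'level': (msg.get('X-Spam-Level') or '').count('*'),
    }


def procmail_folder(report):
    """Where the SpamAssassin recipes in the .procmailrc above would file the
    message: the fifteen-star rule is checked first, then X-Spam-Status: Yes."""
    if not report['scanned']:
        return '$DEFAULT (never scanned)'
    if report['level'] >= 15:
        return 'almost-certainly-spam'
    if report['is_spam']:
        return 'Caughtspam'
    return '$DEFAULT'


if __name__ == '__main__':
    for name, raw in [('spam', SCANNED_SPAM), ('ham', SCANNED_HAM), ('unscanned', UNSCANNED)]:
        report = spamassassin_report(raw)
        print(name, report, '->', procmail_folder(report))
```

To check a real message that was delivered without being caught, read it from a file and pass the text to spamassassin_report; a result of {'scanned': False} means the problem is in how (or whether) the MTA and procmail hand mail to spamc, not in the scores.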