1

Topic: Spam coming through (0.8.3)

======== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12.04.2 LTS
- Related log if you're reporting an issue: Part of /var/log/mail.log
====

How could I improve spam detection? As the log shows below, amavis is working, but it just does not prevent all the spam. Most of the spam is still rejected, so it's only the top of the iceberg that gets through. But this problem did not exist a few weeks ago. The specific mail in the log is definitely spam. kpelit.fi is my own domain. Also one of my customers' domains is receiving spam nowadays.

I know my iRedMail installation is a couple of versions behind, but I haven't updated it because I fear I would break something during the update and secondly I did not notice any spam related entries in the upgrade notes of 0.8.4 and 0.8.5. I want to be careful when updating a production environment.

Please let me know what other information you need, as the log below may not be enough. I can also consider paid support, if you do want to investigate this in my environment. Thank you for your help!

Jul 22 19:20:42 taitava postfix/cleanup[30737]: DF2A8A0109: message-id=<20130722.1374510005772.342948753@cluster.happyfeet-in.com>
Jul 22 19:20:48 taitava postfix/cleanup[30737]: AB0AEA04E1: message-id=<20130722.1374510005772.342948753@cluster.happyfeet-in.com>
Jul 22 19:20:48 taitava amavis[24583]: (24583-06) Passed CLEAN, LOCAL [5.133.203.244] [5.133.203.244] <alex@SYDNEYKITCHENDESIGNS.COM> -> <jare@kpelit.fi>, Message-ID: <20130722.1374510005772.342948753@cluster.happyfeet-in.com>, mail_id: eePhndmjCb8e, Hits: 0.8, size: 4601, queued_as: AB0AEA04E1, 5282 ms


2

Re: Spam coming through (0.8.3)

jarkkolinnanvirta wrote:

But this problem did not exist a few weeks ago.

Did you modify any config files on this server? Let's see whether it impacts spam scanning or not.

It's hard to say why it occurs; spammers are learning and improving too. If those spams have the same fingerprint, e.g. same sender domain, same subject, etc., you can add/update SpamAssassin rules to block them, or blacklist the sender domain/IP directly.

3

Re: Spam coming through (0.8.3)

ZhangHuangbin wrote:
jarkkolinnanvirta wrote:

But this problem did not exist a few weeks ago.

Did you modify any config files on this server? Let's see whether it impacts spam scanning or not.

No, I don't think I have modified any config files that relate to spam detection. The only config I remember changing in the last few weeks is dovecot.conf (to increase imap login process limit). In the beginning of June I migrated many domains from another mail server to this one, which increased traffic (and also heavily increased the amount of quarantined spam), but the domains that now receive spam did exist on this server before the migration (and did not receive spam then). I'm not sure if the increased traffic has anything to do with this.

I can see spam scores in the headers of blocked mail. Is there an option to make this score appear in headers of passed mail also?

The IP addresses and domains vary, so I can't ban them. I think I will try to create subject based rules, but I fear that I would also block some legitimate mail because the subjects are very short and perhaps common (like "Last notify"), so I shouldn't put too high a score on these new rules. If I knew the score of mail that currently passes the filters, I could adjust the new rules better.

I happened to also check the fail2ban log. Example:

2013-07-09 15:23:13,011 fail2ban.actions: WARNING [postfix-iredmail] Ban 188.214.33.253
2013-07-09 16:23:13,021 fail2ban.actions: WARNING [postfix-iredmail] Unban 188.214.33.253

Why does this happen? An IP gets banned only for an hour. Another IP was banned only for ten minutes. But this is just my wondering, it shouldn't affect this spam issue, I guess?
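
Added example, not part of the original posts: the amavis summary line quoted in the first post already carries the score of passed mail ("Hits: 0.8"), so the scores asked about above can be read straight from /var/log/mail.log. The sketch below parses that line format and lists, per recipient domain, the scores of mail that was passed; all sample lines except the one quoted from the first post are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: entry 1 is the amavis line quoted in the first post; the
# other hosts, addresses and ids are constructed for illustration.
SAMPLE_LOG = [
    "Jul 22 19:20:48 taitava postfix/cleanup[30737]: AB0AEA04E1: message-id=<20130722.1374510005772.342948753@cluster.happyfeet-in.com>",
    "Jul 22 19:20:48 taitava amavis[24583]: (24583-06) Passed CLEAN, LOCAL [5.133.203.244] [5.133.203.244] <alex@SYDNEYKITCHENDESIGNS.COM> -> <jare@kpelit.fi>, Message-ID: <20130722.1374510005772.342948753@cluster.happyfeet-in.com>, mail_id: eePhndmjCb8e, Hits: 0.8, size: 4601, queued_as: AB0AEA04E1, 5282 ms",
    "Jul 22 19:21:03 mx amavis[24583]: (24583-07) Blocked SPAM, [192.0.2.10] [192.0.2.10] <promo@example.org> -> <info@example.net>, quarantine: spam-abc.gz, Message-ID: <c1@example.org>, mail_id: Xy1, Hits: 14.2, size: 3120, 2911 ms",
    "Jul 22 19:21:40 mx amavis[24583]: (24583-08) Passed CLEAN, [198.51.100.7] [198.51.100.7] <news@example.org> -> <jare@kpelit.fi>, Message-ID: <c2@example.org>, mail_id: Ab2, Hits: 4.1, size: 2200, queued_as: C3D4E5, 3100 ms",
    "Jul 22 19:22:10 mx amavis[24583]: (24583-09) Passed CLEAN, [192.0.2.25] [192.0.2.25] <list@example.org> -> <JARE@KPELIT.FI>, Message-ID: <c3@example.org>, mail_id: Cd3, Hits: -, size: 900, queued_as: F6A7B8, 120 ms",
]

# Action, verdict, envelope sender/recipient and score of an amavis summary line.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z][A-Z0-9-]*)"
    r".*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?\bHits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

def parse_line(line):
    """Return the fields of an amavis summary line, or None for any other line."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "Hits: -" means no spam score was computed for this message.
    rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])
    rec["rcpt_domain"] = rec["rcpt"].rpartition("@")[2].lower()
    return rec

def passed_scores(lines):
    """Map recipient domain -> scores (highest first) of mail amavis passed."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Passed" and rec["hits"] is not None:
            out[rec["rcpt_domain"]].append(rec["hits"])
    return {domain: sorted(s, reverse=True) for domain, s in out.items()}

if __name__ == "__main__":
    for domain, scores in passed_scores(SAMPLE_LOG).items():
        print(domain, scores)
```

Comparing the highest passed scores with the configured spam threshold shows how much weight a new subject rule can carry before it starts catching legitimate mail.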

4

Re: Spam coming through (0.8.3)

I guess some of your clients published their email address on the internet; spammers got this email address and flooded it.

Did you check the mail headers of these spams? Low score? You can decrease the value of the Amavisd parameter $sa_tag_level_deflt, so that amavisd will insert mail headers in almost all mails whose 'X-Spam-Score' is larger than it. For example:

$sa_tag_level_deflt  = -100;  # add spam info headers if at, or above that level

About Fail2ban, default ban time is 1 hour. You can increase it in /etc/fail2ban/jail.local if necessary.

5

Re: Spam coming through (0.8.3)

ZhangHuangbin wrote:

You can decrease the value of the Amavisd parameter $sa_tag_level_deflt, so that amavisd will insert mail headers in almost all mails whose 'X-Spam-Score' is larger than it. For example:

$sa_tag_level_deflt  = -100;  # add spam info headers if at, or above that level

I put that to /etc/amavis/conf.d/50-user and restarted amavisd, but it has no effect. The only thing I found from Google was that the tag is only added to messages whose receivers are local. As this is the case, everything should be ok, but no spam headers appear in new mail that comes from outside to kpelit.fi. I also tried to search for a way to actually see what config values amavis has loaded up (some command for this), but found nothing. Is there a way to do it?

Thanks for support, I appreciate it! I really like iRedMail as it has helped me a lot in the past months I've used it and support is very good in this forum.

6

Re: Spam coming through (0.8.3)

No effect? You cannot find any 'X-Spam-*' header in incoming emails?
Does it work if you list all your local domains in Amavisd "@local_domains_maps"?

7

Re: Spam coming through (0.8.3)

Thanks, now it's working! I thought that amavis would already know all the local domains from MySQL. Well, it's not a big deal to manually insert the domains that need to be checked for incoming spam. Now I just have to wait until new spam arrives and gets the score inserted into headers.

Still another little question. I noticed I've also received spam that seems to come from no-reply@facebook.com (that's the sender address), but it definitely doesn't. How do I check if SPF checking is working on my server? Thanks.

8

Re: Spam coming through (0.8.3)

jarkkolinnanvirta wrote:

Still another little question. I noticed I've also received spam that seems to come from no-reply@facebook.com (that's the sender address), but it definitely doesn't. How do I check if SPF checking is working on my server? Thanks.

Check mail header. Amavisd will invoke SpamAssassin to check SPF.
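
Added example, not part of the original posts: one way to do the header check suggested above, covering both the X-Spam-* headers discussed earlier in the thread and the SPF result. It reads the X-Spam-Status header that amavisd adds, extracts the score and the per-test scores, and picks out the SpamAssassin tests whose names start with SPF_ (such as SPF_PASS, SPF_FAIL, SPF_SOFTFAIL). The sample message is constructed, the function name is hypothetical, and the bracketed tests=[NAME=score, ...] layout is assumed.

```python
import re
from email import message_from_string

# Constructed sample message; addresses, scores and test hits are made up.
SAMPLE_MAIL = """\
Return-Path: <sender@example.com>
X-Spam-Flag: NO
X-Spam-Score: 1.94
X-Spam-Status: No, score=1.94 tagged_above=-100 required=6.31
 tests=[HTML_MESSAGE=0.001, RDNS_NONE=1.274, SPF_SOFTFAIL=0.665]
 autolearn=no
From: sender@example.com
To: user@example.net
Subject: Last notify

body
"""

NUM = r"(-?\d+(?:\.\d+)?)"

def spam_report(raw_message):
    """Return score, required level, all tests and the SPF tests, or None if untagged."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        # No tag at all: in this thread that meant the recipient domain was
        # missing from @local_domains_maps or the tag level was too high.
        return None
    status = " ".join(status.split())          # undo header folding
    score = re.search(r"\bscore=" + NUM, status)
    required = re.search(r"\brequired=" + NUM, status)
    tests_m = re.search(r"\btests=\[([^\]]*)\]", status)
    tests = {}
    for item in (tests_m.group(1).split(",") if tests_m else []):
        name, _, value = item.strip().partition("=")
        if name and value:
            tests[name] = float(value)
    return {
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": tests,
        # An empty dict here means no SPF test fired on this message.
        "spf": {n: s for n, s in tests.items() if n.startswith("SPF_")},
    }

if __name__ == "__main__":
    print(spam_report(SAMPLE_MAIL))
```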