1

Topic: Spam filtering not working

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5
- Linux/BSD distribution name and version:   CentOS Linux release 7.0.1406 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL (mariadb)
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?  yes - 2.4.4
====

Hi there

We just migrated to a new server and it seems that the spam filtering is simply not working.
Amavis is configured correctly and we have the same configuration as in the old server, but the amount of spam we get is really high.

Spam and viruses do not seem to be going to quarantine. Please check the attached image.

If I check the logs, all emails have a low score, and clear spam messages are passing through:

May 23 16:05:10 ns8 amavis[1297]: (01297-04) Passed CLEAN {RelayedInbound}, [79.142.64.180]:41589 [79.142.64.180] <return@newsjornais3.com.br> -> <ers@ersempreendimentos.com.br>, Queue-ID: 3F90CDF8AF, Message-ID: <037eeec75b3cd6e79dc9468bdc011516@newsjornais3.com.br>, mail_id: ygezI_wVzErf, Hits: 1.277, size: 17841, queued_as: 007C5DF7F4, dkim_sd=default:newsjornais3.com.br, 7226 ms, Tests: [DATE_IN_PAST_06_12=1.103,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HTML_MESSAGE=0.001,RP_MATCHES_RCVD=-1.426,SPF_PASS=-0.001,URIBL_BLACK=1.7]
May 23 16:05:11 ns8 amavis[29567]: (29567-14) Passed CLEAN {RelayedInbound}, [209.85.217.172]:35101 [209.85.217.172] <eventos.fcbc@gmail.com> -> <presidencia.fcbc@balneariocamboriu.sc.gov.br>, Queue-ID: A782CDF7F4, Message-ID: <CABqyKVey7ZG28uk6HbKUxKwKqURu_5_ys+f=K6Nd59bwDCXEiA@mail.gmail.com>, mail_id: 6c5Ek7ENN-jp, Hits: -, size: 4300, queued_as: EDFCDDF8B5, dkim_sd=20120113:gmail.com, 145 ms
May 23 16:05:13 ns8 amavis[2017]: (02017-02) Passed CLEAN {RelayedInbound}, [187.61.34.165]:59835 [187.61.34.165] <dma_4486@enviocorpbusiness.com.br> -> <atendimento@queirozmello.com.br>, Queue-ID: A7908DF8AC, Message-ID: <0.1.3B.E29.1D1B5260190C5C2.32D0@f165.e.expvtinboxonline.net>, mail_id: c0QV-hhumlEt, Hits: 2.485, size: 13893, queued_as: 51C4DDF7F4, dkim_sd=k1:dkim.vttrack.com.br, 5637 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,HTML_IMAGE_RATIO_02=0.805,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_MSPIKE_H3=-0.01,RCVD_IN_MSPIKE_WL=-0.01,SPF_PASS=-0.001,URIBL_BLACK=1.7]
May 23 16:05:17 ns8 amavis[29279]: (29279-17) Passed CLEAN {RelayedInbound}, [198.52.142.167]:60108 [198.52.142.167] <return@classvida.com.br> -> <atendimento@fortecconstrutora.com.br>, Queue-ID: A9F9EDF8AF, Message-ID: <617660de6350e514807e125f87a18a93@classvida.com.br>, mail_id: GnZl6KfUdqzp, Hits: -1.423, size: 10785, queued_as: 8A625DF911, dkim_sd=my-selector-name:classvida.com.br, 5721 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,HTML_FONT_LOW_CONTRAST=0.001,HTML_IMAGE_RATIO_06=0.001,HTML_MESSAGE=0.001,RP_MATCHES_RCVD=-1.426]
May 23 16:05:20 ns8 amavis[29916]: (29916-14) Passed CLEAN {RelayedInbound}, [78.41.202.19]:34108 [78.41.202.19] <contato@timebis.com.br> -> <ana@mondoconstrutora.com.br>, Queue-ID: 122A9DF7F4, Message-ID: <1463610666843a52656b417d8519bfddd910b0b3d9_@timebis.com.br>, mail_id: 8zFxVCWaG_XX, Hits: 2.362, size: 2505, queued_as: 124DEDF8FD, dkim_sd=default:timebis.com.br, 5782 ms, Tests: [DATE_IN_PAST_06_12=1.103,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,FROM_EXCESS_BASE64=0.105,RCVD_IN_MSPIKE_H4=-0.01,RCVD_IN_MSPIKE_WL=-0.01,RCVD_IN_PSBL=2.7,RP_MATCHES_RCVD=-1.426,SPF_PASS=-0.001,URIBL_DBL_ABUSE_REDIR=0.001]
May 23 16:05:20 ns8 amavis[1502]: (01502-02) Passed CLEAN {RelayedInbound}, [94.46.251.129]:48353 [94.46.251.129] <bounce+95857-2-5abd3b070c+vendas=vtrade.com.br@72.dtikm4.com> -> <cidi@vtrade.com.br>, Queue-ID: 16AB3DF8AC, Message-ID: <6ef3155b8c668a37da11f10d88e93cf5@smtp129.1-hostingservice.com>, mail_id: MGxVJjMrDwcD, Hits: 0.014, size: 17163, queued_as: 7A8DDDF958, dkim_sd=email:1-hostingservice.com, 5665 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_FONT_LOW_CONTRAST=0.001,HTML_IMAGE_RATIO_08=0.001,HTML_MESSAGE=0.001,T_REMOTE_IMAGE=0.01]
May 23 16:05:21 ns8 amavis[27049]: (27049-19) Passed CLEAN {RelayedInbound}, [94.46.251.129]:48353 [94.46.251.129] <bounce+95857-2-5abd3b070c+vendas=vtrade.com.br@72.dtikm4.com> -> <marcio@vtrade.com.br>, Queue-ID: 16AB3DF8AC, Message-ID: <6ef3155b8c668a37da11f10d88e93cf5@smtp129.1-hostingservice.com>, mail_id: WBwZ9FpR_HzD, Hits: 0.012, size: 17163, queued_as: 15654DF8E3, dkim_sd=email:1-hostingservice.com, 6250 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_FONT_LOW_CONTRAST=0.001,HTML_IMAGE_RATIO_08=0.001,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_MSPIKE_H2=-0.001,SPF_PASS=-0.001,T_REMOTE_IMAGE=0.01]

Anything we should look at?


2

Re: Spam filtering not working

*) The spam score is low (<= 2.x). You may try to decrease the score in Amavisd setting "$sa_tag2_level_deflt". It's also configurable with iRedAdmin-Pro: System -> Anti Spam -> Global Spam Policy.

*) Since they're not detected as spam, no quarantining will be triggered at all. Also, make sure you have quarantining properly configured: http://www.iredmail.org/docs/quarantining.html

*) Do you have postscreen or DNSBL services enabled to help reduce spam? Greylisting?

3

Re: Spam filtering not working

Hi there

- Spam score is the same as in the old server, but I lowered it a little bit more

- Quarantining was not properly configured. I changed the configuration

- Yes, we have greylist and postscreen enabled:
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = enforce

Anything else you would suggest we do to be more strict with spam?
The new server seems to be giving a low score to messages we know are spam. The old server was more strict.

4

Re: Spam filtering not working

*) Decrease the score of '$sa_tag2_level_deflt'.
*) Check the SpamAssassin rules in Amavisd log, e.g.

Adrianom wrote:

May 23 16:05:20 ns8 amavis[1502]: (01502-02) Passed CLEAN {RelayedInbound}, [94.46.251.129]:48353 [94.46.251.129] <bounce+95857-2-5abd3b070c+vendas=vtrade.com.br@72.dtikm4.com> -> <cidi@vtrade.com.br>, Queue-ID: 16AB3DF8AC, Message-ID: <6ef3155b8c668a37da11f10d88e93cf5@smtp129.1-hostingservice.com>, mail_id: MGxVJjMrDwcD, Hits: 0.014, size: 17163, queued_as: 7A8DDDF958, dkim_sd=email:1-hostingservice.com, 5665 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_FONT_LOW_CONTRAST=0.001,HTML_IMAGE_RATIO_08=0.001,HTML_MESSAGE=0.001,T_REMOTE_IMAGE=0.01]

See why it has a low score, and you may want to increase the score of some rules.
*) SpamAssassin takes some time to get more info about spam mails (a.k.a. training), so you need to give it some more time.
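
An added example (not part of the original posts, and not iRedMail or Amavisd code): a Python script that performs the log check suggested above, parsing the `Hits:` and `Tests: [...]` fields, ranking which rules pull scores down, and recomputing scores under raised rule scores. The sample lines are constructed in the format shown in the thread, and the override values and the 4.0 tag2 level are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the amavisd format shown in the thread;
# hosts, addresses and mail_ids are placeholders, not real traffic.
SAMPLE_LOG = """\
May 23 16:05:10 mx amavis[1297]: (01297-04) Passed CLEAN {RelayedInbound}, [192.0.2.10]:41589 <a@example.net> -> <u1@example.com>, mail_id: AAAAAAAAAAAA, Hits: 1.277, size: 17841, 7226 ms, Tests: [DATE_IN_PAST_06_12=1.103,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HTML_MESSAGE=0.001,RP_MATCHES_RCVD=-1.426,SPF_PASS=-0.001,URIBL_BLACK=1.7]
May 23 16:05:11 mx amavis[29567]: (29567-14) Passed CLEAN {RelayedInbound}, [192.0.2.11]:35101 <b@example.net> -> <u2@example.com>, mail_id: BBBBBBBBBBBB, Hits: -, size: 4300, 145 ms
May 23 16:05:20 mx amavis[29916]: (29916-14) Passed CLEAN {RelayedInbound}, [192.0.2.12]:34108 <c@example.net> -> <u3@example.com>, mail_id: CCCCCCCCCCCC, Hits: 2.362, size: 2505, 5782 ms, Tests: [DATE_IN_PAST_06_12=1.103,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,FROM_EXCESS_BASE64=0.105,RCVD_IN_MSPIKE_H4=-0.01,RCVD_IN_MSPIKE_WL=-0.01,RCVD_IN_PSBL=2.7,RP_MATCHES_RCVD=-1.426,SPF_PASS=-0.001,URIBL_DBL_ABUSE_REDIR=0.001]
"""

HITS_RE = re.compile(r"mail_id: ([^,\s]+), Hits: (-?[\d.]+|-),")
TESTS_RE = re.compile(r"Tests: \[([^\]]*)\]")

def parse(log):
    """Return [(mail_id, hits or None, {rule: score})] for each result line."""
    records = []
    for line in log.splitlines():
        m = HITS_RE.search(line)
        if not m:
            continue
        # "Hits: -" means no score was logged for that message.
        hits = None if m.group(2) == "-" else float(m.group(2))
        t = TESTS_RE.search(line)
        pairs = (item.partition("=") for item in t.group(1).split(",")) if t else ()
        records.append((m.group(1), hits, {n: float(v) for n, _, v in pairs}))
    return records

def rule_totals(records):
    """Sum each rule's contribution over all messages, most negative first."""
    totals = defaultdict(float)
    for _, _, tests in records:
        for name, val in tests.items():
            totals[name] += val
    return sorted(totals.items(), key=lambda kv: kv[1])

def rescore(records, overrides, tag2_level):
    """Recompute scores with replaced rule scores; list messages reaching tag2_level."""
    flagged = []
    for mail_id, hits, tests in records:
        if hits is None:
            continue
        new = round(sum(overrides.get(n, v) for n, v in tests.items()), 3)
        if new >= tag2_level:
            flagged.append((mail_id, new))
    return flagged

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(rule_totals(recs)[:3])
    # Hypothetical overrides and threshold, for illustration only.
    print(rescore(recs, {"URIBL_BLACK": 4.5, "RCVD_IN_PSBL": 4.5}, 4.0))
```

Run it over the real Amavisd log by passing the file contents to `parse()`; rules with a large negative total are the ones to review before raising any positive scores.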