1

Topic: Tons of spam

Hello,

I have a brand new install of iRedMail, which is taking over from gmail.

We are getting a ton of spam coming through.  We are getting mail in the /var/virusmails directory, so some of it is being caught, but a bunch - too much - is getting through.

Can somebody give me some ideas as to where to start to tighten things up?

sieve.log complains about being called in group nobody instead of vmail - which I tried to fix in /etc/postfix/aliases per another post....

maillog complains amavis - all primary virus scanners failed...

Not sure what to do, or where else to look.

-e

==== Required information ====
- iRedMail version: 0.8.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Linux/BSD distribution name and version: Centos 6.3
- Related log if you're reporting an issue:
====

2

Re: Tons of spam

ethermion wrote:

maillog complains amavis - all primary virus scanners failed...

ClamAV service is not running. Please execute the command "freshclam" first, then start the ClamAV service.

ethermion wrote:

We are getting a ton of spam coming through.  We are getting mail in the /var/virusmails directory, so some of it is being caught, but a bunch - too much - is getting through.

Were these emails marked as SPAM in both subject (***SPAM***) and mail header (X-Spam-Status: Yes)?

3

Re: Tons of spam

files in /var/virusmail
X-Spam-Flag: YES

Subject line is not altered.

4

Re: Tons of spam

ZhangHuangbin wrote:
ethermion wrote:

maillog complains amavis - all primary virus scanners failed...

ClamAV service is not running. Please execute the command "freshclam" first, then start the ClamAV service.

did the above, still getting "all primary virus scanners failed"

-e

5

Re: Tons of spam

ethermion wrote:

did the above, still getting "all primary virus scanners failed"

Did you check whether clamav is running?

6

Re: Tons of spam

Yes, clamav is absolutely positively running.  Not sure if I need to restart anything else, but clamav is without a doubt online.

-e

7

Re: Tons of spam

Does restarting Amavisd service work for you?

8

Re: Tons of spam

service amavisd restart

works. I have three processes: one (master), two (ch#-avail).

-e

9

Re: Tons of spam

ethermion wrote:

works. I have three processes: one (master), two (ch#-avail).

Be careful, the main process of Postfix and Dovecot is called "master" too.

- What's the value of "LocalSocket" setting in ClamAV config file /etc/clamd.conf? It should be /tmp/clamd.socket by default.
- Does the socket file (e.g. /tmp/clamd.socket) exist?

10

Re: Tons of spam

- What's the value of "LocalSocket" setting in ClamAV config file /etc/clamd.conf? It should be /tmp/clamd.socket by default.
- Does the socket file (e.g. /tmp/clamd.socket) exist?

/tmp/clamd.socket and yes it does exist.

11

Re: Tons of spam

ethermion wrote:

still getting "all primary virus scanners failed"

Could you please paste output of below command here to help troubleshoot:

# grep 'CONTSCAN' /etc/amavisd/amavisd.conf

12

Re: Tons of spam

/etc/amavisd.conf shows:

#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],

Seems to be commented out.

-e

13

Re: Tons of spam

ethermion wrote:

- Linux/BSD distribution name and version: Centos 6.3

If you're running CentOS 6, Amavisd config file should be /etc/amavisd/amavisd.conf, not /etc/amavisd.conf.

Settings of virus scanner in amavisd.conf should look like below:

@av_scanners = (
    #### http://www.clamav.net/
    ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

Not sure why yours is commented out.

14

Re: Tons of spam

I have /etc/amavisd.conf on two machines.  The 2nd machine is current Centos 6.3 with iRedMail and not really anything else.

Here is my relevant section from amavisd.conf.  Looks different than what you posted.

@av_scanners = (

# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

# ### http://www.csupomona.edu/~henson/www/pr … SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],

# ### http://www.clamav.net/
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
Later on in the file there is a different call to Clam:
@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Advice?

-e

15

Re: Tons of spam

ethermion wrote:

Advice?

Add clamav related code in @av_scanners. For example (add the lines in red)

@av_scanners = (
    #### http://www.clamav.net/
    ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

);

16

Re: Tons of spam

Cool.  That is exactly what was in /etc/amavisd/amavisd.conf.rpmsave.
Cleared up the "all primary virus scanners failed" in /var/log/maillog

Next problem is that messages are marked as ***SPAM*** but still show up in people's inbox.

The final...destiny settings were commented out. I uncommented them and set them to D_DISCARD or D_BOUNCE. Didn't seem to help.

Making progress, but still tons of spam.

-e

17

Re: Tons of spam

Could you please check whether there are two 'final_spam_destiny' settings in amavisd.conf? Please comment out one and use the other.

18

Re: Tons of spam

Saw that in the other thread. Don't have that problem. Only one occurrence of final_spam_destiny, which is currently set to D_DISCARD.

19

Re: Tons of spam

ethermion wrote:

Next problem is that messages are marked as ***SPAM*** but still showup up in people's inbox.

Oops, I misunderstood. Sorry.

You have to enable global sieve rule to deliver SPAM to Junk folder. Reference:
http://www.iredmail.org/forum/topic365- … older.html

Note: Mail users can set this sieve rule in Roundcube webmail: Settings -> Filters. There's a sample sieve rule available there; users just need to enable it. That's all.

20

Re: Tons of spam

Misunderstood again...

With "final_spam_destiny = D_DISCARD;" in amavisd, SPAM should be discarded by Amavisd.
Are you sure you're updating the correct amavisd.conf? /etc/amavisd.conf or /etc/amavisd/amavisd.conf?

21

Re: Tons of spam

Great.  Thanks for your help.

I think we are getting close.  The owner is only getting 80 spams overnight rather than 800.

Now I want to get RBL working. Most of our spam is from domains in spamhaus. I have searched this forum and googled around, but am confused.

For rbl in postfix, I see the smtpd_client_restrictions setting, but mine is in master.cf, not main.cf as for everyone else.

For rbl in spamassassin, I went to the SA wiki over at apache, so now I am really, really confused!

I am pretty sure if I can get RBL working, I am good to go.

22

Re: Tons of spam

You can append rbl restrictions at the end of smtpd_recipient_restrictions. For example:

smtpd_recipient_restrictions = 
    ...
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org

References:

- http://www.akadia.com/services/postfix_uce.html
- http://farrokhi.net/blog/index.php/archives/60

23

Re: Tons of spam

The results are impressive. Spam is down to a trickle. Huge improvement.

Though, from time to time we are getting spam from blacklisted domains.

I tested the setup at http://www.crynwr.com/spam

I see lots of blacklist rejects in maillog.

Here is a sample header - fjoralde.info is in spamhaus - should not have come through:

Return-Path: <hypothermic@fjoralde.info>
Delivered-To: me@mydomain.com
Received: from localhost (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id C28DD2C296B
    for <me@mydomain.com>; Fri, 24 Aug 2012 11:57:39 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 4.879
X-Spam-Level: ****
X-Spam-Status: No, score=4.879 tagged_above=-100 required=6.2
    tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=1.157,
    MIME_HTML_MOSTLY=0.428, RDNS_NONE=0.793, URIBL_DBL_SPAM=1.7]
    autolearn=no
Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id f-tkZm3cIZQy for <me@mydomain.com>;
    Fri, 24 Aug 2012 11:57:37 -0400 (EDT)
X-Original-Helo: fjoralde.info (iRedMail: http://www.iredmail.org/)
Received: from fjoralde.info (unknown [93.190.140.125])
    by mail.mydomain.com (Postfix) with ESMTP id E11102C1CD8
    for <me@mydomain.com>; Fri, 24 Aug 2012 11:56:36 -0400 (EDT)
Subject: For The Smoker You Care About
From: Free Electronic Cigarette <benefit@pharyngoscope.fjoralde.info>
To: "Recipient" <cbellew@eastman.com>
Content-Type: multipart/related; boundary="907329a037d13e5fcb6e547dbb4ec2e5"
MIME-Version: 1.0
Message-ID: <0.0.0.38.1CD820ED86D425E.0@fjoralde.info>
Date: Fri, 24 Aug 2012 08:40:53 -0700

24

Re: Tons of spam

ethermion wrote:

X-Spam-Status: No, score=4.879 tagged_above=-100 required=6.2
tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=1.157,
MIME_HTML_MOSTLY=0.428, RDNS_NONE=0.793, URIBL_DBL_SPAM=1.7]

It's pretty clear here: it's not considered SPAM by SpamAssassin.

You can try to decrease scores in Amavisd parameters: sa_tag_level_deflt, sa_tag2_level_deflt. Restarting amavisd service is required after change.
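
As an added illustration (not part of the thread), the X-Spam-Status value quoted above parsed and run through amavisd's three-step ladder, where "tagged_above" is sa_tag_level_deflt and "required" is sa_tag2_level_deflt. The kill level of 6.9 used at the end is an assumption; the other two values come from the header itself.

```python
import re

# Constructed sample: the X-Spam-Status value quoted in this thread, unfolded onto one line.
SAMPLE_STATUS = (
    "No, score=4.879 tagged_above=-100 required=6.2 "
    "tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=1.157, "
    "MIME_HTML_MOSTLY=0.428, RDNS_NONE=0.793, URIBL_DBL_SPAM=1.7] autolearn=no"
)


def parse_spam_status(value):
    """Split an amavisd X-Spam-Status value into flag, score, thresholds and rule hits."""
    m = re.match(r"(Yes|No), score=(-?[\d.]+) tagged_above=(-?[\d.]+) required=(-?[\d.]+)", value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    tests = {}
    hits = re.search(r"tests=\[(.*?)\]", value)
    if hits:
        for item in hits.group(1).split(","):
            name, _, score = item.strip().partition("=")
            tests[name] = float(score)
    return {
        "flag": m.group(1) == "Yes",
        "score": float(m.group(2)),
        "tag_level": float(m.group(3)),   # sa_tag_level_deflt
        "tag2_level": float(m.group(4)),  # sa_tag2_level_deflt
        "tests": tests,
    }


def amavisd_verdict(score, tag_level, tag2_level, kill_level):
    """Mirror amavisd's decision ladder: each threshold applies at or above its value."""
    if score >= kill_level:
        return "kill"    # final_spam_destiny decides: D_PASS, D_BOUNCE, D_REJECT or D_DISCARD
    if score >= tag2_level:
        return "tag2"    # X-Spam-Flag: YES plus the ***SPAM*** subject prefix
    if score >= tag_level:
        return "tag"     # X-Spam-* headers only; the message is still delivered as normal
    return "clean"


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_STATUS)
    # Assumed kill level of 6.9; the header's own tag2 level is 6.2, so the message is only tagged.
    for tag2, kill in ((status["tag2_level"], 6.9), (4.5, 6.9), (4.5, 4.5)):
        print("tag2=%.1f kill=%.1f -> %s" % (tag2, kill,
              amavisd_verdict(status["score"], status["tag_level"], tag2, kill)))
```

The individual test scores add up to the reported 4.879, which sits between tagged_above and required, which is exactly the "tag" outcome: headers added, mail delivered.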

25

Re: Tons of spam

But, with your help, I told Postfix to check the blacklists.

return path is a blacklisted domain
X-Original-Helo is a blacklisted domain
Received: from is a blacklisted domain
From: is a blacklisted domain

Why didn't postfix catch it?  It catches lots of others.  Why not this one?
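
As an added example (not from the thread), this script takes the values out of the quoted header that the restrictions in the list posted earlier actually test and builds the DNS name each one would query: reject_rbl_client looks up only the reversed connecting IP, the sender domain and HELO name are checked only by the rhsbl restrictions, and a client whose reverse DNS is "unknown" gives reject_rhsbl_client nothing to look up. The zone names come from the posted list; reject_rhsbl_helo is not in that list and is included only to show where the HELO name would be checked.

```python
import re

# Constructed sample: the headers of the message quoted earlier in this thread,
# trimmed to the lines the Postfix restrictions actually look at.
SAMPLE_HEADERS = (
    "Return-Path: <hypothermic@fjoralde.info>\n"
    "X-Original-Helo: fjoralde.info (iRedMail: http://www.iredmail.org/)\n"
    "Received: from fjoralde.info (unknown [93.190.140.125])\n"
    "\tby mail.mydomain.com (Postfix) with ESMTP id E11102C1CD8\n"
    "From: Free Electronic Cigarette <benefit@pharyngoscope.fjoralde.info>\n"
)


def extract_parties(headers):
    """Return (client_ip, client_rdns, helo_name, sender_domain) from the headers."""
    client = re.search(r"^Received: from \S+ \((\S+) \[([\d.]+)\]\)", headers, re.M)
    helo = re.search(r"^X-Original-Helo: (\S+)", headers, re.M)
    sender = re.search(r"^Return-Path: <[^@>]+@([^>]+)>", headers, re.M)
    if not (client and helo and sender):
        raise ValueError("missing Received, X-Original-Helo or Return-Path header")
    return client.group(2), client.group(1), helo.group(1), sender.group(1)


def postfix_lookups(client_ip, client_rdns, helo_name, sender_domain, rbl_zone, rhsbl_zone):
    """Build the DNS name each restriction queries; an A record in the answer means 'listed'.

    Only reject_rbl_client tests the connecting IP (octets reversed). The HELO name and
    the MAIL FROM domain are tested by the rhsbl restrictions against domain-based zones.
    """
    reversed_ip = ".".join(reversed(client_ip.split(".")))
    return {
        "reject_rbl_client": f"{reversed_ip}.{rbl_zone}",
        # Postfix records 'unknown' when reverse DNS fails (the RDNS_NONE hit above), so
        # reject_rhsbl_client has no hostname to look up for this client.
        "reject_rhsbl_client": None if client_rdns == "unknown" else f"{client_rdns}.{rhsbl_zone}",
        "reject_rhsbl_sender": f"{sender_domain}.{rhsbl_zone}",
        "reject_rhsbl_helo": f"{helo_name}.{rhsbl_zone}",
    }


if __name__ == "__main__":
    ip, rdns, helo, domain = extract_parties(SAMPLE_HEADERS)
    # Zones taken from the restriction list posted earlier; no DNS query is performed here.
    lookups = postfix_lookups(ip, rdns, helo, domain, "sbl.spamhaus.org", "blackhole.securitysage.com")
    for restriction, name in lookups.items():
        print(f"{restriction:<20} {name or '(no lookup: client hostname unknown)'}")
```

Running the real queries (for example with dig against each of the printed names) on the sending host tells you which list, if any, would have answered at the time of the connection.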