1 Topic by stevej

  • stevej
  • Member
  • Offline
  • Registered: 2014-03-14
  • Posts: 5

Topic: Spam and blocked attachments are getting through

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
======== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian 7.4 (wheezy)
- Related log if you're reporting an issue:
====

I have set up iRedMail and it is working fine sending and receiving mail.
I am having difficulty getting:

Spam headers to be added to all/any mails (only checked received, not sent)
Spam feels like it is getting through. Hard to tell without the headers from SpamAssassin.
Messages with banned attachments are coming though with the banned attachment intact.

I've tried tweaking various conf settings, but it didn't seem to help. I am the first to admit that I don't know what I am doing, but I am trying.

I found this site to help me debug/validate email system
http://www.emailsecuritycheck.net/

There are seven test mails our server will try to send:

    The first mail (1/7) contains a harmless executable attachment. Even though it is harmless, it should be removed (or replaced) by your attachment blocker. Depending on the configuration of your attachment blocker, this mail may never reach you.
    The next mail (2/7) contains a harmless executable attachment, the EICAR anti virus test file in a .zip archive. This file should be detected by every virus checker. Depending on the configuration of your virus checker, this mail may never reach you.
    The third mail (3/7) is harmless spam message (GTUBE spam signature), and should be detected by every spam filter. Depending on the configuration of your spam filter, this mail may never reach you.
    The remaining four mails (4/7 to 7/7) contain attachments disguised in different ways. Even though the attachments are harmless, they should be removed (or replaced) by your attachment blocker. Depending on the configuration of your attachment blocker, these mails may never reach you.

My email system blocked the EICAR message, but the other 6 came through to the client
My postmaster received 1 virus alert, and 5 banned contents alerts.
My postmaster did not get notified of the GTUBE test


I ran grep spam * in /etc/amavis/conf.d to give you info on my current config.

01-debian:$dspam  = 'dspam';
05-domain_id:# to certain functionality, such as the addition of spam tags.
15-content_filter_mode:# You can modify this file to re-enable SPAM checking through spamassassin
15-content_filter_mode:# Please note, that anti-spam checking is DISABLED by 
15-content_filter_mode:@bypass_spam_checks_maps = (
15-content_filter_mode:   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
20-debian_defaults:$sa_spam_subject_tag = '***SPAM*** ';
20-debian_defaults:# changed added -100 check for spam flags
20-debian_defaults:#$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
20-debian_defaults:$sa_tag_level_deflt  = -100.0;  # add spam info headers if at, or above that level
20-debian_defaults:$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
20-debian_defaults:$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
20-debian_defaults:$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
20-debian_defaults:$final_spam_destiny       = D_BOUNCE;
20-debian_defaults:$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
20-debian_defaults:     #'spamassassin.apache.org'                => -3.0,
30-template_localization:# $notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt');
30-template_localization:# $notify_spam_admin_templ  = read_text('/var/amavis/notify_spam_admin.txt');
50-user:# Enable spam check.
50-user:@bypass_spam_checks_maps = (
50-user:    \%bypass_spam_checks,
50-user:    \@bypass_spam_checks_acl,
50-user:    $bypass_spam_checks_re,
50-user:# $mailfrom_notify_spamadmin = "root\@$mydomain";
50-user:$mailfrom_notify_spamadmin = "changed\@change.com";
50-user:# $mailfrom_notify_spamadmin = "root\@$mydomain"; # notifications sender
50-user:$mailfrom_notify_spamadmin = "changed\@change.com"; # notifications sender
50-user:#  spam_admin_maps  => ["root\@$mydomain"],
50-user:  spam_admin_maps  => ["changed\@change.com"],
50-user:  warnspamsender   => 1,
50-user:$final_spam_destiny       = D_PASS;
50-user:#    bypass_spam_checks_maps   => [1],  # don't spam-check this mail
50-user:#    bypass_spam_checks_maps   => [1],  # don't spam-check this mail
50-user:#    spam_admin_maps  => ["root\@$mydomain"],
50-user:    spam_admin_maps  => ["changed\@change.com"],
50-user:    # don't perform spam/virus/header check.
50-user:    #bypass_spam_checks_maps => [1],
50-user:#   - 'local:spam-%i-%m', quarantine mail on local file system.
50-user:$spam_quarantine_method = undef;
50-user:#$spam_quarantine_method = 'sql:';
50-user:#$spam_quarantine_to = 'spam-quarantine';
50-user:# Modify email subject, add '$sa_spam_subject_tag'.
50-user:$sa_spam_modifies_subj = 1;
50-user:#$remove_existing_spam_headers = 0;
50-user:# Notify spam sender?
50-user:#$warnspamsender = 0;
50-user:#$notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt');
50-user:#$notify_spam_admin_templ  = read_text('/var/amavis/notify_spam_admin.txt');
50-user:    #"spam-reporter@test.com"    => { d => "test.com", a => 'rsa-sha256', ttl =>  7*24*3600 },

Does anything stand out ?
I would appreciate any help.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Spam and blocked attachments are getting through

You should check Amavisd log to see whether it detected them as spam or not (it logs into Postfix log file by default).

50-user:$final_spam_destiny       = D_PASS;

This setting in file /etc/amavis/conf.d/50-user will continue delivering detected spam to user's mailbox.

3 Reply by stevej

  • stevej
  • Member
  • Offline
  • Registered: 2014-03-14
  • Posts: 5

Re: Spam and blocked attachments are getting through

OK. Things are looking much better.

I changed 2 parameters in /etc/amaisd/conf.d/50-user to:
$final_banned_destiny       = D_DISCARD;
$final_spam_destiny       = D_DISCARD;

Then I re-ran the test from
http://www.emailsecuritycheck.net/

For the 7 test messages that they sent:
My test user received 0 messages.
My postmaster received 6 messages. 1 virus alert, and 5 banned contents alert.
My postmaster failed to get notified about the GTUBE test, but that is ok since I wouldn't want to get flooded with spam alerts.

See below for the data from mail.log.

Two issues remain. sa_tag_level_deflt and defang_banned

1) I am still not getting the spam scores inserted in to the header even though I have:
20-debian_defaults:$sa_tag_level_deflt  = -100.0

Do I need something else to make this work?


2) I have defang_banned = 1. One of the 7 test files sends an attachment called attach.bat. It was my desire that anything banned would be removed from the message and the rest of the message delivered. Instead the entire message was delivered. Using $final_banned_destiny = D_DISCARD stops the attachment but also the entire message is killed.

I believe killing the message entirely will be fine, but I would like to understand defang_banned. I can envision use cases where valid email disappears, and without any notification, finger pointing and tension could arise.

Thanks for the help



================================================================================================
MAIL.LOG FILE  **FINAL_BANNED_DESTINY / FINAL_SPAM_DESTINY** CHANGED TO D_DISCARD
================================================================================================
Blank lines added for readability

Mar 15 08:50:12 mail postfix/smtpd[13073]: connect from byteplant.com[78.47.119.33]
Mar 15 08:50:13 mail postfix/smtpd[13116]: connect from byteplant.com[78.47.119.33]
Mar 15 08:50:13 mail postfix/smtpd[13118]: connect from byteplant.com[78.47.119.33]
Mar 15 08:50:13 mail postfix/smtpd[13119]: connect from byteplant.com[78.47.119.33]
Mar 15 08:50:13 mail postfix/smtpd[13120]: connect from byteplant.com[78.47.119.33]
Mar 15 08:50:13 mail postfix/smtpd[13121]: connect from byteplant.com[78.47.119.33]
Mar 15 08:50:13 mail postfix/smtpd[13122]: connect from byteplant.com[78.47.119.33]
Mar 15 08:50:14 mail postfix/smtpd[13073]: 3D525C0700: client=byteplant.com[78.47.119.33]
Mar 15 08:50:14 mail postfix/smtpd[13118]: 98882C078B: client=byteplant.com[78.47.119.33]
Mar 15 08:50:14 mail postfix/smtpd[13116]: A1615C079F: client=byteplant.com[78.47.119.33]
Mar 15 08:50:14 mail postfix/smtpd[13120]: DB70EC07A0: client=byteplant.com[78.47.119.33]
Mar 15 08:50:14 mail postfix/smtpd[13119]: E4DE2C07A1: client=byteplant.com[78.47.119.33]
Mar 15 08:50:14 mail postfix/smtpd[13121]: EE960C07A2: client=byteplant.com[78.47.119.33]
Mar 15 08:50:15 mail postfix/smtpd[13122]: 533FAC07A3: client=byteplant.com[78.47.119.33]
Mar 15 08:50:15 mail postfix/cleanup[13126]: 3D525C0700: message-id=emailsecuritycheck.net.1.m*mYoj9OgYs1HytEMio1Gg==
Mar 15 08:50:15 mail postfix/qmgr[4235]: 3D525C0700: from=<securitycheck@emailsecuritycheck.net>, size=1421, nrcpt=1 (queue active)
Mar 15 08:50:15 mail postfix/smtpd[13158]: connect from localhost[127.0.0.1]
Mar 15 08:50:15 mail postfix/smtpd[13158]: AF12CC07A4: client=localhost[127.0.0.1]
Mar 15 08:50:15 mail postfix/cleanup[13126]: AF12CC07A4: message-id=<VArEqRUB49BvRX@mail.memorylane4us.com>
Mar 15 08:50:15 mail postfix/qmgr[4235]: AF12CC07A4: from=<postman@changed-domain.com>, size=2646, nrcpt=1 (queue active)
Mar 15 08:50:15 mail postfix/smtpd[13158]: disconnect from localhost[127.0.0.1]

Mar 15 08:50:15 mail amavis[13034]: (13034-01) Blocked BANNED (application/x-msdownload,.asc,attached.bat) {DiscardedOutbound}, LOCAL [78.47.119.33]:58035 [78.47.119.33] <securitycheck@emailsecuritycheck.net> -> <spamtest@changed-domain.com>, Queue-ID: 3D525C0700, Message-ID: <emailsecuritycheck.net.1.m*mYoj9OgYs1HytEMio1Gg==>, mail_id: rEqRUB49BvRX, Hits: -, size: 1421, 242 ms
Mar 15 08:50:15 mail postfix/smtp[13154]: 3D525C0700: to=<spamtest@changed-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=1.5/0.01/0.01/0.3, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=13034-01 - BANNED: application/x-msdownload,.asc,attached.bat)
Mar 15 08:50:15 mail postfix/qmgr[4235]: 3D525C0700: removed
Mar 15 08:50:15 mail postfix/smtpd[13073]: disconnect from byteplant.com[78.47.119.33]
Mar 15 08:50:15 mail postfix/cleanup[13137]: 98882C078B: message-id=emailsecuritycheck.net.3.m*mYoj9OgYs1HytEMio1Gg==
Mar 15 08:50:16 mail postfix/cleanup[13138]: A1615C079F: message-id=emailsecuritycheck.net.2.m*mYoj9OgYs1HytEMio1Gg==
Mar 15 08:50:16 mail postfix/qmgr[4235]: 98882C078B: from=<securitycheck@emailsecuritycheck.net>, size=1138, nrcpt=1 (queue active)
Mar 15 08:50:16 mail postfix/qmgr[4235]: A1615C079F: from=<securitycheck@emailsecuritycheck.net>, size=1600, nrcpt=1 (queue active)
Mar 15 08:50:16 mail postfix/cleanup[13143]: DB70EC07A0: message-id=emailsecuritycheck.net.5.m*mYoj9OgYs1HytEMio1Gg==
Mar 15 08:50:16 mail postfix/qmgr[4235]: DB70EC07A0: from=<securitycheck@emailsecuritycheck.net>, size=1425, nrcpt=1 (queue active)
Mar 15 08:50:16 mail postfix/cleanup[13151]: EE960C07A2: message-id=emailsecuritycheck.net.6.m*mYoj9OgYs1HytEMio1Gg==
Mar 15 08:50:16 mail postfix/cleanup[13144]: E4DE2C07A1: message-id=emailsecuritycheck.net.4.m*mYoj9OgYs1HytEMio1Gg==
Mar 15 08:50:16 mail postfix/qmgr[4235]: EE960C07A2: from=<securitycheck@emailsecuritycheck.net>, size=1426, nrcpt=1 (queue active)
Mar 15 08:50:16 mail postfix/qmgr[4235]: E4DE2C07A1: from=<securitycheck@emailsecuritycheck.net>, size=1501, nrcpt=1 (queue active)
Mar 15 08:50:16 mail postfix/pipe[13159]: AF12CC07A4: to=<postman@changed-domain.com>, relay=dovecot, delay=0.62, delays=0.04/0.01/0/0.57, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 15 08:50:16 mail postfix/qmgr[4235]: AF12CC07A4: removed
Mar 15 08:50:16 mail postfix/smtpd[13158]: connect from localhost[127.0.0.1]
Mar 15 08:50:16 mail postfix/smtpd[13158]: 68070C0700: client=localhost[127.0.0.1]
Mar 15 08:50:16 mail postfix/cleanup[13126]: 68070C0700: message-id=<VAOw1SLz7sH7Tq@mail.memorylane4us.com>
Mar 15 08:50:16 mail postfix/smtpd[13118]: disconnect from byteplant.com[78.47.119.33]
Mar 15 08:50:16 mail postfix/qmgr[4235]: 68070C0700: from=<postman@changed-domain.com>, size=2727, nrcpt=1 (queue active)

Mar 15 08:50:16 mail amavis[13034]: (13034-02) Blocked INFECTED (Eicar-Test-Signature) {DiscardedOutbound,Quarantined}, LOCAL [78.47.119.33]:42885 [78.47.119.33] <securitycheck@emailsecuritycheck.net> -> <spamtest@changed-domain.com>, quarantine: O/virus-Ow1SLz7sH7Tq, Queue-ID: A1615C079F, Message-ID: <emailsecuritycheck.net.2.m*mYoj9OgYs1HytEMio1Gg==>, mail_id: Ow1SLz7sH7Tq, Hits: -, size: 1600, 387 ms
Mar 15 08:50:16 mail postfix/smtpd[13121]: disconnect from byteplant.com[78.47.119.33]
Mar 15 08:50:16 mail postfix/smtpd[13120]: disconnect from byteplant.com[78.47.119.33]
Mar 15 08:50:16 mail postfix/smtpd[13116]: disconnect from byteplant.com[78.47.119.33]
Mar 15 08:50:16 mail postfix/smtpd[13119]: disconnect from byteplant.com[78.47.119.33]
Mar 15 08:50:16 mail postfix/smtp[13164]: A1615C079F: to=<spamtest@changed-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.7/0.02/0/0.46, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=13034-02 - INFECTED: Eicar-Test-Signature)
Mar 15 08:50:16 mail postfix/qmgr[4235]: A1615C079F: removed
Mar 15 08:50:16 mail postfix/cleanup[13153]: 533FAC07A3: message-id=emailsecuritycheck.net.7.m*mYoj9OgYs1HytEMio1Gg==
Mar 15 08:50:16 mail postfix/smtpd[13158]: CF79CC07A7: client=localhost[127.0.0.1]
Mar 15 08:50:16 mail postfix/cleanup[13151]: CF79CC07A7: message-id=<VAyu-17k9aBraj@mail.memorylane4us.com>
Mar 15 08:50:16 mail postfix/qmgr[4235]: CF79CC07A7: from=<postman@changed-domain.com>, size=2607, nrcpt=1 (queue active)
Mar 15 08:50:16 mail postfix/qmgr[4235]: 533FAC07A3: from=<securitycheck@emailsecuritycheck.net>, size=1427, nrcpt=1 (queue active)

Mar 15 08:50:17 mail amavis[13034]: (13034-03) Blocked BANNED (application/x-msdownload,.asc) {DiscardedOutbound}, LOCAL [78.47.119.33]:47666 [78.47.119.33] <securitycheck@emailsecuritycheck.net> -> <spamtest@changed-domain.com>, Queue-ID: DB70EC07A0, Message-ID: <emailsecuritycheck.net.5.m*mYoj9OgYs1HytEMio1Gg==>, mail_id: yu-17k9aBraj, Hits: -, size: 1425, 445 ms
Mar 15 08:50:17 mail postfix/pipe[13159]: 68070C0700: to=<postman@changed-domain.com>, relay=dovecot, delay=0.65, delays=0.1/0/0/0.54, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 15 08:50:17 mail postfix/qmgr[4235]: 68070C0700: removed
Mar 15 08:50:17 mail postfix/smtp[13164]: DB70EC07A0: to=<spamtest@changed-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=1.6/0.4/0.01/0.54, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=13034-03 - BANNED: application/x-msdownload,.asc)
Mar 15 08:50:17 mail postfix/qmgr[4235]: DB70EC07A0: removed
Mar 15 08:50:17 mail postfix/smtpd[13122]: disconnect from byteplant.com[78.47.119.33]
Mar 15 08:50:17 mail postfix/pipe[13171]: CF79CC07A7: to=<postman@changed-domain.com>, relay=dovecot, delay=0.39, delays=0.02/0.01/0/0.35, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 15 08:50:17 mail postfix/qmgr[4235]: CF79CC07A7: removed
Mar 15 08:50:17 mail postfix/smtpd[13158]: 592C4C0700: client=localhost[127.0.0.1]
Mar 15 08:50:17 mail postfix/cleanup[13126]: 592C4C0700: message-id=<VAJP65vUVMxddl@mail.memorylane4us.com>
Mar 15 08:50:17 mail postfix/qmgr[4235]: 592C4C0700: from=<postman@changed-domain.com>, size=2656, nrcpt=1 (queue active)

Mar 15 08:50:17 mail amavis[13034]: (13034-03-2) Blocked BANNED (application/x-msdownload,.asc,attached.()bat) {DiscardedOutbound}, LOCAL [78.47.119.33]:44213 [78.47.119.33] <securitycheck@emailsecuritycheck.net> -> <spamtest@changed-domain.com>, Queue-ID: EE960C07A2, Message-ID: <emailsecuritycheck.net.6.m*mYoj9OgYs1HytEMio1Gg==>, mail_id: JP65vUVMxddl, Hits: -, size: 1426, 240 ms
Mar 15 08:50:17 mail postfix/smtp[13164]: EE960C07A2: to=<spamtest@changed-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=2.6, delays=1.4/0.91/0/0.28, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=13034-03-2 - BANNED: application/x-msdownload,.asc,attached.()bat)
Mar 15 08:50:17 mail postfix/qmgr[4235]: EE960C07A2: removed
Mar 15 08:50:17 mail postfix/smtpd[13158]: 92A26C07A0: client=localhost[127.0.0.1]
Mar 15 08:50:17 mail postfix/cleanup[13153]: 92A26C07A0: message-id=<VAdfrZzy-umkBN@mail.memorylane4us.com>
Mar 15 08:50:17 mail postfix/pipe[13159]: 592C4C0700: to=<postman@changed-domain.com>, relay=dovecot, delay=0.25, delays=0.03/0/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 15 08:50:17 mail postfix/qmgr[4235]: 592C4C0700: removed
Mar 15 08:50:17 mail postfix/qmgr[4235]: 92A26C07A0: from=<postman@changed-domain.com>, size=2712, nrcpt=1 (queue active)

Mar 15 08:50:17 mail amavis[13034]: (13034-03-3) Blocked BANNED (application/x-msdownload,.asc,attached.bat,=??Q?attached.bat?=) {DiscardedOutbound}, LOCAL [78.47.119.33]:49290 [78.47.119.33] <securitycheck@emailsecuritycheck.net> -> <spamtest@changed-domain.com>, Queue-ID: E4DE2C07A1, Message-ID: <emailsecuritycheck.net.4.m*mYoj9OgYs1HytEMio1Gg==>, mail_id: dfrZzy-umkBN, Hits: -, size: 1501, 218 ms
Mar 15 08:50:17 mail postfix/smtp[13164]: E4DE2C07A1: to=<spamtest@changed-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=3, delay=3, delays=1.6/1.2/0/0.27, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=13034-03-3 - BANNED: application/x-msdownload,.asc,attached.bat,=??Q?attached.bat?=)
Mar 15 08:50:17 mail postfix/qmgr[4235]: E4DE2C07A1: removed
Mar 15 08:50:17 mail postfix/pipe[13171]: 92A26C07A0: to=<postman@changed-domain.com>, relay=dovecot, delay=0.28, delays=0.06/0/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 15 08:50:17 mail postfix/qmgr[4235]: 92A26C07A0: removed
Mar 15 08:50:17 mail postfix/smtpd[13158]: E0EBAC07A0: client=localhost[127.0.0.1]
Mar 15 08:50:17 mail postfix/cleanup[13138]: E0EBAC07A0: message-id=<VAmbg9MnVu9YZm@mail.memorylane4us.com>
Mar 15 08:50:17 mail postfix/qmgr[4235]: E0EBAC07A0: from=<postman@changed-domain.com>, size=2748, nrcpt=1 (queue active)

Mar 15 08:50:17 mail amavis[13034]: (13034-03-4) Blocked BANNED (application/x-msdownload,.asc,attached\\) {DiscardedOutbound}, LOCAL [78.47.119.33]:49339 [78.47.119.33] <securitycheck@emailsecuritycheck.net> -> <spamtest@changed-domain.com>, Queue-ID: 533FAC07A3, Message-ID: <emailsecuritycheck.net.7.m*mYoj9OgYs1HytEMio1Gg==>, mail_id: mbg9MnVu9YZm, Hits: -, size: 1429, 243 ms
Mar 15 08:50:18 mail postfix/smtp[13164]: 533FAC07A3: to=<spamtest@changed-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=4, delay=2.8, delays=1.7/0.85/0/0.28, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=13034-03-4 - BANNED: application/x-msdownload,.asc,attached\\\\)
Mar 15 08:50:18 mail postfix/qmgr[4235]: 533FAC07A3: removed
Mar 15 08:50:18 mail postfix/pipe[13159]: E0EBAC07A0: to=<postman@changed-domain.com>, relay=dovecot, delay=0.29, delays=0.04/0/0/0.25, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 15 08:50:18 mail postfix/qmgr[4235]: E0EBAC07A0: removed

Mar 15 08:50:20 mail amavis[13033]: (13033-02) Blocked SPAM {DiscardedOutbound}, LOCAL [78.47.119.33]:46024 [78.47.119.33] <securitycheck@emailsecuritycheck.net> -> <spamtest@changed-domain.com>, Queue-ID: 98882C078B, Message-ID: <emailsecuritycheck.net.3.m*mYoj9OgYs1HytEMio1Gg==>, mail_id: VE2HziYTEM0F, Hits: 997.967, size: 1138, 4052 ms
Mar 15 08:50:20 mail postfix/smtp[13154]: 98882C078B: to=<spamtest@changed-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.9, delays=1.7/0.01/0/4.1, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=13033-02 - spam)
Mar 15 08:50:20 mail postfix/qmgr[4235]: 98882C078B: removed
Mar 15 08:52:03 mail postfix/scache[13169]: statistics: start interval Mar 15 08:50:16
Mar 15 08:52:03 mail postfix/scache[13169]: statistics: domain lookup hits=3 miss=1 success=75%
Mar 15 08:52:03 mail postfix/scache[13169]: statistics: address lookup hits=0 miss=1 success=0%
Mar 15 08:52:03 mail postfix/scache[13169]: statistics: max simultaneous domains=1 addresses=1 connection=1

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Spam and blocked attachments are getting through

stevej wrote:

1) I am still not getting the spam scores inserted in to the header even though I have:

Testing emails were discarded, so you didn't receive them, right? Then how do you know no spam scores inserted in header?

stevej wrote:

I believe killing the message entirely will be fine, but I would like to understand defang_banned.

It's better to ask in Amavisd mailing list instead: http://www.ijs.si/software/amavisd/#support

5 Reply by stevej

  • stevej
  • Member
  • Offline
  • Registered: 2014-03-14
  • Posts: 5

Re: Spam and blocked attachments are getting through

This iRedMail install replaced an old mail server I set up from
http://www.howtoforge.com/

I replaced it because my OpenSuse install had become way out of date and was worrying me regarding security updates.
I understand your feelings about dropping OpenSuse, but it was a bummer for me.

In my previous mail server, every mail item delivered to every user had spam headers inserted. Then Thunderbird could use them or not as the user saw fit. And the subject line was rewritten with *** SPAM *** inserted in the front.

In this Debian iRedMail install, no messages get spam headers, or *** SPAM *** inserted in the subject line.

Testing emails were discarded, so you didn't receive them, right? Then how do you know no spam scores inserted in header?

It is true the messages were discarded, but before I made that last change, the messages were delivered intact. No spam headers, and no subject line alteration.


I do appreciate your time in responding
I will check out the link for amavisd support.