1

Topic: Spam behaviour is odd

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySql
- Linux/BSD distribution name and version: Wheezy
- Related log if you're reporting an issue:
====

I tested spam behaviour with this free online service: http://www.emailsecuritycheck.net/
This service sends seven emails which should get banned. What happened? All emails except for email 2 did enter my mailbox:

- 1) Test mail 1/7 (ID=c6nbPKFQuvszu3lCPSHYAA==)
- 2) -> not received
- 3) *** SPAM *** Test mail 3/7 (ID=c6nbPKFQuvszu3lCPSHYAA==)
- 4) Test mail 4/7 (ID=c6nbPKFQuvszu3lCPSHYAA==)
- 5) Test mail 5/7 (ID=c6nbPKFQuvszu3lCPSHYAA==)
- 6) Test mail 6/7 (ID=c6nbPKFQuvszu3lCPSHYAA==)
- 7) Test mail 7/7 (ID=c6nbPKFQuvszu3lCPSHYAA==)


Postmaster received seven emails:

- 1) BANNED contents (application/x-msdownload,.asc,attached.bat) in mail FROM LOCAL [78.47.119.33]:46094 <securitycheck@emailsecuritycheck.net>
- 2) VIRUS (Eicar-Test-Signature) in mail FROM LOCAL [78.47.119.33]:45631 <securitycheck@emailsecuritycheck.net>
- 3) Spam FROM LOCAL [78.47.119.33]:58287 <securitycheck@emailsecuritycheck.net>
- 4) BANNED contents (application/x-msdownload,.asc,attached.bat,attached.bat) in mail FROM LOCAL [78.47.119.33]:39333 <securitycheck@emailsecuritycheck.net>
- 5) BANNED contents (application/x-msdownload,.asc) in mail FROM LOCAL [78.47.119.33]:57379 <securitycheck@emailsecuritycheck.net>
- 6) BANNED contents (application/x-msdownload,.asc,attached.()bat) in mail FROM LOCAL [78.47.119.33]:53361 <securitycheck@emailsecuritycheck.net>
- 7) BANNED contents (application/x-msdownload,.asc,attached\) in mail FROM LOCAL [78.47.119.33]:43625 <securitycheck@emailsecuritycheck.net>


Now my questions:

- why are those emails not moved to junk server side?
- why did postmaster get all those messages from iRedMail?

This is still a test system. This spam behaviour doesn't seem to be production ready for me.


Do I miss something?

Thanks


2

Re: Spam behaviour is odd

Peter wrote:

- why are those emails not moved to junk server side?

iRedMail configures Amavisd to bypass detected spam/banned emails, if you want to quarantine them into SQL database, please check our tutorial here:
http://www.iredmail.org/docs/quarantining.html

If you just need to DISCARD them, please just update '$final_[XXX]_destiny' variables.

Viruses will be DISCARDed directly without quarantining by default.

Peter wrote:

- why did postmaster get all those messages from iRedMail?

If you check the Amavisd config file, you will find many alerts will be sent to 'root@[myhostname]', it's the root user.
And, we have some alias entries in /etc/postfix/aliases, several system accounts are aliased to 'postmaster@[xxx]' (the admin account created during iRedMail installation). So all emails sent to these system accounts are delivered to 'postmaster@xxx', that's why.

Hope it helps.

3

Re: Spam behaviour is odd

Thanks for your clarification that helps a lot.

This default behaviour from iRedMail isn't the best in my opinion. Is quarantining enabled by default in paid version of iRedMail?

However, right now recipients receive emails with dangerous attachments. The emails go directly to the inbox! And they are not even marked in the subject.

I suggest to change this default behaviour to get more happy customers;-)


How about this:

1) append some text to the subject. A user must see instantly there is something wrong with this email.
2) move those emails to junk directory

Can this be done with amavisd and sieve?

4

Re: Spam behaviour is odd

I did succeed half of it:

1) amavis cannot manipulate email subject, only exception is spam which is processed by spamassassin
2) you can write a global sieve which moves marked spam and banned attachments to junk folder

vi /etc/dovecot/dovecot.conf

sieve_before = /var/vmail/sieve/dovecot.sieve.global

vi /var/vmail/sieve/dovecot.sieve.global

require ["fileinto"];

# rule:[Move Spam to Junk Folder]
if header :is "X-Spam-Flag" "YES"
{
    fileinto "Junk";
    stop;
}

# X-Amavis-Alert reads "BANNED, message contains ...", so match with :contains
if header :contains "X-Amavis-Alert" "BANNED"
{
    fileinto "Junk";
    stop;
}

If iRedMail decides to pass junk by default then please move them to junk folder. And if somebody knows a hack about 1) I would be happy if you let me know.

Thanks
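
An added example, not part of the original post or of iRedMail: a small Python emulation of the two header tests used in the global Sieve script above, run over constructed messages, showing how the match type on X-Amavis-Alert decides whether a banned message is filed into Junk. It assumes amavisd writes the alert value in the form "BANNED, message contains ..."; the function names and sample messages are hypothetical.

```python
from email import message_from_string

# Constructed sample messages (not taken from the thread). The X-Amavis-Alert
# value is assumed to have the form "BANNED, message contains ...".
SAMPLES = {
    "spam": "Subject: *** SPAM *** Test mail 3/7\nX-Spam-Flag: YES\n\nbody\n",
    "banned": ("Subject: Test mail 1/7\n"
               "X-Amavis-Alert: BANNED, message contains .exe,attached.bat\n"
               "\nbody\n"),
    "clean": "Subject: hello\nX-Spam-Flag: NO\n\nbody\n",
}


def header_test(msg, name, key, match_type):
    """Emulate Sieve's `header` test with the default i;ascii-casemap comparator."""
    needle = key.lower()
    for value in msg.get_all(name, []):
        value = value.strip().lower()
        if match_type == ":is" and value == needle:
            return True   # whole header value must equal the key
        if match_type == ":contains" and needle in value:
            return True   # key may appear anywhere in the value
    return False


def target_folder(raw, alert_match=":contains"):
    """Return the folder the two global rules would file this message into."""
    msg = message_from_string(raw)
    if header_test(msg, "X-Spam-Flag", "YES", ":is"):
        return "Junk"
    if header_test(msg, "X-Amavis-Alert", "BANNED", alert_match):
        return "Junk"
    return "INBOX"  # Sieve's implicit keep


if __name__ == "__main__":
    # Compare both match types for the X-Amavis-Alert rule on each sample.
    for label, raw in SAMPLES.items():
        print(label, target_folder(raw, ":is"), target_folder(raw, ":contains"))
```

With an exact `:is` match the banned sample stays in INBOX, because the header value carries more than the single word BANNED; `:contains` files it into Junk.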

5

Re: Spam behaviour is odd

In the beginning, we thought not all users are accessing mailbox via IMAP, so iRedMail bypasses SPAM to INBOX folder so that POP3 users can find spams and won't miss any important emails which were incorrectly marked as spam. Maybe this default behaviour should be changed nowadays.

Peter wrote:

1) amavis cannot manipulate email subject, only exception is spam which is processed by spamassassin

This is the default setting. If it's not spam, why do you want to add text in subject?

6

Re: Spam behaviour is odd

ZhangHuangbin wrote:

This is the default setting. If it's not spam, why do you want to add text in subject?

I'm not an expert when it comes to amavis new. That's why I invest so much time to understand how things work. Please correct me if I'm wrong:

- amavis new uses clamav (virus), spamassassin (spam) and has internal mechanism (banned attachment, bad header)
- subject manipulation is set ONLY for spamassassin (*** SPAM ***)
- if you see my initial question I received six e-mails into inbox all of them are spam but only one email, which was handled by spamassassin, has additional *** SPAM *** in the subject.
- all other e-mails are not marked in the subject, which is in my opinion dangerous for customers

Anyway I found a solution:

$subject_tag_maps_by_ccat{+CC_BANNED} = [ '***BANNED*** ' ];

 

Still my question above: Is quarantining enabled by default in paid version of iRedMail?

So far I don't get the point to pass spam to the recipient. Of course, there must be a way to correct false negative/positive. I imagine how unhappy our customers would be if they get hundreds of spam every day. That's not the way to go, is it?

For me iRedMail is missing good documentation. Right now I need a lot of time to find out how things work (how iRedMail is configured). This know-how is essential to run this system as a service. Once things don't work anymore as expected I need to know what to do.

I was thinking to do some system overview. But then I need a faster channel to ask you questions. If you like the idea let me know.

7

Re: Spam behaviour is odd

Peter wrote:

- amavis new uses clamav (virus), spamassassin (spam) and has internal mechanism (banned attachment, bad header)
- subject manipulation is set ONLY for spamassassin (*** SPAM ***)

Correct.

Peter wrote:

- if you see my initial question I received six e-mails into inbox all of them are spam but only one email, which was handled by spamassassin, has additional *** SPAM *** in the subject.
- all other e-mails are not marked in the subject, which is in my opinion dangerous for customers

They were BANNED, not detected as spam.

Peter wrote:

Anyway I found a solution:

$subject_tag_maps_by_ccat{+CC_BANNED} = [ '***BANNED*** ' ];

This one is great, I should set it by default.

Peter wrote:

Still my question above: Is quarantining enabled by default in paid version of iRedMail?

No, it's optional but strongly recommended in our tutorial:
http://www.iredmail.org/docs/migrate.or … onal-steps

Peter wrote:

So far I don't get the point to pass spam to the recipient. Of course, there must be a way to correct false negative/positive. I imagine how unhappy our customers would be if they get hundreds of spam every day. That's not the way to go, is it?

In the beginning, we hoped customers wouldn't miss any normal emails which were incorrectly marked as spam, so we didn't enable filter rule to move spam to Junk folder.
Anyway, next release of iRedMail will have this as default behaviour.

Peter wrote:

For me iRedMail is missing good documentation.

If you feel confused, just ask.

Peter wrote:

I was thinking to do some system overview. But then I need a faster channel to ask you questions. If you like the idea let me know.

I check forum posts every day and reply to them all, so this forum is ok.

8

Re: Spam behaviour is odd

ZhangHuangbin wrote:

They were BANNED, not detected as spam.

Right, they got banned but in my opinion it's spam. How is the flow in amavis? Does amavis first check for viruses, banned attachments and bad headers? Once a criteria matches it stops and spamassassin never sees that email? If this is the case we never know if it was spam or not. But recipient must be aware something might be wrong with that email.

ZhangHuangbin wrote:

This one is great, I should set it by default.

Good to know, thank you.


ZhangHuangbin wrote:

In the beginning, we hoped customers wouldn't miss any normal emails which were incorrectly marked as spam, so we didn't enable filter rule to move spam to Junk folder.
Anyway, next release of iRedMail will have this as default behaviour.

Makes sense to me, thanks.

ZhangHuangbin wrote:

If you feel confused, just ask.

Thanks for your offer. There are still many questions, I'll ask;-)

9

Re: Spam behaviour is odd

Peter wrote:

Right, they got banned but in my opinion it's spam. How is the flow in amavis? Does amavis first check for viruses, banned attachments and bad headers? Once a criteria matches it stops and spamassassin never sees that email? If this is the case we never know if it was spam or not. But recipient must be aware something might be wrong with that email.

It's hard for me to explain this, I suggest you ask on the Amavisd mailing list instead:
http://www.ijs.si/software/amavisd/#support