1

Topic: Default installation - SPAM getting through like crazy.

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7 MYSQL
- Linux/BSD distribution name and version: Ubuntu 16.0.4.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I used to have a mail server with Spamassassin and it was great at blocking spam.  Hardly any ever made it to my inbox.  I recently reinstalled Ubuntu and decided to give iRedMail a chance.  The spam scores that are coming in have very low scores (usually between 0 and 1.5).  I modified my config to add the X-Spam tag to everything over -999.  And I lowered my mark as SPAM threshold to 1.0.

Can someone help me understand why SPAM is getting scored so low?

Here's an example from one SPAM email.  They're all fairly similar in overall score.

X-Virus-Scanned: Debian amavisd-new at <FQDN of mail server>
X-Spam-Flag: NO
X-Spam-Score: 0.283
X-Spam-Level:
X-Spam-Status: No, score=0.283 tagged_above=-9999 required=1
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_IADB_DK=-0.223, RCVD_IN_IADB_LISTED=-0.38,
    RCVD_IN_IADB_RDNS=-0.167, RCVD_IN_IADB_SENDERID=-0.001,
    RCVD_IN_IADB_SPF=-0.001, RCVD_IN_MSPIKE_H4=-0.01,
    RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    T_RP_MATCHES_RCVD=-0.01, URIBL_GREY=1.084]
    autolearn=no autolearn_force=no

Thanks


2

Re: Default installation - SPAM getting through like crazy.

I lowered my threshold down to 0 and am still getting a ton of low scoring SPAM:

X-Virus-Scanned: Debian amavisd-new at nas.hodgsonfam.local
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Level:
X-Spam-Status: No, score=-0.71 tagged_above=-9999 required=0
    tests=[HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7,
    SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01]
    autolearn=ham autolearn_force=no
...

X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedttddrleelgddutdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecu


HELP!!!

3

Re: Default installation - SPAM getting through like crazy.

I would try increasing the scores in your local.cf file

4

Re: Default installation - SPAM getting through like crazy.

steveaggie wrote:

I lowered my threshold down to 0

Which setting did you update?

You should update Amavisd config file, parameter:

$sa_tag2_level_deflt =

Restarting Amavisd service is required after change.

P.S. It's easier to manage global / per-domain / per-user spam policy with iRedAdmin-Pro, screenshot attached.
https://docs.iredmail.org/images/iredadmin/system_global_spam_policy.png

5

Re: Default installation - SPAM getting through like crazy.

ZhangHuangbin wrote:
steveaggie wrote:

I lowered my threshold down to 0

Which setting did you update?

You should update Amavisd config file, parameter:

$sa_tag2_level_deflt =

Restarting Amavisd service is required after change.

P.S. It's easier to manage global / per-domain / per-user spam policy with iRedAdmin-Pro, screenshot attached.
https://docs.iredmail.org/images/iredadmin/system_global_spam_policy.png

Hello,

Yes, that is the one I configured (in Amavis).  I also restarted the service.

I have looked into changing the scoring as mentioned above but I don't see how to do that.  I read the parameters guide for the local.cf file, but it doesn't tell you how to change scores.  It's weird that I have so much SPAM now.  Previously when using spam assassin I had very little getting through.

I would love to use iRedAdmin-Pro, but don't want to pay for it if I can't get the free version working properly first.

I still don't understand why so much SPAM is being scored so low (very similar to legit email.)  If there is a way to differentiate the two more, that would really help.


Thanks
Steven

6

Re: Default installation - SPAM getting through like crazy.

steveaggie wrote:

I have looked into changing the scoring as mentioned above but I don't see how to do that.  I read the parameters guide for the local.cf file, but it doesn't tell you how to change scores.  It's weird that I have so much SPAM now.  Previously when using spam assassin I had very little getting through.

I would love to use iRedAdmin-Pro, but don't want to pay for it if I can't get the free version working properly first.

I still don't understand why so much SPAM is being scored so low (very similar to legit email.)  If there is a way to differentiate the two more, that would really help.


Thanks
Steven

Hello,

To adjust the default settings of spamassassin, add the section below to the bottom of your local.cf file. You will need to find the settings that are right for your server. This is an example from mine; I had to increase the default settings of these two spamassassin tests:

# Spamassassin Score increases
score RDNS_NONE 2.5
score URIBL_ABUSE_SURBL 2.5

7

Re: Default installation - SPAM getting through like crazy.

agroshong wrote:
steveaggie wrote:

I have looked into changing the scoring as mentioned above but I don't see how to do that.  I read the parameters guide for the local.cf file, but it doesn't tell you how to change scores.  It's weird that I have so much SPAM now.  Previously when using spam assassin I had very little getting through.

I would love to use iRedAdmin-Pro, but don't want to pay for it if I can't get the free version working properly first.

I still don't understand why so much SPAM is being scored so low (very similar to legit email.)  If there is a way to differentiate the two more, that would really help.


Thanks
Steven

Hello,

To adjust the default settings of spamassassin, add the section below to the bottom of your local.cf file. You will need to find the settings that are right for your server. This is an example from mine; I had to increase the default settings of these two spamassassin tests:

# Spamassassin Score increases
score RDNS_NONE 2.5
score URIBL_ABUSE_SURBL 2.5

Thanks, but unfortunately that didn't really make a dent.  At certain times of day I have spam coming in every few seconds, it seems.  I don't know why this is occurring but it started when I installed iRedPro.  Here's another example of the very low score.  Please tell me what I can do to fix this!

X-Spam-Status: No, score=-0.155 tagged_above=-9999 required=0
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H2=-0.055, SPF_PASS=-0.001]
    autolearn=ham autolearn_force=no

8

Re: Default installation - SPAM getting through like crazy.

*) Do you have DNSBL service enabled in Postfix?
*) Do you have greylisting service enabled?

The last sample mail header does look like legit email, it has valid SPF/DKIM DNS records, also DKIM is valid, and it didn't trigger other SpamAssassin rules, so it's a low score.
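
Added example, not part of the original posts and not iRedMail or SpamAssassin code: a small Python parser that splits an X-Spam-Status header, such as the last sample quoted in this thread, into its per-rule points so the low total can be traced to the rules that fired. The function names are illustrative; the header text is copied from the thread.

```python
import re

# X-Spam-Status header copied from the last sample posted in this thread.
SAMPLE = """X-Spam-Status: No, score=-0.155 tagged_above=-9999 required=0
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H2=-0.055, SPF_PASS=-0.001]
    autolearn=ham autolearn_force=no"""


def parse_spam_status(header):
    """Parse a (possibly folded) X-Spam-Status header into a dict."""
    flat = " ".join(header.split())  # unfold continuation lines
    tests = {}
    match = re.search(r"tests=\[(.*?)\]", flat)
    if match:
        for item in match.group(1).split(","):
            name, sep, points = item.strip().partition("=")
            if sep:  # skips entries without points, e.g. tests=[none]
                tests[name] = float(points)
    # Remaining key=value pairs: score, required, autolearn, ...
    rest = re.sub(r"tests=\[.*?\]", "", flat)
    fields = dict(re.findall(r"(\w+)=(-?[\w.]+)", rest))
    return {
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "autolearn": fields.get("autolearn"),
        "tests": tests,
    }


def diagnose(parsed):
    """Summarise which side of the score the fired rules fall on."""
    tests = parsed["tests"]
    findings = []
    if not any(name.startswith("BAYES_") for name in tests):
        # A Bayes database that is in use always fires one BAYES_NN rule.
        findings.append("no BAYES_* rule fired (Bayes not scoring yet)")
    if parsed["autolearn"] == "ham":
        findings.append("autolearn=ham (message was auto-learned as ham)")
    return {
        "positive": sum(v for v in tests.values() if v > 0),
        "negative": sum(v for v in tests.values() if v < 0),
        "findings": findings,
    }


if __name__ == "__main__":
    report = diagnose(parse_spam_status(SAMPLE))
    print("spam points %+.4f, ham points %+.4f" % (report["positive"], report["negative"]))
    for finding in report["findings"]:
        print("-", finding)
```
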

9

Re: Default installation - SPAM getting through like crazy.

steveaggie wrote:

it started when I installed iRedPro

Are you running iRedAdmin-Pro now?

10

Re: Default installation - SPAM getting through like crazy.

ZhangHuangbin wrote:
steveaggie wrote:

it started when I installed iRedPro

Are you running iRedAdmin-Pro now?

Thanks for the reply.  I'm just using the default installation settings other than what I described above about SPAM levels.  It looks like the DNSBL feature wasn't enabled in postfix so I enabled it.  I couldn't tell if greylisting was enabled, so whatever the default setting is there.

I'll let it run for a while and see if SPAM levels are reduced and report back.

Thank you.

11

Re: Default installation - SPAM getting through like crazy.

steveaggie wrote:

I couldn't tell if greylisting was enabled

Try command:

cd /opt/iredapd/tools/
python greylisting_admin.py --list

12

Re: Default installation - SPAM getting through like crazy.

ZhangHuangbin wrote:
steveaggie wrote:

I couldn't tell if greylisting was enabled

Try command:

cd /opt/iredapd/tools/
python greylisting_admin.py --list

It looks like it's enabled.

root@nas:/opt/iredapd/tools# python greylisting_admin.py --list
Status   Sender                             -> Local Account                 
------------------------------------------------------------------------------
enabled  @. (anyone)                        -> @. (anyone)

The current status right now is that the spam filtering has gotten a little better.  I'm getting 10-15 per day in my inbox instead of 100.  My spam threshold is set very low though so I'm getting a lot of false positives.  The spam that is getting through often has lower scores than legitimate email.  So right now I'm trying to train the bayes filter to recognize what is and isn't spam.

Correct me if I'm wrong, but it looks like the bayes process is enabled by default.

13

Re: Default installation - SPAM getting through like crazy.

steveaggie wrote:

Correct me if I'm wrong, but it looks like the bayes process is enabled by default.

It's enabled, but not trained.

You can try this:
https://wiki2.dovecot.org/Pigeonhole/Si … /IMAPSieve