1

Topic: Spam tagging and spam threshold

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: FreeBSD 11.1-RELEASE-p8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

This server's spam threshold is set to 6.0 but it classifies many messages with lower X-Spam-Score: values as spam.

Below are headers from an example message. In this case, the X-Spam-Score: is only 2.325 but the server classified it as spam. In this case, the sender address "@.citibank.com" is also whitelisted, but I mention that for information only. The key point is that regardless of whitelist status messages with scores < 6.0 get tagged as spam.

Is this expected behavior? If so, what are some strategies for reducing the false-positive rate?

Thanks.

Return-Path: <1a5970c2blayfivciarwxpcaaaaaabibo5c6itx3bamyaaaaa@info.citibank.com>
Delivered-To: user@example.com
Received: from mail8.networktest.com (localhost [127.0.0.1])
    by mail8.networktest.com (Postfix) with ESMTP id 8072B5E60BD
    for <user@example.com>; Thu,  8 Mar 2018 20:19:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at mail8.networktest.com
X-Spam-Flag: YES
X-Spam-Score: 2.325
X-Spam-Level: **
X-Spam-Status: Yes, score=2.325 tagged_above=0 required=0
    tests=[BAYES_40=-0.001, DCC_CHECK=1.1, DKIM_SIGNED=0.1,
    DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001,
    RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail8.networktest.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=info.citibank.com;
    domainkeys=pass (1024-bit key) header.from=citicards@info.citibank.com
    header.d=info.citibank.com
Received: from mail8.networktest.com ([127.0.0.1])
    by mail8.networktest.com (mail8.networktest.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id sAv4f9OyNfhm for <user@example.com>;
    Thu,  8 Mar 2018 20:19:56 -0800 (PST)
Received: from bigfootinteractive.com (arm186.bigfootinteractive.com [206.132.3.186])
    by mail8.networktest.com (Postfix) with ESMTP id 0460F5E60BC
    for <user@example.com>; Thu,  8 Mar 2018 20:19:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; d=info.citibank.com; s=ei; c=simple/simple;
    q=dns/txt; i=@info.citibank.com; t=1520569190;
    h=From:Subject:Date:To:MIME-Version:Content-Type;
    bh=W9PMW+xR7dw3hrijnrIgWyHfcak=;
    b=b2HCGRNhxOQpB9lhGDnajYnvXmfkYT5EG7xDeuN+2cbK9YdAjO+d0Zzam4jZCxJP
    Pr0lcgBNK3RD2ryW4X7SX+nxtPSzyVC48tMzV/5OCmBMb4qsCTI+mvGggmliE7zy
    HttzM36f7rjexR6YXH3kWAvpYAB2Lja5er4/jajHzqQ=;
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
    s=ei; d=info.citibank.com;
    h=Received:Reply-To:Bounces_to:Message-ID:X-SS:X-BFI:Date:From:Subject:To:MIME-Version:Content-Type;
    b=qsHh9DyZDLpN/5JFDPXPyPM33ij/VlL9fDV9FEZDDS0O7rdgStbXvpaJ7QwTtiUt
    3zRFbteX1IhPwAi+VynclRUVq/A1t9ZI6T964somm5FfSXreYnA6TbdXC+pjFHVF
    QwM57n5OmbI2voaDZtx0wIlA7gCIIsxiepzBFKvDPKc=
Received: from [192.168.3.50] ([192.168.3.50:54291] helo=unjdrmmailerpv25)
    by pimta07.epsiloninteractive.com (envelope-from <1a5970c2blayfivciarwxpcaaaaaabibo5c6itx3bamyaaaaa@info.citibank.com>)
    (ecelerity 2.2.2.45 r(34222M)) with ESMTP
    id 19/60-17715-66B02AA5; Thu, 08 Mar 2018 23:19:50 -0500
Reply-To: =?iso-8859-1?B?ImNpdGljYXJkcyI=?= <1a5970c2blayfivciarwxpcaaaaaabibo5c6itx3bamyaaaaa@info.citibank.com>
Bounces_to: citicards.1a5970c2blayfivciarwxpcaaaaaabibo5c6itx3bamyaaaaa@info.citibank.com
Message-ID: <1a5970c2blayfivciarwxpcaaaaaabibo5c6itx3bamyaaaaa.9376.3955.unjdrmmailerpv25.DumpShot.2@info.citibank.com>
X-SS: 1-1-6540082-939189857
X-BFI: 1a5970c2blayfivciarwxpcaaaaaabibo5c6itx3bamyaaaaa
Date: Thu, 08 Mar 2018 23:18:10 EST
From: =?iso-8859-1?B?Q29zdGNvIEFueXdoZXJlIFZpc2GuIENhcmQ=?= <citicards@info.citibank.com>
Subject: ***Spam*** Reminder: We have emailed your 2018 reward certificate to
    you
To: user@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="ABCD-1a5970c2blayfivciarwxpcaaaaaabibo5c6itx3bamyaaaaa-EFGH"


2

Re: Spam tagging and spam threshold

cvcvelo wrote:

X-Spam-Status: Yes, score=2.325 tagged_above=0 required=0

"tagged_above=0" means all emails with a score higher than 0 are spam.
Do you have this setting somewhere?

3 (edited by cvcvelo 2018-03-27 03:18:59)

Re: Spam tagging and spam threshold

ZhangHuangbin wrote:
cvcvelo wrote:

X-Spam-Status: Yes, score=2.325 tagged_above=0 required=0

"tagged_above=0" means all emails with a score higher than 0 are spam.
Do you have this setting somewhere?

What specific string to look for, and where, on a FreeBSD server?

I did these checks:

1. Searching /usr/local/etc/amavisd.conf for the strings "=0" and "= 0" returned the following:

$log_level = 0;              # verbosity 0..5, -d
$enable_db = 0;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$defang_banned = 0;  # MIME-wrap passed mail containing banned name
$smtp_connection_cache_enable = 0;
$signed_header_fields{'received'} = 0;
$log_level = 0;
$sa_debug = 0;
$allowed_header_tests{'multiple'} = 0;
$allowed_header_tests{'missing'} = 0;

2. The command "grep -iR 'tagged_above' /etc/* /var/* /usr/local/etc/*" didn't turn up anything relevant.

Also, sorry I didn't respond sooner, but the email alert about your response got classified as spam. :-)

4

Re: Spam tagging and spam threshold

Have you changed your amavis config file settings "sa_tag2_level_deflt" and "sa_kill_level_deflt"? Check them.

5

Re: Spam tagging and spam threshold

Thanks for your response.

sayso wrote:

Have you changed your amavis config file settings "sa_tag2_level_deflt" and "sa_kill_level_deflt"? Check them.

I haven't changed either setting. Here are their values:

$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)

6

Re: Spam tagging and spam threshold

Could still use troubleshooting help with this.

Still getting too many false positives tagged as spam, and don't see anything obvious in /usr/local/etc/amavisd.conf as to why messages are getting "tagged_above = 0" labels.

Thanks in advance.

7

Re: Spam tagging and spam threshold

Try to query SQL table "amavisd.policy" like this:

SELECT * FROM policy WHERE policy_name='@.' \G

Show us the output please.

8

Re: Spam tagging and spam threshold

ZhangHuangbin wrote:

Try to query SQL table "amavisd.policy" like this:

SELECT * FROM policy WHERE policy_name='@.' \G

Show us the output please.

Here you are -- I think that last "\G" might be a typo, as it produced an error.

Thanks in advance for further troubleshooting clues.

mysql> SELECT * FROM policy WHERE policy_name='@.' \G;
*************************** 1. row ***************************
                          id: 1
                 policy_name: @.
                 virus_lover: Y
                  spam_lover: N
             unchecked_lover: NULL
          banned_files_lover: NULL
            bad_header_lover: N
         bypass_virus_checks: N
          bypass_spam_checks: N
        bypass_banned_checks: N
        bypass_header_checks: N
         virus_quarantine_to:
          spam_quarantine_to:
        banned_quarantine_to:
     unchecked_quarantine_to: NULL
    bad_header_quarantine_to:
         clean_quarantine_to: NULL
       archive_quarantine_to: NULL
              spam_tag_level: -100
             spam_tag2_level: 6
             spam_tag3_level: 6
             spam_kill_level: 6
       spam_dsn_cutoff_level: NULL
spam_quarantine_cutoff_level: NULL
        addr_extension_virus: NULL
         addr_extension_spam: NULL
       addr_extension_banned: NULL
   addr_extension_bad_header: NULL
              warnvirusrecip: NULL
             warnbannedrecip: NULL
               warnbadhrecip: NULL
              newvirus_admin: NULL
                 virus_admin: NULL
                banned_admin: NULL
            bad_header_admin: NULL
                  spam_admin: NULL
            spam_subject_tag: NULL
           spam_subject_tag2: NULL
           spam_subject_tag3: NULL
          message_size_limit: NULL
            banned_rulenames: NULL
          disclaimer_options: NULL
              forward_method: NULL
                 sa_userconf: NULL
                 sa_username: NULL
1 row in set (0.00 sec)

ERROR:
No query specified

mysql>

9

Re: Spam tagging and spam threshold

PS: This one is curious:

cvcvelo wrote:

spam_tag_level: -100

Curious because in /usr/local/etc/amavisd.conf the sa_tag_level_deflt is set to 2.0. Also, not all messages go into the Junk folder.

Thanks again for further troubleshooting clues.

10

Re: Spam tagging and spam threshold

spam_tag_level is ok in this case; Amavisd will insert X-Spam-* headers (whether it's spam or not) if the score is higher than the setting.

The problem is "spam_subject_tag", "spam_subject_tag2" and "spam_subject_tag3". Could you try to set them to a higher value (e.g. 2, or 3, or 5) for testing?

11

Re: Spam tagging and spam threshold

ZhangHuangbin wrote:

spam_tag_level is ok in this case; Amavisd will insert X-Spam-* headers (whether it's spam or not) if the score is higher than the setting.

The problem is "spam_subject_tag", "spam_subject_tag2" and "spam_subject_tag3". Could you try to set them to a higher value (e.g. 2, or 3, or 5) for testing?

Sorry, but the server still classifies as spam some messages below the configured spam threshold of 6.0, and still inserts "tagged_above=0" in email headers. I have pasted headers below from a message classified as spam after the change.

Also, this is just cosmetic, but the server now prepends the label "5" instead of "***Spam*** " after changing the values.

What I did:

1. In MySQL, updated the amavisd.policy rows for spam_subject_tag, spam_subject_tag2, and spam_subject_tag3 from a value of NULL to a value of 5, per ZHB's suggestion.

2. Restarted the amavisd, clamav-clamd, and clamav-freshclam services.

It's clear the changes took effect because of the "5" label in the subject lines, but it still hasn't changed the false-positive rate or the "tagged_above=0" designation.

Here is a sample set of headers after the change. Thanks again for further troubleshooting advice.

Return-Path: <increased.night.driving.vision@cassionicollection.com>
Delivered-To: user@example.com
Received: from mail8.networktest.com (localhost [127.0.0.1])
    by mail8.networktest.com (Postfix) with ESMTP id 0D7BC5E6390
    for <user@example.com>; Thu, 29 Mar 2018 11:28:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at mail8.networktest.com
X-Spam-Flag: YES
X-Spam-Score: 2.701
X-Spam-Level: **
X-Spam-Status: Yes, score=2.701 tagged_above=0 required=0 tests=[BAYES_95=3,
    DCC_CHECK=1.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.418,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
    T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
Received: from mail8.networktest.com ([127.0.0.1])
    by mail8.networktest.com (mail8.networktest.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 9syhSUldOSii for <user@example.com>;
    Thu, 29 Mar 2018 11:28:37 -0700 (PDT)
Received: from casserole.cassionicollection.com (casserole.cassionicollection.com [181.191.179.211])
    by mail8.networktest.com (Postfix) with ESMTPS id DD06E5E610F
    for <user@example.com>; Thu, 29 Mar 2018 11:28:25 -0700 (PDT)
Subject: 5Increase your night vision when driving
Message-ID: <tRR47.1but.mDPjRSW4yLHt2FbEo@casserole.cassionicollection.com>
To: user@example.com
MIME-Version: 1
Reply-To: increased.night.driving.vision@cassionicollection.com
From: Increased Night Driving Vision <increased.night.driving.vision@cassionicollection.com>
Content-Type: multipart/alternative; boundary="n3w-578--__-0HJD.948UJD-__--25"
Date: Thu, 29 Mar 2018 14:28:29 -0400

12

Re: Spam tagging and spam threshold

cvcvelo wrote:

              spam_tag_level: -100

Checked Amavisd source code, "tagged_above" uses "spam_tag_level".
Please try to set sql column "policy.spam_tag_level" to, for example, 3, restart amavisd and try again.
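As an added example (not code from this thread, nor from iRedMail or amavisd), here is a Python check that parses X-Spam-Status the way amavisd writes it and compares the thresholds it reports (tagged_above from spam_tag_level, required from spam_tag2_level) with the policy row you expect to be in force, which is the point made in posts 10 and 12. The sample headers are the ones from post 1, the expected policy values are the ones from the SQL row in post 8, and the SpamPolicy type and function names are my own.

```python
import re
from dataclasses import dataclass

@dataclass
class SpamPolicy:
    # amavisd.policy columns: spam_tag_level drives "tagged_above", spam_tag2_level
    # drives "required" and X-Spam-Flag (spam_kill_level is not shown in the header)
    tag_level: float
    tag2_level: float

# The policy row shown in post 8 (spam_tag_level -100, spam_tag2_level 6).
EXPECTED_POLICY = SpamPolicy(tag_level=-100, tag2_level=6.0)

# Constructed sample: the X-Spam-* headers from post 1, folded as in the original.
SAMPLE_HEADERS = """\
X-Spam-Flag: YES
X-Spam-Score: 2.325
X-Spam-Status: Yes, score=2.325 tagged_above=0 required=0
    tests=[BAYES_40=-0.001, DCC_CHECK=1.1, DKIM_SIGNED=0.1,
    DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001,
    RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
"""

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?P<flag>Yes|No),\s*score=(?P<score>-?[\d.]+)"
    r"\s+tagged_above=(?P<tag>-?[\d.]+)\s+required=(?P<req>-?[\d.]+)"
    r"(?:\s+tests=\[(?P<tests>[^\]]*)\])?")

def parse_spam_status(headers: str) -> dict:
    """Unfold the header block and pull out the fields amavisd wrote into X-Spam-Status."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # RFC 5322 folding -> one line
    m = STATUS_RE.search(unfolded)
    if not m:
        raise ValueError("no X-Spam-Status header found")
    tests = {}
    for item in (m.group("tests") or "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return {"flag": m.group("flag") == "Yes", "score": float(m.group("score")),
            "tagged_above": float(m.group("tag")), "required": float(m.group("req")),
            "tests": tests}

def audit(headers: str, policy: SpamPolicy) -> list:
    """List the ways a message's X-Spam-Status disagrees with the policy we expect amavisd to apply."""
    s = parse_spam_status(headers)
    findings = []
    if s["tagged_above"] != policy.tag_level:
        findings.append(f"tagged_above={s['tagged_above']:g} but expected spam_tag_level={policy.tag_level:g}")
    if s["required"] != policy.tag2_level:
        findings.append(f"required={s['required']:g} but expected spam_tag2_level={policy.tag2_level:g}")
    # the false positive in this thread: flagged as spam although below the intended tag2 level
    if s["flag"] and s["score"] < policy.tag2_level:
        findings.append(f"X-Spam-Flag YES at score {s['score']:g}, below tag2 level {policy.tag2_level:g}")
    return findings
```

Running audit(SAMPLE_HEADERS, EXPECTED_POLICY) reports all three mismatches for the post 1 message, which is the signal that amavisd is not applying the policy row you are looking at.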

13

Re: Spam tagging and spam threshold

ZhangHuangbin wrote:

Please try to set sql column "policy.spam_tag_level" to, for example, 3, restart amavisd and try again.

Sorry, same result as before -- the server still classifies low-scoring messages as spam. This is after

- setting spam_tag_level to 3;
- resetting the spam_subject_tag* fields to NULL; and
- restarting amavisd

I have pasted below an email classified as spam with an X-Spam-Score of 0.099. It also still shows "tagged_above=0".

Not sure if this is related, but I also could use some help understanding the relationship, if any, of the spam threshold in the iRedAdmin-Pro GUI (currently set to 6.0) and the values in the amavisd.policy table.

Thanks again.

Return-Path: <sender@example.net>
Delivered-To: user@example.com
Received: from mail8.networktest.com (localhost [127.0.0.1])
    by mail8.networktest.com (Postfix) with ESMTP id 669805E6104
    for <user@example.com>; Sat, 31 Mar 2018 17:10:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at mail8.networktest.com
X-Spam-Flag: YES
X-Spam-Score: 0.099
X-Spam-Level:
X-Spam-Status: Yes, score=0.099 tagged_above=0 required=0 tests=[BAYES_50=0.8,
    DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7,
    SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail8.networktest.com (amavisd-new);
    dkim=pass (2048-bit key) header.d=messagingengine.com

14

Re: Spam tagging and spam threshold

Could you please turn on debug mode in Amavisd and try again? Paste the detailed log here or on pastebin.org. (You may want to hide real domain names before pasting.)

15

Re: Spam tagging and spam threshold

OK, with debug enabled, here's a message tagged as spam with a score of 2.392 (the threshold is set to 6.0 in iRedAdmin-Pro and 3.0 in the MySQL amavisd policy.spam_tag_level column). I've pasted the headers below and the relevant parts from maillog here:

https://pastebin.com/BSijAQa5

Please let me know if you need anything else.

Return-Path: <annie.from.thinkthin@factthound.com>
Delivered-To: user@example.com
Received: from mail8.example.com (localhost [127.0.0.1])
    by mail8.example.com (Postfix) with ESMTP id F0E435E640B
    for <user@example.com>; Tue,  3 Apr 2018 09:54:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at mail8.example.com
X-Spam-Flag: YES
X-Spam-Score: 2.392
X-Spam-Level: **
X-Spam-Status: Yes, score=2.392 tagged_above=0 required=0 tests=[BAYES_50=0.8,
    HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
    RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-1.418, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_DBL_SPAM=2.5]
    autolearn=no autolearn_force=no
Received: from mail8.example.com ([127.0.0.1])
    by mail8.example.com (mail8.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id b9m5dAGPcEmD for <user@example.com>;
    Tue,  3 Apr 2018 09:54:30 -0700 (PDT)
Received: from tower.factthound.com (tower.factthound.com [67.214.168.200])
    by mail8.example.com (Postfix) with ESMTPS id 709FF5E640A
    for <user@example.com>; Tue,  3 Apr 2018 09:53:27 -0700 (PDT)
To: user@example.com

16

Re: Spam tagging and spam threshold

An update: The server continues to tag as spam messages well below the configured threshold of 6.0, and continues to show "tagged_above=0" in the message headers.

With amavisd debugging enabled, here is an example set of message headers and the related entries from maillog:

https://pastebin.com/ihsP16wv

The system scored this message at 1.683. I don't understand why the system classifies messages below the configured level (6.0) as spam.

Thanks in advance for more troubleshooting clues.

17

Re: Spam tagging and spam threshold

You replied nearly 2 months later ... I have to recheck all posts in this thread; this is a pain. :(

The pasted log was filtered with 'grep'; it's useless because it may hide something important for troubleshooting. Please paste the FULL log.

Also, it seems you just turned on debug for SpamAssassin; we need debug mode for Amavisd itself:
https://docs.iredmail.org/debug.amavisd.html

18

Re: Spam tagging and spam threshold

ZhangHuangbin wrote:

You replied nearly 2 months later ... I have to recheck all posts in this thread; this is a pain. :(

Please recheck the chronology. I replied consistently through March and April, most recently on April 3, and did not hear back after that.

You were doing new releases at the time, and I figured you were busy when I didn't hear back.

Asking again now because this is still a problem.

ZhangHuangbin wrote:

The pasted log was filtered with 'grep'; it's useless because it may hide something important for troubleshooting. Please paste the FULL log.

OK. I can send an entire maillog file if you like, but I will need to anonymize sender and recipient names and addresses. But...see below.

ZhangHuangbin wrote:

Also, it seems you just turned on debug for SpamAssassin; we need debug mode for Amavisd itself:
https://docs.iredmail.org/debug.amavisd.html

This is already set per the instructions. Is there something else you want me to set?

Thanks again.

$ sudo grep ^\$log_level /usr/local/etc/amavisd.conf
$log_level = 5;
$ sudo grep ^\$sa_debug /usr/local/etc/amavisd.conf
$sa_debug = 1;

19

Re: Spam tagging and spam threshold

cvcvelo wrote:

OK. I can send an entire maillog file if you like, but I will need to anonymize sender and recipient names and addresses. But...see below.

We just need the log lines related to your testing email; do not send the whole log file, as it's too much work for me to find which log lines are related to the testing email.

20

Re: Spam tagging and spam threshold

cvcvelo wrote:

Please recheck the chronology. I replied consistently through March and April, most recently on April 3, and did not hear back after that.

My fault, sorry.

21

Re: Spam tagging and spam threshold

ZhangHuangbin wrote:

My fault, sorry.

No worries -- I know (and very much appreciate!) how hard you work to make iRedMail a great product.

Also, that last problem about no amavisd logging might be my fault. For temporary troubleshooting, I added something in amavisd.conf to log to /var/log/amavisd.conf instead, and touched that log file. BUT I didn't change ownership to the vscan user, so it remained a zero-length file for all these weeks.

Deleted that bit and restarted the amavisd service, and it looks like there is now amavisd debug info in maillog.

Waiting now for the next false positive, and will send you a link to a sanitized, complete maillog, as well as the message headers.

Thanks again!

22

Re: Spam tagging and spam threshold

OK, here is an example from Spotify with an X-Spam-Score of 4.967, below the iRedAdmin Pro configured threshold of 6.0.

https://pastebin.com/gJMadFFz

This is the message headers and (I believe) all the relevant maillog entries for this message. If you need anything else from maillog or any other file, please let me know.

Thanks in advance.

23

Re: Spam tagging and spam threshold

Weird that there's no Amavisd debug log (but there is an SA debug log). We need the Amavisd debug log for troubleshooting, not the SA debug log.

24

Re: Spam tagging and spam threshold

These are the current log settings in amavisd.conf. What else needs to be set for amavisd debugging to work? Thanks!

# Amavisd log level. Verbosity: 0, 1, 2, 3, 4, 5, -d.
$log_level = 5;
# SpamAssassin debugging (requires $log_level). Default is off (0).
$sa_debug = 1;

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$do_syslog = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string

25

Re: Spam tagging and spam threshold

The "log_level" setting doesn't seem to be working. You have to stop the amavisd service first, then run the command "amavisd debug" to start it in debug mode.