1 (edited by mikey 2025-06-23 17:40:45)

Topic: Spam Policy

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.1
- Deployed with iRedMail Easy or the downloadable installer? Download
- Linux/BSD distribution name and version: CentOS 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello

The spam settings don't seem to be working. (See images)
What log files would be best to check?

Thank you
Mikey


2

Re: Spam Policy

It logs to /var/log/maillog.

3

Re: Spam Policy

Postfix seems to be configured to send mail to Amavis on "smtp-amavis:[127.0.0.1]:10026"

And Amavis maps port 10026 to: $interface_policy{'10026'} = 'ORIGINATING';

But there’s no final_spam_destiny explicitly defined for ORIGINATING.

So does this inherit the global setting?
If so, the global is:
$final_spam_destiny = D_DISCARD;

Does this now mean any spam, no matter how low the score, is discarded unless a policy bank overrides it?

4 (edited by mikey 2025-06-23 20:01:01)

Re: Spam Policy

ZhangHuangbin wrote:

It logs to /var/log/maillog.

Below email to jessica@xxxxxxxx

DKIMWL_WL_MED=-0.001
DKIM_SIGNED=0.1
DKIM_VALID=-0.1
DKIM_VALID_AU=-0.1
DKIM_VALID_EF=-0.1
HEADER_FROM_DIFFERENT_DOMAINS=0.001
HTML_MESSAGE=0.001
RCVD_IN_DNSWL_BLOCKED=0.001
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001
RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001
RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001
SPF_HELO_FAIL=0.001


Here is the output of sudo journalctl | grep '5zGMNXJ9VN5L'

(402344-02) Blocked SPAM {DiscardedInbound,Quarantined}, [198.2.179.39]:12643 [54.194.174.44] ESMTP/ESMTP <bounce-md_30790748.68593c30.v1-c22e77decc6348298225da61980c697c@mandrillapp.com> -> <jessica@xxxxx.co.uk>, (ESMTPS://[198.2.179.39]:12643 < 54.194.174.44), quarantine: 5zGMNXJ9VN5L, Queue-ID: 4bQmHq3pvfzbkm0, Message-ID: <30790748.20250623113616.68593c30697270.37773590@mail179-39.suw41.mandrillapp.com>, mail_id: 5zGMNXJ9VN5L, b: 2pzrYiKVQ, Hits: 0.889, size: 46263, Subject: "This week's Insights for your classes (raw: =?utf-8?Q?This=20week's=20Insights=20for=20your=20classes?=)", From: <support@century.tech> (dkim:AUTHOR), helo=mail179-39.suw41.mandrillapp.com, Tests: [DKIMWL_WL_MED=-0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_BLOCKED=0.001,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001,SPF_HEL...
Jun 23 11:37:54 mx1.syntaxlink.co.uk iredadmin[1605]: [90.250.11.178] GET /iredadmin/activities/quarantined/raw/5zGMNXJ9VN5L 200 45440 "https://xxxxxx"


5

Re: Spam Policy

I have had to currently disable spam checking as it keeps quarantining mail with very low scores and I cannot see why it is doing it.

If anyone has any ideas please let me know.

6

Re: Spam Policy

Could you please show us the value of email header "X-Spam-*" of quarantined mail?
Or, show us the full log line which contains the matched spamassassin rules like this:

(402344-02) Blocked SPAM {DiscardedInbound,Quarantined}, [198.2.179.39]:12643 [54.194.174.44] ESMTP/ESMTP <bounce-md_30790748.68593c30.v1-c22e77decc6348298225da61980c697c@mandrillapp.com> -> <jessica@xxxxx.co.uk>, (ESMTPS://[198.2.179.39]:12643 < 54.194.174.44), quarantine: 5zGMNXJ9VN5L, Queue-ID: 4bQmHq3pvfzbkm0, Message-ID: <30790748.20250623113616.68593c30697270.37773590@mail179-39.suw41.mandrillapp.com>, mail_id: 5zGMNXJ9VN5L, b: 2pzrYiKVQ, Hits: 0.889, size: 46263, Subject: "This week's Insights for your classes (raw: =?utf-8?Q?This=20week's=20Insights=20for=20your=20classes?=)", From: <support@century.tech> (dkim:AUTHOR), helo=mail179-39.suw41.mandrillapp.com, Tests: [DKIMWL_WL_MED=-0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_BLOCKED=0.001,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001,SPF_HEL...

The pasted one is not complete; some text was cut.

7

Re: Spam Policy

ZhangHuangbin wrote:

Could you please show us the value of email header "X-Spam-*" of quarantined mail?
Or, show us the full log line which contains the matched spamassassin rules like this:

The pasted one is not complete; some text was cut.


Hello

Yes sorry about that.

X-Spam-Flag    YES
X-Spam-Score    0.01
X-Spam-Level   
X-Spam-Status    Yes, score=0.01 tag=0 tag2=0 kill=0 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no

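Reading the X-Spam-Status value posted above, as an added example that is not part of the thread or of iRedMail: the `tag`, `tag2` and `kill` fields are the Amavis levels in force for that message, so comparing them with `score` shows which threshold a quarantined message crossed. The function names and the second, constructed header are assumptions for illustration.

```python
import re

# X-Spam-Status value from the post above, with the tests list shortened.
POSTED = ("Yes, score=0.01 tag=0 tag2=0 kill=0 tests=[DKIMWL_WL_MED=-0.001, "
          "DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] "
          "autolearn=ham autolearn_force=no")
# Constructed header with non-zero levels, for comparison only.
CONSTRUCTED = ("No, score=0.01 tag=2 tag2=6.2 kill=6.9 "
               "tests=[HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham")
NUM = r"-?\d+(?:\.\d+)?"


def parse_status(value):
    """Return (verdict, levels, tests) from an Amavis X-Spam-Status value."""
    head, _, rest = value.partition("tests=")
    verdict = head.split(",", 1)[0].strip()
    levels = {k: float(v) for k, v in
              re.findall(rf"\b(score|tag2|tag|kill)=({NUM})", head)}
    missing = {"score", "tag2", "kill"} - levels.keys()
    if missing:
        raise ValueError(f"no numeric value for: {sorted(missing)}")
    body = re.search(r"\[(.*?)\]", rest, re.S)
    found = re.findall(rf"([A-Z0-9_]+)=({NUM})", body.group(1)) if body else []
    return verdict, levels, {k: float(v) for k, v in found}


def explain(value):
    """Compare the score with the levels in force for this message."""
    verdict, levels, tests = parse_status(value)
    score = levels["score"]
    return {
        "verdict": verdict,
        "score": score,
        # At or above tag2 the message is marked as spam (X-Spam-Flag: YES).
        "marked_spam": score >= levels["tag2"],
        # At or above kill the spam action (final_spam_destiny) applies.
        "action_applied": score >= levels["kill"],
        # A level of 0 or less is reached by mail that hits almost no rules.
        "levels_at_or_below_zero": [k for k in ("tag2", "kill") if levels[k] <= 0],
        "highest_rules": sorted(tests, key=tests.get, reverse=True)[:3],
    }


if __name__ == "__main__":
    for name, value in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name, explain(value))
```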

8

Re: Spam Policy

As you can see, spam scanning is working; the problem is that it doesn't get a high score as spam.
Try to append these rules in /etc/mail/spamassassin/local.cf to adjust scores:

#
# Adjust spam scores.
#
score ALL_TRUSTED 0.1

#
# Spamhaus
#
score URIBL_DBL_SPAM 10
score URIBL_DBL_PHISH 10
score URIBL_DBL_MALWARE 10
score URIBL_DBL_BOTNETCC 3
# Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist
score URIBL_DBL_ABUSE_SPAM 10
score URIBL_DBL_ABUSE_REDIR 3
score URIBL_DBL_ABUSE_PHISH 5
score URIBL_DBL_ABUSE_MALW 5
score URIBL_DBL_ABUSE_BOTCC 3
score URIBL_DBL_ERROR 0

# multi.surbl.org
score URIBL_WS_SURBL 10
score URIBL_PH_SURBL 10
score URIBL_MW_SURBL 10
score URIBL_CR_SURBL 10
score URIBL_SC_SURBL 10
score URIBL_OB_SURBL 10
score URIBL_AB_SURBL 10
score URIBL_JP_SURBL 10
score URIBL_ABUSE_SURBL 5
score SURBL_BLOCKED 0

# multi.uribl.com
#score URIBL_BLACK 10
#score URIBL_GREY 3
#score URIBL_RED 0
score URIBL_BLOCKED 0

# DNSBL
score RCVD_IN_SBL 10
score RCVD_IN_SBL_CSS 10
score RCVD_IN_XBL 10
score RCVD_IN_PBL 10

score RCVD_IN_BL_SPAMCOP_NET 5
score RCVD_IN_PSBL 5
score RCVD_IN_RP_RNBL 5

# SPF
# sender does not match SPF record (fail)
score SPF_FAIL 5

# To == From and direct-to-MX
score TO_EQ_FM_DIRECT_MX 5
# To domain == From domain and HTML image link
score TO_EQ_FM_DOM_HTML_IMG 5
# To domain == From domain and HTML only
score TO_EQ_FM_DOM_HTML_ONLY 5
# To domain == From domain and external SPF failed
score TO_EQ_FM_DOM_SPF_FAIL 5
# To == From and HTML only
score TO_EQ_FM_HTML_ONLY 5
# To == From and external SPF failed
score TO_EQ_FM_SPF_FAIL 5

# Malformed From address
score FROM_ADDR_WS 5

# Subject: has too many raw illegal characters
score SUBJ_ILLEGAL_CHARS 5

# Link to hosted firebase web application, possible phishing.
#score URI_FIREBASEAPP 5

# Email sent from free email service providers.
# From address is in To and Subject
score FROM_IN_TO_AND_SUBJ 5
# From and body contain different freemails.
score FREEMAIL_REPLY 5

# Many false positives reported by dnswl.org. Disable it here.
score RCVD_IN_DNSWL_HI 0

9 (edited by mikey 2025-06-25 20:15:50)

Re: Spam Policy

ZhangHuangbin wrote:

As you can see, spam scanning is working; the problem is that it doesn't get a high score as spam.
Try to append these rules in /etc/mail/spamassassin/local.cf to adjust scores:


Sorry, I don't understand.
Are you recommending that I change the rules in /etc/mail/spamassassin/local.cf to the ones you have linked here? Can I just back up my /etc/mail/spamassassin/local.cf and use the exact output you have here? Or would you recommend changing anything else before?

10

Re: Spam Policy

ZhangHuangbin wrote:

Try to append these rules in /etc/mail/spamassassin/local.cf to adjust scores:

Append them to the file; do not replace the content of the file.