1 (edited by mayday 2011-08-25 07:04:14)

Topic: [CLOSED] SPAM Filtering doesn't work

==== Provide basic information to help troubleshoot ====
- iRedMail version: 0.7.3
- Linux/BSD distribution name and version: Centos 6

Hello,

I am getting all the spam e-mails delivered instead of discarded.
@local_domains_maps is set up with the right domains. I do not want any of the e-mails that go past the threshold to be delivered; they should just be quarantined and discarded.
@mynetworks is set up.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.6;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_BOUNCE;

I think the problem is that all of the e-mails are put into the LOCAL and bypass the discard.

Aug 24 18:21:21 footfetish7 amavis[28867]: (28867-02) Passed SPAM, LOCAL [182.185.114.186] [66.221.79.226] <valentin.black@arizonaguns.net> -> <user@domain.com>, quarantine: spam-jQZ5VdoQAhpr.gz, Message-ID: <000e01cc519c$9c8aec80$ba72b9b6@arizonaguns.net>, mail_id: jQZ5VdoQAhpr, Hits: 21.875, size: 3366, queued_as: C0417A80F87, 1374 ms
Aug 24 18:21:21 footfetish7 postfix/smtp[28988]: 9D6E2A80F67: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=1.1/0/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as C0417A80F87)
Aug 24 18:21:21 footfetish7 postfix/qmgr[475]: 9D6E2A80F67: removed
Aug 24 18:21:22 footfetish7 postfix/pipe[28993]: C0417A80F87: to=<user@domain.com>, relay=dovecot, delay=0.51, delays=0.08/0/0/0.42, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 24 18:21:22 footfetish7 postfix/qmgr[475]: C0417A80F87: removed

Another example:
Aug 24 18:46:46 footfetish7 postfix/smtpd[29784]: disconnect from localhost[127.0.0.1]
Aug 24 18:46:46 footfetish7 postfix/qmgr[29565]: 34B79A80F87: from=<user@domain.com>, size=1278, nrcpt=1 (queue active)
Aug 24 18:46:46 footfetish7 amavis[29465]: (29465-02) Passed SPAM, LOCAL [174.121.183.146] [174.121.183.146] <user@domain.com> -> <user@localdomain.com>, Message-ID: <id@hostt>, mail_id: aTdidsinYDq0, Hits: 10.991, size: 570, queued_as: 34B79A80F87, 571 ms


2

Re: [CLOSED] SPAM Filtering doesn't work

Additional tests run on this server.

Aug 24 19:06:21 footfetish7 postfix/cleanup[30738]: CEDEDA80FB4: message-id=<E1QwMWh-00025w-Uk@byteplant.com>
Aug 24 19:06:21 footfetish7 amavis[30307]: (30307-03) Passed BANNED (application/x-msdownload,.asc,attached.bat), LOCAL [78.47.119.33] [78.47.119.33] <www-data@byteplant.com> -> <test@fashion-x.info>, quarantine: banned-6CEiMKEBSDJN, Message-ID: <E1QwMWh-00025o-RV@byteplant.com>, mail_id: 6CEiMKEBSDJN, Hits: -8.727, size: 1475, queued_as: B1542A80FB3, 1117 ms
Aug 24 19:06:21 footfetish7 postfix/smtpd[30668]: disconnect from localhost[127.0.0.1]
Aug 24 19:06:21 footfetish7 amavis[30306]: (30306-03) Passed BANNED (application/x-msdownload,.asc,''attached%2E%62at), LOCAL [78.47.119.33] [78.47.119.33] <www-data@byteplant.com> -> <test@fashion-x.info>, quarantine: banned-VlyXLL5GDItF, Message-ID: <E1QwMWh-00025w-Uk@byteplant.com>, mail_id: VlyXLL5GDItF, Hits: -8.727, size: 1555, queued_as: CEDEDA80FB4, 1265 ms
Aug 24 19:06:21 footfetish7 postfix/qmgr[29565]: CEDEDA80FB4: from=<www-data@byteplant.com>, size=2145, nrcpt=1 (queue active)
Aug 24 19:06:22 footfetish7 postfix/smtp[30745]: 6D90BA80F67: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=0.26/0.04/0.49/0.86, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B1542A80FB3)
Aug 24 19:06:22 footfetish7 postfix/qmgr[29565]: 6D90BA80F67: removed
Aug 24 19:06:22 footfetish7 postfix/smtp[30658]: 873FBA80FA5: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.1/0.05/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CEDEDA80FB4)
Aug 24 19:06:22 footfetish7 postfix/qmgr[29565]: 873FBA80FA5: removed
Aug 24 19:06:22 footfetish7 postfix/pipe[30669]: B1542A80FB3: to=<test@fashion-x.info>, relay=dovecot, delay=0.66, delays=0.12/0/0/0.54, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 24 19:06:22 footfetish7 postfix/qmgr[29565]: B1542A80FB3: removed
Aug 24 19:06:22 footfetish7 postfix/pipe[30751]: CEDEDA80FB4: to=<test@fashion-x.info>, relay=dovecot, delay=0.61, delays=0.15/0/0/0.46, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 24 19:06:22 footfetish7 postfix/qmgr[29565]: CEDEDA80FB4: removed
Aug 24 19:06:22 footfetish7 postfix/smtpd[30749]: connect from localhost[127.0.0.1]
Aug 24 19:06:22 footfetish7 postfix/smtpd[30749]: A1415A80F67: client=localhost[127.0.0.1]
Aug 24 19:06:22 footfetish7 postfix/cleanup[30742]: A1415A80F67: message-id=<E1QwMWh-000262-WF@byteplant.com>
Aug 24 19:06:22 footfetish7 postfix/smtpd[30668]: connect from localhost[127.0.0.1]
Aug 24 19:06:22 footfetish7 postfix/smtpd[30668]: BA9ABA80FA5: client=localhost[127.0.0.1]
Aug 24 19:06:22 footfetish7 postfix/qmgr[29565]: A1415A80F67: from=<www-data@byteplant.com>, size=2066, nrcpt=1 (queue active)
Aug 24 19:06:22 footfetish7 postfix/cleanup[30657]: BA9ABA80FA5: message-id=<E1QwMWh-00025t-T4@byteplant.com>
Aug 24 19:06:22 footfetish7 amavis[30307]: (30307-04) Passed BANNED (application/x-msdownload,.asc,attached.()bat), LOCAL [78.47.119.33] [78.47.119.33] <www-data@byteplant.com> -> <test@fashion-x.info>, quarantine: banned-43nFXDWGq3FX, Message-ID: <E1QwMWh-000262-WF@byteplant.com>, mail_id: 43nFXDWGq3FX, Hits: -8.727, size: 1480, queued_as: A1415A80F67, 640 ms
Aug 24 19:06:22 footfetish7 postfix/qmgr[29565]: BA9ABA80FA5: from=<www-data@byteplant.com>, size=1999, nrcpt=1 (queue active)
Aug 24 19:06:22 footfetish7 amavis[30306]: (30306-04) Passed SPAM, LOCAL [78.47.119.33] [78.47.119.33] <www-data@byteplant.com> -> <test@fashion-x.info>, quarantine: spam-IVKXJawNJsmV.gz, Message-ID: <E1QwMWh-00025t-T4@byteplant.com>, mail_id: IVKXJawNJsmV, Hits: 991.274, size: 1192, queued_as: BA9ABA80FA5, 610 ms
Aug 24 19:06:23 footfetish7 postfix/smtp[30745]: 94641A80FB0: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.1/1.4/0.01/0.91, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A1415A80F67)
Aug 24 19:06:23 footfetish7 postfix/qmgr[29565]: 94641A80FB0: removed
Aug 24 19:06:23 footfetish7 postfix/smtp[30658]: 80ED8A80F9F: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=0.18/1.5/0/0.92, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BA9ABA80FA5)
Aug 24 19:06:23 footfetish7 postfix/qmgr[29565]: 80ED8A80F9F: removed
Aug 24 19:06:23 footfetish7 amavis[30307]: (30307-04-2) Blocked INFECTED (), LOCAL [78.47.119.33] [78.47.119.33] <www-data@byteplant.com> -> <test@fashion-x.info>, quarantine: virus-XqnUqt11RKIT, Message-ID: <E1QwMWh-00025q-SF@byteplant.com>, mail_id: XqnUqt11RKIT, Hits: -, size: 1654, 285 ms
Aug 24 19:06:23 footfetish7 postfix/pipe[30669]: A1415A80F67: to=<test@fashion-x.info>, relay=dovecot, delay=0.73, delays=0.11/0/0/0.62, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 24 19:06:23 footfetish7 postfix/qmgr[29565]: A1415A80F67: removed
Aug 24 19:06:23 footfetish7 postfix/pipe[30751]: BA9ABA80FA5: to=<test@fashion-x.info>, relay=dovecot, delay=0.62, delays=0.08/0/0/0.54, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 24 19:06:23 footfetish7 postfix/qmgr[29565]: BA9ABA80FA5: removed
Aug 24 19:06:23 footfetish7 postfix/smtp[30745]: 7C803A80F87: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=3.1, delays=0.2/2.4/0/0.53, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=30307-04-2 - INFECTED: )
Aug 24 19:06:23 footfetish7 postfix/qmgr[29565]: 7C803A80F87: removed
Aug 24 19:06:23 footfetish7 postfix/smtpd[30668]: AA6A6A80F67: client=localhost[127.0.0.1]
Aug 24 19:06:23 footfetish7 postfix/cleanup[30738]: AA6A6A80F67: message-id=<E1QwMWh-00025z-VN@byteplant.com>
Aug 24 19:06:23 footfetish7 postfix/qmgr[29565]: AA6A6A80F67: from=<www-data@byteplant.com>, size=2048, nrcpt=1 (queue active)
Aug 24 19:06:23 footfetish7 amavis[30306]: (30306-04-2) Passed BANNED (application/x-msdownload,.asc), LOCAL [78.47.119.33] [78.47.119.33] <www-data@byteplant.com> -> <test@fashion-x.info>, quarantine: banned-WJDp14Zp9emg, Message-ID: <E1QwMWh-00025z-VN@byteplant.com>, mail_id: WJDp14Zp9emg, Hits: -8.727, size: 1479, queued_as: AA6A6A80F67, 651 ms
Aug 24 19:06:23 footfetish7 postfix/smtp[30658]: 89AB0A80FAF: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=3.3, delays=0.18/2.4/0/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AA6A6A80F67)
Aug 24 19:06:23 footfetish7 postfix/qmgr[29565]: 89AB0A80FAF: removed
Aug 24 19:06:23 footfetish7 postfix/smtpd[30749]: E55E9A80F87: client=localhost[127.0.0.1]
Aug 24 19:06:23 footfetish7 postfix/cleanup[30744]: E55E9A80F87: message-id=<E1QwMWi-000265-1H@byteplant.com>
Aug 24 19:06:24 footfetish7 postfix/qmgr[29565]: E55E9A80F87: from=<www-data@byteplant.com>, size=2254, nrcpt=1 (queue active)
Aug 24 19:06:24 footfetish7 amavis[30307]: (30307-04-3) Passed BANNED (application/x-msdownload,.asc,attached\\), LOCAL [78.47.119.33] [78.47.119.33] <www-data@byteplant.com> -> <test@fashion-x.info>, quarantine: banned-4OIn4h1u6mia, Message-ID: <E1QwMWi-000265-1H@byteplant.com>, mail_id: 4OIn4h1u6mia, Hits: -8.726, size: 1481, queued_as: E55E9A80F87, 562 ms
Aug 24 19:06:24 footfetish7 postfix/pipe[30669]: AA6A6A80F67: to=<test@fashion-x.info>, relay=dovecot, delay=0.58, delays=0.11/0/0/0.47, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 24 19:06:24 footfetish7 postfix/qmgr[29565]: AA6A6A80F67: removed
Aug 24 19:06:24 footfetish7 postfix/smtp[30745]: 9D48AA80FB1: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=3, delay=3.8, delays=0.1/2.8/0/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E55E9A80F87)
Aug 24 19:06:24 footfetish7 postfix/qmgr[29565]: 9D48AA80FB1: removed
Aug 24 19:06:24 footfetish7 postfix/smtpd[30668]: 804E4A80F67: client=localhost[127.0.0.1]
Aug 24 19:06:24 footfetish7 postfix/cleanup[30740]: 804E4A80F67: message-id=<1314227188.4e5583f41cdbf@www.emailsecuritycheck.net>
Aug 24 19:06:24 footfetish7 postfix/pipe[30751]: E55E9A80F87: to=<test@fashion-x.info>, relay=dovecot, delay=0.72, delays=0.2/0/0/0.52, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 24 19:06:24 footfetish7 postfix/qmgr[29565]: E55E9A80F87: removed
Aug 24 19:06:24 footfetish7 postfix/qmgr[29565]: 804E4A80F67: from=<support@byteplant.com>, size=11347, nrcpt=1 (queue active)
Aug 24 19:06:24 footfetish7 amavis[30306]: (30306-04-3) Passed CLEAN, LOCAL [78.47.119.33] [78.47.119.33] <support@byteplant.com> -> <test@fashion-x.info>, Message-ID: <1314227188.4e5583f41cdbf@www.emailsecuritycheck.net>, mail_id: S4W5M0b-8-IA, Hits: -8.715, size: 10883, queued_as: 804E4A80F67, 794 ms
Aug 24 19:06:24 footfetish7 postfix/smtp[30658]: 36F5EA80FB2: to=<test@fashion-x.info>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=3, delay=3.7, delays=0.47/2.3/0/0.87, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 804E4A80F67)
Aug 24 19:06:24 footfetish7 postfix/qmgr[29565]: 36F5EA80FB2: removed
Aug 24 19:06:25 footfetish7 postfix/pipe[30669]: 804E4A80F67: to=<test@fashion-x.info>, relay=dovecot, delay=0.48, delays=0.16/0/0/0.32, dsn=2.0.0, status=sent (delivered via dovecot service)
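
The symptom in the logs above ("Passed SPAM" / "Passed BANNED" followed by a dovecot delivery) can be checked for mechanically. The following is an added example, not part of the original posts: it scans amavis log lines for messages that were passed on even though they were flagged as banned or scored at or above the kill level. The sample lines, addresses and the function name are constructed for illustration; the default kill level of 5 is taken from the configuration quoted in the first post.

```python
import re

# Constructed sample lines, modelled on the amavis entries quoted in this thread.
SAMPLE_LOG = """\
Aug 24 18:21:21 mx amavis[28867]: (28867-02) Passed SPAM, LOCAL [192.0.2.10] [192.0.2.10] <a@example.net> -> <user@example.com>, quarantine: spam-AAAA.gz, mail_id: AAAA, Hits: 21.875, size: 3366, queued_as: C0417A80F87, 1374 ms
Aug 24 19:06:21 mx amavis[30307]: (30307-03) Passed BANNED (application/x-msdownload,.asc,attached.bat), LOCAL [192.0.2.20] [192.0.2.20] <b@example.net> -> <test@example.com>, quarantine: banned-BBBB, mail_id: BBBB, Hits: -8.727, size: 1475, queued_as: B1542A80FB3, 1117 ms
Aug 24 19:06:23 mx amavis[30307]: (30307-04-2) Blocked INFECTED (), LOCAL [192.0.2.20] [192.0.2.20] <b@example.net> -> <test@example.com>, quarantine: virus-CCCC, mail_id: CCCC, Hits: -, size: 1654, 285 ms
Aug 24 19:06:24 mx amavis[30306]: (30306-04-3) Passed CLEAN, LOCAL [192.0.2.20] [192.0.2.20] <c@example.net> -> <test@example.com>, mail_id: DDDD, Hits: -8.715, size: 10883, queued_as: 804E4A80F67, 794 ms
Aug 24 19:06:22 mx postfix/qmgr[29565]: B1542A80FB3: removed
"""

# Action, verdict, mail_id, score and (when the mail was re-injected) queue id.
AMAVIS = re.compile(
    r"amavis\[\d+\]: \([\w-]+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r".*?mail_id: (?P<mail_id>[^,]+), Hits: (?P<hits>-?[\d.]+|-)"
    r"(?:.*?queued_as: (?P<queued_as>\w+))?"
)

def delivered_despite_verdict(log_text, kill_level=5.0):
    """Return (verdict, mail_id, hits, queue_id) for amavis entries that were
    passed on although flagged BANNED, or SPAM at or above kill_level."""
    findings = []
    for line in log_text.splitlines():
        m = AMAVIS.search(line)
        if not m or m["action"] != "Passed":
            continue  # not an amavis verdict line, or the mail was blocked
        hits = None if m["hits"] == "-" else float(m["hits"])
        over = m["verdict"] == "SPAM" and hits is not None and hits >= kill_level
        if over or m["verdict"] == "BANNED":
            findings.append((m["verdict"], m["mail_id"], hits, m["queued_as"]))
    return findings

if __name__ == "__main__":
    for finding in delivered_despite_verdict(SAMPLE_LOG):
        print(finding)
```

The returned queue id can be matched against the postfix/pipe lines to confirm that the message really reached the mailbox.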

3

Re: [CLOSED] SPAM Filtering doesn't work

Did you change any other amavisd settings?

Please double check setting "$final_spam_destiny", there's one commented out by default, make sure the one you updated is not commented out.
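
One way to carry out the check suggested above, as an added example that is not part of the original reply: list every assignment of a setting in an amavisd.conf-style file, mark the commented-out ones, and report which value is in effect. It assumes plain one-line scalar assignments in a single file; because the file is Perl evaluated top to bottom, the last uncommented assignment wins. The sample fragment and the function name are constructed for illustration.

```python
import re

# Constructed fragment: a commented-out line, an edited line, and a later
# live assignment that silently overrides the edit.
SAMPLE_CONF = """\
# $final_spam_destiny     = D_PASS;
$final_virus_destiny      = D_DISCARD;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_BOUNCE;
$final_spam_destiny       = D_PASS;
"""

# Optional leading '#', then "$name = value;" on one line.
ASSIGN = re.compile(
    r"^\s*(?P<hash>#[#\s]*)?\$(?P<name>\w+)\s*=\s*(?P<value>[^;#]+);"
)

def audit_setting(conf_text, name):
    """Return ([(lineno, value, commented_out), ...], effective_value)."""
    occurrences = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and m["name"] == name:
            occurrences.append((lineno, m["value"].strip(), bool(m["hash"])))
    live = [o for o in occurrences if not o[2]]
    # The last uncommented assignment is the one the daemon ends up with.
    effective = live[-1][1] if live else None
    return occurrences, effective

if __name__ == "__main__":
    found, effective = audit_setting(SAMPLE_CONF, "final_spam_destiny")
    for lineno, value, commented in found:
        state = "commented out" if commented else "live"
        print(f"line {lineno}: {value} ({state})")
    print("effective:", effective)
```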

4

Re: [CLOSED] SPAM Filtering doesn't work

Thanks for the reply. I managed to fix it; it was not picking up the change because obviously I was modifying in the wrong place ...