Discussion:
Spamassassin rules not firing correctly
Stef Morrell
2014-05-01 11:07:45 UTC
Hi guys,

This is a very strange one.

Here is the spamassassin report for an email which passed through MailScanner.

score=2.691, required 5, BAYES_50 0.80, DCC_CHECK 1.10,
RDNS_NONE 0.79, SPF_HELO_PASS -0.00, SPF_PASS -0.00

Here is the report for the same email, when I run spamassassin manually. MS runs as postfix and I get the below running either as root, or as postfix.

X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_40,DCC_CHECK,
DIGEST_MULTIPLE,PYZOR_CHECK,RCVD_IN_BL_SPAMCOP_NET,RDNS_NONE,SPF_HELO_PASS,
URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
* 2.5 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
* [URIs: moms-flowersbouquet-nice.me]
* 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?198.176.28.130>]
* 1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [URIs: moms-flowersbouquet-nice.me]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
* [score: 0.2809]
* 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
* 1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
* 0.3 DIGEST_MULTIPLE Message hits more than one network digest check
* 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS

As you can see, MS has skipped all the blacklist rules and (for some reason) pyzor.

I'm getting a knock-on effect with this, where spam is being autolearned as ham, so my bayes is now totalled as well and I'll have to clear and recreate from scratch.

I've considered timeouts, but I'm running a caching DNS on the LAN, and certainly when I run manually the response is instant.

I'm at a bit of a loss here how to proceed and would appreciate any ideas anyone has.

Linux fedecks.level5.net 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 6.5 (Final)
This is Perl version 5.010001 (5.10.1)
This is MailScanner version 4.84.6
SpamAssassin version 3.4.0

Thanks

Stef
Kai Schaetzl
2014-05-02 09:15:58 UTC
This is a common misunderstanding. SA via MS may not use the same config
files as SA run manually.
SA uses /etc/mail/spamassassin
MS uses /etc/mail/spamassassin/mailscanner.conf symlinked to
/etc/MailScanner/spam.assassin.prefs.conf

You may have removed the mailscanner.conf link and changed the path in
MailScanner.conf to use /etc/MailScanner/spam.assassin.prefs.conf
directly. Or something similar I don't imagine. You may also have some
extra user-specific config just for the user root.

You can run --lint -v for both (I think) to get an idea of which config
files are getting used, this should tell you how to correct it.

My general recommendation (if you know SA well enough to configure it
yourself) is:
- use only the files in /etc/mail/spamassassin for SA config
- remove the symlink and touch /etc/mail/mailscanner.conf, so that it
becomes a zero-sized file
- put the config you want to have in the traditional file
/etc/mail/spamassassin/local.cf (e.g. merge what's there with what you
want from spam.assassin.prefs.conf) (or use more than one file, as you
like, just make sure you don't have conflicting settings, merge reasonably)

By doing so, you always get the same configuration, no matter which way
you run SA. And the MS rpm will not attempt to set the symlink.

Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
Stef Morrell
2014-05-02 10:13:33 UTC
Hello Kai,
Post by Kai Schaetzl
This is a common misunderstanding. SA via MS may not use the same config
Yes, I take on board the technical suggestions. I've basically been through all those checks. :)

I am now starting to believe there is actually nothing wrong, and that the reason I'm seeing apparent fails on blacklist rules is that the domains aren't blacklisted at the time the spam is generated.

moms-flowersbouquet-nice.me - registered end of 30/04/2014, spam arrived early 01/05/2014
russianbrides-dating-great.me - registered 11 hours ago, spam arrived 3 hours ago.

So the problem is likely not MS; it's how to detect and deal with spam from brand new domains/IPs.
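A small diagnostic of the kind the two reports above call for, added here (not code from the thread, MailScanner or SpamAssassin): it parses the MailScanner score line and the manual X-Spam-Status header, diffs the rule sets, and classifies the rules missing from the MailScanner run as network-lookup rules (DNSBL/URIBL/digest) or local ones. The prefix list and the sample strings are assumptions copied from the reports in this post.

```python
import re

# Constructed samples: the MailScanner score line and the manual-run
# X-Spam-Status value as quoted in the opening post of this thread.
MS_REPORT = ("score=2.691, required 5, BAYES_50 0.80, DCC_CHECK 1.10, "
             "RDNS_NONE 0.79, SPF_HELO_PASS -0.00, SPF_PASS -0.00")
MANUAL_STATUS = ("Yes, score=9.0 required=5.0 tests=BAYES_40,DCC_CHECK,"
                 "DIGEST_MULTIPLE,PYZOR_CHECK,RCVD_IN_BL_SPAMCOP_NET,RDNS_NONE,"
                 "SPF_HELO_PASS,URIBL_DBL_SPAM,URIBL_WS_SURBL autolearn=no")

# Rule-name prefixes that need a live network lookup (DNSBL, URIBL, checksum
# digests). Assumed heuristic; extend it for your own rule sets.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "PYZOR_", "DCC_", "RAZOR2_", "DIGEST_")


def ms_tests(line):
    # MailScanner report lists "RULE score" pairs after the "required N," field.
    return {m.group(1) for m in
            re.finditer(r"\b([A-Z][A-Z0-9_]+)\s+-?\d+\.\d+", line)}


def status_tests(header):
    # X-Spam-Status carries a comma-separated "tests=" list.
    m = re.search(r"tests=([A-Z0-9_,]+)", header)
    return set(m.group(1).split(",")) if m else set()


def _fold_bayes(tests):
    # BAYES_xx buckets vary with probability, not with the rule set in use.
    return {"BAYES_*" if t.startswith("BAYES_") else t for t in tests}


def compare(ms_line, manual_header):
    ms, manual = _fold_bayes(ms_tests(ms_line)), _fold_bayes(status_tests(manual_header))
    missing = sorted(manual - ms)
    return {
        "missing_network": [t for t in missing if t.startswith(NETWORK_PREFIXES)],
        "missing_local": [t for t in missing if not t.startswith(NETWORK_PREFIXES)],
        "only_in_ms": sorted(ms - manual),
    }


def diagnose(result):
    # Only network rules missing points at listing timing, DNS or timeouts;
    # missing local rules point at a config difference between the two runs.
    if result["missing_local"]:
        return "config"
    return "network" if result["missing_network"] else "same"


if __name__ == "__main__":
    r = compare(MS_REPORT, MANUAL_STATUS)
    print(r, diagnose(r))
```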
Martin Hepworth
2014-05-02 14:50:43 UTC
Stef
also turn off autolearning - found this not great for a population of more
than a handful of users.
--
Martin Hepworth, CISSP
Oxford, UK
Stef Morrell
2014-05-02 15:07:54 UTC
Would you bother with bayes at all then? It would be impossible to hand sort my corpus.
Jerry Benton
2014-05-02 16:03:30 UTC
Stef,

Can you post your MailScanner conf? (A sample of your blacklist rules
specifically.)

Also, I see you have downloaded Mailborder before. If you still have the
Mailborder box running, I'd suggest entering some sample rules in the GUI
and see how the config files are built. Something as simple as using a
space instead of a tab in a rule set can cause issues.
Jerry Benton
Mailborder Systems
www.mailborder.com
Stef Morrell
2014-05-02 16:18:35 UTC
Really after consideration, I do think my problem is zero day spam and nothing else.

The blacklist rules in question are standard SA 3.4.0 rules, nothing special or clever of my own crafting. The problem is that the brand new domains (lots of .me domains) simply hadn't made it to blacklists in time to match and fire rules.
Martin Hepworth
2014-05-03 11:13:21 UTC
You can hand feed corrections via trusted users, but I've found that
autolearn just stuffs up the bayes db

Martin
--
Martin Hepworth, CISSP
Oxford, UK
Kai Schaetzl
2014-05-09 09:31:04 UTC
Post by Martin Hepworth
You can hand feed corrections via trusted users, but I've found that
autolearn just stuffs up the bayes db
Autolearning is effective in many cases. But you may want to adjust the
thresholds. e.g. lower especially the ham threshold to something way below
zero, so misdetected spam "on the brink" isn't autolearned as ham. Also
very effective is the autolearning of spamtrapped spam. One or two
accounts that are distributed and surely can only get spam can already
have good impact.
I agree that a few users who subscribe just to every list they can find
and attract shitloads of "legitimate" advertising spam can be a real
nuisance and may spoil the Bayes DB to an extent that it's not helpful. It
very much depends on your userbase.
With autolearning one has also to remember that it is not the "raw" hit
count that gets used. Autolearning discards several rule groups, for
instance I think it doesn't count the network rules. So, what you think
should be autolearned because the hits are above threshold may not
actually hit the required threshold.

Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
Kai Schaetzl
2014-05-09 09:31:04 UTC
Post by Stef Morrell
Would you bother with bayes at all then
Bayes is very effective, especially when it comes to spam that cannot be
identified otherwise, especially by technical or sender-based (RBL) rules.

Anyway, I find that a lot of spam (say 90% or more) is already blocked by
technical measures, e.g. do you check for existing hostnames of clients
and senders? Or even reverse hostnames? Helos? A lot of the spam gets sent
from provider networks that don't even set a hostname for their IP
addresses.

Also, if there are common characteristics like a lot having senders in the
me domain - why don't you add a rule for that. Not to block those senders
with just one rule, but to add up with other hits, so it finally reaches
the 5.0 threshold. Did you check if you have any legitimate .me senders?

Educate your users to stop using wildcard accounts, if you have a client
structure that can use wildcard accounts. Actually, might be a good idea
to tell people that you stop scanning wildcard accounts.

Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com