• Status: Solved

SpamAssassin not filtering spam

Hi experts.

I have a Red Hat server running SpamAssassin version 2.55 integrated with MailScanner. I have recently added some new rules to SpamAssassin, but spam is still arriving. I checked out some of these messages and all of them have a score above the required one (5), but they are getting whitelisted. Here is an example:

Reply-To: "Jannie Butts" <amuvzatbh@lilli.freeserve.co.uk>
From: "Jannie Butts" <amuvzatbh@lilli.freeserve.co.uk>
To: <jorgep@eurolatina.com.co>
Subject: fill your girlfriend's asshole to the max!
Date: Wed, 28 Jul 2004 02:54:27 -0500
Message-ID: <DXVFBQDBYTVVJJNVWDXCLKKI@msgbox.com>
MIME-Version: 1.0
Content-Type: text/html;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-Euro-MailScanner-Information: Please contact the ISP for more information
X-Euro-MailScanner: Found to be clean
X-Euro-MailScanner-SpamCheck: not spam (whitelisted),SpamAssassin (score=45.9, required 5, autolearn=spam,BigEvilList_1670 3.00, DISGUISE_VIAGRA 1.00, DRUGS_DEPRESSION 0.10,DRUGS_DEPR_EREC 2.00, DRUGS_DIET 2.00, DRUGS_DIET_EREC 2.00,DRUGS_DIET_PAIN 3.00, DRUGS_ERECTILE 3.00, DRUGS_ERECTILE_OBFU 0.10,DRUGS_MANYKINDS 2.50, DRUGS_PAIN 2.00, DRUGS_PAIN_EREC 2.00,DRUGS_PAIN_OBFU 1.00, FH_FAKE_RCVD_LINE 3.00, HTML_20_30 1.16,HTML_FONT_COLOR_RED 0.10, HTML_MESSAGE 0.10,MIME_HTML_NO_CHARSET 0.76, MIME_HTML_ONLY 0.10, NO_RDNS2 0.01,RATWR19_MESSID 0.41, RCVD_IN_NJABL 0.85, RCVD_IN_ORBS 0.50,RCVD_IN_RFCI 1.45, RM_bw_Generic 0.30, RM_bw_VIAGRA 3.00,SARE_BOUNDARY_07 2.22, SARE_FROM_SPAM_WORD3 0.75,SARE_HTML_NO_BODY3 0.10, SARE_HTML_NO_HTML2 0.10,SARE_HTML_NO_HTML4 0.20, SARE_RECV_IP_061052 1.11,SARE_RECV_IP_FROMIP1 1.67, SARE_RECV_SUSP_1 2.22,SARE_RECV_SUSP_3 1.67, SPECIAL_OFFER 0.30)
X-MailScanner-From: amuvzatbh@lilli.freeserve.co.uk
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Webmail-Time: Wed, 28 Jul 2004 10:56:27 +0300

As you can see in the X-Euro-MailScanner-SpamCheck header, the score is 45.9 and the required is 5.0. It has to classify this message as spam, but it doesn't.

My question is: why? What should I do? What is wrong with the configuration?

Thanks for your help.
Asked by: rbraym

1 Solution

pablouruguay Commented:
Check that you don't have this address in /usr/share/spamassassin/60_whitelist.cf:

whitelist_from_rcvd  *@lilli.freeserve.co.uk

or something like this

or in your home directory you have

/home/you/.spamassassin/user_prefs

jlevie Commented:
I'd suggest also checking MailScanner's spam.assassin.prefs.conf and spam.whitelist.rules

pablouruguay Commented:
Yep, I forgot these options :)

I use SpamAssassin with procmail and MailScanner in separate ways.

It's simple:

the messages received
MailScanner
procmail
SpamAssassin
bogofilter
deliver to folder or mbox

I deactivated the options from MailScanner with SpamAssassin.


 
rbraym (Author) Commented:
Nope.
This address is not in that file. As you can see above, I wrote "I checked out some of these messages and all of them have a score above the required one (5) but they are getting whitelisted", so it's not only this message.

And the options are for all users, not for a specific user.

Thanks.

jlevie Commented:
"X-Euro-MailScanner-SpamCheck: not spam (whitelisted)" says that MailScanner believes that you've told it to whitelist the site(s). I'd suggest carefully checking the files I mentioned earlier for explicit whitelisting.

rbraym (Author) Commented:
here's my  spam.assassin.prefs.conf file:

# MailScanner
# MailScanner users, please see the comments at the bottom of this file.
# MailScanner
#
# SpamAssassin user preferences file.
#
# Format:
#
#   required_hits n
#            (how many hits are required to tag a mail as spam.)
#
#   score SYMBOLIC_TEST_NAME n
#            (if this is omitted, 1 is used as a default score.
#            Set the score to 0 to ignore the test.)
#
# # starts a comment, whitespace is not significant.
#
###########################################################################

# JKF 25/10/2002
# These next 3 lines add a local rule to SpamAssassin to help protect you
# from the friendlygreetings.com nasty-gram which will send lots of spam
# from your PC if you let it. Not really a virus, but you don't want your
# users all clicking on it.

header   FRIEND_GREETINGS      Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS      Nasty E-card from FriendGreetings.com
score    FRIEND_GREETINGS      100.0
header   FRIEND_GREETINGS2      Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2      Nasty E-card from FriendGreetings.com
score    FRIEND_GREETINGS2      100.0

###########################################################################
# First of all, the generally useful stuff; thresholds and the whitelist
# of addresses which, for some reason or another, often trigger false
# positives.

# JKF 25/10/2002
# The required_hits value is now specified in the MailScanner configuration
# file, not here. Look for the word "Required" in there and you will find it.

required_hits            5

#
# JKF 28/04/2003
# The following settings has been pretty much superceded by the "Advanced
# SpamAssassin Settings" in MailScanner.conf.
#
# JKF 26/03/2003
# If your root filesystem is filling up because SpamAssassin is putting
# large databases in /.spamassassin or /root/.spamassassin, you can move
# them using the following lines to point to their new locations.
# The last part of the path is not a directory name, but actually the
# start of the filenames. So with the settings below, the Bayes files will
# be created as /var/spool/spamassassin/bayes_msgcount, etc.
#
#auto_whitelist_path        /var/spool/spamassassin/auto-whitelist
#auto_whitelist_file_mode   0600
#bayes_path                 /var/spool/spamassassin/bayes
#bayes_file_mode            0600

# MailScanner: When using the scheduled Bayes expiry feature, you probably
# MailScanner: want to turn off auto-expiry as it will rarely complete before
# MailScanner: it is killed for taking too long. You will just end up with
# MailScanner: big bayes_toks.new files wasting space.
# bayes_auto_expire 0

# Whitelist and blacklist addresses are *not* patterns; they're just normal
# strings.  one exception is that "*@isp.com" is allowed.  They should be in
# lower-case.  You can either add multiple addrs on one line,
# whitespace-separated, or you can use multiple lines.
#
# Monty Solomon: he posts from an ISP that has often been the source of spam
# (no fault of his own ;), and sometimes uses Bcc: when mailing.
#
whitelist_from            monty@roscom.com

# Add your blacklist entries in the same format...
#
# blacklist_from      friend@public.com

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#
#ok_locales            en

# By default, SpamAssassin will run RBL checks.  If your ISP already
# does this, set this to 1.
#
skip_rbl_checks 0

###########################################################################
# Add your own customised scores for some tests below.  The default scores are
# read from the installed "spamassassin.cf" file, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .

# MailScanner: Comment out the next line to enable DCC checking if you
#              have dcc installed (optional part of SpamAssassin)
# JKF Commented out as it no longer generates maillog warnings
#score DCC_CHECK 0.0
dcc_path /usr/local/bin/dccproc

#
# Added for MailScanner 23/5/2003
# The timeouts for blacklists and Razor are rather generous in the default
# state that SpamAssassin is shipped. Reducing these stops a lot of timeouts
# from removing SpamAssassin scores altogether.
#
rbl_timeout 20
razor_timeout 10
pyzor_timeout 10

#
# Added for MailScanner 14/6/2002
# If you specify these scores, SpamAssassin will do RBL checks as well as
# MailScanner, which just wastes CPU power and network bandwidth. Either
# do them here by uncommenting the rules below (if you have paid for them)
# or else uncomment the "skip_rbl_checks" line above and let MailScanner
# do the checks instead.
#
#score RCVD_IN_BL_SPAMCOP_NET    4
# These next 3 will cost you money, see mailscanner.conf.
#score RCVD_IN_RBL               10
#score RCVD_IN_RSS               1
#score RCVD_IN_DUL               1

# Osirusoft is dead
score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_SPAM_SRC 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_DUL_FH 0.0

# For spam and notspam bins
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_ignore_header X-MailScanner-Information

# By default, the Bayesian engine is used. This is a real CPU hog and uses
# a lot of system resources to work.
# On a small overloaded system, you might need to disable it.
# use_bayes 0

I can't see any problem in it; maybe you can. And spam.whitelist.rules:

# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From:            152.78.            yes
#From:            130.246.      yes
FromOrTo:      default            no
FromOrTo:      *@eurolatina.com.co      yes
FromOrTo:      *@eurosistemas.com.co      yes
FromOrTo:      postmaster@eurosistemas.com.co            yes
FromOrTo:       postmaster@eurolatina.com.co          yes
FromOrTo:       postmaster@master.eurolatina.com.co          yes

The same. Can't see any problem with it.

What could it be?


jlevie Commented:
Here's your problem:

FromOrTo:     *@eurolatina.com.co     yes
FromOrTo:     *@eurosistemas.com.co     yes

That says that messages from or to any user at either of those domains are to be whitelisted. The sample above is "To: <jorgep@eurolatina.com.co>" which satisfies the first rule and the mail is marked as whitelisted. The only time you'd want to use a construct like that would be when you host a virtual domain that doesn't want any sort of anti-spam protection.

rbraym (Author) Commented:
Thanks a lot jlevie, I didn't notice it.

One more question: I need all the mail from those domains not to be marked as spam because they're our clients, so the only thing I have to do is put "From" instead of "FromOrTo"?

Thanks.

jlevie Commented:
From instead of FromTo would be correct.
0
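
The whitelist match jlevie describes, and the effect of switching to From:, as an added example that is not part of the original thread and is not MailScanner's own code. It is a simplified model that assumes the first matching rule wins, `default` is the fallback, and `*` is a shell-style wildcard on addresses; the function names are hypothetical.

```python
import fnmatch

# Ruleset as posted in the thread (comment lines omitted).
THREAD_RULES = """\
FromOrTo: default no
FromOrTo: *@eurolatina.com.co yes
FromOrTo: *@eurosistemas.com.co yes
FromOrTo: postmaster@eurosistemas.com.co yes
FromOrTo: postmaster@eurolatina.com.co yes
FromOrTo: postmaster@master.eurolatina.com.co yes
"""

def parse_rules(text):
    """Return (rules, default); each rule is (direction, pattern, value)."""
    rules, default = [], "no"  # assumption: "no" when no default line exists
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        direction, pattern, value = (p.lower() for p in parts[:3])
        if pattern == "default":
            default = value
        else:
            rules.append((direction.rstrip(":"), pattern, value))
    return rules, default

def whitelist_decision(text, sender, recipient):
    """Return (value, matching rule or None) for one sender/recipient pair."""
    rules, default = parse_rules(text)
    for direction, pattern, value in rules:
        f = fnmatch.fnmatchcase(sender.lower(), pattern)
        t = fnmatch.fnmatchcase(recipient.lower(), pattern)
        matched = {"from": f, "to": t, "fromorto": f or t,
                   "fromandto": f and t}.get(direction, False)
        if matched:
            return value, (direction, pattern)
    return default, None

def inbound_bypass_rules(text):
    """Rules that whitelist on the recipient side, whoever the sender is."""
    return [(d, p) for d, p, v in parse_rules(text)[0]
            if v == "yes" and d in ("to", "fromorto")]

if __name__ == "__main__":
    spam = ("amuvzatbh@lilli.freeserve.co.uk", "jorgep@eurolatina.com.co")
    fixed = THREAD_RULES.replace("FromOrTo: *@", "From: *@")
    print(whitelist_decision(THREAD_RULES, *spam))  # whitelisted by recipient
    print(whitelist_decision(fixed, *spam))         # falls through to default
    print(inbound_bypass_rules(THREAD_RULES))
```
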
Question has a verified solution.
