Solved

SpamAssassin not filtering spam

Posted on 2004-07-30
Last Modified: 2008-01-09
Hi experts.

I have a Red Hat server running SpamAssassin version 2.55 integrated with MailScanner. I have recently added some new rules to SpamAssassin, but spam is still arriving. I checked out some of these messages and all of them have a score above the required one (5), but they are getting whitelisted. Here is an example:

Reply-To: "Jannie Butts" <amuvzatbh@lilli.freeserve.co.uk>
From: "Jannie Butts" <amuvzatbh@lilli.freeserve.co.uk>
To: <jorgep@eurolatina.com.co>
Subject: fill your girlfriend's asshole to the max!
Date: Wed, 28 Jul 2004 02:54:27 -0500
Message-ID: <DXVFBQDBYTVVJJNVWDXCLKKI@msgbox.com>
MIME-Version: 1.0
Content-Type: text/html;
      charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-Euro-MailScanner-Information: Please contact the ISP for more information
X-Euro-MailScanner: Found to be clean
X-Euro-MailScanner-SpamCheck: not spam (whitelisted),SpamAssassin (score=45.9, required 5, autolearn=spam,BigEvilList_1670 3.00, DISGUISE_VIAGRA 1.00, DRUGS_DEPRESSION 0.10,DRUGS_DEPR_EREC 2.00, DRUGS_DIET 2.00, DRUGS_DIET_EREC 2.00,DRUGS_DIET_PAIN 3.00, DRUGS_ERECTILE 3.00, DRUGS_ERECTILE_OBFU 0.10,DRUGS_MANYKINDS 2.50, DRUGS_PAIN 2.00, DRUGS_PAIN_EREC 2.00,DRUGS_PAIN_OBFU 1.00, FH_FAKE_RCVD_LINE 3.00, HTML_20_30 1.16,HTML_FONT_COLOR_RED 0.10, HTML_MESSAGE 0.10,MIME_HTML_NO_CHARSET 0.76, MIME_HTML_ONLY 0.10, NO_RDNS2 0.01,RATWR19_MESSID 0.41, RCVD_IN_NJABL 0.85, RCVD_IN_ORBS 0.50,RCVD_IN_RFCI 1.45, RM_bw_Generic 0.30, RM_bw_VIAGRA 3.00,SARE_BOUNDARY_07 2.22, SARE_FROM_SPAM_WORD3 0.75,SARE_HTML_NO_BODY3 0.10, SARE_HTML_NO_HTML2 0.10,SARE_HTML_NO_HTML4 0.20, SARE_RECV_IP_061052 1.11,SARE_RECV_IP_FROMIP1 1.67, SARE_RECV_SUSP_1 2.22,SARE_RECV_SUSP_3 1.67, SPECIAL_OFFER 0.30)
X-MailScanner-From: amuvzatbh@lilli.freeserve.co.uk
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Webmail-Time: Wed, 28 Jul 2004 10:56:27 +0300

As you can see in the X-Euro-MailScanner-SpamCheck header, the score is 45.9 and the required is 5.0. It has to classify this message as spam, but it doesn't.

My question is: why? What should I do? What is wrong with the configuration?

Thanks for your help.
Question by:rbraym
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11679761
Check if you don't have this address in /usr/share/spamassassin/60_whitelist.cf

whitelist_from_rcvd  *@lilli.freeserve.co.uk

or something like this

or in your home directory you have

/home/you/.spamassassin/user_prefs
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11681143
I'd suggest also checking MailScanner's spam.assassin.prefs.conf and spam.whitelist.rules
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11681176
Yep, I forgot these options :)

I use SpamAssassin with procmail and MailScanner separately.

It is simple:

the messages received
Mailscanner
procmail
Spamassasin
bogofilter
deliver to folder or mbox

I deactivated the options from MailScanner with SpamAssassin.

0
 

Author Comment

by:rbraym
ID: 11681456
Nope.
This address is not in that file. As you can see above, I wrote "I checked out some of these messages and all of them have a score above the required one (5) but they are getting whitelisted", so it's not only this message.

And the options are for all users, not for a specific user.

Thanks
0

 
LVL 40

Expert Comment

by:jlevie
ID: 11681584
"X-Euro-MailScanner-SpamCheck: not spam (whitelisted)" says that MailScanner believes that you've told it to whitelist the site(s). I'd suggest carefully checking the files I mentioned earlier for explicit whitelisting.
0
 

Author Comment

by:rbraym
ID: 11681772
Here's my spam.assassin.prefs.conf file:

# MailScanner
# MailScanner users, please see the comments at the bottom of this file.
# MailScanner
#
# SpamAssassin user preferences file.
#
# Format:
#
#   required_hits n
#            (how many hits are required to tag a mail as spam.)
#
#   score SYMBOLIC_TEST_NAME n
#            (if this is omitted, 1 is used as a default score.
#            Set the score to 0 to ignore the test.)
#
# # starts a comment, whitespace is not significant.
#
###########################################################################

# JKF 25/10/2002
# These next 3 lines add a local rule to SpamAssassin to help protect you
# from the friendlygreetings.com nasty-gram which will send lots of spam
# from your PC if you let it. Not really a virus, but you don't want your
# users all clicking on it.

header   FRIEND_GREETINGS      Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS      Nasty E-card from FriendGreetings.com
score    FRIEND_GREETINGS      100.0
header   FRIEND_GREETINGS2      Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2      Nasty E-card from FriendGreetings.com
score    FRIEND_GREETINGS2      100.0

###########################################################################
# First of all, the generally useful stuff; thresholds and the whitelist
# of addresses which, for some reason or another, often trigger false
# positives.

# JKF 25/10/2002
# The required_hits value is now specified in the MailScanner configuration
# file, not here. Look for the word "Required" in there and you will find it.

required_hits            5

#
# JKF 28/04/2003
# The following settings has been pretty much superceded by the "Advanced
# SpamAssassin Settings" in MailScanner.conf.
#
# JKF 26/03/2003
# If your root filesystem is filling up because SpamAssassin is putting
# large databases in /.spamassassin or /root/.spamassassin, you can move
# them using the following lines to point to their new locations.
# The last part of the path is not a directory name, but actually the
# start of the filenames. So with the settings below, the Bayes files will
# be created as /var/spool/spamassassin/bayes_msgcount, etc.
#
#auto_whitelist_path        /var/spool/spamassassin/auto-whitelist
#auto_whitelist_file_mode   0600
#bayes_path                 /var/spool/spamassassin/bayes
#bayes_file_mode            0600

# MailScanner: When using the scheduled Bayes expiry feature, you probably
# MailScanner: want to turn off auto-expiry as it will rarely complete before
# MailScanner: it is killed for taking too long. You will just end up with
# MailScanner: big bayes_toks.new files wasting space.
# bayes_auto_expire 0

# Whitelist and blacklist addresses are *not* patterns; they're just normal
# strings.  one exception is that "*@isp.com" is allowed.  They should be in
# lower-case.  You can either add multiple addrs on one line,
# whitespace-separated, or you can use multiple lines.
#
# Monty Solomon: he posts from an ISP that has often been the source of spam
# (no fault of his own ;), and sometimes uses Bcc: when mailing.
#
whitelist_from            monty@roscom.com

# Add your blacklist entries in the same format...
#
# blacklist_from      friend@public.com

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#
#ok_locales            en

# By default, SpamAssassin will run RBL checks.  If your ISP already
# does this, set this to 1.
#
skip_rbl_checks 0

###########################################################################
# Add your own customised scores for some tests below.  The default scores are
# read from the installed "spamassassin.cf" file, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .

# MailScanner: Comment out the next line to enable DCC checking if you
#              have dcc installed (optional part of SpamAssassin)
# JKF Commented out as it no longer generates maillog warnings
#score DCC_CHECK 0.0
dcc_path /usr/local/bin/dccproc

#
# Added for MailScanner 23/5/2003
# The timeouts for blacklists and Razor are rather generous in the default
# state that SpamAssassin is shipped. Reducing these stops a lot of timeouts
# from removing SpamAssassin scores altogether.
#
rbl_timeout 20
razor_timeout 10
pyzor_timeout 10

#
# Added for MailScanner 14/6/2002
# If you specify these scores, SpamAssassin will do RBL checks as well as
# MailScanner, which just wastes CPU power and network bandwidth. Either
# do them here by uncommenting the rules below (if you have paid for them)
# or else uncomment the "skip_rbl_checks" line above and let MailScanner
# do the checks instead.
#
#score RCVD_IN_BL_SPAMCOP_NET    4
# These next 3 will cost you money, see mailscanner.conf.
#score RCVD_IN_RBL               10
#score RCVD_IN_RSS               1
#score RCVD_IN_DUL               1

# Osirusoft is dead
score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_SPAM_SRC 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_DUL_FH 0.0

# For spam and notspam bins
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_ignore_header X-MailScanner-Information

# By default, the Bayesian engine is used. This is a real CPU hog and uses
# a lot of system resources to work.
# On a small overloaded system, you might need to disable it.
# use_bayes 0

I can't see any problem in it; maybe you can. And spam.whitelist.rules:

# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From:            152.78.            yes
#From:            130.246.      yes
FromOrTo:      default            no
FromOrTo:      *@eurolatina.com.co      yes
FromOrTo:      *@eurosistemas.com.co      yes
FromOrTo:      postmaster@eurosistemas.com.co            yes
FromOrTo:       postmaster@eurolatina.com.co          yes
FromOrTo:       postmaster@master.eurolatina.com.co          yes

The same. Can't see any problem with it.

What could it be?

0
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 11682587
Here's your problem:

FromOrTo:     *@eurolatina.com.co     yes
FromOrTo:     *@eurosistemas.com.co     yes

That says that messages from or to any user at either of those domains are to be whitelisted. The sample above is "To: <jorgep@eurolatina.com.co>", which satisfies the first rule, and the mail is marked as whitelisted. The only time you'd want to use a construct like that would be when you host a virtual domain that doesn't want any sort of anti-spam protection.
0
 

Author Comment

by:rbraym
ID: 11685229
Thanks a lot jlevie, I didn't notice it.

One more question: I need all the mails from those domains not to be marked as spam because they're our clients, so the only thing I have to do is put "From" instead of "FromOrTo"?

Thanks.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11685930
From instead of FromTo would be correct.
0
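The behaviour identified in the accepted solution, as an added example that is not part of the original thread or MailScanner's own code: a simplified Python model of whitelist ruleset matching, run against the posted rules and the sample message. It assumes that the first matching rule wins, that `default` applies only when nothing matches, and that patterns are plain address wildcards; `parse_rules`, `is_whitelisted` and `audit_broad_rules` are hypothetical helper names.

```python
import fnmatch

# Default plus the two wildcard rules from the posted spam.whitelist.rules.
RULES_AS_POSTED = """\
FromOrTo: default no
FromOrTo: *@eurolatina.com.co yes
FromOrTo: *@eurosistemas.com.co yes
"""
# Same rules with the FromOrTo -> From change agreed at the end of the thread.
RULES_FROM_ONLY = RULES_AS_POSTED.replace("FromOrTo: *", "From: *")
# Sender and recipient of the sample message in the question.
SPAM_FROM, SPAM_TO = "amuvzatbh@lilli.freeserve.co.uk", "jorgep@eurolatina.com.co"

def parse_rules(text):
    """Return (rules, default); rules is a list of (direction, pattern, value)."""
    rules, default = [], "no"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        direction, pattern, value = line.split()[:3]
        direction = direction.rstrip(":").lower()
        if pattern.lower() == "default":
            default = value.lower()
        else:
            rules.append((direction, pattern.lower(), value.lower()))
    return rules, default

def is_whitelisted(rules, default, sender, recipients):
    """First matching rule decides; the default is used only if none match."""
    for direction, pattern, value in rules:
        candidates = [sender.lower()] if direction in ("from", "fromorto") else []
        if direction in ("to", "fromorto"):
            candidates += [r.lower() for r in recipients]
        if any(fnmatch.fnmatchcase(addr, pattern) for addr in candidates):
            return value == "yes"
    return default == "yes"

def audit_broad_rules(rules, local_domains):
    """List 'yes' rules that match on the recipient side for a domain we receive mail for."""
    return [(d, p) for d, p, v in rules
            if v == "yes" and d in ("to", "fromorto")
            and any(fnmatch.fnmatchcase("anyuser@" + dom, p) for dom in local_domains)]

if __name__ == "__main__":
    for label, text in (("as posted", RULES_AS_POSTED), ("From only", RULES_FROM_ONLY)):
        rules, default = parse_rules(text)
        print(label, is_whitelisted(rules, default, SPAM_FROM, [SPAM_TO]),
              audit_broad_rules(rules, ["eurolatina.com.co"]))
```

A `From:` rule still trusts whatever sender address the message presents, so such entries are best kept to the specific client domains that need them.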
