Spam bypassing Mailscanner w/Spamassassin.

[TheDjinn]

Lately I've been having issues with spam coming through the with a clean bill of health by Spamassassin. Around 200-300 messages a day. I checked in Mailwatch and everything seemed to be working correctly. I used the self-serve spammer at Mayflower to test against Spamassassin and those were flagged correctly.

I let about 1500 of the spam messages come in and then tried to manually train Spamassassin against them to no avail. Many of the messages contain the same body information, but they still aren't being flagged.

I'm including some headers for you to look at as well as the scores they received.

- Removed -

Bayes always gives them a -1.90 for some reason. I disabled autolearn until I could get this figured out.

Any help would be greatly appreciated.

Thank you,

 

[Infopro]

Output removed from your post.

We have no way of knowing whats spam or not spam here and there should be no need to post actual domains and email addresses on this forum. If you'd like to modify the output and repost it, you can, but please use the code tags to wrap the output, found on the advanced edit window, for your reply.

Thanks!

 

[TheDjinn]

Sorry about that, first post and all.

Here are the headers from a few of the emails that came through.

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 10 Dec 2014 10:53:17 -0500
Received: from xx.xx.xx.xx] (port=39299 helo=solvent.spam.com)
	by svr.domain.com with esmtp (Exim 4.84)
	(envelope-from <[email protected]>)
	id 1XyjZg-0000kT-UK
	for [email protected]; Wed, 10 Dec 2014 10:53:13 -0500
Date: Wed, 10 Dec 2014 10:53:12 -0500
To: [email protected]
From: Improve your vision <[email protected]>
Reply-to: Improve your vision <[email protected]>
Subject: Eyecare companies HATE this Lady
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_61c963bfcf49ce36566fb300ace958cc"
X-domain-MailScanner-Information: Please contact the ISP for more information
X-domain-MailScanner-ID: 1XyjZg-0000kT-UK
X-domain-MailScanner: Found to be clean
X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=-1.095, required 5, autolearn=disabled, BAYES_00 -1.90,
	HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79,
	T_REMOTE_IMAGE 0.01)
X-domain-MailScanner-From: [email protected]
X-Spam-Status: No

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 10 Dec 2014 10:22:25 -0500
Received: from rate.spam.com ([xxx.xxx.xxx.xxx]:45052)
	by svr.domain.com with esmtp (Exim 4.84)
	(envelope-from <[email protected]>)
	id 1Xyj5g-0007uw-RE
	for [email protected]; Wed, 10 Dec 2014 10:22:13 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=spam.com;
 h=MIME-Version:Content-Type:From:To:Subject:Message-Id:Date; [email protected];
 bh=QOM/s6LvhGIHex5bI8+5xRdfTCg=;
 b=TuBjr7OhHayXKtJrGo/efU2SHpev9jKwgt0cltnt818zpvlBepUiQNEocJsYJnQEn3m0Ujkt/tnn
   M7yHcUJwzDofyyymoGYZvEbf/hQ+NQMCgmeazopjS85zOAFPqNYZSQCEWW9FnMXOMJQUhFiqjerr
   dJiy3U0su/yXB2UG1K8=
Received: by rate.spam.com id hh1iia0001gq for <[email protected]>; Wed, 10 Dec 2014 10:21:18 -0500 (envelope-from <[email protected]>)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="==============2241564209561175063=="
From: Global Who's_Who <[email protected]>
To: [email protected]
Subject: You've Been Accepted by Who's_Who.
Message-Id: <[email protected]>
Date: Wed, 10 Dec 2014 10:21:18 -0500
X-domain-MailScanner-Information: Please contact the ISP for more information
X-domain-MailScanner-ID: 1Xyj5g-0007uw-RE
X-domain-MailScanner: Found to be clean
X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=-1.997, required 5, autolearn=disabled, BAYES_00 -1.90,
	DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10,
	HTML_MESSAGE 0.00, LOTS_OF_MONEY 0.00, URIBL_BLOCKED 0.00)
X-domain-MailScanner-From: [email protected]
X-Spam-Status: No

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 10 Dec 2014 09:00:53 -0500
Received: from [xx.xx.xx.xx] (port=37906 helo=couple.spam.com)
	by svr.domain.com with esmtp (Exim 4.84)
	(envelope-from <[email protected]>)
	id 1Xyhow-0004LF-Ds
	for [email protected]; Wed, 10 Dec 2014 09:00:50 -0500
Date: Wed, 10 Dec 2014 09:00:50 -0500
To: [email protected]
From: Walk in Bathtubs <[email protected]>
Reply-to: Walk in Bathtubs <[email protected]>
Subject: Safe Bathing for Your Mom or Dad
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_88ab9362bfdd2fbf5bde5201cd25f51e"
X-domain-MailScanner-Information: Please contact the ISP for more information
X-domain-MailScanner-ID: 1Xyhow-0004LF-Ds
X-domain-MailScanner: Found to be clean
X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=-1.095, required 5, BAYES_00 -1.90,
	HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79,
	T_REMOTE_IMAGE 0.01)
X-domain-MailScanner-From: [email protected]
X-Spam-Status: No

Hope that works.

Thanks,

 

[cPanelMichael]

Hello

It looks like the spammers are developing their messages to avoid detection by SpamAssassin. Have you considered enabling additional options beyond SpamAssassin to help combat these messages? For instance, you can browse to "WHM Home » Service Configuration » Exim Configuration Manager" and enable options such as RBL blacklisting and SPF record verification.

These options are documented here:

Exim Configuration Editor

Thank you.

 

[TheDjinn]

Hello

It looks like the spammers are developing their messages to avoid detection by SpamAssassin. Have you considered enabling additional options beyond SpamAssassin to help combat these messages? For instance, you can browse to "WHM Home » Service Configuration » Exim Configuration Manager" and enable options such as RBL blacklisting and SPF record verification.

These options are documented here:

Exim Configuration Editor

Thank you.

I do have SPF record verification enabled, and I have Spamassassin handling the RBL blocks. Is it better to let Exim handle them directly?

Thanks,

 

[cPanelMichael]

You could enable the RBL blocking through Exim to see if it helps. If specific accounts are targeted, then "Account Level Filters" with rules to block messages with specific content might also help.

Thank you.

 

[TheDjinn]

I do have some account level filters in place, but the spam is varied greatly. For instance I might get 200 messages, but only 2-5 will be debt consulting. Some are gibberish and have no coherency at all.

- - - Updated - - -

Sorry for the second reply, but the Bayes filter always seems to qualify the most obvious of spam as clean, while picking up on the obscure ones.

 

[cPanelMichael]

You may also find this thread helpful:

SpamAssassin Improvements

Thank you.

 

[TheDjinn]

I'm attempting to get DCC updated and working with Spamassassin. Do you have any information on how I can test that I'm using the latest DCC?

Thanks,

 

[cPanelMichael]

I'm attempting to get DCC updated and working with Spamassassin. Do you have any information on how I can test that I'm using the latest DCC?

You can find a test SPAM message at:

http://spamassassin.apache.org/gtube/gtube.txt

This will allow you to test SpamAssassin with a message that is detected as SPAM and review the message headers to see what was checked.

Thank you.

 

[sawbuck]

I'm attempting to get DCC updated and working with Spamassassin. Do you have any information on how I can test that I'm using the latest DCC?

From the command line run dccproc -V and compare the version here: Distributed Checksum Clearinghouses currently 1.3.155

 

[TheDjinn]

Awesome I'm updated. Also I'm not getting the thread update alerts from Cpanel Forums oddly enough. Sorry for the late reply.

Possibly stupid question, but I want to check and see if DCC is implemented correctly. I can't seem to find documentation on how to verify if Spamassassin is using DCC correctly. Any ideas?

 

[sawbuck]

I can't seem to find documentation on how to verify if Spamassassin is using DCC correctly. Any ideas?

Now try using Michael's suggestion for sending a spam message and check the MW interface to see whether SA scoring is including DCC.

 

[TheDjinn]

Sorry for the delay in reply. I was out of town for a week. I tried that and all seems well. However I do have one other issue that has cropped up. Spamassassin seems to be refusin to enable bayes autolearn. I disabled it temporarily until I could retrain it and now I can't seem to re-enable it.

#   Use Bayesian classifier (default: 1)
#
 use_bayes 1


#   Bayesian classifier auto-learning (default: 1)
#
 bayes_auto_learn 1

Am I missing something?

Thanks,

 

[cPanelMichael]

What specific file did you modify, and did you restart SpamAssassin after making the change?

Thank you.

 

[TheDjinn]

erased for idiocy

 

[TheDjinn]

I used the /etc/mail/spamassassin/local.cf file. Same one I used to disable bayes and yes I restarted spamassassin and mailscanner.

Thanks,

 

[cPanelMichael]

The issue might be isolated to MailScanner. Do you notice the change to the configuration if you temporarily disable MailScanner on your system?

Thank you.

 

[TheDjinn]

I've elected to just disable bayes for now. It's never worked correctly for me and every message it flags is flagged incorrectly. Unless there is a solid argument for keeping bayes enabled, I think this is for the best.

Last edit: I wanted to thank everyone for all the assistance. The spam levels have dropped significantly since enabling pyzor, razor2, and getting DCC working correctly. Now that i've disabled bayes, spam that was once being saved by the bayes system is now being caught so we are down to around 5 or so messages a day. Which is a huge improvement over the 300 that were bypassing it before.

Thanks again,