Spam bypassing Mailscanner w/Spamassassin.

Comments

18 comments

  • Infopro
    Output removed from your post. We have no way of knowing what's spam or not spam here and there should be no need to post actual domains and email addresses on this forum. If you'd like to modify the output and repost it, you can, but please use the code tags to wrap the output, found on the advanced edit window, for your reply. Thanks!
    0
  • TheDjinn
    Sorry about that, first post and all. Here are the headers from a few of the emails that came through.
    Return-path:
    Envelope-to: me@mydomain.com
    Delivery-date: Wed, 10 Dec 2014 10:53:17 -0500
    Received: from xx.xx.xx.xx] (port=39299 helo=solvent.spam.com) by svr.domain.com with esmtp (Exim 4.84) (envelope-from ) id 1XyjZg-0000kT-UK for me@mydomain.com; Wed, 10 Dec 2014 10:53:13 -0500
    Date: Wed, 10 Dec 2014 10:53:12 -0500
    To: me@mydomain.com
    From: Improve your vision
    Reply-to: Improve your vision
    Subject: Eyecare companies HATE this Lady
    Message-ID: <61c963bfcf49ce36566fb300ace958cc@l.spam.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="b1_61c963bfcf49ce36566fb300ace958cc"
    X-domain-MailScanner-Information: Please contact the ISP for more information
    X-domain-MailScanner-ID: 1XyjZg-0000kT-UK
    X-domain-MailScanner: Found to be clean
    X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.095, required 5, autolearn=disabled, BAYES_00 -1.90, HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79, T_REMOTE_IMAGE 0.01)
    X-domain-MailScanner-From: spam@spam.com
    X-Spam-Status: No

    Return-path:
    Envelope-to: me@mydomain.com
    Delivery-date: Wed, 10 Dec 2014 10:22:25 -0500
    Received: from rate.spam.com ([xxx.xxx.xxx.xxx]:45052) by svr.domain.com with esmtp (Exim 4.84) (envelope-from ) id 1Xyj5g-0007uw-RE for me@mydomain.com; Wed, 10 Dec 2014 10:22:13 -0500
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=spam.com; h=MIME-Version:Content-Type:From:To:Subject:Message-Id:Date; i=globalwhos@spam.com; bh=QOM/s6LvhGIHex5bI8+5xRdfTCg=; b=TuBjr7OhHayXKtJrGo/efU2SHpev9jKwgt0cltnt818zpvlBepUiQNEocJsYJnQEn3m0Ujkt/tnn M7yHcUJwzDofyyymoGYZvEbf/hQ+NQMCgmeazopjS85zOAFPqNYZSQCEWW9FnMXOMJQUhFiqjerr dJiy3U0su/yXB2UG1K8=
    Received: by rate.spam.com id hh1iia0001gq for ; Wed, 10 Dec 2014 10:21:18 -0500 (envelope-from )
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="==============2241564209561175063=="
    From: Global Who's_Who
    To: me@mydomain.com
    Subject: You've Been Accepted by Who's_Who.
    Message-Id: <07b8124deb1612a11b0d7b8c78059936@spam.com>
    Date: Wed, 10 Dec 2014 10:21:18 -0500
    X-domain-MailScanner-Information: Please contact the ISP for more information
    X-domain-MailScanner-ID: 1Xyj5g-0007uw-RE
    X-domain-MailScanner: Found to be clean
    X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.997, required 5, autolearn=disabled, BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, LOTS_OF_MONEY 0.00, URIBL_BLOCKED 0.00)
    X-domain-MailScanner-From: spam@spam.com
    X-Spam-Status: No

    Return-path:
    Envelope-to: me@mydomain.com
    Delivery-date: Wed, 10 Dec 2014 09:00:53 -0500
    Received: from [xx.xx.xx.xx] (port=37906 helo=couple.spam.com) by svr.domain.com with esmtp (Exim 4.84) (envelope-from ) id 1Xyhow-0004LF-Ds for me@mydomain.com; Wed, 10 Dec 2014 09:00:50 -0500
    Date: Wed, 10 Dec 2014 09:00:50 -0500
    To: me@mydomain.com
    From: Walk in Bathtubs
    Reply-to: Walk in Bathtubs
    Subject: Safe Bathing for Your Mom or Dad
    Message-ID: <88ab9362bfdd2fbf5bde5201cd25f51e@m.spam.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="b1_88ab9362bfdd2fbf5bde5201cd25f51e"
    X-domain-MailScanner-Information: Please contact the ISP for more information
    X-domain-MailScanner-ID: 1Xyhow-0004LF-Ds
    X-domain-MailScanner: Found to be clean
    X-domain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.095, required 5, BAYES_00 -1.90, HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79, T_REMOTE_IMAGE 0.01)
    X-domain-MailScanner-From: spam@spam.com
    X-Spam-Status: No

    Hope that works. Thanks,
    0
  • cPanelMichael
    Hello :) It looks like the spammers are developing their messages to avoid detection by SpamAssassin. Have you considered enabling additional options beyond SpamAssassin to help combat these messages? For instance, you can browse to "WHM Home » Service Configuration » Exim Configuration Manager" and enable options such as RBL blacklisting and SPF record verification. These options are documented here: Exim Configuration Editor. Thank you.
    0
  • TheDjinn
    > Hello :) It looks like the spammers are developing their messages to avoid detection by SpamAssassin. Have you considered enabling additional options beyond SpamAssassin to help combat these messages? For instance, you can browse to "WHM Home » Service Configuration » Exim Configuration Manager" and enable options such as RBL blacklisting and SPF record verification. These options are documented here: Exim Configuration Editor. Thank you.

    I do have SPF record verification enabled, and I have Spamassassin handling the RBL blocks. Is it better to let Exim handle them directly? Thanks,
    0
  • cPanelMichael
    You could enable the RBL blocking through Exim to see if it helps. If specific accounts are targeted, then "Account Level Filters" with rules to block messages with specific content might also help. Thank you.
    0
  • TheDjinn
    I do have some account level filters in place, but the spam is varied greatly. For instance I might get 200 messages, but only 2-5 will be debt consulting. Some are gibberish and have no coherency at all.

    Sorry for the second reply, but the Bayes filter always seems to qualify the most obvious of spam as clean, while picking up on the obscure ones.
    0
  • cPanelMichael
    You may also find this thread helpful: SpamAssassin Improvements Thank you.
    0
  • TheDjinn
    I'm attempting to get DCC updated and working with Spamassassin. Do you have any information on how I can test that I'm using the latest DCC? Thanks,
    0
  • cPanelMichael
    > I'm attempting to get DCC updated and working with Spamassassin. Do you have any information on how I can test that I'm using the latest DCC?

    You can find a test SPAM message at:
    0
  • sawbuck
    > I'm attempting to get DCC updated and working with Spamassassin. Do you have any information on how I can test that I'm using the latest DCC?

    From the command line run dccproc -V and compare the version here: Distributed Checksum Clearinghouses (http://www.dcc-servers.net/dcc/), currently 1.3.155
    0
  • TheDjinn
    Awesome I'm updated. Also I'm not getting the thread update alerts from Cpanel Forums oddly enough. Sorry for the late reply. Possibly stupid question, but I want to check and see if DCC is implemented correctly. I can't seem to find documentation on how to verify if Spamassassin is using DCC correctly. Any ideas?
    0
  • sawbuck
    > I can't seem to find documentation on how to verify if Spamassassin is using DCC correctly. Any ideas?

    Now try using Michael's suggestion for sending a spam message and check the MW interface to see whether SA scoring is including DCC.
    0
  • TheDjinn
    Sorry for the delay in reply. I was out of town for a week. I tried that and all seems well. However I do have one other issue that has cropped up. Spamassassin seems to be refusing to enable bayes autolearn. I disabled it temporarily until I could retrain it and now I can't seem to re-enable it.
    # Use Bayesian classifier (default: 1)
    # use_bayes 1
    # Bayesian classifier auto-learning (default: 1)
    # bayes_auto_learn 1
    Am I missing something? Thanks,
    0
  • cPanelMichael
    What specific file did you modify, and did you restart SpamAssassin after making the change? Thank you.
    0
  • TheDjinn
    erased for idiocy
    0
  • TheDjinn
    I used the /etc/mail/spamassassin/local.cf file. Same one I used to disable bayes and yes I restarted spamassassin and mailscanner. Thanks,
    0
  • cPanelMichael
    The issue might be isolated to MailScanner. Do you notice the change to the configuration if you temporarily disable MailScanner on your system? Thank you.
    0
  • TheDjinn
    I've elected to just disable bayes for now. It's never worked correctly for me and every message it flags is flagged incorrectly. Unless there is a solid argument for keeping bayes enabled, I think this is for the best.

    Last edit: I wanted to thank everyone for all the assistance. The spam levels have dropped significantly since enabling pyzor, razor2, and getting DCC working correctly. Now that I've disabled bayes, spam that was once being saved by the bayes system is now being caught so we are down to around 5 or so messages a day, which is a huge improvement over the 300 that were bypassing it before. Thanks again,
    0
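
An added example, not part of the thread: a small Python parser for the X-domain-MailScanner-SpamCheck values posted above, showing how much of each score came from BAYES_00 and whether any DCC, Razor2 or Pyzor rule fired. The function names are made up for this illustration; the three sample values are copied from the headers TheDjinn posted.

```python
import re

# SpamCheck values copied from the three messages posted in this thread.
SAMPLES = [
    "not spam, SpamAssassin (not cached, score=-1.095, required 5, autolearn=disabled, BAYES_00 -1.90, HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79, T_REMOTE_IMAGE 0.01)",
    "not spam, SpamAssassin (not cached, score=-1.997, required 5, autolearn=disabled, BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, LOTS_OF_MONEY 0.00, URIBL_BLOCKED 0.00)",
    "not spam, SpamAssassin (not cached, score=-1.095, required 5, BAYES_00 -1.90, HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, RDNS_NONE 0.79, T_REMOTE_IMAGE 0.01)",
]

# A rule hit looks like "RULE_NAME 0.79": upper-case name, space, signed decimal.
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")
# Rule-name prefixes used by the checksum networks mentioned in the thread.
CHECKSUM_PREFIXES = ("DCC_", "RAZOR2_", "PYZOR_")


def parse_spamcheck(value):
    """Return (score, required, {rule: points}) from a SpamCheck header value."""
    m_score = re.search(r"score=(-?\d+(?:\.\d+)?)", value)
    m_req = re.search(r"required (-?\d+(?:\.\d+)?)", value)
    if not (m_score and m_req):
        raise ValueError("not a SpamAssassin SpamCheck value")
    rules = {name: float(pts) for name, pts in RULE_RE.findall(value)}
    return float(m_score.group(1)), float(m_req.group(1)), rules


def analyse(value):
    """Summarise what Bayes contributed and whether checksum rules fired."""
    score, required, rules = parse_spamcheck(value)
    bayes = sum(p for n, p in rules.items() if n.startswith("BAYES_"))
    without_bayes = round(score - bayes, 3)
    return {
        "score": score,
        "required": required,
        "bayes_points": bayes,
        "score_without_bayes": without_bayes,
        "spam_without_bayes": without_bayes >= required,
        "checksum_hits": sorted(n for n in rules if n.startswith(CHECKSUM_PREFIXES)),
        "most_negative_rule": min(rules, key=rules.get) if rules else None,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyse(sample))
```

For these three messages BAYES_00 is the largest negative contribution each time, and no DCC, Razor2 or Pyzor rule appears among the hits. With the Bayes points removed the scores are 0.805, -0.097 and 0.805 against a threshold of 5.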
