I have a server with postfix, amavis and spamassassin.
In the spamassassin local.cf file, I changed the default header subject marker for spam from *****SPAM****** to [SPAM] because it is more compact.
I have noticed that some mails have two [SPAM] in their subject. These mails were marked once as spam, and the mail gets a prefix added telling that the mail is considered spam, and this mail is also tagged as spam.
Here is the content of such mail with server names and email address replaced with ~~~~~.
Apparently spamassassin is sending this mail and it filters it again. How could this be avoided?
Received: from localhost by ~~~~~
with SpamAssassin (version 3.4.2);
Tue, 10 Nov 2020 02:48:05 +0100
From: "Hansen Yang" <shibinjiu@126.com>
To: ~~~~~
Subject: [SPAM] [SPAM]Re: BK7, Sapphire, Fused Silica, Borosilicate Lens Supplier
Date: 10 Nov 2020 09:47:43 +0800
Message-Id: <20201110014803.1F3BE46C0DDE@~~~~~>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on ~~~~~
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.3 required=5.0 tests=BAYES_60,DEAR_FRIEND,
FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,
HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,
SPOOFED_FREEM_REPTO,URIBL_BLOCKED autolearn=no autolearn_force=no
version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5FA9F155.89B4A390"
This is a multi-part message in MIME format.
------------=_5FA9F155.89B4A390
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "~~~~~",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Dear Friendï¼› This is Hansen from Newdistrict Optics Co.,Limited.
I am professional Customized Optics manufacturer: 1)Lens plano-convex,plano-concave,bi-convex,bi-concave,doubletlens.
2)Window,mirror Planowinows,Squarewindows,Wedgewindow,IRfilter,UVfilter.
3)Cylindr [...]
Content analysis details: (9.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: yeah.net]
0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
mail domains are different
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
provider (shibinjiu[at]126.com)
2.6 DEAR_FRIEND BODY: Dear Friend? That's not very dear!
1.5 BAYES_60 BODY: Bayes spam probability is 60 to 80%
[score: 0.7688]
0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and
EnvelopeFrom freemail headers are
different
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain
different freemails
2.5 SPOOFED_FREEM_REPTO Forged freemail sender with freemail
reply-to
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_5FA9F155.89B4A390
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path: <sonuimr@axls.com>
X-Original-To: ~~~~~
Delivered-To: ~~~~~
Received: from localhost (localhost [127.0.0.1])
by ~~~~~ (Postfix) with ESMTP id 1F3BE46C0DDE
for <~~~~~>; Tue, 10 Nov 2020 02:48:03 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at ~~~~~
X-Spam-Flag: YES
X-Spam-Score: 5.376
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.376 tagged_above=-99 required=5
tests=[ALL_TRUSTED=-1, DEAR_FRIEND=2.604,
FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001,
FREEMAIL_REPLYTO=1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, MISSING_MID=0.14,
RDNS_NONE=1.274, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ~~~~~ ([127.0.0.1])
by localhost (~~~~~ [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 1_MKDXS7gYRM for <meessen@smtp.meessen.net>;
Tue, 10 Nov 2020 02:48:00 +0100 (CET)
Received: from axls.com (unknown [180.104.175.97])
by ~~~~~ (Postfix) with ESMTP id F2E7B46C0DD4
for <~~~~~>; Tue, 10 Nov 2020 02:47:59 +0100 (CET)
Received: from vps9733 ([127.0.0.1]) by localhost via TCP with ESMTPA; Tue, 10 Nov 2020 09:47:43 +0800
MIME-Version: 1.0
From: "Hansen Yang" <shibinjiu@126.com>
Sender: "Hansen Yang" <sonuimr@axls.com>
To: ~~~~~
Reply-To: "Hansen Yang" <shibinjiu@126.com>
Date: 10 Nov 2020 09:47:43 +0800
Subject: [SPAM]Re: BK7, Sapphire, Fused Silica, Borosilicate Lens Supplier
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Message-Id: <20201110014803.1F3BE46C0DDE@~~~~~>
------------=_5FA9F155.89B4A390--
EDIT 1: Apparently, one [SPAM] is added by spamassassin and the other by amavis. They are apparently interfering.
EDIT 2: After further investigation, it seems that amavis is processing the incoming mail before spamassassin. When the incoming mail has the X-Spam-Flag: YES with the appropriate score, amavis adds the spam tag to the subject line.
Then the mail is apparently passed to spamassassin, which will add its own X-Spam header fields and will add the spam tag in front of the subject line when the mail is considered spam.
So the reason amavis puts its spam tag is because it reacts to the X-Spam headers of the incoming mail. Weird, because it should react based on the header fields put by spamassassin. Is it a feature of amavis or a misconfiguration?
At least it shows that disabling the adding of the spam tag in amavis should fix the problem.
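
As an added example, not part of the original post: a small diagnostic that unwraps a SpamAssassin report mail like the one above and reports, for the wrapper and for the attached original, how many times the subject tag appears and which filter left its headers at that level. The sample message is constructed, and `mx.example.org` and the addresses are placeholders.

```python
import email
from email import policy

TAG = "[SPAM]"  # subject marker configured on the page

# Constructed sample shaped like the mail on the page (host names are placeholders).
SAMPLE = """\
From: "Sender" <sender@example.com>
Subject: [SPAM] [SPAM]Re: Lens Supplier
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mx.example.org
X-Spam-Flag: YES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Spam detection software has identified this incoming email as possible spam.

--b1
Content-Type: message/rfc822; x-spam-type=original

X-Virus-Scanned: Debian amavisd-new at mx.example.org
X-Spam-Flag: YES
From: "Sender" <sender@example.com>
Subject: [SPAM]Re: Lens Supplier

body
--b1--
"""

def stamps(msg):
    """Name the filters whose headers are present at this level of the message."""
    marks = {"amavisd-new": "X-Virus-Scanned", "SpamAssassin": "X-Spam-Checker-Version"}
    return [name for name, hdr in marks.items() if name in (msg.get(hdr) or "")]

def analyze(raw):
    """Return (subject tag count, filter stamps) for the wrapper and for the original."""
    outer = email.message_from_string(raw, policy=policy.default)
    layers = [("wrapper", outer)]
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            # The attached original is the single payload of the rfc822 part.
            layers.append(("original", part.get_payload(0)))
            break
    return {name: (str(m["Subject"]).count(TAG), stamps(m)) for name, m in layers}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A tag count that grows by one between the original and the wrapper, with a different filter stamp on each layer, shows that each filter added its own tag in a separate pass.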