1

I'm having issues with SpamAssassin; it's assigning emails scores that are way lower than it should. In addition, the scores it's assigning as emails come in are different from the results of running spamassassin -t on that same email after the fact. For example, here's a spam email's score report taken from the headers of the email in my email client:

Content analysis details:   (1.3 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                             [URIs: goatkoo.us]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  0.0 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                             background
  1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
  0.0 T_REMOTE_IMAGE         Message contains an external image

Meanwhile, the results of spamassassin -t:

Content analysis details:   (4.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                            for more information.
                            [URIs: wilsonbiggs.com]
 1.9 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: goatkoo.us]
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?185.73.200.38>]
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 T_REMOTE_IMAGE         Message contains an external image

I have no custom rules set. I have exim4 and courier, and use ajenti-v as a control panel; in ajenti-v, I have the following configuration set up for exim4:

Custom configuration:

SMTP_PORT == 25:587
LOCAL_INTERFACES == <; 0.0.0.0.25 ; 0.0.0.0.587 ; 0.0.0.0.465 ; [::0]:25 ; [::0]:587 ; [::0]:465
smtp_accept_max = 50

spamd_address = 127.0.0.1 783
ACL_SMTP_DATA == acl_custom_check_data
USE = "exiscan"

Custom ACLs:

acl_custom_check_data:

  deny
    message = Message headers fail syntax check
    !verify = header_syntax

  warn spam = nobody:true
    add_header = X-Spam-Score: $spam_score ($spam_bar)
    add_header = X-Spam-Report: $spam_report

  warn spam = nobody
    remove_header = Subject
    add_header = Subject: ***SPAM (score: $spam_score)*** $rh_Subject:

  warn message = Content Policy Restriction: Mails to undisclosed recipients are not permitted
    condition = ${if eq{$h_TO:}{undisclosed-recipients:;} {true}{false}}

  accept

Custom routers:

maildir_spam:
  driver    = accept
  transport = maildir_spam_delivery
  condition = ${if def:h_X-Spam_score: {true}}

Custom transports:

maildir_spam_delivery:
  driver = appendfile
  maildir_format = true
  directory = /var/vmail/$domain/$local_part/.Spam
  user = mail
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0600

Because of these issues, I've been getting 120+ spam messages a day. Thanks everyone for the help!

W Biggs
  • 111
  • 3
  • How long "after the fact"? The difference between the two tests is in SURBL and Spamcop. Blacklisting may have happened after the message has been received and before you repeated the test manually. – Rodolfo Saccani Sep 25 '17 at 19:14

1 Answer

0

As Rodolfo Saccani commented, those IPs can be listed after you received the message, so that will make that difference.

Looking at the warning you're receiving on the first score, it seems you're having problems with DNS resolution to check RBLs. On the first headers SpamAssassin didn't assign any score due to RBLs, but on the second one you got some points because that mail came from an RBL-listed IP address.

Edit/create the file custom.cf in your SpamAssassin config folder (usually /etc/mail/spamassassin or similar) and add this:

dns_server 8.8.8.8
dns_server 8.8.4.4
dns_server 1.1.1.1

or the DNS servers you prefer. If your problem is due to SpamAssassin's DNS resolution, those lines will help you. Remember to restart the spamd daemon.

NetVicious
  • 462
  • 5
  • 17
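
Added example, not part of the original question or answer: a small Python parser for the "Content analysis details" report format shown in the question. It lists the rules that fired in only one of two reports and any *_BLOCKED administrator notices, which is the comparison the comment and the answer make by eye. The two sample reports are constructed (shortened from the ones in the question), and the function names are hypothetical.

```python
import re

# A rule row: score, rule name, description. Header, separator and wrapped
# continuation lines ("See", "[URIs: ...]") do not match and are skipped.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

# Constructed samples, shortened from the two reports in the question.
DELIVERY_REPORT = """\
Content analysis details:   (1.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- ----------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            [URIs: goatkoo.us]
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
"""
RETEST_REPORT = """\
Content analysis details:   (4.5 points, 5.0 required)

 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            [URIs: wilsonbiggs.com]
 1.9 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: goatkoo.us]
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
"""

def parse_report(text):
    """Return {rule_name: score} for every rule row in a report."""
    return {m.group(2): float(m.group(1))
            for m in map(RULE_RE.match, text.splitlines()) if m}

def compare(at_delivery, retest):
    """Show which rules account for the difference between two reports."""
    a, b = parse_report(at_delivery), parse_report(retest)
    only_retest = {r: s for r, s in b.items() if r not in a}
    only_delivery = {r: s for r, s in a.items() if r not in b}
    return {
        "only_in_retest": only_retest,
        "only_at_delivery": only_delivery,
        # Displayed scores are rounded, so this can be 0.1 off the header totals.
        "points_from_new_rules": round(
            sum(only_retest.values()) - sum(only_delivery.values()), 1),
        # Lookups that returned an administrator notice instead of a result.
        "blocked_lookups": sorted(r for r in set(a) | set(b)
                                  if r.endswith("_BLOCKED")),
    }

if __name__ == "__main__":
    for key, value in compare(DELIVERY_REPORT, RETEST_REPORT).items():
        print(f"{key}: {value}")
```

On these samples the gap comes entirely from the two blocklist rules that appear only in the retest, while URIBL_BLOCKED is present in both reports.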