
Centos7 Postfix 3.2.2 Amavisd 2.11.0 spamassassin-3.4.0

I have a logwatch output that gets mailed to me daily. Spamassassin is scoring it high enough to exceed my threshold for whacking it as spam.

While this is not good, I'm concerned I have something fundamental misconfigured where it would flag anything internal at all. Bayes is not being used yet (tokens <200). What is the proper way to allow messages from the server itself to not get flagged by SA?

In local.cf I have the server's IP address (y.y.y.y) in my lists of trusted and internal as so:

```
trusted_networks xx.xx.xx.xx
trusted_networks y.y.y.y
trusted_networks z.z.z.z

internal_networks xx.xx.xx.xx
internal_networks y.y.y.y
internal_networks z.z.z.z
```

I don't see that that made any difference. Shouldn't it have?

Header of intercepted message:

```
From MAILER-DAEMON  Sun Aug  6 04:02:19 2017
Return-Path: <>
X-Original-To: spam@myserver.com
Delivered-To: spam@myserver.com
X-Envelope-From: <root@mail2.myserver.com>
X-Envelope-To: <root@mail2.myserver.com>
X-Envelope-To-Blocked: <root@mail2.myserver.com>
X-Quarantine-ID: <oadqecN-93HM>
X-Spam-Flag: YES
X-Spam-Score: 7.332
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.332 tag=-9999 tag2=5 kill=6.4
    tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
    URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
    URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
To: root@mail2.myserver.com
From: logwatch@mail2.myserver.com
Subject: Logwatch for mail2.myserver.com (Linux)
Auto-Submitted: auto-generated
Precedence: bulk
Content-Type: text/plain; charset="iso-8859-1"
Date: Sun,  6 Aug 2017 04:02:03 -0500 (CDT)
```

shorton
  • There is no `Received` header in the shown mail. Are you sure the mail is handled by postfix, what does its log say? – sebix Aug 06 '17 at 20:14
  • Positive it's handled by postfix. I may have found the problem though. I did not have the server's IP address in the equivalent trusted network setting for amavisd. I've fixed that, will see if the logwatch email flows tomorrow. Amavis is also handling the headers I figured out. Bypassing or overriding SpamAssassin's settings. I've got received turned on now. – shorton Aug 07 '17 at 01:01
  • You'll know your networks are properly configured when you see `ALL_TRUSTED` in the rule hits. That rule has a negative score, but it likely isn't enough to overcome all of those URI DNSBL hits. – Adam Katz Aug 29 '17 at 19:07

1 Answer


If you take a look at this part of email headers:

```
X-Spam-Status: Yes, score=7.332 tag=-9999 tag2=5 kill=6.4
    tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
    URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
    URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
```

you will find that you got ~1.9 from URIBL_ABUSE_SURBL, 1.7 from URIBL_BLACK and 2.5 from URIBL_DBL_SPAM (...). That means: spamassassin found URIs in your message that are reported to be abusive or malicious. Different tests filled up your spam score.

You should carefully examine content of your logwatch messages in order to find out what it may be. That would be the 1st thing I recommend, for many reasons.

Regarding the

> What is the proper way to allow messages from the server itself to not get flagged by SA?

part of your question, you have two options:

  1. not to check outbound email traffic at all - that highly depends on your Postfix configuration, to be more specific, the way email is passed to the spamc binary

  2. use spamassassin whitelist options

Miloš Đakonović
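
As an added example (not part of the original answer, and not code from SpamAssassin or amavisd), this Python script parses the `X-Spam-Status` header from the question and shows how much of the score comes from the `URIBL_*` rules and whether `ALL_TRUSTED` or `NO_RELAYS` fired. The function name `analyse_spam_status` is hypothetical, the sample is constructed from the headers quoted in the question, and treating `score >= kill` as the quarantine cutoff is an assumption.

```python
import re
from email import message_from_string

# Constructed sample: the spam headers quoted in the question plus a dummy body.
SAMPLE = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.332 tag=-9999 tag2=5 kill=6.4
    tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
    URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
    URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Subject: Logwatch for mail2.myserver.com (Linux)

(body omitted)
"""

NUM = r"(-?\d+(?:\.\d+)?)"

def analyse_spam_status(raw_message):
    """Split X-Spam-Status into thresholds and per-rule scores (hypothetical helper)."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        raise ValueError("no X-Spam-Status header")
    value = " ".join(value.split())  # unfold the continuation lines
    m = re.search(r"tests=\[(.*?)\]", value)
    if m is None:
        raise ValueError("no tests=[...] list")
    # score/tag/tag2/kill appear before the tests list
    levels = {k: float(v) for k, v in
              re.findall(r"\b(score|tag2?|kill)=" + NUM, value[:m.start()])}
    tests = {n: float(s) for n, s in re.findall(r"([A-Z0-9_]+)=" + NUM, m.group(1))}
    uri = {n: s for n, s in tests.items() if n.startswith("URIBL_")}
    uri_total = round(sum(uri.values()), 3)
    rest = round(levels["score"] - uri_total, 3)
    return {
        "score": levels["score"], "kill": levels["kill"],
        "uri_hits": sorted(uri, key=uri.get, reverse=True),
        "uri_total": uri_total,
        "score_without_uri": rest,
        "quarantined": levels["score"] >= levels["kill"],
        "quarantined_without_uri": rest >= levels["kill"],
        # ALL_TRUSTED only fires when SA sees relays and all are trusted;
        # NO_RELAYS means it saw no Received headers at all.
        "all_trusted": "ALL_TRUSTED" in tests,
        "no_relays": "NO_RELAYS" in tests,
    }

if __name__ == "__main__":
    for key, val in analyse_spam_status(SAMPLE).items():
        print(f"{key}: {val}")
```

On this sample the URI blocklist rules account for the whole score, and `NO_RELAYS` without `ALL_TRUSTED` shows that SpamAssassin had no `Received` headers to match against `trusted_networks`.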