From mmgomess at gmail.com Tue Jul 7 18:11:41 2020
From: mmgomess at gmail.com (Marcelo Machado)
Date: Tue, 7 Jul 2020 15:11:41 -0300
Subject: QP DOS
Message-ID:

Hello everybody.

My MailScanner is blocking emails and showing this report below.
Can anyone help me?

MailScanner: Suspected QP DOS
checks failed
could not read file

Marcelo Gomes

From shawniverson at summitgrid.com Wed Jul 8 09:47:53 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Wed, 8 Jul 2020 05:47:53 -0400
Subject: QP DOS
In-Reply-To:
References:
Message-ID:

This sounds like a permissions problem. Your MailScanner cannot read
the emails and is failing during the QP DOS check.

--
Shawn Iverson
shawniverson at summitgrid.com

From mmgomess at gmail.com Wed Jul 8 12:14:34 2020
From: mmgomess at gmail.com (Marcelo Machado)
Date: Wed, 8 Jul 2020 09:14:34 -0300
Subject: QP DOS
In-Reply-To:
References:
Message-ID:

Hi Shawn, thank you for your answer.

I forgot to say that this is only happening with read-receipt messages.

Marcelo

From shawniverson at summitgrid.com Wed Jul 8 12:16:32 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Wed, 8 Jul 2020 08:16:32 -0400
Subject: QP DOS
In-Reply-To:
References:
Message-ID: <017b900e-fe51-5adf-177d-a24bff88e7c9@summitgrid.com>

Any chance you can get your hands on the message source for one of
these read receipts (minus identifying information)?

--
Shawn Iverson
shawniverson at summitgrid.com

From ricky.boone at gmail.com Tue Jul 21 17:08:59 2020
From: ricky.boone at gmail.com (Ricky Boone)
Date: Tue, 21 Jul 2020 13:08:59 -0400
Subject: Spam-Virus Header and SpamAssassin custom rules
Message-ID:

This may be a simple question, but wanted to run it by the mailing list.

Some virus signatures that can be classified as spam and phishing
sometimes have different reliability rates (lots of false positives on
some, fewer on others). Rather than just having a SpamAssassin rule
(currently MS_FOUND_SPAMVIRUS) that looks for the existence of the
X-foo-MailScanner-SpamVirus-Report header, I'm thinking some rules can
be set up to look for different patterns in the value of this header
and score accordingly.

I've been looking at some of the code related to how this header is
generated. Unfortunately I don't know the best way to test this
(outside of a test system, uncommenting out lines that will likely dump
to STDERR, etc.). I'm not sure if the
X-foo-MailScanner-SpamVirus-Report header contains something similar to
what MailScanner logs:

Jul 21 02:50:06 mailscanner1 clamd[11617]: /var/spool/MailScanner/incoming/11566/E609120168F6.A21E7.message: Heuristics.Phishing.Email.SpoofedDomain FOUND
Jul 21 02:50:06 mailscanner1 MailScanner[11566]: Clamd::INFECTED::Heuristics.Phishing.Email.SpoofedDomain :: ./E609120168F6.A21E7/
Jul 21 02:50:06 mailscanner1 MailScanner[11566]: Found spam based virus Heuristics.Phishing.Email.SpoofedDomain in E609120168F6.A21E7

...Or if it is formatted a different way (which might impact how the
rule's regex is defined).

Does anyone have a sample of what the generated
X-foo-MailScanner-SpamVirus-Report header would look like when
SpamAssassin processes it, or a safe way to capture what it should look
like on a running system?

From miron at plus.hr Wed Jul 22 16:08:43 2020
From: miron at plus.hr (Miron Jajtić)
Date: Wed, 22 Jul 2020 18:08:43 +0200
Subject: Bayes issue
Message-ID: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>

Hello to everyone!

I'm trying to solve an issue with Bayesian filtering.

For some reason one message is constantly marked as spam due to this:

==================================
Spam Report:
Score    Matching Rule    Description
15.00    BAYES_99     Bayes spam probability is 99 to 100%
15.00    BAYES_999    Bayes spam probability is 99.9 to 100%
==================================

No matter whether I disable or enable bayes inside of
/etc/MailScanner/spamassassin.conf or change the bump score to
negative, etc.

==================================
[root at smtp MailScanner]# grep -i bayes /etc/MailScanner/spamassassin.conf

# =============== Bayesian Filtering ===============
# By default, the Bayesian engine is used. This is a real CPU hog
# use_bayes 0
use_bayes 1
bayes_auto_expire 1
bayes_store_module              Mail::SpamAssassin::BayesStore::Redis
bayes_sql_dsn                   server=xx.xx.xx.xx:6379;database=0
bayes_token_ttl 21d
bayes_seen_ttl   12d
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam    -2.0
bayes_auto_learn_threshold_spam       5.0
# Bump up SA score if it matches something in Bayes
score BAYES_00 -5.0
score BAYES_05 -1.5
score BAYES_50 1.5
score BAYES_60 2.0
score BAYES_80 6.0
score BAYES_95 9.0
#score BAYES_99 0
#score BAYES_999 0
==================================

What's interesting is that when I test the same message directly with
Spamassassin, using the above config file, the bayes rules are not
activated.

After two days of debugging, I'm out of ideas where to check why this
message is marked with 30 spam points when it is processed via
MailScanner.

I would be really grateful if someone can point me in the right
direction how to resolve this issue.

==============
MailWatch: 1.2.15
OS: CentOS 7
MailScanner: 5.3.3
SpamAssassin: 3.4.4
==============

Best regards,
Miron

From thom at vdb.nl Thu Jul 23 08:39:57 2020
From: thom at vdb.nl (Thom van der Boon)
Date: Thu, 23 Jul 2020 10:39:57 +0200 (CEST)
Subject: mails with valid SPF sender don't get marked SPF_PASS
Message-ID: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl>

Hi guys,

I have something weird. Most mails with a valid SPF record are marked
correctly (SPF_FAIL or SPF_PASS), but I see some messages which should
be marked as SPF_PASS get no SPF_PASS

Anonymised example:

Return-Path:
Received: from out1-36.antispamcloud.com (out1-36.antispamcloud.com [185.201.16.36])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.vdb.eu (Postfix) with ESMTPS id 16EA01403EA
    for ; Thu, 23 Jul 2020 09:43:03 +0200 (CEST)
Received: from [xx.xx.xx.xx] (helo=mail.somedomain.com)
    by mx41.antispamcloud.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-SHA384:256)
    (Exim 4.92)
    (envelope-from )
    id 1jyVsb-0001hb-Fv
    for thom at vdb.nl; Thu, 23 Jul 2020 09:43:02 +0200
Content-Type: multipart/related;
    boundary="_2c714b49-0f22-469c-ac6b-a16d0bccfe6b_"
Received: from someinternalserver (10.14.1.110) by
    internalserver.somedomain.com (10.14.1.100) with Microsoft SMTP Server id
    14.3.487.0; Thu, 23 Jul 2020 09:38:57 +0200
MIME-Version: 1.0
Date: Thu, 23 Jul 2020 09:38:57 +0200
To:
From: Some User
Reply-To: < some.user at somedomain.com >
Subject: Some subject
(...)
X-Report-Abuse-To: spam at quarantine10.antispamcloud.com
X-vdbeu-MailScanner-Information: Please contact the ISP for more information
X-vdbeu-MailScanner-ID: 16EA01403EA.A1841
X-vdbeu-MailScanner: Found to be clean
X-vdbeu-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
    score=-1.786, required 5, BAYES_00 -1.90, HTML_MESSAGE 0.00,
    KAM_DMARC_STATUS 0.01, MIME_HTML_ONLY 0.10, RCVD_IN_DNSWL_NONE -0.00,
    RCVD_IN_MSPIKE_H4 0.00, RCVD_IN_MSPIKE_WL 0.00, SPF_HELO_NONE 0.00)
X-vdbeu-MailScanner-From: some.user at somedomain.com

SPF record for the sender's domain:

v=spf1 a mx ip4:y.y.y.y ip4:y.y.y.y ip4:y.y.y.y ip4:xx.xx.xx.xx include:spf.antispamcloud.com include:spf.protection.outlook.com include:include.com include:some.otherinclude.com ~all

The host my server (mail.vdb.eu) receives the mail from
( out1-36.antispamcloud.com ) is a valid sender.

When I run the headers of the mail via the "Header analyse" tool at
mxtoolbox.com it says "SPF Authenticated" (see attached image)

Versions:
MailScanner: 5.3.3
Postfix: 3.3.0
Mail::SPF v2.009

Any clues where to dig deeper?

Met vriendelijke groet, Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mxtoolbox result.jpg
Type: image/jpeg
Size: 120825 bytes
Desc: not available
URL:

From mark at msapiro.net Thu Jul 23 20:38:17 2020
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 23 Jul 2020 13:38:17 -0700
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl>
Message-ID: <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net>

On 7/23/20 1:39 AM, Thom van der Boon wrote:
> Hi guys,
>
> I have something weird. Most mails with a valid SPF record are marked
> correctly (SPF_FAIL or SPF_PASS), but I see some messages which should
> be marked as SPF_PASS get no SPF_PASS

Assuming you are talking about the SPF_PASS rule in the SpamAssassin
report in the X-vdbeu-MailScanner-SpamCheck: header, this is a
SpamAssassin question, not a MailScanner question per se. You might do
better on a SpamAssassin list. See .

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From shawniverson at summitgrid.com Thu Jul 23 20:42:01 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Thu, 23 Jul 2020 16:42:01 -0400
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net>
Message-ID:

I would add just to verify that your /etc/mailscanner/spamassassin.conf
is properly symlinked to your spamassassin config directory, but yes,
if that isn't the problem, appears to be a spamassassin question.

--
Shawn Iverson
shawniverson at summitgrid.com

From shawniverson at summitgrid.com Thu Jul 23 20:42:57 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Thu, 23 Jul 2020 16:42:57 -0400
Subject: Bayes issue
In-Reply-To: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>
Message-ID:

Verify that your /etc/mailscanner/spamassassin.conf is properly
symlinked to your spamassassin config directory.

--
Shawn Iverson
shawniverson at summitgrid.com

From miron at plus.hr Thu Jul 23 20:54:18 2020
From: miron at plus.hr (Miron Jajtić)
Date: Thu, 23 Jul 2020 22:54:18 +0200
Subject: Bayes issue
In-Reply-To:
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>
Message-ID: <1b8ad4aa-0817-8051-c1f2-808ff6646436@plus.hr>

It's symlinked like this:

===========================
[root at smtp ~]# stat /etc/mail/spamassassin/MailScanner.cf
  File: ‘/etc/mail/spamassassin/MailScanner.cf’ -> ‘/etc/MailScanner/spamassassin.conf’
  Size: 34            Blocks: 0          IO Block: 4096   symbolic link
Device: fd00h/64768d    Inode: 1704809     Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-07-21 21:45:40.558652022 +0200
Modify: 2020-07-21 21:45:40.558652022 +0200
Change: 2020-07-21 21:45:40.558652022 +0200
 Birth: -

[root at smtp ~]# stat /etc/MailScanner/spamassassin.conf
  File: ‘/etc/MailScanner/spamassassin.conf’
  Size: 14619         Blocks: 32         IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 1704870     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-07-22 00:46:38.602638839 +0200
Modify: 2020-07-22 00:46:38.602638839 +0200
Change: 2020-07-22 00:46:38.611638569 +0200
 Birth: -
===========================

Is this somehow wrong?

Best regards,
Miron

From shawniverson at summitgrid.com Thu Jul 23 20:55:48 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Thu, 23 Jul 2020 16:55:48 -0400
Subject: Bayes issue
In-Reply-To: <1b8ad4aa-0817-8051-c1f2-808ff6646436@plus.hr>
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr> <1b8ad4aa-0817-8051-c1f2-808ff6646436@plus.hr>
Message-ID:

That looks correct.

--
Shawn Iverson
shawniverson at summitgrid.com

From mark at msapiro.net Fri Jul 24 00:18:04 2020
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 23 Jul 2020 17:18:04 -0700
Subject: Bayes issue
In-Reply-To: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>
Message-ID:

Miron Jajtić wrote:

> No matter whether I disable or enable bayes inside of
> /etc/MailScanner/spamassassin.conf or change the bump score to
> negative, etc.

Did you restart spamassassin or whatever the spamd service is called on
your server after making changes? Restarting MailScanner won't do it.

> What's interesting is that when I test the same message directly with
> Spamassassin, using the above config file, the bayes rules are not
> activated.

And how do you test 'directly' with Spamassassin? If you use the
`spamassassin` command, that will read your config files, but if
MailScanner is using spamd, it is still using old files until you
restart/reload spamd.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From thom at vdb.nl Fri Jul 24 07:02:31 2020
From: thom at vdb.nl (Thom van der Boon)
Date: Fri, 24 Jul 2020 09:02:31 +0200 (CEST)
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net>
Message-ID: <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl>

Mark,

It is a MailScanner issue (I think)

When I run the message through SA directly by the following command:

spamassassin -t -p /etc/MailScanner/spam.assassin.prefs.conf < message.txt

I get a SPF_PASS

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [185.201.16.36 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                             no trust
                            [185.201.16.36 listed in list.dnswl.org]
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                            Alignment

but as stated before; the "live" message that went through my
mailscanner

X-vdbeu-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
    score=-1.786, required 5, BAYES_00 -1.90, HTML_MESSAGE 0.00,
    KAM_DMARC_STATUS 0.01, MIME_HTML_ONLY 0.10, RCVD_IN_DNSWL_NONE -0.00,
    RCVD_IN_MSPIKE_H4 0.00, RCVD_IN_MSPIKE_WL 0.00, SPF_HELO_NONE 0.00)

So, I don't get it

MailScanner --link reports nothing weird

Met vriendelijke groet, Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

From thom at vdb.nl Fri Jul 24 07:05:33 2020
From: thom at vdb.nl (Thom van der Boon)
Date: Fri, 24 Jul 2020 09:05:33 +0200 (CEST)
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net> <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl>
Message-ID: <500646033.174787.1595574333207.JavaMail.zimbra@vdb.nl>

>> MailScanner --link reports nothing weird

MailScanner --lint reports nothing weird :)

Met vriendelijke groet, Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

From thom at vdb.nl Fri Jul 24 08:09:00 2020
From: thom at vdb.nl (Thom van der Boon)
Date: Fri, 24 Jul 2020 10:09:00 +0200 (CEST)
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To:
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net>
Message-ID: <2100871616.175152.1595578140220.JavaMail.zimbra@vdb.nl>

Symlink is OK

Met vriendelijke groet, Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

From: "MailScanner Discussion"
To: "MailScanner Discussion"
Cc: "Shawn Iverson"
Sent: Thursday 23 July 2020 22:42:01
Subject: Re: mails with valid SPF sender don't get marked SPF_PASS

> I would add just to verify that your /etc/mailscanner/spamassassin.conf
> is properly symlinked to your spamassassin config directory, but yes,
> if that isn't the problem, appears to be a spamassassin question.
>
> On 7/23/20 4:38 PM, Mark Sapiro wrote:
>> On 7/23/20 1:39 AM, Thom van der Boon wrote:
>>> Hi guys,
>>>
>>> I have something weird. Most mails with a valid SPF record are marked
>>> correctly (SPF_FAIL or SPF_PASS), but I see some messages which should
>>> be marked as SPF_PASS get no SPF_PASS
>>
>> Assuming you are talking about the SPF_PASS rule in the SpamAssassin
>> report in the X-vdbeu-MailScanner-SpamCheck: header, this is a
>> SpamAssassin question, not a MailScanner question per se. You might do
>> better on a SpamAssassin list. See
>> <https://cwiki.apache.org/confluence/display/SPAMASSASSIN/MailingLists>.
>
> --
> Shawn Iverson
> shawniverson at summitgrid.com
From shawniverson at summitgrid.com Fri Jul 24 11:24:23 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Fri, 24 Jul 2020 07:24:23 -0400
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net> <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl>
Message-ID:

What version of MailScanner do you have?

And out of curiosity, do you have the following both present?

/etc/MailScanner/spam.assassin.prefs.conf

/etc/MailScanner/spamassassin.conf

On 7/24/20 3:02 AM, Thom van der Boon wrote:
> Mark,
>
> It is a MailScanner issue (I think)
>
> When I run the message through SA directly by the following command:
>
> spamassassin -t -p /etc/MailScanner/spam.assassin.prefs.conf < message.txt
>
> I get a SPF_PASS
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
>                             [185.201.16.36 listed in wl.mailspike.net]
> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
>                              no trust
>                             [185.201.16.36 listed in list.dnswl.org]
> -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
>                             [score: 0.0000]
>  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
>  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
>                             Alignment
>
> but as stated before; the "live" message that went through my mailscanner
>
> X-vdbeu-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=-1.786, required 5, BAYES_00 -1.90, HTML_MESSAGE 0.00,
> KAM_DMARC_STATUS 0.01, MIME_HTML_ONLY 0.10, RCVD_IN_DNSWL_NONE -0.00,
> RCVD_IN_MSPIKE_H4 0.00, RCVD_IN_MSPIKE_WL 0.00, SPF_HELO_NONE 0.00)
>
> So, I don't get it
>
> MailScanner --link reports nothing weird
>
> Best regards,
>
> Thom van der Boon
> E-Mail: thom at vdb.nl

-- 
Shawn Iverson
shawniverson at summitgrid.com

From thom at vdb.nl Fri Jul 24 11:32:29 2020
From: thom at vdb.nl (Thom van der Boon)
Date: Fri, 24 Jul 2020 13:32:29 +0200 (CEST)
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To:
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net> <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl>
Message-ID: <1867990721.179360.1595590349645.JavaMail.zimbra@vdb.nl>

MailScanner 5.3.3

root at mail:/etc/MailScanner# ls -l
total 888
(...)
-rw-r--r-- 1 root root 11404 Apr 30  2019 spamassassin.conf
-rw-r--r-- 1 root root  1870 Jul 24 08:48 spam.assassin.prefs.conf
(...)

Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

From shawniverson at summitgrid.com Fri Jul 24 11:33:33 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Fri, 24 Jul 2020 07:33:33 -0400
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <1867990721.179360.1595590349645.JavaMail.zimbra@vdb.nl>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net> <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl> <1867990721.179360.1595590349645.JavaMail.zimbra@vdb.nl>
Message-ID: <81496ce9-3deb-f54d-96d4-12e9eefcfe78@summitgrid.com>

You need to merge those two into just spamassassin.conf and ditch
spam.assassin.prefs.conf.

-- 
Shawn Iverson
shawniverson at summitgrid.com

From thom at vdb.nl Sat Jul 25 19:04:29 2020
From: thom at vdb.nl (Thom van der Boon)
Date: Sat, 25 Jul 2020 21:04:29 +0200 (CEST)
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <81496ce9-3deb-f54d-96d4-12e9eefcfe78@summitgrid.com>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net> <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl> <1867990721.179360.1595590349645.JavaMail.zimbra@vdb.nl> <81496ce9-3deb-f54d-96d4-12e9eefcfe78@summitgrid.com>
Message-ID: <1871858499.182471.1595703869766.JavaMail.zimbra@vdb.nl>

Hi guys,

After digging much, much deeper..... the problem was caused by a DNS timeout.

The weird thing was that running spamassassin with no config file I got a SPF_PASS, but with "envelope_sender_header" set to something in the configuration file I got a DNS timeout.

The solution was to install a local DNS caching server on the mailserver.

I would suggest that installing a local DNS caching server is included in the instructions on how to install MailScanner.

Thanks

Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

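The comparison made by hand in this thread (rules in the direct `spamassassin -t` report against rules in the live MailScanner SpamCheck header), as an added example that is not part of the original messages. The two inputs are copied from the thread; the function names, the `NETWORK_PREFIXES` list of DNS-dependent rule prefixes, and the reading of the header's first item as a cache flag are assumptions made for this example.

```python
"""Diff the rules hit by `spamassassin -t` against a MailScanner SpamCheck header."""
import re

# Direct run, as posted in the thread (spamassassin -t report table).
SA_REPORT = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [185.201.16.36 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                             no trust
                            [185.201.16.36 listed in list.dnswl.org]
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                            Alignment
"""

# Live run, as posted in the thread (header written by MailScanner, folded).
MS_HEADER = """\
X-vdbeu-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
 score=-1.786, required 5, BAYES_00 -1.90, HTML_MESSAGE 0.00,
 KAM_DMARC_STATUS 0.01, MIME_HTML_ONLY 0.10, RCVD_IN_DNSWL_NONE -0.00,
 RCVD_IN_MSPIKE_H4 0.00, RCVD_IN_MSPIKE_WL 0.00, SPF_HELO_NONE 0.00)
"""

# Assumption for this example: rule-name prefixes whose tests need DNS lookups
# (SPF, DNS allow/block lists, URI block lists, DKIM). A heuristic, not a list
# taken from SpamAssassin itself.
NETWORK_PREFIXES = ("SPF_", "RCVD_IN_", "URIBL_", "DKIM_")

# A table row is "<score> <RULE_NAME> <description>"; continuation lines of a
# description do not start with a number. Leading "> " quoting is tolerated.
REPORT_LINE = re.compile(
    r"^[> \t]*(-?\d+(?:\.\d+)?)[ \t]+([A-Z_][A-Za-z0-9_]*)(?:\s|$)", re.M)
# In the header each hit is "<RULE_NAME> <score with decimals>".
HEADER_RULE = re.compile(r"\b([A-Z_][A-Za-z0-9_]*) (-?\d+\.\d+)")


def parse_sa_report(report):
    """Return {rule: score} from a `spamassassin -t` report table."""
    return {name: float(pts) for pts, name in REPORT_LINE.findall(report)}


def parse_mailscanner_header(header):
    """Return the cache flag, total score and {rule: score} from the header."""
    flat = " ".join(header.split())  # undo header folding
    match = re.search(r"SpamAssassin \((.*)\)", flat)
    if not match:
        raise ValueError("no 'SpamAssassin (...)' section in header")
    content = match.group(1)
    total = re.search(r"score=(-?\d+(?:\.\d+)?)", content)
    return {
        # The thread's header starts with "not cached"; "cached" is assumed
        # to be its counterpart when a stored result was reused.
        "cached": content.split(",")[0].strip() == "cached",
        "score": float(total.group(1)) if total else None,
        "rules": {n: float(s) for n, s in HEADER_RULE.findall(content)},
    }


def is_network_rule(name):
    """True if the rule name looks DNS-dependent (prefix heuristic)."""
    return name.startswith(NETWORK_PREFIXES)


def compare(report, header):
    """List rules that fired in only one of the two runs."""
    direct = parse_sa_report(report)
    live = parse_mailscanner_header(header)
    missing = sorted(set(direct) - set(live["rules"]))
    extra = sorted(set(live["rules"]) - set(direct))
    return {
        "cached": live["cached"],
        "missing_live": missing,
        "extra_live": extra,
        # Missing DNS-dependent rules point at resolver problems (timeouts,
        # blocked queries) in the live scanning path rather than at rule config.
        "missing_network_rules": [r for r in missing if is_network_rule(r)],
    }


if __name__ == "__main__":
    result = compare(SA_REPORT, MS_HEADER)
    print("result served from cache:", result["cached"])
    print("hit directly but not live:", result["missing_live"])
    print("hit live but not directly:", result["extra_live"])
    print("missing DNS-dependent rules:", result["missing_network_rules"])
```
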
From mailscanner at replies.cyways.com Sat Jul 25 19:11:12 2020
From: mailscanner at replies.cyways.com (Peter Lemieux)
Date: Sat, 25 Jul 2020 15:11:12 -0400
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <1871858499.182471.1595703869766.JavaMail.zimbra@vdb.nl>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net> <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl> <1867990721.179360.1595590349645.JavaMail.zimbra@vdb.nl> <81496ce9-3deb-f54d-96d4-12e9eefcfe78@summitgrid.com> <1871858499.182471.1595703869766.JavaMail.zimbra@vdb.nl>
Message-ID: <10a519c5-1cfe-c162-9323-ae144e2858f4@cyways.com>

I run my own DNS servers, but requests to Google's DNS at 8.8.8.8 and
8.8.4.4 are answered in well under a second.

$ time host www.mailscanner.info
www.mailscanner.info is an alias for foo.mailborder.com.
foo.mailborder.com has address 52.2.4.15

real    0m0.123s
user    0m0.005s
sys     0m0.000s

Peter

On 7/25/20 3:04 PM, Thom van der Boon wrote:
> After digging much much more deeper..... the problem was caused by a DNS
> timeout

From thom at vdb.nl Sat Jul 25 19:44:27 2020
From: thom at vdb.nl (Thom van der Boon)
Date: Sat, 25 Jul 2020 21:44:27 +0200 (CEST)
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <10a519c5-1cfe-c162-9323-ae144e2858f4@cyways.com>
References: <244647655.166509.1595493597195.JavaMail.zimbra@vdb.nl> <9e320ee1-604f-1a51-70ad-ddc99007f1d4@msapiro.net> <116334144.174746.1595574151264.JavaMail.zimbra@vdb.nl> <1867990721.179360.1595590349645.JavaMail.zimbra@vdb.nl> <81496ce9-3deb-f54d-96d4-12e9eefcfe78@summitgrid.com> <1871858499.182471.1595703869766.JavaMail.zimbra@vdb.nl> <10a519c5-1cfe-c162-9323-ae144e2858f4@cyways.com>
Message-ID: <112977281.182780.1595706267795.JavaMail.zimbra@vdb.nl>

Peter,

I run my own DNS servers as well.
It looks like there is a problem in the spamassassin code when the "envelope_sender_header" is set in the configuration file. I will report it in the upcoming hours as a spamassassin bug in the spamassassin bugzilla.

Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl

From belle at bazuin.nl Mon Jul 27 06:47:48 2020
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 27 Jul 2020 08:47:48 +0200
Subject: mails with valid SPF sender don't get marked SPF_PASS
In-Reply-To: <112977281.182780.1595706267795.JavaMail.zimbra@vdb.nl>
References: <10a519c5-1cfe-c162-9323-ae144e2858f4@cyways.com>
Message-ID:

If you set up the caching DNS, you could add in resolv.conf

options timeout:2
options attempts:2
options edns0

And are TCP and UDP allowed on port 53?

Last, SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly.
If you have a strict firewall, these are probably blocked ..

Some things to check out.

Greetz,

Louis

From miron at plus.hr Mon Jul 27 08:21:43 2020
From: miron at plus.hr (Miron Jajtić)
Date: Mon, 27 Jul 2020 10:21:43 +0200
Subject: Bayes issue
In-Reply-To:
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>
Message-ID:

On 24. 07. 2020. 02:18, Mark Sapiro wrote:
> Miron Jajtić wrote:
>
>> No matter whether I disable or enable bayes inside of
>> /etc/MailScanner/spamassassin.conf or change bump score to negative, etc.
>
> Did you restart spamassassin or whatever the spamd service is called on
> your server after making changes? Restarting MailScanner won't do it.

Yes, restarted on every change, it's spamd service.

>> What's interesting is when I test the same message directly with
>> Spamassassin and using above config file, then bayes rules are not
>> activated.
> And how do you test 'directly' with Spamassassin? If you use the
> `spamassassin` command, that will read your config files, but if
> MailScanner is using spamd, it is still using old files until you
> restart/reload spamd.

Directly is tested using `spamassassin -t` command.

I've added this one sender on MailScanner whitelist, it's not helping at all.

https://prnt.sc/tp41lx

It's not even marked as whitelisted in report.

Miron

From mark at msapiro.net Mon Jul 27 23:47:29 2020
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 27 Jul 2020 16:47:29 -0700
Subject: Bayes issue
In-Reply-To:
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr>
Message-ID: <1d7d7e96-dea3-b21b-7240-bc73968a38f6@msapiro.net>

On 7/27/20 1:21 AM, Miron Jajtić wrote:
>
> Directly is tested using `spamassassin -t` command.

What happens if you test directly with `spamc` rather than with
`spamassassin`?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From miron at plus.hr Tue Jul 28 06:09:14 2020
From: miron at plus.hr (Miron Jajtić)
Date: Tue, 28 Jul 2020 08:09:14 +0200
Subject: Bayes issue
In-Reply-To: <1d7d7e96-dea3-b21b-7240-bc73968a38f6@msapiro.net>
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr> <1d7d7e96-dea3-b21b-7240-bc73968a38f6@msapiro.net>
Message-ID: <256b60e3-e570-f3b7-db96-8d443476c50b@plus.hr>

On 28. 07. 2020. at 01:47, Mark Sapiro wrote:
> On 7/27/20 1:21 AM, Miron Jajtić wrote:
>> Directly is tested using `spamassassin -t` command.
>
> What happens if you test directly with `spamc` rather than with
> `spamassassin`?

Content analysis details:   (1.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: xxxx.xx]
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 TVD_SPACE_RATIO        No description available.
 0.7 SUBJ_OBFU_PUNCT_FEW    Possible punctuation-obfuscated Subject: header
 1.2 SUBJ_OBFU_PUNCT_MANY   Punctuation-obfuscated Subject: header

-- 
Miron

From mark at msapiro.net Tue Jul 28 23:21:27 2020
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 28 Jul 2020 16:21:27 -0700
Subject: Bayes issue
In-Reply-To: <256b60e3-e570-f3b7-db96-8d443476c50b@plus.hr>
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr> <1d7d7e96-dea3-b21b-7240-bc73968a38f6@msapiro.net> <256b60e3-e570-f3b7-db96-8d443476c50b@plus.hr>
Message-ID:

On 7/27/20 11:09 PM, Miron Jajtić wrote:
> Content analysis details:   (1.9 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
>                             See
>                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>                              for more information.
>                             [URIs: xxxx.xx]
>  0.0 SPF_NONE               SPF: sender does not publish an SPF Record
>  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
>  0.0 TVD_SPACE_RATIO        No description available.
>  0.7 SUBJ_OBFU_PUNCT_FEW    Possible punctuation-obfuscated Subject: header
>  1.2 SUBJ_OBFU_PUNCT_MANY   Punctuation-obfuscated Subject: header

So it doesn't appear to be a `spamc` (invoking spamd) vs `spamassassin`
issue. Have you tried removing /var/spool/MailScanner/spamassassin/*

Also, do you have

MCP Checks = yes

somewhere in your MailScanner configuration? If so, do you have

use_bayes 1

in /etc/MailScanner/mcp/mcp.spamassassin.conf?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From miron at plus.hr Wed Jul 29 07:20:25 2020
From: miron at plus.hr (Miron Jajtić)
Date: Wed, 29 Jul 2020 09:20:25 +0200
Subject: Bayes issue
In-Reply-To:
References: <9cfea888-b9d3-5f0c-2b13-0d1ad3787c4d@plus.hr> <1d7d7e96-dea3-b21b-7240-bc73968a38f6@msapiro.net> <256b60e3-e570-f3b7-db96-8d443476c50b@plus.hr>
Message-ID:

On 29. 07. 2020. at 01:21, Mark Sapiro wrote:
> So it doesn't appear to be a `spamc` (invoking spamd) vs `spamassassin`
> issue.
> Have you tried removing /var/spool/MailScanner/spamassassin/*
>
> Also, do you have
>
> MCP Checks = yes
>
> somewhere in your MailScanner configuration? If so, do you have
>
> use_bayes 1
>
> in /etc/MailScanner/mcp/mcp.spamassassin.conf?
>

In the end, it was the spamassassin cache: the message is always the same (sender/recipient/content), so spamassassin just took the existing score from the cache without even scanning it further.

It's solved now, but I'm still wondering why the spamassassin cache isn't utilized in a manually started scan via spamc/spamassassin.

Best,

Miron J.