  #1  
Old 13th October 2009, 18:53
Cracklefish Cracklefish is offline
Member
 
Join Date: Mar 2009
Posts: 95
Thanks: 8
Thanked 3 Times in 3 Posts
Amavisd not identifying spam properly

Amavisd does not seem to report spam properly.

Suse, 11.1; Perfect Server; ISPC 3.0.1.4

If I run debug I get what looks like an error "Pid_file already exists for running process (3076)... aborting"...

Is this a good place to start?

Code:
amavisd debug
Oct 13 17:21:12.686 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: starting.  /usr/sbin/amavisd at Golf1.greenway.co.uk amavisd-new-2.6.1 (20080629), Unicode aware, LC_CTYPE="en_GB.UTF-8", LANG="POSIX"
Oct 13 17:21:12.687 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: user=, EUID: 65 (65);  group=, EGID: 113 113 (113 113)
Oct 13 17:21:12.688 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: Perl version               5.010000
Oct 13 17:21:12.923 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: INFO: no optional modules: IO::Socket::INET6
Oct 13 17:21:14.253 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: INFO: SA version: 3.2.5, 3.002005, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Mail::SpamAssassin::BayesStore::PgSQL Encode::Detect Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::ExpMail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d auto::NetAddr::IP::Util::ipv6_n2x Mail::SPF::Query Error
Oct 13 17:21:14.255 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: SpamControl: init_pre_chroot on SpamAssassin done
Pid_file already exists for running process (3076)... aborting
Oct 13 17:21:14.260 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: (!)Net::Server: 2009/10/13-17:21:14 Pid_file already exists for running process (3076)... aborting\n\n  at line 277 in file /usr/lib/perl5/vendor_perl/5.10.0/Net/Server.pm
Oct 13 17:21:14.262 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: Net::Server: 2009/10/13-17:21:14 Server closing!

This is a typical header from a spam (in the POP box not the client)

Code:
Return-Path: <leopoldbn3@tigertcontractors.com>
Received: from localhost (unknown [127.0.0.1])
	by golf1.greenway.co.uk (Postfix) with ESMTP id 90FB0160F2;
	Tue, 13 Oct 2009 15:19:56 +0000 (UTC)
X-Virus-Scanned: amavisd-new at greenway.co.uk
Received: from golf1.greenway.co.uk ([127.0.0.1])
	by localhost (Golf1.greenway.co.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id a4KQprg7P0im; Tue, 13 Oct 2009 16:19:42 +0100 (BST)
Received: from ABTS-TN-dynamic-222.160.164.122.airtelbroadband.in (unknown [122.164.160.222])
	by golf1.greenway.co.uk (Postfix) with ESMTP id 16835160EC;
	Tue, 13 Oct 2009 16:19:40 +0100 (BST)
Message-ID: <000d01ca4c18$8ed3c610$6400a8c0@leopoldbn3>
From: "Carlo Blue" <leopoldbn3@tigertcontractors.com>
To: <wtop@xxxxxxx.com>
Subject: Apply for your diploma.
Date: Tue, 13 Oct 2009 20:49:29 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01CA4C18.8ED3C610"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01CA4C18.8ED3C610
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
  #2  
Old 14th October 2009, 09:11
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts

Amavisd is not able to start as its pid file exists already. Please try to reboot the server.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 16th October 2009, 14:38
Cracklefish Cracklefish is offline
Member
 
Join Date: Mar 2009
Posts: 95
Thanks: 8
Thanked 3 Times in 3 Posts

Quote:
Originally Posted by till
Amavisd is not able to start as its pid file exists already. Please try to reboot the server.

That helped. The PID file error has gone and now I get a normal debug report. Funny though, the server has been rebooted several times lately for other reasons.

The Amavis still does not seem to be behaving properly.

I have reset the tags in ISPC to:

SPAM tag level = 2.5
SPAM tag2 level = 5
SPAM kill level = 6.8

But amavisd.conf shows

$sa_tag_level_deflt = 2.0
$sa_tag2_level_deflt = 6.2
$sa_kill_level_deflt = 6.2


I have never had an email with ***SPAM*** in the subject field

Here is a header:

Code:
Return-Path: <custodianjxa121@hotelbaboosoorya.com>
Received: from localhost (unknown [127.0.0.1])
	by golf1.sanitised (Postfix) with ESMTP id E0EEC160FF;
	Fri, 16 Oct 2009 11:08:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at sanitised
X-Spam-Flag: NO
X-Spam-Score: 6.07
X-Spam-Level: ******
X-Spam-Status: No, score=6.07 tagged_above=2 required=6.2 tests=[BAYES_60=1,
	HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=0.619, RDNS_NONE=0.1,
	TVD_RCVD_SINGLE=1.351, URIBL_SBL=1.499, URIBL_WS_SURBL=1.5]
Received: from golf1.sanitised ([127.0.0.1])
	by localhost (Golf1.sanitised [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id rMYNV8KuaVzO; Fri, 16 Oct 2009 12:08:41 +0100 (BST)
Received: from YPNCKGMG (unknown [77.120.129.178])
	by golf1.sanitised (Postfix) with ESMTP id 421C016101;
	Fri, 16 Oct 2009 12:08:41 +0100 (BST)
Message-ID: <000d01ca4e51$0232c680$6400a8c0@custodianjxa121>
From: "Ollie Dotson" <custodianjxa121@hotelbaboosoorya.com>
To: <wtop@sanitised>
Subject: Unbelievable prices for spruce watches. 
Date: Fri, 16 Oct 2009 14:08:36 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01CA4E51.0232C680"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Although the spam score is 6.07 the header has not been modified.

There are 2 mailboxes on this domain, this one and a catchall
Both have a filter set to transfer anything with ***SPAM in subject field to the spam folder (.Spam)

The spam folder for the catchall box has lots of emails in it, the majority are "Considered UNSOLICITED BULK EMAIL..." with a header;

Code:
Return-Path: <MAILER-DAEMON>
Received: from localhost (unknown [127.0.0.1])
	by golf1.sanitised (Postfix) with ESMTP id E7E6516101
	for <wtop@sanitised>; Fri, 16 Oct 2009 12:05:08 +0000 (UTC)
Content-Type: multipart/report; report-type=delivery-status;
 boundary="----------=_1255694708-7025-2"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
In-Reply-To: <6704PBT.736021A7.26395804513273LFYMCSVWPYWJJND740@PC3>
Message-ID: <SSY7d3JPt4eQwA@Golf1.greenway.co.uk>
From: "Content-filter at Golf1.sanitised" <postmaster@Golf1.sanitised>
To: <wtop@sanitised>
Date: Fri, 16 Oct 2009 13:04:52 +0100 (BST)

The header from a conventional spam looks like this:

Code:
Return-Path: <pangingatcm5@broadwayplastering.com>
Received: from localhost (unknown [127.0.0.1])
	by golf1.sanitised (Postfix) with ESMTP id 65C3616101
	for <jmh711nsuk@sanitised>; Fri, 16 Oct 2009 12:09:21 +0000 (UTC)
X-Virus-Scanned: amavisd-new at sanitised
X-Spam-Flag: NO
X-Spam-Score: 5.031
X-Spam-Level: *****
X-Spam-Status: No, score=5.031 tagged_above=2 required=6.2 tests=[BAYES_95=3,
	BODY_ENHANCEMENT=0.309, BODY_ENHANCEMENT2=0.001, HTML_MESSAGE=0.001,
	RDNS_DYNAMIC=0.1, URI_NOVOWEL=1.62]
Received: from golf1.sanitised ([127.0.0.1])
	by localhost (Golf1.sanitised [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id fSmE7MdYLuzO for <jmh711nsuk@sanitised>;
	Fri, 16 Oct 2009 13:09:05 +0100 (BST)
Received: from host111-111-dynamic.14-87-r.retail.telecomitalia.it (host111-111-dynamic.14-87-r.retail.telecomitalia.it [87.14.111.111])
	by golf1.sanitised (Postfix) with ESMTP id A74C8160FF
	for <jmh711nsuk@sanitised>; Fri, 16 Oct 2009 13:09:04 +0100 (BST)
Received: from 87.14.111.111 by mailhub13.yellgroup.com; Fri, 16 Oct 2009 14:09:00 +0100
Message-ID: <000d01ca4e59$71e59e50$6400a8c0@pangingatcm5>
From: "Major Daley" <pangingatcm5@broadwayplastering.com>
To: <jmh711nsuk@sanitised>
Subject: By enlarging your instrument you will manage to keep up your good name.
Date: Fri, 16 Oct 2009 14:09:00 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01CA4E59.71E59E50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
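
Added example, not part of the original posts: amavisd-new writes the levels it actually applied into X-Spam-Status (tagged_above is the tag level, required is the tag2 level at which the message is marked as spam), so they can be read from a delivered message and compared with the intended settings. The sample is constructed from the first header quoted in post #3; the function names and the policy dict are this example's own.

```python
import re
from email import message_from_string

# Constructed sample: scanner headers of the first message quoted in post #3.
SAMPLE = (
    "X-Spam-Flag: NO\n"
    "X-Spam-Score: 6.07\n"
    "X-Spam-Status: No, score=6.07 tagged_above=2 required=6.2 tests=[BAYES_60=1,\n"
    "\tHTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=0.619, RDNS_NONE=0.1,\n"
    "\tTVD_RCVD_SINGLE=1.351, URIBL_SBL=1.499, URIBL_WS_SURBL=1.5]\n"
    "Subject: Unbelievable prices for spruce watches.\n"
)

# Levels the poster entered in ISPConfig (post #3); dict layout is this example's own.
ISPCONFIG_POLICY = {"tag": 2.5, "tag2": 5.0}

LEVELS_RE = re.compile(r"score=(-?[\d.]+) tagged_above=(-?[\d.]+) required=(-?[\d.]+)")

def applied_levels(raw_message):
    """Return the score, the levels amavisd applied, and the per-test points."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None  # header absent: nothing to compare
    status = " ".join(status.split())  # unfold continuation lines
    m = LEVELS_RE.search(status)
    if m is None:
        return None
    score, tag, tag2 = (float(v) for v in m.groups())
    tests = {}
    t = re.search(r"tests=\[(.*?)\]", status)
    for item in (t.group(1).split(",") if t else []):
        name, _, points = item.strip().partition("=")
        if points:
            tests[name] = float(points)
    return {"score": score, "tag": tag, "tag2": tag2, "tests": tests}

def diagnose(raw_message, policy):
    """Compare the levels applied to one message with the intended policy."""
    info = applied_levels(raw_message)
    if info is None:
        return None
    return {
        "mismatched": sorted(k for k in policy if info[k] != policy[k]),
        "marked_spam": info["score"] >= info["tag2"],
        "spam_under_policy": info["score"] >= policy["tag2"],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE, ISPCONFIG_POLICY))
```

For the sample, both applied levels differ from the ISPConfig values, and a score of 6.07 is below the applied tag2 level of 6.2 but above the ISPConfig tag2 level of 5.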
  #4  
Old 17th October 2009, 09:58
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts

Set the loglevel in amavisd higher and check which tag levels get applied to a specific email.
  #5  
Old 19th October 2009, 15:52
Cracklefish Cracklefish is offline
Member
 
Join Date: Mar 2009
Posts: 95
Thanks: 8
Thanked 3 Times in 3 Posts

Quote:
Originally Posted by till
Set the loglevel in amavisd higher and check which tag levels get applied to a specific email.

There are 2 entries in etc/amavisd.conf

At line 37:
Code:
$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,

and the penultimate line:
Code:
$DO_SYSLOG = 1;
$LOGFILE = "/var/log/amavis.log";  # (defaults to empty, no log)

$log_level = 5;                # (defaults to 0)

There is no var/log/amavis.log

I tried setting them both to 5 but still no logfile, or am I looking for the wrong file?
  #6  
Old 20th October 2009, 10:19
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts

Amavisd should log into your syslog or mail log file as $DO_SYSLOG is set to 1. Please take a look in the mail log, you should find the debug output there.

All times are GMT +2.