Amavisd not identfying spam properly

[Cracklefish]

Amavisd does not seem to report spam properly.

Suse, 11.1; Perfect Server; ISPC 3.0.1.4

If I run debug I get what looks like an error "Pid_file already exists for running process (3076)... aborting"...

Is this a good place to start?

Code:

amavisd debug
Oct 13 17:21:12.686 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: starting.  /usr/sbin/amavisd at Golf1.greenway.co.uk amavisd-new-2.6.1 (20080629), Unicode aware, LC_CTYPE="en_GB.UTF-8", LANG="POSIX"
Oct 13 17:21:12.687 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: user=, EUID: 65 (65);  group=, EGID: 113 113 (113 113)
Oct 13 17:21:12.688 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: Perl version               5.010000
Oct 13 17:21:12.923 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: INFO: no optional modules: IO::Socket::INET6
Oct 13 17:21:14.253 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: INFO: SA version: 3.2.5, 3.002005, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Mail::SpamAssassin::BayesStore::PgSQL Encode::Detect Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::ExpMail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d auto::NetAddr::IP::Util::ipv6_n2x Mail::SPF::Query Error
Oct 13 17:21:14.255 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: SpamControl: init_pre_chroot on SpamAssassin done
Pid_file already exists for running process (3076)... aborting
Oct 13 17:21:14.260 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: (!)Net::Server: 2009/10/13-17:21:14 Pid_file already exists for running process (3076)... aborting\n\n  at line 277 in file /usr/lib/perl5/vendor_perl/5.10.0/Net/Server.pm
Oct 13 17:21:14.262 Golf1.greenway.co.uk /usr/sbin/amavisd[4013]: Net::Server: 2009/10/13-17:21:14 Server closing!

This is a typical header from a spam (in the POP box not the client)

Code:

Return-Path: <leopoldbn3@tigertcontractors.com>
Received: from localhost (unknown [127.0.0.1])
	by golf1.greenway.co.uk (Postfix) with ESMTP id 90FB0160F2;
	Tue, 13 Oct 2009 15:19:56 +0000 (UTC)
X-Virus-Scanned: amavisd-new at greenway.co.uk
Received: from golf1.greenway.co.uk ([127.0.0.1])
	by localhost (Golf1.greenway.co.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id a4KQprg7P0im; Tue, 13 Oct 2009 16:19:42 +0100 (BST)
Received: from ABTS-TN-dynamic-222.160.164.122.airtelbroadband.in (unknown [122.164.160.222])
	by golf1.greenway.co.uk (Postfix) with ESMTP id 16835160EC;
	Tue, 13 Oct 2009 16:19:40 +0100 (BST)
Message-ID: <000d01ca4c18$8ed3c610$6400a8c0@leopoldbn3>
From: "Carlo Blue" <leopoldbn3@tigertcontractors.com>
To: <wtop@xxxxxxx.com>
Subject: Apply for your diploma.
Date: Tue, 13 Oct 2009 20:49:29 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01CA4C18.8ED3C610"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01CA4C18.8ED3C610
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

[till]

Amavisd is not able to start as its pid file exists already. Please try to reboot the server.

[Cracklefish]

Quote:

Originally Posted by till

Amavisd is not able to start as its pid file exists already. Please try to reboot the server.

That helped. The PID file error has gone and now I get a normal debug report. Funny though the server has been rebooted several times lately for other reasons.

The Amavis still does not seem to be behaving properly.

I have reset the tags in ISPC to:

SPAM tag level = 2.5
SPAM tag2 level = 5
SPAM kill level = 6.8

But amavisd.conf shows

$sa_tag_level_deflt = 2.0
$sa_tag2_level_deflt = 6.2
$sa_kill_level_deflt = 6.2


I have never had an email with ***SPAM*** in the subject field

Here is a header:

Code:

Return-Path: <custodianjxa121@hotelbaboosoorya.com>
Received: from localhost (unknown [127.0.0.1])
	by golf1.sanitised (Postfix) with ESMTP id E0EEC160FF;
	Fri, 16 Oct 2009 11:08:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at sanitised
X-Spam-Flag: NO
X-Spam-Score: 6.07
X-Spam-Level: ******
X-Spam-Status: No, score=6.07 tagged_above=2 required=6.2 tests=[BAYES_60=1,
	HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=0.619, RDNS_NONE=0.1,
	TVD_RCVD_SINGLE=1.351, URIBL_SBL=1.499, URIBL_WS_SURBL=1.5]
Received: from golf1.sanitised ([127.0.0.1])
	by localhost (Golf1.sanitised [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id rMYNV8KuaVzO; Fri, 16 Oct 2009 12:08:41 +0100 (BST)
Received: from YPNCKGMG (unknown [77.120.129.178])
	by golf1.sanitised (Postfix) with ESMTP id 421C016101;
	Fri, 16 Oct 2009 12:08:41 +0100 (BST)
Message-ID: <000d01ca4e51$0232c680$6400a8c0@custodianjxa121>
From: "Ollie Dotson" <custodianjxa121@hotelbaboosoorya.com>
To: <wtop@sanitised>
Subject: Unbelievable prices for spruce watches. 
Date: Fri, 16 Oct 2009 14:08:36 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01CA4E51.0232C680"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Although the spam score is 6.07 the header has not been modified.

There are 2 mailboxes on this domain, this one and a catchall
Both have a filter set to transfer anything with ***SPAM in subject field to the spam folder (.Spam)

The spam folder for the catchall box has lots of emails in it, the majority are "Considered UNSOLICITED BULK EMAIL..." with a header;

Code:

Return-Path: <MAILER-DAEMON>
Received: from localhost (unknown [127.0.0.1])
	by golf1.sanitised (Postfix) with ESMTP id E7E6516101
	for <wtop@sanitised>; Fri, 16 Oct 2009 12:05:08 +0000 (UTC)
Content-Type: multipart/report; report-type=delivery-status;
 boundary="----------=_1255694708-7025-2"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
In-Reply-To: <6704PBT.736021A7.26395804513273LFYMCSVWPYWJJND740@PC3>
Message-ID: <SSY7d3JPt4eQwA@Golf1.greenway.co.uk>
From: "Content-filter at Golf1.sanitised" <postmaster@Golf1.sanitised>
To: <wtop@sanitised>
Date: Fri, 16 Oct 2009 13:04:52 +0100 (BST)

The header from a conventional spam looks like this:

Code:

Return-Path: <pangingatcm5@broadwayplastering.com>
Received: from localhost (unknown [127.0.0.1])
	by golf1.sanitised (Postfix) with ESMTP id 65C3616101
	for <jmh711nsuk@sanitised>; Fri, 16 Oct 2009 12:09:21 +0000 (UTC)
X-Virus-Scanned: amavisd-new at sanitised
X-Spam-Flag: NO
X-Spam-Score: 5.031
X-Spam-Level: *****
X-Spam-Status: No, score=5.031 tagged_above=2 required=6.2 tests=[BAYES_95=3,
	BODY_ENHANCEMENT=0.309, BODY_ENHANCEMENT2=0.001, HTML_MESSAGE=0.001,
	RDNS_DYNAMIC=0.1, URI_NOVOWEL=1.62]
Received: from golf1.sanitised ([127.0.0.1])
	by localhost (Golf1.sanitised [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id fSmE7MdYLuzO for <jmh711nsuk@sanitised>;
	Fri, 16 Oct 2009 13:09:05 +0100 (BST)
Received: from host111-111-dynamic.14-87-r.retail.telecomitalia.it (host111-111-dynamic.14-87-r.retail.telecomitalia.it [87.14.111.111])
	by golf1.sanitised (Postfix) with ESMTP id A74C8160FF
	for <jmh711nsuk@sanitised>; Fri, 16 Oct 2009 13:09:04 +0100 (BST)
Received: from 87.14.111.111 by mailhub13.yellgroup.com; Fri, 16 Oct 2009 14:09:00 +0100
Message-ID: <000d01ca4e59$71e59e50$6400a8c0@pangingatcm5>
From: "Major Daley" <pangingatcm5@broadwayplastering.com>
To: <jmh711nsuk@sanitised>
Subject: By enlarging your instrument you will manage to keep up your good name.
Date: Fri, 16 Oct 2009 14:09:00 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01CA4E59.71E59E50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

[till]

Set the loglevel in amavisd higher and check which tag levels get applied to a specific email.

[Cracklefish]

Quote:

Originally Posted by till

Set the loglevel in amavisd higher and check which tag levels get applied to a specific email.

There are 2 entries in etc/amavisd.conf

At line 37:

Code:

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,

and the penultimate line:

Code:

$DO_SYSLOG = 1;
$LOGFILE = "/var/log/amavis.log";  # (defaults to empty, no log)

$log_level = 5;                # (defaults to 0)

There is no var/log/amavis.log

I tried setting them both to 5 but still no logfile, or am I looking for the wrong file?

[till]

Amavisd should log into your syslog or mail log file as $DO_SYSLOG is set to 1. Please take a look in the mail log, you should find the debug output there.