more crazy spam

#1 | crypted | 30th August 2010, 22:55

Alright, we have been inundated with an unreal amount of spam on the server lately.

So, I added the black URIBL to Spam Assassin. Still didn't help.

So, two questions:

1) I want to block specific @domain.tld from all email domains. Under Global Filters -> Postfix Blacklist do I select "Senders" to disable those domains from sending email to mailboxes? Or, no? In other words, I want to add a global filter to block @nutsviagrasex.ch from spamming any email address. Would I add @nutsviagrasex.ch as "sender" in that filter?

2) I've seen mention on the tutorials about DKIM. Would that be helpful?

#2 | till | 31st August 2010, 08:57

Please post the email headers of spam emails that had come through. Also, which scores do you use in the spamfilter policy?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3 | crypted | 31st August 2010, 16:14

Okay. I have been receiving about 20 spam emails a day on average to my mailbox for the past three weeks. I went years without a single spam email getting to the Inbox on ISPCONFIG + Spam Assassin.

Currently, my mailbox uses ISPConfig's default settings for "NORMAL" spamfilter. It appears the default numbers are: tag = 1, tag2 = 4.5, kill = 50, dns = 0, quarantine = 0. I wonder what can be adjusted without throwing legit emails into the Junk folder. My Junk folder grows by about 140 emails a day...crazy spam!

Headers for this morning's spam are as follows:
Code:
Return-Path: <myauravie@affiliateincomeadvantage.com>
Delivered-To: crypted@mypersonaldomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
	by personalwebserver.tld (Postfix) with ESMTP id 9AE1D5416E
	for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:19:15 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at my.derekgordon.com
Received: from personalwebserver.tld ([127.0.0.1])
	by localhost (personalwebserver.tld [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id lj5xh4+WH1rG for <crypted@mypersonaldomain.tld>;
	Tue, 31 Aug 2010 06:19:14 -0400 (EDT)
Received: from automatedwealthkit.com (automatedwealthkit.com [173.244.178.212])
	by personalwebserver.tld (Postfix) with SMTP id 2F4DB5416A
	for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:19:14 -0400 (EDT)
DKIM-Signature: v=1;
	a=rsa-sha1; c=relaxed/relaxed; d=affiliateincomeadvantage.com;
	s=gamma; t=1283249953; bh=tTGnhmF/h3uRT2xFtfbGQmvJL/U=; h=To:From;
	b=BLK4eyibxrqVdbY7AqLGbf3BLekcb0bj8+nwCqMmTuHEKE6qvC/ABnZ5qjR40MVGE
	 oorPegYQzkKrqWL8qZtwoQ5ExJj3mCKsJZ9a/NuP5o1rTIDI/2tW9/d1asZQYzN
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=gamma; d=affiliateincomeadvantage.com;
	h=To:From;
	b=sUH4kw1ftqEVUnBhxmy1FheNz3yfZ6BmpMUSvqDUBCExeejaFTbklRMQQ95KET4n3
	4Pw0UugjDiVdjPIv7vV1I8aXy1vWYtb8+wmm3COO6uMRXLy4WzFJtv8lFEgsRoe;
To: crypted@mypersonaldomain.tld
From: "My AuraVie" <myauravie@affiliateincomeadvantage.com>
Subject: Save over $250 on top of the line AuraVie 3 in 1 Skincare
Date: 31 Aug 2010 06:19:13 -0400
Message-ID: <1283249953.hqolqnqdcubvlp@automatedwealthkit.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable



Return-Path: <taxsolutions@clickaffiliateincome.com>
Delivered-To: crypted@mypersonaldomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
	by personalwebserver.tld (Postfix) with ESMTP id 0BF835416E
	for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:08:19 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at my.derekgordon.com
Received: from personalwebserver.tld ([127.0.0.1])
	by localhost (personalwebserver.tld [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id pQ3z2ba9ySGK for <crypted@mypersonaldomain.tld>;
	Tue, 31 Aug 2010 06:08:16 -0400 (EDT)
Received: from clickaffiliateincome.com (clickaffiliateincome.com [66.207.161.156])
	by personalwebserver.tld (Postfix) with SMTP id 86FC85416A
	for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:08:16 -0400 (EDT)
DKIM-Signature: v=1;
	a=rsa-sha1; c=relaxed/relaxed; d=clickaffiliateincome.com; s=gamma;
	t=1283249296; bh=EPnKqVsLlSv9DdiBghgezgo2w5k=; h=To:From;
	b=Jha9cB741nXRon7nxvIVm2TwMwxTyqZbsMaHkKlmXqbu1SzmKY1Hz8OIn3zH55p2L
	 QCHPaAS1pegNEjfXALefj1KQe6mEx8IcVOqmrxIZtfD7VYWeEeNrlUslDtUezoC
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=gamma; d=clickaffiliateincome.com;
	h=To:From;
	b=CCGcua5eXuUJLq9PNhIGnMlnw1pYvofODp/V9phxEsVecoq6ixrng3n+Ii+3EmkxE
	aGemY0f1EWz9PjbYsn9Qikep5miYjZLP2fFg8lusBjl83sQWI5qHK8I4/rD3LQC;
To: crypted@mypersonaldomain.tld
From: "Tax Solutions" <taxsolutions@clickaffiliateincome.com>
Subject: Settle your tax debt for fractions of whats owed
Date: 31 Aug 2010 06:08:16 -0400
Message-ID: <1283249296.frsaumqpkks@clickaffiliateincome.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable




Return-Path: <Jennifer@black-jackfaq.com>
Delivered-To: crypted@mypersonaldomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
	by personalwebserver.tld (Postfix) with ESMTP id E16BC5416E
	for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 03:28:39 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at my.derekgordon.com
Received: from personalwebserver.tld ([127.0.0.1])
	by localhost (personalwebserver.tld [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id sahhjH1aBXZv for <crypted@mypersonaldomain.tld>;
	Tue, 31 Aug 2010 03:28:39 -0400 (EDT)
Received: from black-jackfaq.com (black-jackfaq.com [76.73.108.215])
	by personalwebserver.tld (Postfix) with ESMTP id 17AEB5416A
	for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 03:28:24 -0400 (EDT)
From: "Jennifer Cox" <Jennifer@black-jackfaq.com>
To: "derek" <crypted@mypersonaldomain.tld>
Reply-To: reply@black-jackfaq.com
Date: Tue, 31 Aug 2010 07:28:26 +0000
Subject: New bonus offer high roller heaven
MIME-Version: 1.0
List-Unsubscribe: <http://www3.black-jackfaq.com/0b02452e8b07f9c74e0401000/0000000000000/000/0/00.ZVSC>
Content-Type: multipart/related;
	boundary="_=aspNetEmail=_642a60b212244c86914b616ee36ce2b6"
X-Mailer: aspNetEmail ver 3.12.656.1861
X-MimeOLE: 944-ebe3a 43672.3916.1,309
Message-ID: <4367239161@black-jackfaq.com>
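
Added example (not part of the original posts): a small Python triage of one of the header sets posted above, pulling out the outside relay from the Received chain, the DKIM d= domain, and whether any X-Spam-* header was added. The sample is abridged from the first message in the post; the function and field names are this example's own, and the hop pattern covers the IPv4 form shown in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the first header set posted above (DKIM bh=/b= values left out).
SAMPLE = """\
Return-Path: <myauravie@affiliateincomeadvantage.com>
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby personalwebserver.tld (Postfix) with ESMTP id 9AE1D5416E
X-Virus-Scanned: Debian amavisd-new at my.derekgordon.com
Received: from personalwebserver.tld ([127.0.0.1])
\tby localhost (personalwebserver.tld [127.0.0.1]) (amavisd-new, port 10024)
Received: from automatedwealthkit.com (automatedwealthkit.com [173.244.178.212])
\tby personalwebserver.tld (Postfix) with SMTP id 2F4DB5416A
DKIM-Signature: v=1;
\ta=rsa-sha1; c=relaxed/relaxed; d=affiliateincomeadvantage.com;
\ts=gamma; t=1283249953; h=To:From;
From: "My AuraVie" <myauravie@affiliateincomeadvantage.com>
Subject: Save over $250 on top of the line AuraVie 3 in 1 Skincare

"""

# "from HELO (rdns [ip])" as Postfix writes it; the rdns part may be absent.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)?\s*\[([0-9.]+)\]\)")

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    relay = None
    # Received lines are prepended, so reading top-down the first hop that is
    # not loopback is the outside host our own Postfix accepted the mail from.
    for hop in msg.get_all("Received", []):
        m = HOP.search(" ".join(hop.split()))
        if m and not m.group(3).startswith("127."):
            relay = {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}
            break
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return {
        "relay": relay,
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "dkim_domain": d.group(1).lower() if d else None,  # d= tag only, not verified
        "amavis_scanned": "X-Virus-Scanned" in msg,
        "has_spam_headers": any(k.lower().startswith("x-spam-") for k in msg.keys()),
    }
```

On the posted message this reports the relay 173.244.178.212, a DKIM d= domain equal to the From domain, and no X-Spam-* headers even though amavisd-new scanned it.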

#4 | Mark_NL | 31st August 2010, 16:25

You might want to set the "SPAM tag level" to -1000 so all the mails you receive, you are able to see the spamassassin results.

#5 | crypted | 31st August 2010, 16:31

Mark, where would I see a description of what all of those #'s mean?

#6 | Mark_NL | 31st August 2010, 16:38

"#" ????

ehm, you can set it in ispconfig .. email -> policy -> click your policy -> tab Tag-level -> "SPAM tag level" set to -1000 .. save, and wait 1 minute for the changes to be done. Then check your incoming mail.

#7 | crypted | 31st August 2010, 19:04

Right, I know where the PROFILE numbers are found in the panel. :-)

I'm asking what each category means for tweaking purposes:
tag = 1, tag2 = 4.5, kill = 50, dns = 0, quarantine = 0

I have edited tag = 1 to tag = -1000.

What else should be done?

I think kill = 50 was the default as 5.0 in ISPCONFIG 2 wasn't it?

I want to get this tweaked as best as possible to remove all of this new spam while at the same time not having a lot of false positives as missing important emails would be a bad deal.

#8 | till | 31st August 2010, 20:17

Quote:
What else should be done?
Post the header of spam emails that you received after changing the level.

#9 | Turbanator | 1st September 2010, 03:11

If it helps you, here are my settings...NOTE: very aggressive since this is a corporate server meant for business email only.

SPAM tag level -100
SPAM tag2 level 3.09
SPAM kill level 10
SPAM dsn cutoff level 0
SPAM quarantine cutoff level 0
SPAM modifies subject Yes
SPAM subject tag .
SPAM subject tag2 ***SPAM***

You should also post some of your postfix settings to make sure you have some blocklists included...I think the setting to post is the

smtpd_recipient_restrictions = xxxxx

Another note: it helps to move spam into the Junk folders in webmail and tell spamassassin to learn from those you select as spam to train the engine.

/usr/bin/sa-learn --spam /var/vmail/*/*/.Junk/*/*

#10 | crypted | 1st September 2010, 04:24

First, all I changed was tag level to -1000 and every email went to Junk all day. I was wondering why no one responded. Evidently, they did so. That was the only setting I altered.

Postfix main.cf smtpd_recipient_restrictions shows:
Code:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination

Also, a few days ago I added URIBL to local.cf for Spam Assassin:
Code:
urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK  net       
score           URIBL_BLACK  3.0
Where can I find out what each setting is that Turbanator referred to? And their maximum and minimum values? That will be an assistance for playing around with them to tweak performance.


SA-LEARN runs twice a day. Sucks because it will now learn a bunch of GOOD email.