E-mails flags as spam

Discussion in 'Installation/Configuration' started by Kevin Colbert, May 19, 2020.

  1. Kevin Colbert

    Kevin Colbert New Member

    Hello all,
    first of all, I'm sorry if I sorted this post wrong.

    I have a problem with my e-mail server on Debian throught ISPconfig. My e-mails are flagged as spam. I have configured all. PTR record, DKIM, SPF, etc. PTR record are good: domain < -- > IPv4 and domain < -- > IPv6. DKIM pass is good too. But isnotspam.com writes me this:
    Code:
    ==========================================================
    Summary of Results
    ==========================================================
    
    SPF Check : pass
    Sender-ID Check : pass
    DKIM Check : pass
    SpamAssassin Check : ham (non-spam)
    ==========================================================
    Details:
    ==========================================================
    
    HELO hostname: email.domain.tld
    Source IP: xx.xxx.xx.xxx
    mail-from: [email protected]
    Anonymous To: [email protected]
    ---------------------------------------------------------
    SPF check details:
    ----------------------------------------------------------
    
    Result: pass
    ID(s) verified: [email protected]
    DNS record(s):
    domain.tld. 1799 IN TXT "v=spf1 a mx ip4:xx.xxx.xx.xxx ip6:xxxx:xxx:xx:x::xxxx:xxxx include:_spf.google.com ~all"
    
    
    ----------------------------------------------------------
    Sender-ID check details:
    ----------------------------------------------------------
    
    Result: pass
    
    ID(s) verified: [email protected]
    DNS record(s):
    domain.tld. 1799 IN TXT "v=spf1 a mx ip4:xx.xxx.xx.xxx ip6:xxxx:xxx:xx:x::xxxx:xxxx include:_spf.google.com ~all"
    
    
    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    
    Result: pass
    ID(s) verified: [email protected]
    Selector=dkim
    domain=
    domain.tld
    DomainKeys DNS Record=dkim._domainkey.
    domain.tld
    
    ----------------------------------------------------------
    SpamAssassin check details:
    ----------------------------------------------------------
    SpamAssassin 3.4.1 (2015-04-28)
    
    Result: ham (non-spam) (03.7points, 10.0 required)
    
    pts rule name description
    ---- ---------------------- -------------------------------
    
    
    * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    * See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    * for more information.
    * [URIs: linkedin.com]
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 0.9999]
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    * [score: 0.9999]
    * 0.1 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    * domain
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * 0.0 T_REMOTE_IMAGE Message contains an external image
    X-Spam-Status: Yes, hits=3.7 required=-20.0 tests=BAYES_99,BAYES_999,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RP_MATCHES_RCVD,
    SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED autolearn=no
    autolearn_force=no version=3.4.0
    X-Spam-Score: 3.7
    I tryed to send e-mail with simple HTML template and without it as simple text. Everytime I write subject and body and I have the same result.

    Code:
    3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    The e-mail I sent is:
    Subject: Question about article
    Text: Good evening, I'm writing this e-mail because I would like to know more informations about your article. Can you send me some links and images about it? Thank you very much for your time. Kevin Colbert


    What I'm doing wrong and how to avoid this X-SPAM-Status?

    Thank you very much for your time and have a nice evening.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    How have you trained the Bayes filter?
     
  3. Kevin Colbert

    Kevin Colbert New Member

    I have stock settings from ISPconfig. But yeasterday, I created a conjob for repeating every day at 04:00:
    Code:
    #!/bin/bash
    /usr/bin/sa-learn --spam /var/vmail/*/*/Maildir/.Junk/*/*
    /usr/bin/sa-learn --ham /var/vmail/*/*/Maildir/cur/*
    But report still writes me:
    Code:
    X-Spam-Status: Yes, hits=3.7 required=-20.0 tests=BAYES_99,BAYES_999,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RP_MATCHES_RCVD,
    SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED autolearn=no
    autolearn_force=no version=3.4.0
    X-Spam-Score: 3.7
    mean autolearn=no and autolearn_force=no. Which one I have to change?
     
    Last edited: May 19, 2020
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So if I read that correctly, the report you posted is from an email you sent to isnotspam.com? It clearly says, "Result: ham (non-spam) (03.7points, 10.0 required)" - what makes you think otherwise? The only substantial spamassasin score listed was BAYES_99, which would mean that the bayes database at isnotspam.com had strong spam token matches for your test message, it doesn't mean anything for a real-world mail system (assuming the purpose of that site is to fire off "anything" and get a spam report back, I wouldn't put too much concern to what tokens match in that particular bayes database).
     
  6. Kevin Colbert

    Kevin Colbert New Member

    Thank you for your answer. Is good to clear SA database before every cronejob, or only first time?

    Thank you too for you answer. "Result: ham (non-spam) (03.7points, 10.0 required)" means isnotspam.com's spamassassin, so the email is good? And "X-Spam-Status: Yes, hits=3.7 required=-20.0 tests=BAYES_99,BAYES_999,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RP_MATCHES_RCVD,
    SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED autolearn=no
    autolearn_force=no version=3.4.0" means my spamassassins marks my e-mail that?
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Correct, their system didn't classify it as spam, even though their BAYES database had a very strong match.

    That 'required=-20' is the level at which your system is tagging this as spam, which is completely ridiculous/wrong. Spamassassin rules are tuned with a target score of 5 to be considered spam, it seems you must have played around with the tag levels in your spamfilter policies and didn't realize what you were doing.
     
  8. Kevin Colbert

    Kevin Colbert New Member

    Thank you for your answer. You are right I was playing around it. But never wrote -20. I have only one policy named "normal".
    [​IMG]
    [​IMG] [​IMG]
    Quarantine and Other are in defaults. Can you write me what have I to change?
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If you only have one policy, is it assigned to either the mailbox or the mail domain? If neither of those is set, then you will be using the tag levels specified in amavis config files. Try 'grep sa_tag_level_deflt /etc/amavis/conf.d/*' .. there is a default setting of 20.0 in /etc/amavis/conf.d/50-user, maybe you added a negative sign there?
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    This is not going to help, as this will update the bayes database for the root user, but when amavis scans your mail using spamassassin libraries, it runs as the 'amavis' user. And you can't just change that to run as amavis, because the amavis user doesn't have permissions to read the mail files under /var/mail/. There are different ways you can solve this; what I do is have my training script temporarily bind mount the actual mail folders to a location which amavis can read, and remap user ids.
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  12. Kevin Colbert

    Kevin Colbert New Member

    Thank you for answer. I have set this policy to emails domains and on every emails mailbox too. But I don't know why is using -20 from config.
    Code:
    /etc/amavis/conf.d/20-debian_defaults:$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
    
    /etc/amavis/conf.d/50-user:$sa_tag_level_deflt  = 20.0;  # add spam info headers if at, or above that level
    What are you recommended to set?
     
  13. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I think that cron job is not a good idea.
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The config you show is actually a positive 20, not negative, so that's not where that value is coming from.

    I'm about out of guesses as to what's going on, but right offhand I wonder what is the full mail delivery path of that? Can you post full message headers and mail logs from a test delivery? I wonder if the spam scanning/header would be happening on another system entirely along the delivery path?

    Assuming that's not the case, you might try downloading the ispconfig installer, run update.php and let it reconfigure services. If that doesn't change anything, you'll probably need to set some debug logging in amavis and track down what's going on. You can also examine the amavis config files and walk through how it's config gets setup; normally on an ISPConfig system you'll have the setup in /etc/amavis/conf.d/50-user which ISPConfig's installer makes, eg.
    Code:
    $sql_select_policy =
       'SELECT *,spamfilter_users.id'.
       ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'.
       ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC';
    
    this is what configures amavis to read the spamfilter settings from the database. Assuming you have that setting, what is in your spamfilter_policy and spamfilter_users table?
     

Share This Page