No spamassasin headers?

Hi all,

I recently installed ispconfig3 and postfix with spam assassin. Was working fine but today I seem to get a large amount of spam. I checked the headers and there is no X-Spam headers in my email at all.

I checked to see if spam assassin was running, it is and I can connect to the socket. I also telnet to my server and send g-tube which is correctly removed as spam.

I check the size of my emails, they are all less than 100k so should be no problem there.

Its been a while since I looked at spamassassin but IIRC the spam score header should always be present?

Any ideas?

 

Are there any errors in your mail log (in the /var/log/ directory)?

 

Not that I can see, in fact there is very little reference to spamd in maillog at all. The only entries that are in there are related to me stopping and starting the spamassassin daemon.


Its odd because some stuff is getting scored and is removed from the queue but other emails which are most definitely spam (and would surely be detected by SA) are not. As I mentioned before, no X-Spam headers at all.

Heres a sample email, whether or not you personaly classify it as spam is neither here nor there, it should still have some X-Spam headers right?

Code:

Return-Path: <[email protected]>
Delivered-To: [email protected]_REMOVED_.com
Received: from localhost (unknown [127.0.0.1])
        by mailgate._REMOVED_.com (Postfix) with ESMTP id 441F5B2078
        for <[email protected]_REMOVED_.com>; Fri,  4 Mar 2011 20:35:43 +0000 (UTC)
X-Virus-Scanned: amavisd-new at _REMOVED_.vm.bytemark.co.uk
Received: from mailgate._REMOVED_.com ([127.0.0.1])
        by localhost (mailgate._REMOVED_.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id POldj2ZarUlq for <[email protected]_REMOVED_.com>;
        Fri,  4 Mar 2011 20:35:42 +0000 (UTC)
Received: from mailer5.first-espot.com (mailer5.first-espot.com [74.118.36.57])
        by mailgate._REMOVED_.com (Postfix) with ESMTP id E7BCAB2075
        for <[email protected]_REMOVED_.com>; Fri,  4 Mar 2011 20:35:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=first-espot.com;
 h=To:Subject:Message-ID:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; [email protected];
 bh=gtgL2j0u5HyMfmXfNvau0aTnsBA=;
 b=ZaQp1l4S44xtThzhJrzBoVwrL0dwyniAulwwXuiw43AM/rc+TAOzTz9FTCHLv3xa4+0DJtbhEyUA
   jQNSyYLjfF4P+dW35bVyXoLWuRPIa5DG0/uC6V9Vx4EC5F5wOw3WCS+AT5k2DrlO0oj+VRaZRK/W
   zWHKS1odc21jHOpf6uY=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=first-espot.com;
 b=mUnIGdvmTto4vAJx20X3YsDBpsvylDlBj+nK2n6l/qiZLwGxzIXoo329bYZmvVbkTge9LBzTdKu+
   sspZRtoTY1NgHgi7ny8HZuY4tZcLs3a2S+p5C1f9DodNl3ob0L3q5Aam0tm7+4LhheEuXF887oML
   sYj+6+ZumiIqI2Ew5UU=;
Received: from cpa3.first-espot.com (10.10.248.250) by mailer5.first-espot.com (PowerMTA(TM) v3.5r13) id he56i011o9gf for <[email protected]_REMOVED_.com>; Fri, 4 Mar 2011 20:35:40 +0000 (envelope-from <[email protected]>)
To: "_REMOVED_" <[email protected]_REMOVED_.com>
Subject: Grab a Year's Free Shopping at ASDA
Message-ID: <[email protected]>
Date: Fri, 04 Mar 2011 19:51:02 +0000
From: "Offersclick" <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
X-Mailer-LID: 4
List-Unsubscribe: <http://www.first-espot.com/emailflow/unsubscribe.php?M=1135762&C=7e5c58392a7cc53e106c2f82371d4145&L=4&N=3884>
X-Mailer-SID: 3884
X-Mailer-Sent-By: 4
X-Mailer: Email Flow::Enterprise 0.5
X-Mailer-Info: AQt4Zlk6LaNhpz96LaOynUIaDUWirzWjMJu1Mlj0
x-job: 3984
Content-Type: multipart/alternative; charset="UTF-8"; boundary="b1_2138ca8c292b2b5b30c32f302cd4e8f9"
Content-Transfer-Encoding: 8bit

--b1_2138ca8c292b2b5b30c32f302cd4e8f9
Content-Type: text/plain; format=flowed; charset="UTF-8"
Content-Transfer-Encoding: 8bit

This prize is brought to you by Offersclick and Emailinform.
Make sure you hear about great money-saving offers and be in with a chance
to win a yearâ[email protected]~Ys free shopping at ASDA.

Asda is known for its great value, but why not make the price of your
weekly shop ZERO? Win a free YEAR of shopping at family favourite Asda.
Complete this survey to enter the prize draw.

Complete our consumer survey to be automatically entered into our prize
draw AND ensure you get deals and offers in the future tailored to suit
your needs.

http://www.first-espot.com/emailflow/link.php?M=1135762&N=3884&L=308&F=T

 

A little more digging done. Seems like amavis is loading spamassassin when it starts

Code:

Mar  5 22:33:50 mailgate amavis[3188]: Module Mail::DKIM::Verifier 0.39
Mar  5 22:33:50 mailgate amavis[3188]: Module Mail::Header        2.07
Mar  5 22:33:50 mailgate amavis[3188]: Module Mail::Internet      2.07
Mar  5 22:33:50 mailgate amavis[3188]: Module Mail::SpamAssassin  3.002005
....
....
Mar  5 22:33:50 mailgate amavis[3188]: ANTI-VIRUS code      loaded
Mar  5 22:33:50 mailgate amavis[3188]: ANTI-SPAM code       loaded
Mar  5 22:33:50 mailgate amavis[3188]: ANTI-SPAM-EXT code   NOT loaded
Mar  5 22:33:50 mailgate amavis[3188]: ANTI-SPAM-C code     NOT loaded
Mar  5 22:33:50 mailgate amavis[3188]: ANTI-SPAM-SA code    loaded

Then sent myself a mail and see the following in the log:

Code:

Mar  5 22:59:34 mailgate amavis[3214]: (03214-02) Passed CLEAN, [x.x.x.x] [x.x.x.x] <[email protected]_REMOVED.com> -> <[email protected]_REMOVED.com>, Message-ID: <[email protected]_REMOVED_.com>, mail_id: YBK5Dg6+Gse8, Hits: 3.962, size: 416, queued_as: A8B28B20B4, 526 ms

I see it has a hit score, not sure if that relates to SA scoring or if its amavis own scoring but I check the headers of the mail and definitely no X-Spam headers still.

What am I missing here? Bound to be something really stupid

 

Did you check the SpamAssassin scoes in your amavisd configuration?
Also, have you tried to update SpamAssassin's rules?

Code:

sa-update --no-gpg

 

I am having the exact same problem. It seems like all spam is getting through. There is nothing about spamd in the maillog file. I also set up logging for spamd to log to a file and there are only entries about it starting up. I followed the CentOS tutorial: Virtual Users And Domains With Postfix, Courier And MySQL (CentOS 5.1)

 

Ok, I had set @bypass_spam_checks_maps = ( [ "!.$mydomain","." ] ); in an attempt to not scan outgoing mail, but then it wasn't scanning ANY mail.

So I commented it out, and it is scanning all mail, except now ALL outgoing mail is being tagged as spam.

We have virtual users on many different domains, so how can I bypass spam filtering for all smtp authenticated users?

 

Hi Falko,

I already ran sa-update however, I just realised that the amavisd.conf file in /etc is not the one that is read, its the copy in /etc/amavisd. I knew I was missing something stupid.

I have cranked the loglevel up as far as it will go (5) and updated $sa_tag_level_deflt to 0.1. Guess X-Spam headers were not being applied previuously because this was set to 2, I want the headers on all emails so I can analyze what each mail is scoring. Then I will learn SA on my spam and ham accordingly.


@waters - I think that you dont see spamd reference in the logs because amavis is calling the SA libs internally, try turning up the log level in amavisd.conf and then grep maillog for amavis instead.

I guess that spamd does not event need to run (in fact, if you've started spamd you're probably just wasting memory?)