[SOLVED] some emails marked as spam in subject while spam score is below required score

Discussion in 'ISPConfig 3 Priority Support' started by skylite, Aug 27, 2015.

  1. skylite

    skylite New Member

    Sometimes I get emails with the ***SPAM*** in the subject (ISPconfig/email/Policy/spamfilter/normal/tag level). The problem is that these emails arrive to my inbox and should not be marked as spam since in the header I see:
    X-Spam-Status: No, score=1.0 required=4.0
    or
    X-Spam-Status: No, score=3.4 required=4.0
    (for example). These emails are marked as spam only in the subject field. I am sure they are marked on my server because I changed the SPAM subject tag2 field to be **SPAM** (with two stars) and now I receive them with two stars.
    Other spams I receive and reach the score level 4, have also X-Spam-Flag: YES and they arrive to my Junk folder as expected (dovecot sieve).

    Strange thing is that the spams I receive in my inbox are always real spam so I could easily write a local spamassassin header rule to get rid of them, but the question still remains:
    Why are these emails marked as spam in the subject field when they dont reach the required score?

    I am using Postfix, Spamassassin, Amavis, Dovecot in my ISPconfig
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I've never seen that the spam header and subject dont match. The only possible reason that I see is that the mails are sent to an alias address of your mailbox and this alias has no or a different policy assigned.

    Example:

    your mailbox: you@domain.tld
    info@domain.tld is an alias address pointing to you@domain.tld. In this case a policy assigned to the domain.tld and not a policy assigned to you@domain.tld will get applied. If domain.tld has no policy then the defaults from amavisd.conf get applied.
     
  3. skylite

    skylite New Member

    The email I get the fake spam to is an email forward indeed, but the policy for @domain.tld is set to Normal (as well as mine).
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to turn on logging in amavisd.conf (or 50-user file if you use debain and ubuntu) to see what is going on in detail. Set log level e.g. to 5.
     
  5. skylite

    skylite New Member

    I configured the loglevel to debug and waited patiently for a fake spam. Finally I got one (this one is addressed to me specifically not to an alias).
    This is what the header looks like: http://pastebin.com/28xSdKQn
    And this is the log: http://pastebin.com/1uY86bw0
    Im not sure why a single mail has three different id's but here in all cases I see Passed SPAMMY in the logs which makes things more interesting...
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats strange indeed, the email got 7.925 if the debug output matches the email, so marking it in the header is correct.

    Code:
    Aug 27 22:25:53 web amavis[3178]: (03178-06) header: X-Virus-Scanned: Debian amavisd-new at domain.tld\n
    Aug 27 22:25:53 web amavis[3178]: (03178-06) header: X-Spam-Flag: YES\n
    Aug 27 22:25:53 web amavis[3178]: (03178-06) header: X-Spam-Score: 7.925\n
    Aug 27 22:25:53 web amavis[3178]: (03178-06) header: X-Spam-Level: *******\n
    Aug 27 22:25:53 web amavis[3178]: (03178-06) header: X-Spam-Status: Yes, score=7.925 tagged_above=1 required=4.5\n\ttests=[HTML_MESSAGE=0.001, MISSING_MID=0.14,\n\tRCVD_IN_BL_SPAMCOP_NET=1.246, RCVD_IN_BRBL_LASTEXT=1.644,\n\tRCVD_IN_PSBL=2.7, RDNS_NONE=1.274, SPF_FAIL=0.919,\n\tUNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no\n
    So marking it in the subject is correct but the spam score headers dont match the ones that amavis assigned, so the headers must have been altered afterwards. Do you use the exact perfect servers setup or did you alter the postfix config somehow? My guess is that there must run a second spamassassin instance after the amavis check which alters spam tag header.
     
  7. skylite

    skylite New Member

    You may be right. I made some modifications in postfix but its unclear to me what went wrong. Pasting you the relevant information that could be related. I really appreciate the help:
    http://pastebin.com/VmXKz5k9
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is this from master.cf:

    1. dovecot-spamassassin unix - n n - - pipe
    2. flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -f -e /usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
    you run spamassassin a second time after amavis has scanned and tagged the email and this causes wrong results. Change the transport back to the original one from ispconfig and restart postfix.
     
  9. skylite

    skylite New Member

    Thank you! I wasnt aware that amavis calls spamassassin by default.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Amavis loads the SpamAssassin libraries internally and uses them to scan for spam, so amavis does not have to call SpamAssassin. You can disable spamd on your server as it is not needed.
     
    skylite likes this.

Share This Page