spam detected but not deleted

Discussion in 'Server Operation' started by tfboy, Nov 30, 2016.

  1. tfboy

    tfboy Member

    Hi Till
    Great new UI for 3.1 BTW, bought the updated manual :)
    Strange issue which I can't understand. I've always had an awful lot of spam come into my mail settings. ISPconfig is installed as per the perfect server, currently running Ubuntu 14.04 LTS. ISP now running 3.1.1p1.
    Until recently, I used to get an awful lot of spam (like 300 a day). It was correctly detected and placed in the Junk folder with the ***Spam*** inserted in the header. I manually cleared it through my email client. A pain, but nothing too bad. A lot of them also had viruses which apparently weren't picked up although I have amavis set up.
    However, just yesterday, I realised I hadn't configured all the extra security and authentication. I now have DKIM, DMARC and SFP all set up with keys configured through ISPconfig. As a result, at least I think because of this!, I no longer have spam on one of my email accounts. The Junk folder is empty, so I'm assuming it's deleted / filtered before getting to the spam filter.

    However, for one of my email accounts, I'm still getting the Spam coming in with the ***Spam*** header, placed in the Junk folder. I've been through ISPconfig's settings, ensured DKIM is active, keys set up, all the relevant TXT entries in DNS (my server is on a Linode and I use Linode's DNS manager, not the one in ISPconfig). As far as I can tell, the settings are identical, so I can't understand why I still get them on this account, but not on the other one.

    Any idea where to start looking?
    I'd also like to understand why viruses aren't filtered too (they get killed by my local antivirus on the PC).
    Thanks :)
     
  2. tfboy

    tfboy Member

    Example email not filtered:
    Code:
    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
       by xavserver.co.uk (Postfix) with ESMTP id 1211B1035D
       for <[email protected]>; Wed, 30 Nov 2016 20:02:37 +0000 (GMT)
    X-Virus-Scanned: Debian amavisd-new at xavserver.co.uk
    X-Spam-Flag: YES
    X-Spam-Score: 12.902
    X-Spam-Level: ************
    X-Spam-Status: Yes, score=12.902 tagged_above=1 required=4.5
       tests=[BAYES_00=-1.9, CK_HELO_DYNAMIC_SPLIT_IP=0.001,
       HELO_DYNAMIC_IPADDR2=3.607, PHP_ORIG_SCRIPT=2.497,
       RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
       RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L5=0.001, RCVD_IN_PBL=3.335,
       RCVD_IN_PSBL=2.7, RCVD_IN_RP_RNBL=1.31, RCVD_IN_SORBS_SPAM=0.5,
       RCVD_IN_XBL=0.375, RP_MATCHES_RCVD=-2.997, SPF_SOFTFAIL=0.665,
       TVD_RCVD_IP=0.001, UNPARSEABLE_RELAY=0.001]
       autolearn=no autolearn_force=no
    Received: from xavserver.co.uk ([127.0.0.1])
       by localhost (xavserver.co.uk [127.0.0.1]) (amavisd-new, port 10024)
       with ESMTP id X1n9HOKzTXhd for <[email protected]>;
       Wed, 30 Nov 2016 20:02:36 +0000 (GMT)
    Received: from 187-162-250-157.static.axtel.net (187-162-250-157.static.axtel.net [187.162.250.157])
       by xavserver.co.uk (Postfix) with ESMTP id 4EB8610309
       for <[email protected]>; Wed, 30 Nov 2016 20:02:36 +0000 (GMT)
    Received: from internal (unknown [x.x.x.x])
    Received: (mailer pid 85300 invoked by uid 1409764);
       Wed, 30 Nov 2016 14:02:33 -0500
    To: <[email protected]>
    Subject: [virus a variant of JS/Danger.ScriptAttachment trojan] ***SPAM***Urgent
    X-PHP-Originating-Script: 1409764:SMail.class.php
    From: "Ira Maxwell" <[email protected]>
    Date: Wed, 30 Nov 2016 14:02:33 -0500
    MIME-Version: 1.0
    Content-Type: multipart/related; boundary="554f433593903224dc666cb306c226f9"
    Message-Id: <[email protected]>
    X-EsetResult: clean (cleaned), contained a variant of JS/Danger.ScriptAttachment trojan
    X-EsetId: 26366E2C8A310E6A3C7E3130D82E086A6674667D83
    
    --554f433593903224dc666cb306c226f9
    Content-type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable
    
    Dear Client! We have to inform you that payments for contractors' services were insufficient.
    Thus, we are sending the report and the amount details in the attachment.
    
    
    __________ ESET Smart Security warning, version of virus signature database 14530 (20161130) __________
    
    Warning, ESET Smart Security found the following threats in the message:
    
      details_xavier.zip - a variant of JS/Danger.ScriptAttachment trojan - deleted
    
    http://www.eset.com
    
    
    --554f433593903224dc666cb306c226f9
    Content-Type: text/plain
    X-Removed: Removed by ESET Smart Security
    
    
    
    --554f433593903224dc666cb306c226f9--[/cpde]
     
  3. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Did you enable move to junk for this address?
     
  4. tfboy

    tfboy Member

    Yes Florian, of course. I've always had the move to junk enabled on all addresses.
    [​IMG]
     
  5. tfboy

    tfboy Member

    In fact, it might be OK. Maybe sometimes it takes longer for the DNS changes and filters to really take effect. I haven't had any spam emails come in overnight, so it's probably OK after all. I'll update if I still get some by the end of today :)
     
  6. tfboy

    tfboy Member

    OK, I'm still getting spam correctly flagged and placed into the Junk folder on the xavimages account, at the rate of about one an hour.
    My other domain which I have set up identically (and which received several hundred a day) now has zero spam.
    So either there's something really subtle I've missed or somehow the spam mechanisms are consistantly different for each mailbox which I find hard to believe.
    Florian, Till, anyone else have any suggestions on where to look?
    Thanks :)
     

Share This Page