SPAM issues

Discussion in 'General' started by alphachris, Oct 13, 2016.

  1. alphachris

    alphachris New Member

    Hi Volks ..

    Recently we're receiving sh**-tons of spam and found out the issue was kind of an open relay, which seems to have been opened by a package update - I am not quite sure what exactly caused this to happen. We're currently running ISPConfig 3.1 as a single server setup (before that we used ISPConfig 2 which we migrated to a new clean Debian 8/ISPConfig 3.0 (Perfect Server Guide) setup using the ISPC migration tool).

    After our upgrade to 3.1 we followed the guide "Hardening Postfix for ISPConfig 3" which ended up in blocking the unwanted connections/relaying. Besides that, I found a guide to reset the spamassassin bayes DB (su amavis -c 'sa-learn --clear') and changed CRON=0 to CRON=1 in /etc/cron.daily/spamassassin. We've got 5 RBL's in our server configuration, which I am unable to put in here due to minimum post warning. Oh, and by the way - we're on postfix and dovecot.

    But because we are still receiving spam which doesn't get the "X-Spam-Flag", we decided to check what is going on exactly and changed the Spam Tag Level 1 in the SPAM Policies to -999 for debug purposes. It seems the incoming spam is not recognized as such. In some cases the spam even got a negative score which makes it impossible to filter ...
    Interesting fact: before I cleared the bayes DB, the email header value "autolearn" was "ham" instead of "no" at every single spam email.

    Anyone who could help us out ? I googled for days, but still found no proper solution ...

    Best,
    Chris
     
  2. jivko790

    jivko790 New Member

    Hi people help us a lot of spam also

    Final-Recipient: rfc822; [email protected]

    Original-Recipient: rfc822;[email protected]

    Action: failed

    Status: 5.7.1

    Remote-MTA: dns; gmail-smtp-in.l.google.com

    Diagnostic-Code: smtp; 550-5.7.1 [163.172.220.123 1] Our system has

    detected an unusual rate of 550-5.7.1 unsolicited mail originating from

    your IP address. To protect our 550-5.7.1 users from spam, mail sent from

    your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1

    https://support.google.com/mail/?p=UnsolicitedIPError to review our 550

    5.7.1 Bulk Email Senders Guidelines. t19si7127128lfi.357 - gsmtp


    Final-Recipient: rfc822; [email protected]

    Original-Recipient: rfc822;[email protected]

    Action: failed

    Status: 5.0.0

    Remote-MTA: dns; mx1.mindspring.com

    Diagnostic-Code: smtp; 550 IP 163.172.220.123 is blocked by EarthLink. Go to

    earthlink.net/block for details.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    @jivko790. You see that your problem is not related to the one of the thread starter? Your problem is that your server is sending spam and therefore your server IP gets rejected by other server like gmail. There are several threads here in the forum that explain how to use postcat to find out which website or mail account us sending the spam.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Either the emails have so little spammy content that spamassassin finds no spam signs or there is something broken in the spamassassin setup. Try to restart amavis and check the mail.log if you see any errors in the start output. Then you can update the spamassassin rules database with:

    sa-update

    command and restart amavis afterwards. Regarding the bayes issue, it can happen that the database learnt wrong things and this case filtering will get worse, so resetting it is ok.

    Which spam tag 2 level do you use? I use a level of 3.5 on my system, but my bayes database is trained quite well already over more than five years.

    An ispconfig server is not relaying emails when installed as described in the perfect server tutorial, so maybe something got wrong during base installation. I never use the hardened setup as it blocks legetimate email and I don't need it to get goog filter results.
     
  5. jivko790

    jivko790 New Member

    @till really try anything update spamassassin amavis restart any thing nothing to do .. i run antivirus all on server nothing found ..after remove domains which ist not worldpress .. all worldpress last version .. get 10000 emails per day will be very happy if you told me which comand can find path send me spam .. also stop apache end see get spam also
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Your server is sending spam, this thread is about receiving spam. So your post is completely off topic. Use the search function, is has been explained in many threads how to find a spam sending account or website. I even posted you the command to view the mails in the queue, so a simple search for this command will give you the right threads. @jivko790 stop this hijacking of the thread of @alphachris.
     
  7. alphachris

    alphachris New Member

    First, thank you for your reply !

    Indeed, the emails that are NOT declared as spam by spamassassin have only a small amount of content. In fact, the spam mails nowadays sound a lot like regular ham emails with correct german grammar, which is annoying as you can guess because SA doesn't filter them out.
    I tried restarting amavis several times, even set the debug level to 5 to see what exactly is going on inside of amavis daemon - but no errors were given.

    In my first post I mentioned that I've changed the "CRON" value from 0 to 1 to activate the cron which runs sa-update periodically (cron.daily), but that didn't seem to solve the problem. On the other hand, it did not get worse than before - so I think I'll leave it like that for now.

    We're currently using "5" as spam tag level 2. But as I can see from the mail headers, the X-Spam-Score doesn't even climb that high. The highest X-Spam-Score I've spotted in the last couple days was something like 1.5 - the problem is that I cannot set the value to 1.5, because the mails that we want (Newsletters, etc.) got a score of 1.5.

    Yeah, we also said that it is unusual that the server is relaying/forwarding mails - we did follow the instructions step by step. The hardening guide did seem to solve that issue though, although we're risking to "loose" some mails due to the hardened access rules.

    Yesterday I stumbled across some interesting threads and maybe the solution to our problem.
    What about "learning" the spamassassin/bayes DB in the good old way ?
    2 domains that run on our server are the most "attacked" - one of them is owned by me. So I'm considering to teach the users to move the spam to their Junkmail folder, to teach the bayes DB globally what mails should be considered as spam, as spamassesssin does not recognize spam as such at the moment and only feeds the DB with ham.

    I'm thinking of something periodically to automate the process:
    Code:
    #!/bin/bash
    /usr/bin/sa-learn --dbpath /var/lib/amavis/.spamassassin --spam /var/vmail/*/*/Maildir/.Junk/cur/
    rm -r /var/vmail/*/*/Maildir/.Junk/cur/
    /usr/bin/sa-update
    /etc/init.d/amavis restart
    The script should then run as root let's say every 4 hours or something. My thoughts were on the permissions/file owners, but I've tried the above commands, and they seem to work and even the file permissions/owners were untouched, so I guess this could be a solution. The involved users can check their Junk folder to see if the script is doing it's job. If the folder is empty, the DB got updated with new spam.

    Your thoughts on this ?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Additional learning by feeding emails into spamassassin is something that you can try. But I guess you have to run the sa-learn as amavis user and not root.

    Do you use MX blacklists on the server? If not, you should try to add some.
     
  9. alphachris

    alphachris New Member

    I tried running it as amavis. The problem is that amavis has no r/w permissions at /var/vmail directories, because they are owned by vmail. That's the reason why I'm considering running the script as root. The other approach would be adding amavis to vmail group to grant r/w access to /var/vmail directories and then run the script as amavis.
    Running the script as root works like a charm, but I would like to use the other way. Running a cronjob as root is boo-boo, I know :)

    We do use RBL's, but no MX blacklists. Can you give me a short hint ?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    If it works as root then you should run it as root. I was just not sure if the tokens get added to the correct database, but probably the --dbpath settings fixed that.

    RBL and MX blacklists are the same thing, so if you use RBL, then that should be fine.
     
  11. alphachris

    alphachris New Member

    Exactly ! That's the reason why I added --dbpath.
    Alright, I was not quite sure - yes, we're using five RBL's at the moment ..
    • zen.spamhaus.org
    • cbl.abuseat.org
    • b.barracudacentral.org
    • bl.spamcop.net
    • ix.dnsbl.manitu.net
    They work fine as I can see the host rejection in the mail log. We are now considering that either the migration from ISPC 2 to ISPC 3 went wrong, or at least something while the installation from ISPC 3 went wrong ... right now we're feeding the bayes DB as mentioned before. The script I posted above is doing it's job good so far. I got to mention that I changed the second command to not delete the spam, but to move it to the Trash folder.
     
  12. Jesse Norell

    Jesse Norell Active Member

    I believe another option is to use a bind-mount at another location to remap user/group id's, so that amavis can then read the files.

    Assuming you have a recent postfix, if you can live with users sending on port 587 (not 25!), you might try using postscreen eg. see example config in https://git.ispconfig.org/ispconfig/ispconfig3/issues/4239#note_58360
     
  13. alphachris

    alphachris New Member

    I also considered this as an option, maybe I'll get down to it soon :)

    In fact, because we followed the "Hardening Postfix in ISPC3" Guide, they also dedicated a part to postscreen - we're already using it !

    I found a trusted website which offers spam-emails for download. Feeding these to spamassassin's bayes DB did speed things up a little bit and seems to filter quite a amount of mails already. We're still continuing to "manually" feed our DB with two hosts as mentioned, but we still cannot get rid of all the "new generation" spam mails. When received, they get interpreted as autolearn=ham as the scoring is from -1.5 to -2.7 ... I'm then using our script from above, but as the next mail with the same content is received, it still doesn't get blocked or at least gets a score of 1 or 2 so that it doesn't get wrongly interpreted as ham ..

    Any ideas on this one ? How long does it usually take until spamassasssin gets used to new spam emails ?
    I appreciate any help or ideas ! For your own amusement but mostly for diagnosis, etc I quoted the header and the body to give you an idea ...
     
  14. Jesse Norell

    Jesse Norell Active Member

    Turn off autolearning, it can/does often fight against you. If you can (eg. allowed to legally), keep all your training messages around so at a point like this you can drop your bayes db and rebuild from correctly sorted mail. Hand-feed both ham and spam to train it.

    The spam scanner runs as user amavis, try verifying that the bayes database it uses has some number of spam/ham:
    Code:
    sudo -u amavis sa-learn --dump magic
    
    A common mistake is to run the spam scanner as one user, eg. amavis, but train (the wrong db) as another user, eg. root.
     
  15. alphachris

    alphachris New Member

    I will try disabling autolearn, as it seems to fu** up our bayes DB.

    No no, you got it wrong .. The output that you quoted IS the output when I run "sudo -u amavis sa-learn --dump magic". It says the DB got 31012 spam tokens and 11806 ham tokens.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    You should consider to feed ham messages as well, a good working bayes db should contain about the same amount of ham and spam messages.
     

Share This Page